Cybersecurity - What About the Threat from Within?

Securing your organisation’s data from breach, leakage, ransomware and social engineering is critical. Although external hackers make the headlines, a large percentage of data leakage is caused by trusted employees. In this article, we discuss how organisations can best protect their data, both reactively and proactively, from ‘the threat from within’.

This article was first published in the Orient Magazine, 25th September 2017.


By Gino Bello, Senior Director - Technology, FTI Consulting 


Securing your organisation’s data from hackers, whether your customers’ privacy or valuable intellectual property (IP), is critical. The threat from external parties, whether a breach or leakage, ransomware or social engineering, causes financial and reputational damage. But so does the threat from trusted employees. Although ‘outsider’ hacks make the headlines, 43% of data leakage is caused by trusted employees1. So how do organisations best protect their data, both reactively and proactively, from ‘the threat from within’?



In today’s competitive world, the value of IP increases. Internal and external parties recognise this. Theft of trade secrets and software by South East Asian countries cost USD$600 billion a year2. Two out of three departing employees take confidential business information with them3. Although ‘outsiders’ are generally threats that have been addressed with traditional security measures, preventing and detecting insiders is more challenging using ‘cookie-cutter’ measures.

What’s at Stake?


Beyond monetary and reputational loss, workplace data theft – for example proprietary, confidential, or copyrighted – is problematic. Theft may occur to profit from the sale of data, to form competing enterprises, or trying to get ahead with new employers. Employers need to be agile so that employees have appropriate access to data to perform their duties, but secure enough to satisfy their mandatory obligations. In today's digital world, data theft from customer contact databases, sales, marketing, business and strategy plans, designs, formulae, research or source code is easy.

Investigation – Responsive


Once an organisation suspects misconduct, they should consider bringing in computer forensics specialists to preserve and analyse IT assets, rich in evidence. Computer forensics specialists are armed with techniques to find the ‘smoking gun’. They can interpret subtle clues left by thieves to create a comprehensive account of the theft and identify the compromised data. With the evidence compiled by experts, organisations can mitigate the potential damage and bring perpetrators to justice. 
Types of digital evidence:
More common assets include laptops, desktops, servers, email accounts, smartphones and external storage devices. Newer, non-traditional types of digital evidence can include cloud, social media, open source intelligence, GPS / activity-based mapping paths, language / sentiment analysis and ‘clickstream’ analysis.
Any IT data destruction or retention policies that could inadvertently destroy evidence should be suspended. Once the suspect’s assets have been determined, the forensics team can create images of hard drives, as well as secure copies of email, network folders, use of document management systems (DMS), and customer relationship management (CRM) databases.
A Forensic Image:
An exact, bit-for-bit, defensible, and validated copy of source digital evidence and is used to preserve the original data for law enforcement, trial or investigation.  A forensic image can be taken of laptops, desktops, servers, mobile and other portable devices.
Retracing Steps – Analysing the Evidence
Within the Microsoft Windows operating system, a user’s options, preferences, configuration and activity logs (e.g. when USB drives are connected) are saved. This can prove to be a critical piece of evidence, as theft via flash drives is one of the most common methods of data transfer. Similarly, evidence of cloud storage usage such as Dropbox and OneDrive can be uncovered, adding to the timeline. File metadata can also provide clues into the actions and intent of a departing employee, e.g. files most recently opened, pinpointing potentially compromised files.
Types of misconduct where digital evidence is crucial:
Large or small-scale IP theft, collusion of employees to set up a competitor, inappropriate access by privy employees, corporate espionage, breach of contract, harassment and bullying
Threats from the Cloud
The corporate world has embraced cloud-computing applications that allow employees easy access to solutions wholly in an online environment, adding another layer of considerations for preventing and investigating theft. Applications such as CRMs or DMS’ contain valuable information that can range from client lists, marketing strategy documents, to minutes. The ease in which this data can be accessed, whether within the organisation or remotely from an employee’s home, makes cloud applications appealing to would-be data thieves.
A data forensics expert can analyse logs and employee's web browser artefacts to determine when these cloud-based applications were accessed and determine what was uploaded. Analysis of CRMs or DMS’ can assist in building the timeline and intent of an employee. Have they accessed or downloaded more information than they would typically? This type of activity can be detected proactively so that potential ‘flight risks’ can be identified.
What Else Can Be Done?
Organisations can take the following proactive measures to protect themselves:
  • Categorise – know the location of data and its value. When an issue arises, knowing where relevant data is stored enables teams to focus on specific data sources.
  • Conduct regular cyber risk and information governance reviews to mitigate the risk of data theft. Conduct ‘table-top’ dress rehearsals of potential incidents. Where appropriate, seek independent, external advice.
  • Training employees on the consequences of misconduct.
  • Forensically image employees’ devices that are privy to valuable information, regardless of whether there are allegations. It is cost and time efficient and retains key digital evidence when issues arise in the future.
  • Think outside the box – what applications (e.g. CRM, DMS, chat logs, SPAM filters) can be leveraged to detect behavioural changes that suggests impending departure or misconduct of employees?
  • Consider overt or covert investigations. There are advantages to both.







About the Author

Gino Bello is a Senior Director in the Technology segment at FTI Consulting and is based in Singapore. A computer forensic expert and certified Computer Examiner, Gino specialises in forensic collection, analysis and expert reporting of digital evidence. He has led a broad range of matters including large-scale, cross-border disputes, arbitrations and e-Discovery engagements in class actions and royal commissions. He also assists clients in Cyber risk and incident response. Gino has led investigations into IP theft, information leakage, anti-bribery and corruption, regulatory and other employee-related misconduct.

About the Company

FTI Consulting is an independent global business advisory firm dedicated to helping organizations manage change, mitigate risk and resolve disputes: financial, legal, operational, political & regulatory, reputational and transactional. Individually, each practice is a leader in its specific field, staffed with experts recognized for the depth of their knowledge and a track record of making an impact. Visit FTI Consulting's website for more information.