Mitigating the Threat of Data Theft by Departing Employees James A. Martin


Post on 25-Aug-2018


How Real is the Threat?

Who’s Most at Risk?

What’s at Risk?

Why Does it Happen?

High-Profile Examples

How Real is the Threat?

60% of all data breaches are an inside job (IBM, 2016)

77% (Verizon, 2017)

Sources: IBM 2016 Cyber Security Intelligence Index; Verizon Data Breach Investigations Report 2017

How Real is the Threat?

Of 60% ‘inside job’ data breaches:

• 75% malicious

• 25% inadvertent

Source: IBM 2016 Cyber Security Intelligence Index

How Real is the Threat?

Source: Biscom

85% of departing employees take company info they created

How Real is the Threat?

Source: Biscom

90% of employees who took data upon departure did so because the employer lacked policy or technology to prevent it

How Real is the Threat?

Source: Accenture

69% of businesses are hit with “attempted or realized” data theft by insiders

How Real is the Threat?

Source: Haystax Technology

74% of businesses feel “vulnerable to insider threats”

56% say threats are more frequent

How Real is the Threat?

Source: IBM/Ponemon Cost of Data Breach Study

$158: average cost per stolen or lost record in a company database

Who’s Most at Risk?

Sources: Accenture; IBM; Biscom

Media and tech firms

Health care

Manufacturing

Financial services

What’s at Risk?

Source: Biscom

Source code

Patent filing

Business critical data

Customer data

Names

Phone Numbers

Email addresses

Bank account numbers

Why Does it Happen?

Source: PC World

Money

Major software co. employee sold valuable source code on Dark Web for $15k

Why Does it Happen?

Source: PC World

Money

Insiders selling info from financial, health care, and legal firms

• Bank account #s

• Patient info

• Upcoming merger/acquisition deals

Why Does it Happen?

Source: Biscom

Malice

20% of employees would be more likely to steal data if fired or laid off & give it to a competitor

High-Profile Examples

Source: The New York Times; TechCrunch

2017 Waymo/Uber

• Anthony Levandowski left Google’s Waymo self-driving car initiative

• Started his own company Otto

• Uber acquired Otto in 2016

• Waymo sued Uber in civil court, claiming Uber was using trade secrets stolen from Google

• Result: Uber fired Levandowski (May 2017); lawsuit going to trial; possible criminal investigation

High-Profile Examples

Source: Business Insider

2017 Facebook/Zenimax Media

• Former Zenimax employee became Oculus CTO

• Facebook acquired Oculus

• Zenimax claimed employee stole trade secrets

• Result: Facebook paid Zenimax $500 million

High-Profile Examples

Source: Ars Technica

2016 Zynga

• Zynga sued two former employees

• Claimed they stole confidential information

• Gave info to new employer, a competitor (Scopely)

• Files stolen allegedly included “hundreds of detailed design specifications”; “unreleased game design documents”; and “financial-related information”

• Employees tried to cover their tracks, deleted 24k folders and documents

• Result: TBD

High-Profile Examples

Source: The Wall Street Journal

2016 US Office of the Comptroller of the Currency

• Former employee removed more than 10k records

• Employee downloaded files to USB thumb drives before retiring

• Discovered during retrospective two-year agency review of employee downloads

• Result: OCC said it was a “major” breach but no evidence that data was misused

Mitigating the Threat of Data Theft by Departing Employees

Netwrix Corporation

Roy Lopez

System Engineer

Checklist: Offboarding

IT Security Department

• Notify systems administrators of account suspension and archiving

• Terminate all accounts (VPN, email, network logins, cloud services, specialized applications, company-owned social media site accounts, backup accounts)

• For departing privileged users, change all passwords to shared accounts, service accounts, network devices (routers, switches, etc.), test accounts, jump boxes, etc.

• Collect remote access tokens (two-factor authentication devices)

• Update access lists to sensitive areas (server rooms, data centers, backup media access, etc.)

• Remove employee from all the distribution lists and automated alerts

Physical Security Department

• Collect identification badge, keys, access cards, parking pass, etc.

• Provide security debriefing

Done

Checklist: Offboarding

Records Department

• Ensure a departing employee returns all equipment, such as laptop, tablet, netbook, and smartphone

• Verify returned equipment against inventory

• Ensure a departing employee returns any company-owned or controlled documents

HR Department

• Obtain forwarding mailing address

• Complete offboarding paperwork

• Notify organization of separation

• Reaffirm any IP (intellectual property) and NDA (non-disclosure) agreement

Done

Be Aware of What Can Happen

• Theft of sensitive data, to blackmail the company or to sell it to a competitor

• Deletion of critical business data, to wreak havoc in the company’s business processes

• Credential and password changes, to gain control over critical assets

Seven Oddities to Keep an Eye On

Someone is actively accessing data

Someone has made too many failed attempts to access data

Someone is actively accessing stale data

Someone is accessing data outside business hours

Someone is trying to log in from different endpoints

Someone has created new user accounts

Someone is massively deleting data
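
A sketch of how five of these oddities (failed attempts, stale data, off-hours access, multiple endpoints, mass deletion) can be expressed as rules over file-access audit events. This is an added example, not part of the original slides and not Netwrix Auditor output; the event schema, thresholds, users and paths are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds; tune them against your own baseline.
MAX_FAILED, MAX_ENDPOINTS, MAX_DELETES = 3, 2, 3
STALE_AFTER = timedelta(days=365)
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59, Monday to Friday

RECENT = "2018-08-01T09:00:00"
# Constructed events in a hypothetical schema:
# (timestamp, user, endpoint, action, path, file_last_modified)
EVENTS = [
    ("2018-08-20T10:05:00", "asmith", "WS-014", "read", "/finance/q3.xlsx", RECENT),
    ("2018-08-20T23:10:00", "jdoe", "WS-022", "read", "/design/specs.docx",
     "2015-03-02T12:00:00"),
    ("2018-08-21T11:00:00", "jdoe", "LAPTOP-7", "read", "/design/roadmap.docx", RECENT),
    ("2018-08-21T11:30:00", "jdoe", "VPN-3", "read", "/design/roadmap.docx", RECENT),
]
EVENTS += [(f"2018-08-21T14:0{i}:00", "jdoe", "WS-022", "read_failed",
            "/hr/payroll.xlsx", RECENT) for i in range(4)]
EVENTS += [(f"2018-08-21T15:0{i}:00", "jdoe", "WS-022", "delete",
            f"/design/old/{i}.docx", RECENT) for i in range(4)]

def find_oddities(events):
    """Return {user: sorted oddity names} for users who tripped at least one rule."""
    failed, deletes = defaultdict(int), defaultdict(int)
    endpoints, flags = defaultdict(set), defaultdict(set)
    for ts, user, endpoint, action, _path, last_modified in events:
        when = datetime.fromisoformat(ts)
        endpoints[user].add(endpoint)
        failed[user] += action == "read_failed"
        deletes[user] += action == "delete"
        if when.weekday() >= 5 or when.hour not in BUSINESS_HOURS:
            flags[user].add("outside_business_hours")
        age = when - datetime.fromisoformat(last_modified)
        if action == "read" and age > STALE_AFTER:
            flags[user].add("stale_data_access")
    for user in endpoints:  # per-user counters are checked after the full pass
        if failed[user] > MAX_FAILED:
            flags[user].add("many_failed_attempts")
        if len(endpoints[user]) > MAX_ENDPOINTS:
            flags[user].add("many_endpoints")
        if deletes[user] > MAX_DELETES:
            flags[user].add("mass_deletion")
    return {user: sorted(names) for user, names in flags.items()}

if __name__ == "__main__":
    for user, names in find_oddities(EVENTS).items():
        print(user, names)
```

The counts here cover the whole input; in practice each rule would run over a sliding window (per hour or per day) so that normal long-term activity does not accumulate into an alert.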

Demonstration

Netwrix Auditor

Netwrix Auditor Applications

Netwrix Auditor for Active Directory

Netwrix Auditor for Windows File Servers

Netwrix Auditor for Oracle Database

Netwrix Auditor for Azure AD

Netwrix Auditor for EMC

Netwrix Auditor for SQL Server

Netwrix Auditor for Exchange

Netwrix Auditor for NetApp

Netwrix Auditor for Windows Server

Netwrix Auditor for Office 365

Netwrix Auditor for SharePoint

Netwrix Auditor for VMware

About Netwrix Corporation

Year of foundation: 2006

Headquarters location: Irvine, California

Global customer base: over 8,000

Recognition: Among the fastest growing software companies in the US with 105 industry awards from Redmond Magazine, SC Magazine, WindowsIT Pro and others

Customer support: global 24/5 support with 97% customer satisfaction

Netwrix Customers

GA

Financial

Healthcare & Pharmaceutical

Federal, State, Local, Government

Industrial/Technology/Other

Industry Awards and Recognition

All awards: www.netwrix.com/awards

Free Trial: set up in your own test environment:

On-premises: netwrix.com/freetrial

Virtual: netwrix.com/go/appliance

Cloud: netwrix.com/go/cloud

Test Drive: run a virtual POC in a Netwrix-hosted test lab netwrix.com/testdrive

Live Demo: product tour with Netwrix expert netwrix.com/livedemo

Contact Sales to obtain more information netwrix.com/contactsales

Webinars: join our upcoming webinars and watch the recorded sessions

• netwrix.com/webinars

• netwrix.com/webinars#featured

Next Steps

Thank You!