An employee accessing confidential information.
Image: Feodora/Adobe Stock

A former employee could try to sell account credentials from their previous employer over the dark web. A current employee could record a confidential presentation by the CEO and then send a link to that recording to the press. An existing employee could share a customer list with a third party, which then was offered for sale to a competitor. These are just a few incidents of data theft and insider threats investigated by workforce security provider DTEX throughout 2022.

Released on Thursday, DTEX’s 2023 Insider Risk Investigations Report examined the scope of employee attrition and data theft for 2022. To generate its report, the company looked at hundreds of investigations conducted by the DTEX Insider Intelligence and Investigations team for the year. The results point to an increase in corporate IP and data theft.

Jump to:

What business data are employees stealing?

The i3 team investigated almost 700 cases of data theft by departing employees; this was twice as many cases as 2021. Based on the incidents, DTEX determined that 12% of employees take sensitive information with them when they leave an employer. The stolen information included customer data, employee data, health records and sales contracts.

But, the 12% doesn’t take into account non-sensitive data, such as templates and presentations; based on anecdotal evidence, DTEX said it believes that more than half of departing workers leave with this type of data.

How are employees stealing data?

Employees use a few different methods to grab corporate data, including screenshots, recordings, and syncing to personal devices or accounts. As just one example, the employee who sent a link of the CEO’s presentation to the press used a screen recording tool to capture the confidential data and then uploaded the recording to a personal account.

What factors contribute to employees’ data theft incidents?

Employee termination was a major contributor to data theft and system sabotage last year. In many of the cases the DTEX team investigated, employees who had been terminated still had some type of access to their corporate accounts, even after they had been laid off. In some cases, current employees provided corporate data or account credentials to their former colleagues without even knowing they had been terminated.

SEE: Access management policy (TechRepublic Premium)

Aside from departing employees, existing workers can pose a threat. Some employees maintain side gigs for which they use their corporate devices. The unsanctioned use of third-party work on such devices rose almost 200% last year. And in a shadow IT scenario, the use of unsanctioned applications increased by 55% over the same time.

Employee data theft warning signs

To catch employees who may try to record or copy sensitive information, DTEX suggests being on the lookout for certain early warning risk indicators. These include:

  • The anomalous use of screen or video recording software at video conferences.
  • Any research conducted on how to skirt past security controls.
  • The use of personal file services, such as Google Drive or Dropbox.
  • Saving sensitive presentations as images.

To stop employees who may be using corporate devices or applications inappropriately, DTEX suggests looking for some warning signs. These include:

  • Unusual browser activity accessing sites not used by the general employee population.
  • Signing into personal social media accounts to conceal activity.
  • Using multiple non-corporate webmail accounts.
  • Administrative access to accounting systems not related to their job.
  • Unusual use of personal file sharing sites.

How to prevent employee data theft incidents

To protect your organization against data theft and similar threats, DTEX offers the following recommendations:

  • Set up policies that clearly define the difference between the personal use and corporate use of data, devices, networks and other assets. Make sure those policies are conveyed to employees, whether they’re new, existing or departing.
  • Implement a zero-trust mindset when removing data access for departing employees. Always assume that there will be some remaining access to sensitive data and systems after an employee leaves. Turn to tools that will create a full audit trail should a problem arise.
  • Understand that technology won’t be 100% effective in thwarting data theft. That’s why you need to focus on your policies in this area and keep evaluating your existing procedures for departing employees.
  • Be proactive by looking at the early warning signs of malicious intent and not just actual incidents.
  • Maintain a trusted insider relationship with employees. Respect their privacy, communicate policies about data access and offer support rather than suspicion.

Read next: 10 best employee monitoring software for 2023 (TechRepublic)

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday