Live Cyber Attack Lab 🎯 Watch our IR team detect & respond to a rogue insider trying to steal data! Choose a Session


7 Tips to Avoid Employee Data Theft

Data Security

graphic showing employee theft

Employee data theft is a specific insider threat where a malicious insider steals data from the current organization for monetary gain or a competing company’s benefit.

The Tesla incident is a perfect example of employee data theft. A Tesla employee copied 300,000 files worth of Autopilot code as they prepared to take a new job with a Chinese self-driving car competitor.

Download the data breach stats!

Why is Employee Data Theft an Issue?

You know the horror movie trope, “the call is coming from inside the house!” Employee data theft is like that. The bad actors are already inside your network, with access to intellectual property (IP) that is valuable to other organizations. It could be anything from a list of sales contacts to hundreds of thousands of lines of proprietary source code.

The challenge for organizations is drawing the line between productivity and security. How do you balance the need to trust your employees and the security of your data and IP? Humans want to trust each other, and we work best when we feel that our companies trust us, but that leaves us vulnerable to a few bad actors. And in the digital age, lenient security controls can lead to data breaches and employee data theft.

graphic explaining the challenge of balancing security and productivity

Malicious Intent vs. Data Misuse

It’s important to distinguish between malicious intent and data misuse. Data misuse implies unintended consequences from poor data handling processes, whereas malicious intent is intentional.

graphic showing the difference between malicious intent and data misuse

Example of Data Theft With Malicious Intent

We can argue whether Edward Snowden was malicious or not, but his theft of classified government documents was undoubtedly intentional.

Example of Data Theft Due to Data Misuse

Uber’s “God Mode” incident is an excellent example of data misuse. In this case, Uber employees accessed internal tools to stalk celebrities or other people of note on their Uber rides. The employees didn’t profit from the data misuse, but they did breach their customers’ privacy and were fined $20,000 by the state of New York.

Employee Data Theft Prevention

So what are the best practices to prevent employee data theft? And how do you balance productivity and security? Let’s dive into this conundrum.

graphic detailing the 7 steps to employee theft prevention

1. Asses What Data Needs Protection

First, you have to know where your crown jewel data lives and establish a data classification policy that accurately identifies and categorizes data so you can prioritize your data security strategy.

  • Clearly define which compliance regulations and IP that you need to classify.
  • Automate the discovery of your critical data across your enterprise data stores.
  • Implement manual classification capabilities so that users can apply protections to IP.

2. Decide Who Should Have Access to This Information

Once you have established what your important data looks like, you need to address who needs access to that data. Pro tip: It’s not “Everyone” or “Authenticated Users.”

A significant source of risk of employee data theft is users that have access to data that they shouldn’t.

The principle of least privilege says that users only get access to data they need to do their jobs. But we all know that people accrue more access over time as they change roles and work on various inter-departmental projects. Rarely does anyone go back and review old entitlements to ensure they’re still required. As a result, organizations have far greater exposure to employee data theft than they realize.

Most organizations start by fixing global access and broken inheritance issues before limiting access to data based on need.  Removing global access is non-trivial. Without a comprehensive audit trail of data access events, you can inadvertently revoke access from mission-critical people (or applications).

Varonis maps who can access data and who does access data, and shows where users have too much access. Then you can safely automate changes to access control lists and security groups. Varonis can automatically fix broken inheritance and global access issues and add new single-purpose access groups with the active users of that data significantly faster than any team could do manually.

After that behemoth is tamed, you then have to figure out who should have access to data and have a system in place to limit access and audit access to maintain your beautiful least-privilege system. This task will involve regular users of that data and ask them who needs access to data. It’s also a great time to implement a system that automates and audits data access requests so you can maintain least-privilege easily.

3. Create a Policy

Establish a data security policy based on one of the established frameworks like the Data Security Governance framework by Gartner or the NIST framework. These frameworks outline best practices for data security that you can use to customize a policy for your organization.

Build a comprehensive policy that establishes the business needs of a data security policy and how to balance risk and productivity.

graphic showing monitoring data

4. Apply Security Analytics and Monitor Behavior

Data security monitoring and behavior analytics can help shed light on potential data security policy violations before the incident becomes employee data theft.

In particular, monitor user activity for deviations from their normal data use behaviors. Like if a user starts hoarding data, or accesses data they don’t usually access.

Be careful to consider all of the factors around a user’s current behavior and don’t go off half-cocked at every data security policy violation. Users, for the most part, are trying their best and are not malicious insiders. The examples of employee data theft are the exception. Therefore, data analytics can only tell you that a user’s behavior patterns changed, and you should investigate. Data analytics cannot assign motive or consider circumstance.

Varonis Threat Models

Varonis DatAlert correlates metadata from several streams to provide Incident Response teams with the necessary intelligence they need to investigate insider threats and potential employee data theft quickly.

Here are just two examples of Varonis detecting potential employee data theft in the real world:

  • A healthcare organization suspected system administrators of using their access to view customer PII, which is a clear violation of HIPAA. Varonis worked with the customer to analyze the abnormal file access and prove not only which sysadmins broke the rules, but which ones didn’t. We showed the customer exactly what inappropriate records the sysadmins accessed so they could self-report the violation and avoid a large fine.
  • A financial customer received an alert of excessive access to files by a single user and engaged the Varonis IR team. The Varonis IR team used the file access auditing to show exactly what data the user accessed and copied as they prepared to leave the firm. Varonis created a timeline of the incident that the customer’s security team could bring to upper management and prevented the employee data theft.

5. Implement Watchlists

Establish criteria so you can add users to a watchlist to enable additional monitoring. For example, if a user submits a two-week notice, add them to a watchlist in your data security analytics to detect exfiltration attempts.

Varonis provides the functionality to add and remove users from the watchlist so your security team can better anticipate and prevent potential employee data theft.

graphic showing training employees on security protocol

6. Train Employees on the Security Protocol

Train your employees on the data security policy when they join the company and offer refreshers yearly. Part of the reason is CYA – employees can’t claim ignorance if they signed off that they completed the training. But you can also use the training to empower employees to be aware of potential employee data theft and provide anonymous tip lines so the security team can investigate incidents quietly before they become data breaches.

7. Have a Plan of Action in Case Data Theft is Detected

Implement an Incident Response Plan and a process that enacts that plan when you discover employee data theft. The plan needs to be comprehensive and includes all of the potential stakeholders, like HR and Legal, in addition to the cybersecurity team.

The IR plan informs the process of responding to any cybersecurity incident, including employee data theft. Check out the blog for details about creating an IR plan.

Employee data theft is a legitimate concern for any organization. As I am writing this article, a new incident about Amazon employees abusing their access in exchange for bribes hit the wire. It looks like these employees stole terabytes of proprietary data, including algorithms that enabled some sellers to gain a competitive advantage.

Check out the Cyber Attack Lab, where we demonstrate how Varonis spots an employee data theft attempt in action.

Jeff Petters

Jeff Petters

Jeff has been working on computers since his Dad brought home an IBM PC 8086 with dual disk drives. Researching and writing about data security is his dream job.


Does your cybersecurity start at the heart?

Get a highly customized data risk assessment run by engineers who are obsessed with data security.