Tag Archives: Insider threat

The Risk of the Insider Threat

Elon Musk, CEO of Tesla, sent an email to all employees over the weekend telling them that the company was hacked by an employee who changed code on an internal product and sent company data outside without permission.

The software, the Tesla Manufacturing Operating System, is likely used internally in the manufacturing process.

The employee created false usernames and then modified the software without approval. He also sent large volumes of sensitive Tesla data to third parties.

This investigation is not over and there is a question about whether outsiders were involved. There are lots of people who do not like the idea of an electric car, starting with the oil and gas industry and some Wall Street insiders. The traditional car makers, who seem perfectly willing to lie and cheat to pass emissions tests, could also be motivated to harm Tesla.

In this particular case, the employee said he was angry because he was passed over for a promotion. Passing him over was probably a good call, since it is going to be hard for him to work from prison.

This is an important notice for all employers.

Every company, except those with one or two employees, has employees who are not happy. Would an unhappy employee become a saboteur? Hopefully not, but the larger the company, the more likely it is that at least one person has a grudge and could, possibly, act on it.

In Tesla’s case, even though this person created fake accounts to try to hide his deeds, the company had sufficient tools in place to uncover the sabotage and figure out which employee was behind it.

For your company, how much damage could a disgruntled employee do and could you detect it?  How quickly could you repair the damage?  Could you figure out who did the damage in order to prevent a repeat performance?

In today’s world it probably does not take much to get just one employee really peeved, and if someone outside the company is willing to motivate that action with money, well, you have really increased the odds.
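Figuring out who did the damage when the work was done through accounts created for the purpose comes down to keeping account-provisioning events in the same audit trail as the actions those accounts later take. The Python below is an added example, not Tesla's tooling and not from the CNBC report; the event layout, account names, file paths and the idea of an "approved accounts" list produced by the normal provisioning process are all assumptions. It walks each sensitive action back through account_create events until it reaches an approved account, so a code change made by a throwaway account is attributed to the person who created that account.

```python
"""Attribute sensitive actions taken through freshly created accounts back to
the person who created them.

Added example for this page, not Tesla's tooling and not from the CNBC report.
Event layout, account names, file paths and the approved-accounts list are
constructed for illustration."""

# Constructed audit events: (timestamp, acting account, action, target)
EVENTS = [
    ("2018-06-15T08:02", "jdoe",       "login",          None),
    ("2018-06-15T08:05", "jdoe",       "account_create", "svc_build7"),
    ("2018-06-15T08:06", "jdoe",       "account_create", "qa_temp2"),
    ("2018-06-15T22:14", "svc_build7", "code_modify",    "mos/line3/recipe.py"),
    ("2018-06-15T22:31", "qa_temp2",   "export",         "mos/reports/yield.csv"),
    ("2018-06-16T09:00", "asmith",     "code_modify",    "mos/line1/hmi.py"),
]

# Accounts that went through the normal provisioning process (constructed).
APPROVED_ACCOUNTS = {"jdoe", "asmith", "svc_release"}

# Actions worth attributing to a human.
SENSITIVE = {"code_modify", "export"}


def creator_map(events):
    """account -> the account that created it, from account_create events."""
    return {target: actor for _ts, actor, action, target in events
            if action == "account_create"}


def resolve_human(account, created_by, approved):
    """Walk the creation chain until an approved account is reached.  Stops
    on a cycle or on an account with no recorded creator and returns whatever
    it got to; an unresolved name is itself a finding."""
    seen = set()
    while account not in approved and account in created_by and account not in seen:
        seen.add(account)
        account = created_by[account]
    return account


def unapproved_accounts(events, approved=APPROVED_ACCOUNTS):
    """Accounts created outside the approved set, with their creator."""
    return {acct: by for acct, by in creator_map(events).items() if acct not in approved}


def attribute_actions(events, approved=APPROVED_ACCOUNTS, sensitive=SENSITIVE):
    """One finding per sensitive action: which account did it, which human it
    resolves to, and whether it went through an unapproved account."""
    created_by = creator_map(events)
    findings = []
    for ts, actor, action, target in events:
        if action not in sensitive:
            continue
        findings.append({
            "ts": ts,
            "acting_account": actor,
            "attributed_to": resolve_human(actor, created_by, approved),
            "action": action,
            "target": target,
            "via_unapproved_account": actor not in approved,
        })
    return findings


if __name__ == "__main__":
    print("unapproved accounts:", unapproved_accounts(EVENTS))
    for f in attribute_actions(EVENTS):
        print(f)
```

The chain-following also handles an unapproved account that creates another unapproved account. What it cannot do is attribute anything when account creation is not logged at all, which is the first thing to check on your own systems before worrying about the rest.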

Information for this post came from CNBC.

The Insider Threat Cost One Mortgage Company $25 Million

This case of intrigue may seem like it belongs in a spy novel, but in this case, it is winding up in the Board Room and the court room.

Here is the story. Chicago-based Guaranteed Rate courted Benjamin Anderson, an employee of a much smaller rival mortgage company, Mount Olympus Mortgage. While still employed at Mount Olympus, Anderson signed an employment contract with Guaranteed Rate. An employee considering a move wants assurances that if he or she quits the current job there will be a job waiting at the new company, but this is usually done via a written offer letter, not a signed employment agreement. Once he signed the agreement he was, in fact, working for two competing mortgage companies at the same time.

While this may be unethical – and possibly a violation of his contract with Mount Olympus – it may not be illegal.  What happened next, however, was illegal.

Over a period of weeks, Anderson downloaded and transferred loan files – hundreds of them – to his new employer.  Anderson’s new contract with Guaranteed Rate paid him a much higher commission during his first few months, encouraging him to close as many loans as possible during that time-frame.  Some of those loans closed before he even left Mount Olympus.

Eventually, Mount Olympus discovered what he was doing, sent cease and desist letters and then, ultimately, filed a lawsuit. It is certainly possible that if Anderson had been less greedy and transferred only tens of loan files, he might never have been caught.

Even though Mount Olympus was small, they were able to detect what was happening. One way this surfaces is when the company contacts a borrower and the borrower says they are no longer working with that company.

The judgment, with a total value of around $25 million, includes $13 million in punitive damages, $5.6 million in lost profits and $4.6 million in lost business value. For a company as big as Guaranteed Rate, which funded $18 billion in loans last year, this is a blip, but for a smaller company it could be a death sentence.

There are several messages in this verdict –

First, if you are luring an employee away from a competitor, make sure that they are not working for both you and the competitor at the same time.  One strike against Guaranteed Rate.

Second, make sure that compensation is not structured to encourage a new employee to steal intellectual property from the employee’s former company.  Strike two against Guaranteed Rate.

Third, make sure that employees understand that bringing their former employer’s (stolen) intellectual property with them will not be tolerated and will be grounds for immediate dismissal.  This has to be a policy with teeth.  As Uber is learning right now in a lawsuit they are fighting, saying one thing but winking that they don’t mean it will land you in court.  Strike three and $25 million later…

Finally, for all companies, the ability to deter and detect the insider threat scenario is critical.  The theft of intellectual property can ruin a company.  Failing that, it can cost large legal fees on both sides and in some cases multi-million dollar judgments.

In this case the theft was probably easy to detect, but in many cases you don’t have an obvious smoking gun, which means that logging and alerting become much more important.

Unfortunately, it is likely more common than you might guess that employees take at least some intellectual property with them when they leave an employer.  Strong policies and good insider threat detection can slow that theft down.

Information for this post came from the Chicago Tribune.

The Insider Threat

Some say that the insider threat is the most serious threat to a business and without debating whether one threat is worse than another, here is a great example of the insider threat and how not to deal with it.

First, the story. Last month, three executives of the Denver Post resigned and formed an ad agency that would, potentially, compete with the Post. The executives are SVP of advertising Richard Wicoff, senior digital sales strategist David Staley and director of digital advertising operations Nicole Brennan.

If that was the end of the story, it wouldn’t be a story.  But it is not the end.

From the Post’s perspective, their new company, Digible, would compete directly with the Post’s Adtaxi, with one major distinction: Digible would be able to steer customers away from advertising in the Post if it thought that was best for the customer; it is unlikely that Adtaxi would tell clients that their ad dollars would be better spent with Denver Post competitors.

The group and their company, Digible, Inc., are being sued on a variety of grounds, and the Post is asking a court for a temporary injunction. Among other things, the group is accused of soliciting current clients and employees and downloading hundreds of files.

The Post’s attorneys are claiming theft of trade secrets and confidential information among other claims.

Obviously, for a new company, starting out with a big lawsuit is not great for business.

Regarding the non-solicitation issues, Digible’s attorneys claim that the three never signed a non-solicitation agreement.

Regarding competing, they never signed a non-compete agreement either.

Regarding the theft of trade secrets and other confidential information, Digible’s attorney said that they did not take any trade secrets. It is likely hard to claim that a list of your advertisers is either confidential or a trade secret. All you have to do to find that out is go to the library and read a few weeks’ worth of newspapers. Likewise, a list of their employees could probably be found on LinkedIn or other social media sites.

According to the complaint, both Brennan and Wicoff agreed that any intellectual capital they helped develop while employees was the property of the Post. I am not a lawyer and don’t even pretend to be one on the Internet, but there are significant limits to what you can tell people to erase from their brains. You can stop them from stealing, say, a strategy document that they created while employees, but you cannot ask them to unlearn anything they learned. And if the Post’s information security practices were as bad as claimed, well, that becomes problematic for the Post as well.

However, the Post’s forensics person said that they did take hundreds of pages of documents. The expert did say that he had no idea what, if anything, they did with those documents. Their expert said that the day after Brennan resigned she downloaded hundreds of files into Dropbox and the next day they were not there. Without arguing whether you download files to Dropbox or upload them (I think it is the latter, but whatever), that raises some issues.

Let’s recap where we are so far.

  • Due to sloppy, lax or simply bad HR practices, key executives of the company did not sign important legal documents, which the Post, apparently, does not deny. Those documents would be a non-solicitation agreement and a non-compete agreement.
  • In the absence of documents like those, there is likely nothing to stop them from soliciting employees or customers (unless there is language prohibiting that in other agreements that they did sign. If so, I assume the Post would have produced those documents at the hearing on the injunction request, which it apparently did not).

The employees uploaded a number of files to Dropbox after they resigned. Completely ignoring the contents of those files, the optics of that do not look good for the employees. The employees understood that doing that left digital footprints and tried to erase those footprints using the software CCleaner. The fact that the forensics team was able to determine that they uploaded files indicates that they were likely using a company Dropbox account, probably on a company computer. Either one is enough on its own: an administrator of a company Dropbox account can see the account’s file activity, and a company-owned computer leaves sync-client and browser artifacts on disk that a wipe tool has to find before it can erase them.

More recap –

  • The employees uploaded files to Dropbox after they resigned, likely from a company computer and company Dropbox account. Without telling crooks how to get away with stealing stuff, doing that doesn’t seem very smart. Assuming flash drives were not blocked on their computers, copying those files to a flash drive would LIKELY have left fewer footprints (fewer, not none: Windows keeps a record of every USB storage device it has seen), and zipping those hundreds of files into one encrypted archive and moving it off their computers with a tool that does less tracking would certainly have been smarter.
  • The trio’s attorney suggested that using CCleaner to wipe their computers would have just been good practice to stop confidential information from leaking and had nothing to do with them uploading files to Dropbox. Maybe so, if they could show that they did this as a matter of practice on, say, a daily basis, but doing it only after they resigned is probably a stretch to defend.
  • Letting the employees back into the office or back onto the network after they resigned qualifies as really, really stupid. Especially since the resignations came the day after the group was confronted about starting a competing agency. Short version: you confront someone about starting a competitor, they resign, and you continue to let them work there. I do have better words than stupid to describe that action by management, but this is a “G” rated blog.
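Both the Mount Olympus case above (hundreds of loan files pulled over a few weeks, where tens might have gone unnoticed) and the Dropbox uploads the day after the Post resignations are the kind of thing a volume-and-watchlist check over file access logs surfaces. The Python below is an added example written for this page, not the tooling of any company named in these posts; the log layout, the sample events, the thresholds and the resignation dates are all constructed. It flags a user-day whose download count is far above that user’s own earlier days, and separately flags any activity at all by an account whose owner has already resigned.

```python
"""Volume-spike and post-resignation activity checks over a file access log.

Added example for this page; not the tooling of Mount Olympus Mortgage,
Guaranteed Rate or the Denver Post.  Log layout, sample events, thresholds
and resignation dates are constructed for illustration."""
from collections import Counter, defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev


def build_log():
    """Constructed sample log as (day, user, action, path) tuples: two loan
    officers averaging a handful of files a day for ten days, then one of
    them pulls 60 in a single day, and a third user who has already resigned
    uploads 15 files the day after giving notice."""
    start = date(2017, 5, 1)
    events = []
    for d in range(10):
        day = start + timedelta(days=d)
        for user, n in {"anderson": 6, "lee": 5}.items():
            events += [(day, user, "download", f"/loans/{user}/{d}-{i}.pdf") for i in range(n)]
    spike_day = start + timedelta(days=10)              # 2017-05-11
    events += [(spike_day, "anderson", "download", f"/loans/bulk/{i}.pdf") for i in range(60)]
    after_notice = start + timedelta(days=9)            # 2017-05-10
    events += [(after_notice, "brennan", "upload", f"/dropbox/{i}.docx") for i in range(15)]
    return events


# user -> resignation date, as HR would supply it (constructed)
LEAVERS = {"brennan": date(2017, 5, 9)}


def daily_counts(events):
    """user -> Counter{day: number of events}."""
    counts = defaultdict(Counter)
    for day, user, _action, _path in events:
        counts[user][day] += 1
    return counts


def baseline_alerts(events, z=3.0, min_events=20, min_history=3):
    """Flag a user-day whose event count exceeds mean + z*sd of that user's
    earlier days.  min_events stops a user who normally touches two files
    from alerting on six; it is also the gap a patient thief slips through."""
    alerts = []
    for user, per_day in daily_counts(events).items():
        history = []
        for day in sorted(per_day):
            n = per_day[day]
            if len(history) >= min_history:
                mu, sd = mean(history), pstdev(history)
                if n >= min_events and n > mu + z * sd:
                    alerts.append({"rule": "volume_spike", "user": user, "day": day,
                                   "count": n, "baseline_mean": round(mu, 1)})
            history.append(n)
    return alerts


def leaver_alerts(events, leavers=LEAVERS):
    """Any activity by an account on or after its owner's resignation date.
    No volume threshold: one file after resignation is already a finding."""
    return [{"rule": "post_resignation_activity", "user": user, "day": day,
             "action": action, "path": path}
            for day, user, action, path in events
            if user in leavers and day >= leavers[user]]


def run_checks(events):
    return baseline_alerts(events) + leaver_alerts(events)


if __name__ == "__main__":
    for alert in run_checks(build_log()):
        print(alert)
```

The min_events floor is where the “only tens of loans” remark bites: a spike that stays under it is invisible to the volume rule, which is why the leaver rule does not depend on volume at all. In a real deployment the resignation list comes from HR rather than a dict in the script, and the accounts on it should be disabled, not merely watched.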

Digible’s attorney argued that the Post’s oversight of business and other information was “not as strict as necessary”. I am not sure why he brought that up. Showing that the plaintiff is doing a bad job of managing its business is really not much of a defense. It might be embarrassing, but that’s about it. Offering it as a justification for stealing trade secrets (if, in fact, they did, which they deny) is not, I think, going to work.

The Business Journal’s article said that they had been discussing forming a competitor and leaving since February 2016. If that were true and the group was even remotely smart and wanted to steal trade secrets, wouldn’t they have been doing it slowly, below the radar, over the previous 15 months rather than the day after they quit? Maybe they are the ones who are not so smart.

The Post also claims that they breached their duty of loyalty and contractual confidentiality obligations. The Post says that they did sign confidentiality agreements, but it may have a challenge on its hands enforcing them if it had, as is claimed, sloppy information security practices, such as not identifying which documents were confidential or trade secret and/or not training employees on how to handle those types of documents.

Last recap –

  • Badly managing your digital assets, such as lack of policies, lack of policy enforcement and lack of employee policy training, could, possibly, weaken the Post’s case.

We should hear about the injunction request soon and if granted, we should see what the next steps are.

All of this looks like a super-sized mess. It appears that Digible did some pretty stupid things and the Post isn’t exactly acting like a model for protecting its intellectual assets.

It seems like this would make a great college textbook case study on how not to protect company proprietary information, and it could prove useful if companies look at what the Post was doing and make sure that they are not following in the Post’s footsteps.

Information for this post came from The Denver Post and The Denver Business Journal.

The Weakest Link

Nasdaq posted an article from Dow Jones on its web site that talks about the big banks’ fight against hackers and malware. While the article quotes the Association of Corporate Counsel statistic that 30% of data breaches are due to employee error, I think that number is significantly understated.

While this article is about banks, it is equally applicable to every other business.

Here are some tidbits about what the big banks are doing and you might consider:

  • J.P. Morgan Chase sends out fake phishing emails to its employees periodically. A few weeks after they were hit with a breach that compromised more than 75 million records, they sent out a test phish. 20% of their employees fell for the email. Chase is not disclosing what they are doing about it. They did announce that they will be spending about $500 million on cybersecurity this year.
  • Chase is now PROHIBITING employees from using their work emails for personal use such as registering on shopping sites or social media.  This is a big turnaround from just a few years ago when those policies were relaxed.  Of course, at most companies, if I know your name, I can figure out your email because emails are standardized.  If I work for Chase, I can’t have my email address be BigRedTruck@Chase.com .  The only time there is any question about what my email would be at most companies is if there are two people with exactly the same name.  If companies used accounts like mt473251@myco.com and kept their directories as private as possible, they would at least make phishers work a little bit.
  • Bank of America’s CEO Brian Moynihan said that their cybersecurity budget is effectively unlimited and they are increasing their focus on employees.  He said that they are hard on their employees – they even discourage out of office notices on email and voicemail so that hackers cannot easily tell if an account is not being monitored at the moment.  This is a tradeoff with customer service, but you can get around that by having a coworker check your voice mail using a temporary password and check your email by delegating authority (WITHOUT sharing your domain password) for them to see your email.
  • Wells Fargo CEO John Stumpf said that they are spending an “ocean” of money and that it is the only expense where he asks if they are spending enough. They declined to put a number to it, however.
  • As is well documented, LinkedIn is a great tool for hackers and is often one of the first sites I check when I am “checking out” a company.  Attackers get names, companies, job titles, job descriptions, software experience, etc.  Companies are trying to figure out what the balance should be between security and personal rights.  Social media (particularly Facebook) is also a great place to go to find out who is out of town, where they are going and sometimes even how long they will be gone.  This is very helpful if you want to break into their house or steal their mail.  In fact, some insurance companies have started to deny coverage based on social media posts.  MY recommendation is not to post anything until after you are back from a trip.
  • TD Bank is also sending out fake phishing emails to employees.  If they click on the link, they get a video explaining what they did wrong.  The videos get a workout!
  • Even small banks are working on improving personnel awareness. Pinnacle Financial Partners sends out phishing emails to its employees every quarter and, even though employees know this, a small percentage still click on the links.

As I said earlier, this advice applies to any business. Those that handle money, of course, should already be sensitive to this, but companies that have intellectual property (which is almost any business) should also be nervous. Intellectual property includes customer lists, contracts, proposals, technology and many other things that would be useful to a competitor or adversary. The hackers who stole 75+ million records from Chase used the data to run stock manipulation schemes and made several hundred million dollars before they got caught. Whether Chase got any of that money back is unknown, but I doubt it; it is unlikely that money is in any country friendly to the U.S. Even if they spend a few years in jail, it will be comforting to know that when they get out and go to, for example, the Caymans, they will be able to live out the rest of their lives in luxury.

Just food for thought.


The article is available on the Nasdaq web site.