How To Spot Malicious Insiders Before Data Theft

Indeed, according to a recent article in the Guardian, the legal team defending Manning plans to highlight in court how numerous warning signs about Manning's emotional and mental state were ignored. The defense plans to call multiple witnesses, including a psychologist who recommended Manning be removed from his duties, as well as a psychiatrist who "had concluded Manning was 'at risk to himself and others' and that he should be banned from carrying a useable weapon."

Similarly, one of Manning's supervisors had reported that "Manning had an angry outburst during a counseling session in which he flipped over a table and had to be restrained after he stepped towards a rack of weapons." None of these warnings, however, appeared to have been acted on, or passed up the chain of command.

Although Manning had access to a wealth of secret information, it's also emerged that none of his data access was ever logged. That gets to another recommendation from Shaw and Stock: surveillance, especially for creating a baseline of normal behavior and data-access patterns. "With surveillance, it's virtually impossible for these individuals to engage in IT theft without changing their normal behavior," said Stock. "Once we see changes in those behaviors, they can become a person of interest to us."

Another recommendation: screen employees properly before hiring them. "For example, if someone served in the military, looking at their military discharge record, called their DD214, is one of the best predictors of behavior," said Stock. "If they behaved badly in the military, they'll behave badly in the workplace."

Likewise, he said that in insider theft investigations, the culprit often turns out to be someone that had been hired in spite of obvious warning signs, as noted by hiring managers. When asked why they hired the person anyway, people at the company would respond that they were ramping up a project, and needed the person anyway.

Interestingly, not every insider who steals information has a grudge against their employer. While that was true in 67% of cases, Stock said that "26% who stole didn't have any bad feelings toward the company." In many of those cases, however, the employees displayed "Machiavellian" signs--combining ambition with job frustration, and often willing to devote considerable time and energy to taking intellectual property they've worked on to their next job.

Overall, 65% of people who stole IP already had a job lined up with a rival company, 20% were simply recruited by outsiders who wanted the data. In 25% of cases, data ended up with a foreign company or national entity.

Role-based access control based on least user privilege is one of the most effective ways to prevent the compromise of corporate data. Our new report explains why proper provisioning is a growing challenging, due to the proliferation of "big data," NoSQL databases, and cloud-based data storage. Download the report now. (Free registration required.)