Punishment for Stealing Company Information
All of the cases we have examined resulted in lawsuits, which shows that corporate data theft is not just considered a petty offence – in the US, it is punishable by law, as stipulated by the Computer Fraud and Abuse Act (CFAA). “The CFAA is the primary statutory mechanism for prosecuting cybercrime and provides for both criminal and civil penalties.” (Source: iclg.com) This means that if you are able to prove that someone committed data theft, you can press criminal charges against that person. In the US, sentences for cybercrimes are hefty:
Conclusion: How to Prevent Employee Data Theft
So, what can you as an employer or IT decision-maker do to stop potential rogue employees from packing their USB sticks and G-Drives full of your sensitive, confidential and classified data as they exit the building and your cloud?
Start with the very basics: Limit access from the get-go. Do not give anyone more privileges than necessary (least privilege principle). Automate processes wherever you can, because mistakes happen wherever people do things by hand.
Make sure to review those privileges, too, and do it repeatedly. If you are already limiting access on a need-to-know basis, then that is a 1up for you – but you have to make sure outdated permissions are also removed as soon as they are no longer needed. Otherwise, you’ll soon be dealing with a phenomenon known as privilege creep, which is when users accumulate way more privileges than they need over time. You wouldn’t believe how many interns are running around with more privileges on their hands than a CEO! And that is a huge risk to your data security.
Zero trust is a security strategy that basically assumes everyone is the enemy. While it sounds harsh – you want to trust your employees, after all – the truth is that everyone is a potential insider threat, so the mantra that applies here is better safe than sorry. As part of a zero-trust approach, employees, devices and services with access to your network are required to continuously verify their identities through active checks like MFA.
Furthermore, you must keep track of changes made to permissions and users. If you know who has access to what and since when, who granted access, and who requested it, then you are on the right track.
Make sure you can report on those changes, too. Reports go a long way for audits, and not just external ones. Any company is well advised to perform regular self-audits, too!
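The review, tracking and reporting steps above can be sketched as a small self-audit script. This is an added example, not code from any product mentioned here; the log layout, the 180-day review window and the list of active users are assumptions, and the sample log is constructed.

```python
from datetime import date

# Constructed change log: (day, action, user, resource, requested_by, granted_by).
LOG = [
    ("2023-01-10", "grant",  "intern1", "finance-share", "intern1", "mgr_a"),
    ("2023-02-01", "grant",  "intern1", "hr-records",    "intern1", None),
    ("2023-03-15", "grant",  "dev2",    "source-repo",   "dev2",    "mgr_b"),
    ("2023-04-02", "grant",  "sales3",  "crm-export",    "sales3",  "mgr_c"),
    ("2023-06-01", "revoke", "intern1", "finance-share", "mgr_a",   "mgr_a"),
    ("2023-09-20", "review", "dev2",    "source-repo",   "mgr_b",   "mgr_b"),
]

def current_grants(log):
    """Replay the log in date order; return the grants that are still live."""
    live = {}
    for day, action, user, resource, requested_by, granted_by in sorted(
            log, key=lambda e: e[0]):
        key, when = (user, resource), date.fromisoformat(day)
        if action == "grant":
            live[key] = {"since": when, "last_review": when,
                         "requested_by": requested_by, "granted_by": granted_by}
        elif action == "review" and key in live:
            live[key]["last_review"] = when   # access was re-confirmed
        elif action == "revoke":
            live.pop(key, None)               # permission removed
    return live

def audit(log, today, active_users, max_review_age_days=180):
    """Return sorted (user, resource, reason) findings for the report."""
    findings = []
    for (user, resource), g in current_grants(log).items():
        if user not in active_users:
            findings.append((user, resource, "user no longer active"))
        if not g["requested_by"] or not g["granted_by"]:
            findings.append((user, resource, "missing requester or granter"))
        if (today - g["last_review"]).days > max_review_age_days:
            findings.append((user, resource, "review overdue"))
    return sorted(findings)

if __name__ == "__main__":
    # Assumed audit date and active-user list (intern1 has left).
    for finding in audit(LOG, date(2023, 12, 1), {"dev2", "sales3"}):
        print(*finding, sep=" | ")
```

The revoked grant and the recently reviewed one produce no findings; the former intern's leftover access and the never-reviewed export permission do.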
Another measure you should not underestimate is employee training. Teach your staff how to safely access data and how to handle trade secrets. Teach them about IP – if they take intellectual property when they leave because they did not know better, then that is your fault because you did not educate them well enough. Put all of this in the contract so they really know what is right and what is wrong.
Also, train managers! They, too, require training on how to treat sensitive data. On top of that, they need to be made aware of the issues involved in employee offboarding processes and trained to detect and prevent employees from stealing data when they go.