The Forgotten VPN Connection

This is Jerry. Jerry works for the development division of a medium-sized company. Contrary to what the photo suggests, Jerry did not, of course, steal important files from the office in broad daylight. He did it secretly. Why did he do it? Because he could. He took advantage of a security hole. In this article, we are going to demonstrate how easy it can be for employees to turn into insider threats and what you can do to protect your company from all those Jerries out there.

How It All Began

While out picking mushrooms in the forest, Jerry’s grandmother, Louise, tripped over a tree root and broke her leg. Though she was well enough to go home after a while, she still needed assistance at home until the cast could come off. Jerry wanted to help out and asked his boss for permission to work from home for a couple of weeks so he could take care of his grandma.

The company’s policy did not usually allow staff to work from home, but since Jerry was such a nice guy and had been a loyal member of the team for so many years, they decided to make an exception. The IT department thus set up Jerry’s private PC with a VPN connection so he could start working from home right away.

After four weeks, Louise’s cast was ready to come off and she was back on her feet picking mushrooms in no time. Jerry returned to the office, just in time to commence work on a new, big project. Unfortunately, his supervisor, Tim, forgot to inform the IT department about Jerry’s return and that his VPN access was therefore no longer required.

Tim was not trying to put the company at risk on purpose. He just wanted to bring Jerry up to speed on the new project as quickly as possible. Also, Tim was dealing with some personal issues – he was caught up in a custody battle over his children with his ex-wife and it was a real mess. So, there was really no space in Tim’s head for Jerry’s VPN connection (which should have been revoked when Jerry returned to the office in the first place).

Data theft is rarely as obvious as in this stock photo. Adobe Stock, (c) Elnur

Such Is Life

In the weeks following Jerry’s return, he and Tim frequently found themselves in arguments over various issues. Tim was on edge because his custody battle had gotten really ugly. And Jerry had been feeling underappreciated at his job for a while now.

After attempting to negotiate a raise and failing, Jerry put out his feelers and soon received an attractive job offer from a competing company. This got the ball rolling: Jerry, who never had bad intentions, but was angry and disappointed over how things had played out, began to steal some of the work and concepts he had developed over the years. His plan was to use the data to make a good impression at the new workplace.

He debated how to go about exfiltrating the data. A USB stick was not an option due to device control. E-mailing the files also seemed risky. However, unlike Tim and the IT admins, Jerry had not forgotten about his VPN connection.

As later analysis of the log files would show, Jerry spent several weeks copying confidential data to his own computer using the VPN connection. The files included CAD drawings and calculations for unreleased products.

The financial damage to the company would have been in the millions had Jerry not accidentally blown his own cover while chatting to a new colleague. As a consequence, Jerry was fired immediately from the new job and is now facing legal charges. Employee data theft is no trivial offense.

The Moral of the Story

Stealing data is not worth it. And yet, businesses that rely solely on IT staff and managers to execute all workflows consistently and without errors will always have to deal with potential Jerries.

Had the company stood by its no-work-from-home policy or activated the DLP function in the VPN software (which should have been done regardless of the policy), the data theft could have been prevented. However, Jerry’s case illustrates just one of many possible gateways for unauthorized access. Others include:

  • Continued use of applications and privileges users accumulated while working in different departments.

  • Continued use of user accounts belonging to users who have left the company.

  • Continued use of project rights or other temporary rights that have not been revoked.

The only reliable protection against such scenarios can be achieved by applying the principle of least privilege, which states: “Users should have only those privileges they need to perform their job duties.”
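A review for the forgotten-VPN case could look like the following sketch, which is an added example and not part of the original article or of any product mentioned in it. It compares VPN session logs against a list of temporary grants and reports use that has no grant on record or that happened after the need ended. The log format, field names, users and dates are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample data: temporary rights and the date the need ended.
GRANTS = [
    {"user": "jerry", "right": "vpn", "needed_until": "2024-02-02"},
    {"user": "maria", "right": "vpn", "needed_until": "2024-12-31"},
]

# Constructed VPN gateway log in a made-up key=value format.
# bytes_out = data sent from the company network to the remote client.
VPN_LOG = """\
2024-01-15T08:02:11 user=jerry event=session_end bytes_out=41000000
2024-02-20T22:41:03 user=jerry event=session_end bytes_out=2300000000
2024-03-04T23:10:47 user=jerry event=session_end bytes_out=5100000000
2024-03-05T09:15:00 user=maria event=session_end bytes_out=88000000
2024-03-06T01:30:00 user=olduser event=session_end bytes_out=1200000
"""

def parse_line(line):
    """Split one log line into a timestamp and its key=value fields."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["time"] = datetime.fromisoformat(ts)
    fields["bytes_out"] = int(fields.get("bytes_out", 0))
    return fields

def stale_vpn_use(grants, log_text):
    """Summarize VPN sessions with no grant or after the grant's need ended."""
    expiry = {g["user"]: datetime.fromisoformat(g["needed_until"]).date()
              for g in grants if g["right"] == "vpn"}
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user = rec["user"]
        if user not in expiry:
            reason = "no grant on record"   # e.g. account of a former employee
        elif rec["time"].date() > expiry[user]:
            reason = "grant expired"        # e.g. home-office period is over
        else:
            continue                        # session inside the approved window
        entry = findings.setdefault(
            user, {"sessions": 0, "bytes_out": 0, "reason": reason})
        entry["sessions"] += 1
        entry["bytes_out"] += rec["bytes_out"]
    return findings

if __name__ == "__main__":
    for user, entry in stale_vpn_use(GRANTS, VPN_LOG).items():
        print(user, entry)
```

Run regularly, a report like this surfaces a forgotten connection within days instead of weeks, but it only detects misuse; revoking the right when the need ends is what prevents it.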

The access management software tenfold assigns all standard privileges automatically in accordance with the principle of least privilege, and revokes them again when they are no longer required.

About the Author: Nele Nikolaisen

Nele Nikolaisen is a content manager at tenfold. She is also a book lover, cineaste and passionate collector of curiosities.