
Paranormal (User) Activity: 4 Terrifying IT Stories on Insider Threats


October 30, 2018


What keeps you up at night?

Whether it’s ghost stories, creepy podcasts, or the long-awaited sequel to Halloween, this $9 billion holiday has something to keep everyone double-checking the closet before bed, hoping not to see Slender Man or a 61-year-old Michael Myers.

For IT and security professionals, spooky season can feel like a year-round experience.

Although many companies are now prioritizing security as a business-critical endeavor, it can be dizzying trying to cover the multitude of attack vectors created by data sprawl. In fact, 86% of IT professionals think (or aren’t sure if) they have confidential/sensitive data exposed.

With so many possibilities, which security challenge is keeping IT and security professionals up at night in 2018?

Insider threats — specifically, those caused by end users.

According to Veriato’s 2018 Insider Threats Report, 56% of IT professionals say that regular employees pose the biggest insider threat risk to the organization. End users are the stewards of the critical information that powers your company, which is what frightens IT. As a matter of fact, 57% of IT professionals said that the type of data they feel is most vulnerable to insider attacks is confidential business information such as financials, customer data, or employee data.

Below you’ll find four terrifying tales from implementation sessions with new customers where we uncovered both malicious and negligent employees jeopardizing confidential business information. As with all sinister stories, enjoy these from a safe distance, ready to return to the real world in an instant unharmed.

Happy Halloween!

Note: Given the sensitive nature of data security and privacy, we have removed the company names to protect our customers’ information. No other details have been changed.

1. An ex-employee undercutting a venture capital firm

Seventy-six percent of IT professionals believe former employees still have access to their organization’s data. This story proves that this belief is warranted.

Like a blood-sucking vampire leeching the life out of its victim, a partner at a venture capital firm in San Francisco poached deals from his former company for two years after he left. He was able to do this by retaining access to his old firm’s Dropbox environment, which was the source of truth for potential investments. Each time his new firm was competing for a deal, he viewed the term sheet that his former company was offering and proposed better terms.

Without knowing the issue existed, it was impossible for the VC firm to remediate it.

Fortunately, when they started using BetterCloud, they were able to uncover ex-employees like this one who retained access to several applications after leaving, and revoke their access. Moving forward, they also were able to overcome a specific obstacle faced by many Dropbox customers: retaining a user’s files before removing access and reclaiming their license. BetterCloud allows them to automatically transfer a user’s files to a vault account, suspend the user, then wait a defined duration of time before fully deleting the license.

2. A nationwide behavioral health center exposing patient information across 50 locations

Before we started working with this large rehabilitation network headquartered in Florida, their team had a DLP solution reminiscent of the monster from Frankenstein — stitched together and unexpectedly wreaking havoc. Their team is gravely concerned with HIPAA compliance, which is why they were shocked when they found that their homemade systems had not flagged serious PII issues.

Using BetterCloud, they made a disturbing discovery. For each patient who stayed at any of their locations, they found documents containing the patient’s name, several identifiers, their social security number, and their stay history with the facility. All of these patient documents were publicly shared, accessible to anyone on the web.

Equally concerning was that these patient documents were shared with personal Gmail accounts, ex-employees, and people from other departments who shouldn’t have had access.

Finally, mixed into their cauldron of violations was a document containing pictures of every company credit card, along with billing addresses. Fortunately for this customer, they escaped the situation unscathed as BetterCloud’s DLP features were able to uncover exposed company data and quickly remediate the issues across 50+ locations.

3. Third-party application installs with full domain access (built by companies with questionable security)

Movies about exorcisms are a nightmare-inducing staple at the movie theater around Halloween. Just as audiences fear what terror resides inside a host, IT professionals worry about third-party apps: dangerous applications living inside of other applications.

One company that recently came on board as a BetterCloud customer knows this fear well. The security-focused IT team at this 450-person computer gaming company was completely unaware of how pervasive hazardous third-party apps had become in their environment. Across their company we found 595 installs of third-party apps, with 143 of those installs having full domain access. These kinds of excessive permissions can be a security and privacy risk. For Google, full account access means a site or app can see and copy your information, edit or delete it, or create new information. (If this were a movie, we’d be seeing the third-party apps exorcist being brought in right about now.)

Digging through the types of companies that had full domain access made their heads turn. They learned that many of these applications were built by tiny 4- or 5-person companies overseas with no security certifications on their websites.

As we told them and other customers: If these companies get compromised, we can guarantee you won’t hear about it, which means your data is not secure.

4. A C-suite executive taking proprietary research with her to a top competitor

As we saw above, ex-employees haunting their former company by retaining access to data can be disastrous.

For one midmarket research firm in San Francisco, the damage didn’t happen from a ghost user lurking in their domain. Instead, it happened when a user acted nefariously in the days before she left to join their top competitor.

Months later when the IT team became BetterCloud customers, they learned exactly what went down: One of their Strategy executives downloaded several files to her computer and shared Dropbox files to her new work email days before she left the firm. The documents contained years of studies and proprietary research that she planned to employ at the rival company.

Without a way to be alerted when users exhibit suspicious behavior like this, companies risk the loss of intellectual property and, subsequently, market share. Preventing such actions or remediating them promptly is also essential, as stolen proprietary information can entangle companies in expensive lawsuits. BetterCloud enables IT teams to combat insider threats not only through Activity-based Alerts on suspicious user behavior but also automatic remediation.

Learn more about how BetterCloud’s own security team handles insider threats

Join us for an insider threats webinar on November 6th and 7th. BetterCloud’s VP of Security Carlos Batista and Senior Security Architect Austin Whipple will discuss why insider threats are one of the top security concerns for all organizations. In addition to offering tips and guidance on how to implement a robust insider threats program, they’ll cover best practices for keeping sensitive data safe. They’ll also share an exclusive preview of the findings from our 2018 Insider Threats Survey (stay tuned for the full research report in February). Sign up for the webinar here.

To learn more about how BetterCloud can keep your organization’s data safe, request a demo here.