Dr. Dexter Morse, global head of insurance and risk at global specialty chemical company Arxada, investigates how chemical companies can protect themselves from the effects of negligent or malicious employees.

The greatest threat to your company and network is not the hackers and crackers on the outside trying to get in but your own employees who want to cause mischief or who inadvertently cause damage from within. Insider threats affect more than 34% of businesses globally every year. 66% of companies believe that insider threats are more likely to happen. This is supported by research from Panda Security, which shows that insider threats have increased by 47% over the last two years. A determined “rogue employee” can severely harm an employer and inflict substantial damage by:

* Vandalising company property and destroying company files and documents

* Embezzling money

* Running social media campaigns to defame the company and ruin its reputation

* Manipulating, falsifying or withholding data regarding the safety and efficacy of a product, e.g. in clinical trials

* Environmental violations – bypassing environmental regulations by improperly disposing of hazardous waste, emitting pollutants beyond permitted limits, or neglecting safety protocols that could lead to environmental damage

* Disregarding safety protocols, risking accidents that could harm themselves, coworkers or nearby communities. This could include the improper handling of hazardous chemicals or failing to follow safety procedures in manufacturing facilities.

* Tampering with chemical products, changing their composition in ways that compromise their safety or effectiveness. This can pose serious risks to clients and consumers and cause reputational damage.

* Fraud, falsifying quality control data or misleading customers about the characteristics or safety of chemical products.

* Disrupting business activities by reporting suspicious packages to emergency services.

* Causing the company to incur expenses, liability, litigation or fines from regulators and authorities

* Intellectual property theft (e.g. formulas or manufacturing processes, client information, codes, etc.), with the information disclosed to competitors or used for personal gain

A rogue employee is someone who has stopped complying with company policies and behaves in an unscrupulous manner. This frequently happens when an employee faces personal or professional struggles.

There are five basic types of “rogue employees”.

1. Ambitious, resourceful and independent individuals

They stay up all night to find a way around the rules and procedures. They are intelligent, cunning, driven and motivated, which makes them especially dangerous to an organisation.

2. Disgruntled employees / revenge seekers

They hold a grudge and wish to harm the company. When they quit or are fired, they may steal proprietary information and leak it, or damage the company by contacting suppliers, shareholders, authorities, regulators etc. Exemplary employees can quickly turn into hostile, disgruntled employees due to a change in manager, being passed over for a promotion or changes to working conditions.

3. Negligent employees

These employees disobey rules and protocols. They leave their computer unlocked when they leave their desk, post login IDs and passwords on sticky notes on their computer monitor, share sensitive information in emails, leave client lists or confidential presentations on whiteboards in meeting rooms, or forget company laptops, phones or documents on public transport.

Two-thirds of insider threat incidents are caused by negligence. Negligent insiders who have their credentials stolen account for 25% of all incidents.

Unintentional rogue activities are random and difficult to plan for, and are therefore a greater risk and more common than intentional ones. Many ex-employees still have access to confidential or highly confidential data at their previous employer.

Research by Osterman found that 89% of employees who have left their jobs retained access (login and password) to at least one corporate software application from their former employer.

The apps included: file sharing tools (e.g. Dropbox and Google Drive); finance (e.g. PayPal); customer relationship management (e.g. Salesforce); and website and IT services (e.g. Google Apps, MS Office). Especially alarming was the fact that 45% of these past employees could access “confidential” or “highly confidential” data.

Almost half had accessed ex-employer accounts after leaving the company. 68% admitted storing work-related materials in their personal cloud storage services and 60% were not asked for their cloud credentials when they left the company.

4. Employees with secret political affiliations and loyalties

This is the realm of espionage, well documented in the domains of military projects and industrial/IT development. Male rogue employees are stereotypically high-flying (Kim Philby) or so-called grey mice (Rudolf Abel). Female rogue employees are stereotypically glamorous women (Mata Hari, Anna Chapman).

However, in reality anybody can be a rogue employee. This could take the form of employees with sympathies towards Palestine or Israel, animal rights, ecological issues such as climate change, and modern slavery in the supply chain.

5. Employees with mental health issues

These employees can cause harm to themselves, their colleagues and the organisation. According to research by Business in the Community and BUPA, 41% of employees say they have experienced poor mental health where work was a contributing factor. The most common cause was pressure, followed by workload, long hours and not taking enough leave. The most common diagnosis was depression or general anxiety.

Alarmingly, 30% of employees affected by poor mental health admit to telling nobody about it. Only 13% felt comfortable disclosing a mental health issue to their line manager. Those who do open up put themselves at risk of serious repercussions. Of those employees who disclosed a mental health issue, 15% were subject to disciplinary procedures, demotion or dismissal. It is estimated that one in four of us will be affected by mental health issues of some kind during our lifetime.

Let’s look at some examples of rogue employees at work and how they can impact your chemicals business:

DuPont: Striking Gold

In 2018 Jerry Jundong Xu, a former employee of chemicals firm Chemours (the largest producer of sodium cyanide, a chemical used to mine gold, silver and other precious metals), pleaded guilty to a US charge of conspiring to steal trade secrets related to its lucrative sodium cyanide business and sell them to Chinese investors.

He had worked for Chemours and its parent company, DuPont, since 2004 in the marketing of these products and was terminated in 2016. He was accused of using his position to obtain trade secrets and confidential information, including spreadsheets, reports and photographs of plant system diagrams regarding three different company projects related to cyanide sites and facilities. Prosecutors said that he had told contacts in China that he had obtained “complete” sales plans, including pricing information on the US and Mexican gold mining market. He received a one-year prison sentence.

In 2014, in another case involving DuPont, a federal jury convicted a former engineer, Robert Maegerle, of stealing secrets related to the company’s titanium dioxide production process and selling them to a firm controlled by the Chinese government. Chemours operates the titanium dioxide business today.

Dow and Cargill: An Expensive Pest

In 2011 a Chinese scientist, Huang Kexue, who admitted to stealing trade secrets on a pesticide and a new food product from two US firms and sending them to China and Germany, was sentenced to more than seven years in prison. Huang was born in China but had permanent resident status in the US. He pleaded guilty to stealing secrets from Dow AgroSciences, where he worked from 2003 to 2008, and Cargill Inc. According to court papers, Cargill estimated the value of the information stolen at $12m (£7.7m), while Dow gave no specific figure, beyond saying it amounted to millions of dollars. In his plea, Huang admitted giving the information to a Chinese university, as well as the National Natural Science Foundation of China and the 863 Program, a Chinese government initiative to develop and acquire high-level technologies.

Apotex – How Generic?

Apotex Inc., the Canadian generic-drug company, waged a long court battle against an ex-employee, Mulasim Hussain, who was fired for allegedly stealing millions of dollars’ worth of pharmaceutical trade secrets from a laboratory computer in the hope of launching a rival company in his native Pakistan.

Hussain, a veteran chemist who worked at Apotex’s research-and-development laboratory for over a decade, was fired in 2017 after the company discovered he had registered a private corporation and taken steps to construct his own generic-drug plant in Faisalabad, Pakistan.

In hundreds of pages of court documents filed in Toronto, Apotex claimed that a search of Hussain’s company email account revealed equipment invoices, factory floor designs, and a partially completed business plan that listed 21 generic medications, each one produced by Apotex. Forensic investigators hired by Apotex also uncovered evidence that Hussain had plugged at least six USB drives into lab computers, a clear violation of Apotex policy; one of his drives allegedly contained “highly confidential” information about Mefenamic acid capsules, a popular painkiller.

In one document, Hussain imitated the style of Apotex’s logo and copied its slogan, “Advancing Generics”, as part of a detailed business application submitted to Pakistani officials. Hussain denied stealing any proprietary information during his employment with Apotex.

Who are the largest threats?

Research by Observe IT found that 55% of organisations believe that privileged users, those who have the most access to a company, present the greatest risk. Companies can do their best to stop known attacks, but attacks from users who intentionally or accidentally allow malicious actors to gain access are difficult to track and hard to stop, and such attacks can happen to anyone or anywhere.

According to Insights Insider, trusted business partners were the perpetrators in 15-25% of cases across all incident types and industry sectors. Companies trust business partners with sensitive information. Those partners can still use it for personal gain, or could themselves fall victim to an insider attack. Research by data and threat protection firm Bitglass revealed that 57% of insider threat actors are contractors and consultants.

US cyber security solutions company Fortinet surveyed IT professionals and found that fraud (55%), monetary gain (49%) and IP theft (44%) were the three biggest reasons why an insider threat attack occurred. Interestingly, the most vulnerable areas of companies are the finance (41%), customer success (35%) and R&D departments (33%). Companies also need to be aware of their trusted business partners, contractors and consultants.

What is the cost?

According to Security Round Table, 85% of organisations find it difficult to determine the damage of an insider attack. Downtime, lost customers, lawsuits and regulatory fines might cause additional damage.

According to IBM, it takes an average of 197 days to identify a data breach and a further 77 to recover from one. Identifying the breach means stopping production, locating the source and mitigating it. Insider attacks that take a long time to resolve cost $6.58 million more than those that are resolved quickly.

Basically, the longer it takes, the more it costs. Incidents that take more than 90 days to resolve cost an average of $13.7 million/year, as opposed to $7.12 million for those lasting less than 30 days, according to Panda Security.

The cost of insider threat incidents varies based on the kind of incident, with incidents involving stolen credentials causing the greatest financial damage. However, costs have been steadily rising for all incidents. Overall, the average global cost increased by 31% from $8.76 million in 2018 to $11.45 million in 2020, with the largest part spent on containment, remediation, incident response and investigation. There are also large regional variations, with incidents in North America being the most costly, at nearly twice as much as those in Asia-Pacific.

What can employers do?

Negligent employees can be reminded of the risks they can pose to their organisation through regular training on business ethics, best practices and cyber security, to supplement the policies and procedures the organisation has in place.

This should be accompanied by audits to ensure compliance. In a recent survey by SC magazine, nearly 70% of employees polled said they had recently received cyber security training, but 61% of employees failed when asked to take a quiz on that topic, confirming that these are just tick-box exercises.

Some companies are using tools to monitor for insider threats, including data leak prevention software, user behaviour analytics software, and employee monitoring and surveillance, as a line of defence where permitted by local law. However, data from 2021 suggests a shortfall in security monitoring might be contributing to the prevalence of insider threat incidents. Only 28% of firms said that they used automation to detect anomalous activity and 28% only monitor access logs, while 14% do not monitor user behaviour at all and 10% only monitor it after an incident has occurred.

Tessian, a cloud email security platform, has found that most companies rely on security awareness training, following company policies and procedures, and machine learning and intelligent automation. It is advisable to establish clear written expectations relating to employee departures. Draft policies and incorporate specific terms into employment contracts about the obligations of departing employees: confidentiality, fidelity, mutual trust, return of company property (office keys, hardware, passwords, etc.) and non-solicitation of employees and customers.

Tessian found that 45% of employees download, save, send or otherwise exfiltrate work-related documents before leaving a job or after being dismissed. It is also advisable to have a clear exit strategy which reflects the employee’s role in the business, the information and systems they have access to, and whether that access has been permanently severed.

It may be appropriate to restrict or change the employee’s duties when they are leaving, e.g. allocate them more administrative tasks with limited access to information or place them on paid ‘garden leave’, especially where workplace disruption or jeopardised customer relationships could occur.

The appropriate steps to take will vary depending on each employee and the scenario. Where the employee has departed under dubious circumstances, employers should examine company computers, mobile phones and e-mail accounts to find evidence of improper conduct, and work with IT experts to secure data and prevent data theft or sabotage. They should ensure they have policies in place permitting them to monitor and examine the use of the company’s electronic equipment.

Lawsuits involving employees who have gone rogue frequently lack evidence, so employers should quickly gather evidence proving the unlawful conduct and the harm caused to the business.

Professional, supportive, collegial, fair, ethical and diverse work environments that foster camaraderie and a sense of belonging are less likely to encourage employees to want to get back at their employer. However, since there is no clear profile of a ‘rogue’ employee, it is imperative for companies to be vigilant and to utilise the tools at their disposal and, if such activity is identified, to act swiftly to contain the breach in order to keep costs and reputational damage to a minimum.