Cifas Homepage
NewsroomCareersContact Us

Company data - what insiders are really after

9 March 2022

Employees stealing from their employer is certainly not a new trend or threat, and is often characterised by the ‘minor theft’ of stationary or the odd notepad. However, insider criminals will be looking for lucrative methods of stealing from their employer, such as through the theft and sale of company data.

Few companies can be considered to be safe from the insider threat, with research indicating 95% of businesses are impacted by thefts, with almost 20 incidents being reported to the police each day in the UK. It is therefore not surprising that the latest estimates put the cost of employee theft at £190 million each year.

Sarah-Jill Lennard, an expert in cyber security and a Non-Executive Director to Cifas’ Board, said: ‘The risk of data loss, whether caused by carelessness, negligence or malicious attack continues to grow, especially with so many IT departments hastily enabling staff to work from home. Cyber breaches can be hugely expensive with research indicating the average cost to a firm being $4.24 million in 2021, a 10% increase on 2020. As well as the cost, it can lead to a serious impact on reputation and a loss of client trust, as well as, of course, the loss of IP, personal data and fraud.”

What are the motives of an inside fraudster?

There are numerous reasons why an employee may commit fraud against their employer.

The first is the financial gain by committing the fraud. As with many other forms of fraud, research finds a high proportion of perpetrators are in financial difficulty, or are living beyond their means. Organisations attending Cifas’ Organised Fraud Intelligence Group (OFIG) meetings have also discussed how other expensive habits, such as gambling or drugs, have been funded by the proceeds of internal fraud.

Secondly, disgruntled employees, or those recently dismissed, may seek to cause reputational damage. A recent example shared by an OFIG attendee included a dismissed staff member stealing customer phone numbers and then contacting them to using bad mannered language and discredit the organisation.

Finally, almost a third of employees leaving a company admit to stealing data, with more than half of these people claiming this was to help them in their new job. With half of employees eyeing up new employment during the great resignation, some staff may be looking for opportunities to support their future role. A significant proportion of workers also believe that data they either create or manage belongs to them, rather than the company, and so incorrectly believe they have the right to take this data with them.

What are the key threats and risks employers should be looking for?

Cifas’ data shows that 1 in 10 cases filed to the Internal Fraud Database are linked to the “theft of personal data” or the “theft of commercial data”. Below we have picked out several key threats and risks employers should be aware of that heighten the risk of theft of data:

  1. An ever-increasing volume of confidential data (such as client details, business processes and products) are stored electronically. These can be transferred to devices or other online platforms in just a few clicks.
    Could your organisation prevent devices being connected to ports and block access to file sharing sites online?
  2. The reduced physical supervision of employees with the switch to working from home can make it more difficult to identify key indicators of an insider.
    Could your organisation implement processes to detect suspicious activities remotely, such staff accessing multiple customer accounts in a short period of time or those accessing systems outside of business hours?
  3. Many insiders plan how they are going to steal commercial or personal data before they leave, with 70% of intellectual property theft occurring within 90 days of the employee departing. Most organisations have an employee onboarding process, but could your organisation implement an offboarding process to detect these instances?
  4. Underground forums often promote opportunities to make “quick money” by acting as an insider. Similarly, organised criminals will often look to “place” insiders in specific roles and sectors where they will have access to sensitive data.
    Could your organisation monitor brand mentions on both the dark web and surface web to detect early indicators of insider recruitment?

Insiders as a service?

Unfortunately this is a threat to organisations, as our intelligence continues to highlight the growing prominence of fraud-as-a-service (FaaS). Internal fraud is no different, as there are clear opportunities for insiders to collaborate, share tactics, expose company vulnerabilities and recruit other insiders.

Employees with extensive permissions are in an attractive position to steal data and impersonate customers, take over accounts and socially engineer victims to facilitate other frauds and scams.

Threat actors perpetrating these crimes are often diligent in their research. Our intelligence suggests LinkedIn is increasingly being referenced on messaging platforms, such as Telegram, as a tool to target insiders or advertise access to “their insider” for a fee.

How can my organisation protect against the insider threat?

In addition to the tips given above, here are a range of other controls your organisation may consider to detect data theft:

  • Machine learning and analytics can be used to spot suspicious activity, such as data transfers, accessing files outside of business hours, or attempts to rename files with something innocuous;
  • Data access policies should be integrated into onboarding, security awareness and offboarding processes. Limits to data access should also be set so staff can only access data that is necessary for their role;
  • Training should be provided to promote the awareness of insider recruitment methods, such as contact via LinkedIn or social media;
  • Vetting processes should be used to counter the risks posed by “organised placing” of applicants to act as malicious insiders;
  • Anonymous reporting channels should be established for staff to report incidents of suspicious behaviour;
  • Offboarding processes should include returning equipment, deprovisioning access and analysis of previous activity where there are concerns.


The continued demand for data to perpetrate fraud against organisations and customers means company data will remain an attractive target. In this new era of hybrid working and data loss being commonly linked to employees, either through negligence or intentionally, companies must take active steps to share both data and intelligence with each other, such as through Cifas, to protect against the threat.

Posted by: Duncan McLellan

Duncan is a Fraud Intelligence Analyst at Cifas.


The Five Main Risks A Company Must Manage when Dealing with Gambling Related Harms

11 March 2022

Dan Trolaro, Vice President of Prevention at EPIC Risk Management, discusses the risks organisations need to manage when dealing with gambling related harms.


The influence of social media on the insider threat

7 March 2022

Cifas' Insider Threat Manager, Tracey Carpenter, explores how influences from social media can lead an employee into committing internal fraud.

Back to blog home >
Posted by: Duncan McLellan

Duncan is a Fraud Intelligence Analyst at Cifas.