Insider threat struck the world of professional sports recently when an employee of the NBA team the New York Knicks allegedly shared proprietary information with another NBA team, the Toronto Raptors. In a case of sports espionage, the Knicks are suing the Raptors for theft of assets that could give the Raptors a competitive advantage.

The lawsuit alleges that a Knicks employee was offered a role in the Raptors organization. According to the lawsuit, after the employee gave notice to the Knicks that he was leaving, he began harvesting data and shared login credentials to third-party software the Knicks used for game analysis.

This is not the first time a professional sports team has suffered proprietary data theft. In 2015, the St. Louis Cardinals were accused of accessing a database used by the Houston Astros to steal proprietary information. An employee of the Cardinals later pled guilty to the data theft. A Justice Department press release indicates that he used a variation of the credentials of a former Cardinals employee to access systems used by the Astros. My colleague Merritt Maxim has even written research about securing the “internet of sports.”

IRM Caught The Data Theft — But Only After Losing The Data

It turns out that the Knicks, like many other organizations with sensitive data to protect, had an insider risk management (IRM) program. And that program did part of its job: It detected the data theft. The only problem is that it only acted after the data was gone.

It’s never good to guess or hypothesize about a data breach and how it happened (and here I am doing it anyway). There are many variables to which the outside world may never be privy. Using the information provided in the court filings, however, we can see that the following are alleged to have occurred:

  1. A Knicks employee gave notice that they were leaving to join a competitive organization.
  2. After giving notice, that employee downloaded large quantities of sensitive data.
  3. The employee emailed much of that data to a private email address and the email of the future employer (the Raptors).
  4. The employee also emailed login credentials for third-party software to the new Raptors email address.

If all is as reported, it seems that the employee didn’t do a great deal to hide the data theft. It seems like it should have been fairly easy to detect — and stop — if the program was set up to do so.

Make IRM Part Of Your Data Security Strategy

An IRM program can act to stop this type of data theft. This requires that the IRM team work closely with data security stakeholders to identify suspicious employee behavior and use that information to block data transfers.

In this case, the IRM team may have observed the following indicators:

  1. An employee gave notice that they were going to a competitor. This should have triggered the IRM team to give that employee additional scrutiny and investigate their behavior over the past 60–90 days. Many times, employees who give notice start doing reconnaissance, gathering data, or transferring data before they give notice.
  2. The employee downloaded large amounts of sensitive data. Maybe it was part of the employee’s day-to-day job to download data and work with it. Given that they had given notice and were downloading large amounts of data, this should have alerted the IRM team that something was amiss.
  3. The employee started transferring data — lots of it — to outside email addresses. This is where the linkage between the IRM program and the data security controls comes in. At this point, the employee’s risk level should have been at the highest possible level. The data security tools should have, by policy, blocked any attempts to send data outside the organization and blocked any other data transfers. This is especially true of any data sent to a competitor’s email domain.

All organizations have insider risk. This case is an indication that competitive industries, like professional sports, will resort to extreme tactics to gain a competitive advantage. They will also go after your users to get access to their knowledge and, sometimes, their credentials.

An IRM program will detect these actions and can inform your data security strategy to stop data loss before your competitor — or nation-state actors — can get it.

Learn More About Insider Risk

My colleague Brian Wrozek and I are also presenting on insider risk and threat intelligence in our session, “Expose Risky Insiders With Threat Intelligence,” at Forrester’s upcoming Security & Risk event in November. I’ll also lead a “Learn-A-Skill” session on building an IRM function at the event.

Forrester clients can schedule an inquiry or guidance session with me to do a deeper dive on insider risk and learn how to start their own IRM program.

The Security & Risk Enterprise Leadership Award

We’re excited to announce that we’re accepting entries for the Security & Risk Enterprise Leadership Award! This is an excellent opportunity to showcase how your organization builds trust and gain recognition for your efforts. We can’t wait to see how you have transformed security, privacy, and risk management to drive trusted relationships with customers, employees, and partners to fuel your organization’s long-term success.

The deadline for submissions is Tuesday, September 12, 2023. To view complete award nomination criteria and submit an entry, visit here.