Loyalty and Cybersecurity – The Loyalty Blind Spot

A Google engineer’s conviction for stealing AI secrets using Apple Notes exposes the dangerous assumption that employee loyalty, once earned through tenure and performance, remains permanent regardless of changing financial pressures or external recruitment offers.


Last month, a Google engineer was convicted of stealing AI trade secrets from Google and selling them to a government-funded Chinese AI startup. His method was almost embarrassingly simple: he copied the material into Apple Notes on his work laptop, exported the notes as PDFs, and uploaded them to his personal Google account. Nobody caught him for almost a year. Why? Because everyone assumed he was loyal. Good performance reviews, long tenure, all the right access. Why would you watch someone like that? It turns out that while Google trusted him, he was also being paid $177,600 a year by an AI startup in Beijing. And apparently helping China build better AI infrastructure was more appealing than what Google was offering.
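The exfiltration path above (notes exported as PDFs and uploaded to a personal Google account from a managed laptop) is the kind of slow drip that a per-event rule never sees: each upload is a few hundred kilobytes, and no single one looks alarming. What follows is an added example, not code from the original post or from Google, of a rolling-window detection run over constructed proxy log lines. The log format, the corporate domain `example.com`, the list of consumer storage hosts, and the assumption that a TLS-inspecting proxy records which account a cloud-storage session is signed in to are all assumptions made for the example.

```python
"""
Rolling-window detection for document uploads to personal cloud storage.
Added example (not the post's or Google's code). Log format, tenant domain
and host list are assumptions.

Constructed log format, one event per line, space separated:
  <ISO timestamp> <user> <device> <dest_host> <method> <bytes> <filename> <signed_in_account>
"""
from collections import defaultdict
from datetime import datetime, timedelta

CORP_DOMAIN = "example.com"  # hypothetical corporate tenant

# Consumer file-sharing destinations a proxy/DLP policy would watch (assumed list).
PERSONAL_STORAGE_HOSTS = {"drive.google.com", "docs.google.com", "www.dropbox.com", "www.icloud.com"}
DOC_EXTENSIONS = (".pdf", ".docx", ".pptx", ".xlsx", ".zip")

# Constructed sample: alice drips four small PDFs to a personal Gmail-backed Drive
# over three weeks; bob uploads one large deck to the corporate tenant; carol makes
# a single upload to personal Dropbox; the final line is a non-upload fetch.
SAMPLE_LOG = """\
2025-01-06T09:14:02Z alice lt-017 drive.google.com POST 380000 design_notes_1.pdf alice.k@gmail.com
2025-01-13T18:02:11Z alice lt-017 drive.google.com POST 410000 design_notes_2.pdf alice.k@gmail.com
2025-01-20T17:45:39Z alice lt-017 drive.google.com POST 395000 design_notes_3.pdf alice.k@gmail.com
2025-01-27T19:10:05Z alice lt-017 drive.google.com POST 402000 design_notes_4.pdf alice.k@gmail.com
2025-01-14T10:00:00Z bob lt-042 drive.google.com POST 9800000 q4_board_deck.pdf bob@example.com
2025-01-15T11:30:00Z carol lt-009 www.dropbox.com PUT 5200000 vendor_contract.pdf carol77@outlook.com
2025-01-16T08:00:00Z alice lt-017 drive.google.com GET 0 - alice@example.com
"""


def parse_line(line):
    """Split one constructed log line into a dict with a timezone-aware timestamp."""
    ts, user, device, host, method, nbytes, filename, account = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "user": user, "device": device, "host": host, "method": method,
        "bytes": int(nbytes), "filename": filename, "account": account,
    }


def is_personal_upload(ev):
    """True for a document upload to a consumer storage host under a non-corporate account."""
    return (
        ev["method"] in {"POST", "PUT"}
        and ev["host"] in PERSONAL_STORAGE_HOSTS
        and ev["filename"].lower().endswith(DOC_EXTENSIONS)
        and not ev["account"].lower().endswith("@" + CORP_DOMAIN)
    )


def detect(lines, window=timedelta(days=30), min_events=3, min_bytes=1_000_000):
    """Return {user: (event_count, total_bytes)} for users whose personal-storage
    document uploads inside any rolling `window` reach both thresholds.
    The count threshold is what catches a drip of small files; the byte
    threshold is what catches one large dump."""
    per_user = defaultdict(list)
    for line in lines:
        if line.strip():
            ev = parse_line(line)
            if is_personal_upload(ev):
                per_user[ev["user"]].append(ev)

    alerts = {}
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until all events fit inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            total = sum(e["bytes"] for e in evs[start:end + 1])
            if count >= min_events and total >= min_bytes:
                best = alerts.get(user, (0, 0))
                if (count, total) > best:
                    alerts[user] = (count, total)
    return alerts


if __name__ == "__main__":
    for user, (count, total) in detect(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {user}: {count} document uploads to personal storage, {total} bytes in window")
```

On the constructed sample only `alice` is flagged: four uploads inside a 30-day window totalling about 1.6 MB. `bob` is not flagged because the session is signed in to the corporate tenant, and `carol` is below the event threshold with a single file. The account field is the hard part in practice; for Google Workspace the usual control is a proxy that injects the `X-GoogApps-Allowed-Domains` header so consumer Google accounts cannot be used from managed devices at all, which turns this detection into a prevention.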

Is Trust the Problem?

I spend a lot of time with credit unions, family offices and mature, well-run manufacturing firms. When we talk cybersecurity, people are focused on the external threats: ransomware, phishing, hackers trying to break in from outside. These are real threats. But I’ve never had someone say “Yeah, we’re also monitoring our employees who’ve been here 20 years to make sure their financial situation hasn’t gotten desperate” or “We keep an eye on whether anyone’s moonlighting with our competitors.” People’s situations change. That CFO who’s been with you since 2008 might be underwater on medical bills you don’t know about. Your ops manager who loves the mission might also be fielding calls from recruiters offering 40% more. Your most trusted IT person might be three years from retirement and looking at a retirement fund that won’t cover their kid’s college. Loyalty isn’t permanent. It’s a moving target based on how people feel about their current situation versus their options.

The Google engineer didn’t wake up planning to steal secrets. He got recruited. Someone saw an opportunity and worked him over time, making it feel less like theft and more like a smart career move, probably convincing him it was basically just taking his own work with him. That’s how this stuff happens in regulated industries too. Not dramatic movie-plot espionage. Just someone whose loyalty shifted because the math changed: either they need money you’re not paying them, or someone else is offering them something that looks better. A single insider incident runs between $2 million and $5 million for a medium-sized shop of 150 employees. You can have perfect MFA and amazing endpoint protection and still lose everything because someone you trusted implicitly had access to member data and a Gmail account.

Federal agencies now run continuous background checks on people with security clearances. Not every five years – continuously. Because they figured out that a lot changes between year one and year five of someone’s employment. Most credit unions do background checks at hiring and then… hope for the best. NCUA examiners ask about access controls, but between exams it’s mostly the honor system. I’m definitely not saying treat everyone, or your most tenured employees, like criminals. My point is that if someone has access to your core systems and member data, a verification process on a regular cadence is a worthwhile risk control.

Nobody wants to admit that the person who’s been with them for 15 years might be vulnerable to outside pressure. It feels disloyal to even think about it. If Google’s engineers can get flipped while working on billion-dollar AI projects, your long-time employees can get flipped too. Different stakes, same human nature. The question isn’t whether you trust your people. The question is whether you’re verifying that the conditions that made them trustworthy five years ago still exist today. Because loyalty without verification isn’t a security strategy. It’s just hope that nothing changes.

Credit to CSO Online for the inspiration for this post, combined with a decade-plus of working with business owners, where I’ve seen more than a few situations degrade because of a long-term assumption of loyalty: https://www.csoonline.com/article/4127687/the-blind-spot-every-ciso-must-see-loyalty.html