The Case That Started With a Refused Laptop
“A trusted employee. A refused laptop. 100 million dollars in intellectual property at risk.” This is how Christian Ranum Spohr from Eagle Shark opened his presentation at the CapaSystems User Group in Skanderborg — and it sets the stage for one of the most instructive insider threat cases in recent European IT security.
A terminated salesperson refused to return his work computer. Digital forensics revealed he had accessed the company’s research and development folder containing approximately 100 million US dollars in intellectual property — despite having no legitimate business reason to do so.
The investigation uncovered that the former employee had:
- Established a shell company with associates
- Channeled contracts and payments through it
- Maintained contact with a Russian business partner
- Conducted physical meetings with external parties
The case was ultimately resolved without litigation. The computer was recovered (though damaged), and the intellectual property theft was contained — limiting financial exposure to investigation costs rather than the full potential loss.
The Core Problem: Access Rights Never Restricted
The critical failure was straightforward: “The access rights had never been restricted.”
As Ranum Spohr put it: “There was someone with IT responsibility who learned something important from this case. And there is a reason not everyone should have the keys to everything.”
Why Insider Threats Go Undetected
In typical mid-market organizations, access rights accumulate over time without regular review. Employees change roles, projects end, but permissions remain. The result is an uncontrolled access landscape that insiders can exploit quietly — operating within legitimate credentials until accidental discovery or deliberate investigation.
Verizon’s 2025 Data Breach Investigations Report noted that 29% of breaches in EMEA originated from within the organization, highlighting the significance of insider risk for European IT leaders.
Least-Privilege Access as Governance
Least-privilege access is not merely a technical configuration — it is a governance responsibility. Key requirements include:
- Employees accessing only what their role requires
- Immediate access revocation during role changes or termination
- Logged access events to sensitive systems with regular review
Under NIS2 regulations, organizations must implement and document risk-based access controls with demonstrated functionality. Standing access rights that outlive their business justification are not just a security risk — they are a compliance liability.
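One way to run the regular access review described above, as an added example that is not from the original article or from CapaOne: it checks file-access events against role entitlements and termination dates. The account names, share paths, log format and the `review_access` helper are all constructed for illustration.

```python
import posixpath
from datetime import datetime

# Constructed sample data (assumptions, not from the case): role entitlements,
# HR records with termination times, and file-access events.
ENTITLEMENTS = {
    "sales": ["/shares/sales/", "/shares/common/"],
    "engineer": ["/shares/rnd/", "/shares/common/"],
}
STAFF = {
    "asmith": {"role": "sales", "terminated": datetime(2025, 3, 14, 17, 0)},
    "bjones": {"role": "engineer", "terminated": None},
}
EVENTS = """\
2025-03-10T09:12:44 asmith READ /shares/sales/pipeline.xlsx
2025-03-11T22:41:07 asmith READ /shares/rnd/designs/spec.pdf
2025-03-12T10:05:13 bjones READ /shares/rnd/designs/spec.pdf
2025-03-15T08:30:00 asmith READ /shares/common/handbook.pdf
2025-03-15T08:31:10 cdoe READ /shares/common/handbook.pdf
"""

def review_access(log_text, staff, entitlements):
    """Return (timestamp, user, path, reason) for each event needing review."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            findings.append((None, None, line, "unparsed"))  # never drop silently
            continue
        ts_raw, user, _action, raw_path = parts
        ts = datetime.fromisoformat(ts_raw)
        # Normalise so "/shares/sales/../rnd/" cannot pass the prefix check.
        path = posixpath.normpath(raw_path)
        record = staff.get(user)
        if record is None:
            findings.append((ts_raw, user, path, "unknown_account"))
            continue
        if record["terminated"] and ts > record["terminated"]:
            findings.append((ts_raw, user, path, "after_termination"))
        allowed = entitlements.get(record["role"], [])
        if not any(path.startswith(prefix) for prefix in allowed):
            findings.append((ts_raw, user, path, "outside_role"))
    return findings

if __name__ == "__main__":
    for finding in review_access(EVENTS, STAFF, ENTITLEMENTS):
        print(*finding)
```

An event can be flagged twice when a terminated account also reaches outside its role, which keeps both governance failures visible to the reviewer.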
Closing the Gap With Endpoint Visibility
The real insider threat is not necessarily the person — it is the governance gap: standing access rights that should have been removed, and blind spots in endpoint visibility that enable undetected misuse.
CapaOne Endpoint Management Platform addresses this gap by providing:
- Real-time visibility into access rights across endpoints
- Enforcement of least-privilege principles at scale
- Audit trails for security investigations
- Continuous access management rather than static permissions
- Automatic access revocation during offboarding workflows
Organizations that treat access management as a continuous process — not a one-time configuration — are far better positioned to detect and contain insider risk before it becomes a 100-million-dollar problem.