Troy Batterberry
November 19, 2024

How Steganography Can Help Prevent Internal Information Theft

Insider leaks are costly, but steganography can help protect sensitive data by embedding invisible, traceable marks in digital content. By personalizing files and images so that the source of a leak is easier to identify, EchoMark safeguards critical information assets.

Being on “the inside” often means employees have access to highly sensitive and confidential information needed to do their jobs. This can range from financial performance to product launch timelines to source code. While this makes sense at first glance, granting access to this information also poses a tremendous threat to organizations - from top-secret government agencies, to Fortune-500 companies and small businesses - if employees leak it. 

And unfortunately, this is a growing problem.

Since 2019, the number of insider incidents reported by companies rose from 66% to an astounding 76%. 

These insider leaks are costly. The average cost of activities per company to resolve insider threats over a 12-month period in 2023 was $16.2 million, with North American companies experiencing the highest total cost at $19.09 million.

Examples abound throughout history. Take the Pentagon Papers in 1971, which altered public perception about the war in Vietnam, or the Walker Spy Ring in the late 1980s, which many say shifted the balance of power with the Soviet Union. 

There are also plenty of recent examples. Jack “Airman” Teixeira sharing classified intelligence reports on Discord. An Apple employee leaking details about the iPhone 16. The list goes on.

As technology progresses, there are more ways to try to steal information, and also more ways to try to prevent that theft. One promising area, with origins in Ancient Greece, is steganography: the act of concealing information in plain sight.

The Power of Steganography

The first documented usage of steganography involved an individual who was in a battle with Greece thousands of years ago. Someone captured them, shaved their head, and tattooed a secret message on their scalp. Once the hair grew back, that person was sent to the other leader, who knew to shave the person's head and find the hidden message.

In modern times, the movie industry was the first to use steganography in an attempt to limit piracy and theft of valuable content. When you’re streaming something on Hulu or Netflix, that content is typically protected with Digital Rights Management (DRM). One facet of DRM for movie content has been to include audio and video watermarking so that each copy is slightly - albeit unnoticeably - different than anyone else’s content. So if a person tried to steal or share their copy, it could be traced directly back to them. 

Now imagine this applied to an organization’s daily operations, where terabytes of digital communications—emails, presentations, images, customer data—often contain highly sensitive information. What if every piece of content had some form of hidden differences that personalized it for each employee? 

Speaking from personal experience, the impact of personalized documentation on security is significant. As a civilian engineer for the U.S. Navy in the 1990s, I worked on the development of missile defense systems. I frequently received classified documents. Often when this happened I had to sign my name on the top of the document. This act changed that document from a commodity that everyone got into something that was my copy. That personalization causes the recipient to be a much better steward of that confidential information, and certainly think twice about sharing it with others. 

But the world has become increasingly digital since then, and there are more ways of trying to share or copy information. For example, today, when you enter an intelligence community agency such as the CIA, NSA, or DOD, you are prohibited from taking your smartphone into work. Why? Because they're rightly terrified of people taking pictures of their screens or their printouts and leaking them. While that may work in highly classified environments, imagine how infeasible it would be to implement this in any run-of-the-mill office job. Or, complicating matters further, imagine trying to enforce this with remote employees working from home.

Steganography presents a solution here, but it’s important to note that the act of hiding information from potential bad actors can also be used by bad actors themselves.

Turning the Tide on Steganography

While steganography offers measures to increase security from internal leaks, it is also used by threat actors with bad intentions. They can use it to conceal data exfiltration or to hide malicious code that will grant access to internal information technology systems.

This has given steganography a bad reputation in some circles, but the approach can be turned on its head to aid in identifying bad actors. The NSA has used it with microdot recognition to help ID someone internally leaking documents. Steganography can also solve for something known as the “analog hole”, where someone either copies and pastes information into another document before sharing, or, even trickier, where they take a picture of it on their phone and share from there. If everyone’s document were slightly different, it wouldn’t matter that it was a picture of the information.
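An added illustration of the per-recipient idea above (not EchoMark's method, and not code from this article): each copy of a constructed memo gets a different combination of interchangeable wordings, chosen by a keyed hash of the recipient id, so a pasted, retyped or photographed-and-transcribed excerpt can be matched back to one copy. The memo text, key, recipient names and the wording-variant scheme itself are assumptions made for the example.

```python
import hashlib
import hmac
import re

KEY = b"constructed-demo-key"  # assumption: secret held by the document owner
# Constructed memo. Each slot is a pair of interchangeable wordings; visible
# wording survives copy/paste, retyping, or a photo that is later transcribed.
TEMPLATE = ("The Q3 launch {0} October. {1} the pricing deck {2}. "
            "{3} is {4} 2 million dollars. {5} should {6} the vendor list {7}.")
SLOTS = [("moves to early", "shifts to early"), ("Please send", "Kindly send"),
         ("by Friday", "before Friday"), ("The total budget", "The overall budget"),
         ("about", "roughly"), ("Nobody", "No one"), ("share", "forward"),
         ("until the review ends", "before the review ends")]

def fingerprint(key, recipient, salt=0):
    """One bit per slot, derived from a keyed hash of the recipient id."""
    digest = hmac.new(key, f"{recipient}|{salt}".encode(), hashlib.sha256).digest()
    return tuple((digest[i // 8] >> (i % 8)) & 1 for i in range(len(SLOTS)))

def issue_copies(key, recipients):
    """Return ({recipient: text}, {fingerprint: recipient}), fingerprints unique."""
    copies, registry = {}, {}
    for r in recipients:
        salt = 0
        while (bits := fingerprint(key, r, salt)) in registry:
            salt += 1  # re-salt on a collision so no two copies are identical
        registry[bits] = r
        copies[r] = TEMPLATE.format(*(SLOTS[i][b] for i, b in enumerate(bits)))
    return copies, registry

def trace(leak, registry, min_slots=4):
    """Recipients whose fingerprint agrees with every slot visible in the leak."""
    text = re.sub(r"\s+", " ", leak).lower()  # ignore case and line wrapping
    seen = {}
    for i, (a, b) in enumerate(SLOTS):
        hit_a, hit_b = a.lower() in text, b.lower() in text
        if hit_a != hit_b:  # exactly one wording of this slot is present
            seen[i] = int(hit_b)
    if len(seen) < min_slots:  # too little evidence to attribute the leak
        return set()
    return {r for bits, r in registry.items()
            if all(bits[i] == v for i, v in seen.items())}

if __name__ == "__main__":
    copies, registry = issue_copies(KEY, ["alice", "bob", "carol"])
    excerpt = copies["bob"].upper()  # simulated retyped leak
    print(trace(excerpt, registry))
```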

Today, we live in a digital era where seemingly everything is personalized. It’s time to bring this individualization into the workplace so information in files and images can be kept safe and in the right hands. The costs are too high.