I’ve spent decades in security – government, military, and private industry – watching one simple truth play out: the riskiest thing you can give an employee isn’t a key to the vault… it’s a live internet connection they don’t need to do their job.
From multi-million-dollar intellectual property theft, to crippling ransomware infections, to hours of productivity lost every single day to “just checking Facebook,” uncontrolled internet access drains your business from the inside out.
In this briefing, I map out real-world cases, industry losses, and an action plan that any business can start implementing today to close the gaps. Read the full article below – and ask yourself: Would you be comfortable explaining a massive data breach to your Board of Directors tomorrow morning?
Risk Appetite & the 10-Minute Test
Your organization’s security posture is directly tied to one thing: your risk appetite. The higher your appetite, the looser your controls; the lower your appetite, the tighter your controls. Most civilian organizations – and more than a few government and military operations – underestimate their true risk appetite. They think they’re conservative until an event exposes just how much they’ve been gambling.
My litmus test is simple. I once asked a CEO: “Would you be comfortable explaining on the news, ten minutes from now, what just happened to your company and why you and your staff are not responsible? How about to the Board of Directors or the Investors?”
If the answer is “no,” you’ve just admitted your risk appetite is lower than your current security practices. This briefing maps some of the most common – and most underestimated – risks that can bring an organization to its knees in 48 hours or less.
Section 1 – Intellectual Property Theft
Risk Appetite Check: If an insider walked out today with your crown jewels – proprietary formulas, designs, or customer data – how long before you’d know? How long before your competitor would have it? Would it take 6 months of your competitor polishing what they stole before you realize it? A year? 2 years, when they hit the market with your well-researched new product?
Action Points:
- Minimum access required to perform the role – nothing more. A Zero Access (deny-by-default) model is the most desirable implementation.
- Separate networks for high-risk functions (sensitive R&D, access to high-value assets, building power grid, etc.). Remember, sometimes theft of secrets is not needed when simply denying you access to your own data/research will do the trick.
- Continuous entry/exit monitoring for staff with privileged access.
- Consider banning all mobile and/or communications devices and smart glasses inside sensitive premises (research laboratories, engineering spaces, build bays, etc.). It is difficult to get a picture of a sensitive design if you can’t bring your phone, camera or camera glasses past the security desk.
Section 2 – Employee Productivity Drain via Unfettered Internet Access
Risk Appetite Check: If your team spent 20% of their workday on personal browsing, could your operation still meet deadlines and quality standards? (This might sound harsh, but if you answered yes, perhaps you can shed 1/5th of your staff, which is a LOT expenditure-wise, no matter your company’s size!)
Action Points:
- Minimum access required to perform the role – nothing more. Again, a Zero Access model is the most desirable implementation in this case. Individual workstations should always be restricted at the network level to the absolute minimum access required for their respective role and nothing more. High-risk environments often accomplish this with MAC-layer filters on the network itself.
- Consider no-communication or no-mobile-device rules for sensitive functions.
- Implementation of zero-trust models to segment and verify access at every step.
Note: These are examples only – effective controls should be tailored to your actual risk profile and may involve far stricter (or less restrictive) measures.
Section 3 – Dormant Malware in Critical Systems
Risk Appetite Check: If an attacker already has a silent foothold in your operational network, how quickly could they take control – and how much damage could they cause before you even knew it happened?
Action Points:
- Physical network segmentation – no crossover between operational systems and general access networks.
- VPN-only interconnects, with no open internet exit nodes, to all partner/vendor networks, backed by strict SLAs.
- Review all support contract requirements and current access allowances:
  - Does the third party have network access?
  - From where is that access coming?
  - Ensure valid SLAs that are enforceable across borders. Be careful with offshore support provided from countries that are, or could become, threat actors with geopolitical shifts.
  - Do they also service your only serious competitor?
  - Do they pay their staff and contractors enough to resist a $5,000 cash bribe from someone meeting them after work near your IT facility or the hotel they all bunk in when onsite?
- Consider implementing behavioral security models that watch for abnormal activity (e.g. an employee who has never accessed a certain part of the network, or who has had no network/data access at all for months or years, suddenly doing so: this should be flagged and reviewed by security staff).
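A minimal implementation of the behavioral check above, added here as an example and not code from the original briefing: it replays a constructed access log in time order and flags any (user, segment) access that is either the first ever or follows a long dormant period. The log format, the segment names, the 90-day threshold and the baseline cut-off date are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "timestamp user segment".
# The format and the segment names are assumptions for this example.
ACCESS_LOG = """\
2025-01-06T09:02:11 alice eng-cad
2025-01-07T09:10:45 alice eng-cad
2025-01-08T08:58:03 bob   finance
2025-02-03T10:15:00 alice eng-cad
2025-06-12T22:41:37 bob   eng-cad
2025-07-02T09:03:14 alice eng-cad
2025-08-19T03:12:55 alice ma-fileshare
2025-08-20T09:00:00 bob   finance
"""

DORMANT_DAYS = 90                      # assumed threshold; tune to your baseline
BASELINE_UNTIL = datetime(2025, 3, 1)  # events up to here only build the baseline


def parse_log(text):
    """Parse the constructed log into (timestamp, user, segment) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, segment = line.split()
        events.append((datetime.fromisoformat(ts), user, segment))
    return sorted(events)              # replay strictly in time order


def find_anomalies(events, dormant_days=DORMANT_DAYS, baseline_until=None):
    """Return (timestamp, user, segment, reason) for each suspicious access.

    The baseline is built incrementally from the stream itself.  An event
    is flagged when the (user, segment) pair has never been seen, or when
    its previous access is older than dormant_days.  Events at or before
    baseline_until only populate the baseline, so a cold start does not
    flag every historical first access.  Every event updates the baseline.
    """
    last_seen = {}                     # (user, segment) -> last access time
    gap = timedelta(days=dormant_days)
    alerts = []
    for ts, user, segment in events:
        key = (user, segment)
        prev = last_seen.get(key)
        last_seen[key] = ts
        if baseline_until is not None and ts <= baseline_until:
            continue
        if prev is None:
            alerts.append((ts, user, segment, "first access"))
        elif ts - prev > gap:
            alerts.append((ts, user, segment, f"dormant {(ts - prev).days}d"))
    return alerts


def review_queue():
    """Alerts for the constructed log, as security staff would review them."""
    return find_anomalies(parse_log(ACCESS_LOG), baseline_until=BASELINE_UNTIL)


if __name__ == "__main__":
    for ts, user, segment, reason in review_queue():
        print(f"{ts.isoformat()} {user:<6} {segment:<13} {reason}")
```

On the sample log this flags bob’s first touch of the engineering segment, alice’s first touch of the M&A share, and two accesses that resume after more than 90 days of silence.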
Remember: a network tap the size of a coffee cup – hidden in the ceiling above your merger & acquisitions office or under the floor near your CFO – is all it takes to compromise the most sensitive discussions you have or to steal important acquisition documents from key staff or nodes.
CFO and COO network printers are often high-value targets. They are maintained by outside contractors 90% of the time; they have an internal processor capable of cracking basic encryption; they have network interfaces and can often be used to “sniff” traffic on the network; they have one or more internal hard disks to store anything they steal (think: print jobs with keywords like “acquisition” that come to the printer…); they have built-in web servers running HTTPS, which is handy when exfiltrating stolen data over encrypted channels to avoid intrusion detection systems; and they usually have email servers built in.
Think of your office printer as a potential Trojan horse. Tools for using printers maliciously have been around for over 20 years. I know: I was part of a team that researched, developed proof-of-concept code, and spoke about the weaknesses back in 2002 at DEF CON and Black Hat. The vulnerabilities continue to be present, resurfacing in various forms through at least 2024… Think about that.
The following contains verifiable, citable sources measuring productivity loss caused by private internet use in the workplace, including social media, personal email, and related online activities. All entries include the study name, date, geography, key findings, and source URL.
Nucleus Research: Facebook Costs Companies 1.5% of Total Productivity (July 2009 – United States) Employees accessing Facebook at work reduced overall productivity by 1.5%. Findings based on analysis of workplace internet activity logs across multiple U.S. organizations.
Notes: Older but methodologically sound; widely cited as a conservative baseline for social media productivity impact.
Source: https://nucleusresearch.com/news/facebook-costs-companies-1-5-percent-of-total-productivity/
Select Software Reviews: Employee Productivity Statistics (March 2025 – Likely U.S. and global aggregated survey) 73% of employees use social media at work. Average time lost is 47 minutes per employee per day due to non-work-related social media use.
Notes: Derived from aggregated research; geography not explicitly stated, likely mixed U.S./global respondents.
Source: https://www.selectsoftwarereviews.com/blog/employee-productivity-statistics
Pew Research Center: Social Media and the Workplace (June 22, 2016 – United States) 34% use social media at work to take a mental break. 24% use it to make or support professional connections. 20% use it to get work-related information.
Notes: Nationally representative survey of U.S. workers; still relevant as a behavioral baseline.
Source: https://www.pewresearch.org/internet/2016/06/22/social-media-and-the-workplace/
Microsoft Work Trend Index Special Report: Breaking Down the Infinite Workday (June 17, 2025 – Global (31 countries, Microsoft 365 telemetry & survey))
Average worker receives 117 emails/day and 153 Teams messages/day. Interruptions occur approximately every 2 minutes during core working hours.
Notes: Combines telemetry from trillions of productivity signals with a survey of 31 global markets.
Source: https://www.microsoft.com/en-us/worklab/work-trend-index/breaking-down-infinite-workday
Iqbal & Horvitz: Disruption and Recovery of Computing Tasks (CHI 2007) (April 2007 – United States) Alert-triggered task switches took ~10 minutes to handle. Full resumption of the original task took an additional 10-15 minutes; 27% of suspensions took >2 hours to resume.
Notes: Field study with 27 U.S. information workers logging task activity over two weeks.
Source: https://erichorvitz.com/CHI_2007_Iqbal_Horvitz.pdf
Recent China-Linked IP Theft Cases (2024-2025) with Loss Figures
This document summarizes recent, citable cases of intellectual property theft linked to Chinese actors from 2024-2025, focusing on cases where monetary losses or stakes are public. Figures are attributed to court rulings, filings, or official statements.
Hytera <-> Motorola (U.S. criminal & civil cases)
Jan 14, 2025 – Hytera Communications (China) pleaded guilty in U.S. District Court (N.D. Illinois) to conspiracy to steal Motorola trade secrets.
Civil award: Jury initially awarded $764.6M (Feb 2020); post-appeal figure stands at approximately $407.4M (compensatory + reduced copyright).
Criminal penalties: Court can impose up to $60M in fines and must order full restitution to Motorola (amount TBD at sentencing, scheduled Nov 2025).
Source: https://nucleusresearch.com/news/facebook-costs-companies-1-5-percent-of-total-productivity/
Huawei/HiSilicon Engineers → Zunpai (China domestic prosecution)
July 28, 2025 – Shanghai court sentenced 14 former Huawei employees for stealing chip-related trade secrets to form rival startup Zunpai. Authorities froze assets valued at approximately $13.1M; additional financial penalties imposed.
Source: https://www.shanghai.gov.cn/
AbbVie v. BeiGene (U.S. civil trade-secret suit) Sept 2024 – AbbVie filed complaint in N.D. Illinois alleging former scientist took BTK degrader trade secrets to BeiGene (China). Per complaint: AbbVie invested ‘many millions of dollars’ over ‘years’ in developing the BTK degrader program.
Source: https://www.courtlistener.com/docket/67825489/abbvie-inc-v-beigene-ltd/
Google AI (Linwei/L. Ding) (U.S. criminal case) Feb 4, 2025 – Superseding indictment charges former Google engineer with economic espionage for allegedly stealing AI trade secrets to benefit PRC entities. Loss figure not disclosed; program value could be modeled using IBM average breach cost or equivalent R&D replacement.
Source: https://www.justice.gov/opa/pr/former-google-engineer-charged-theft-trade-secrets
APT27/i-Soon Contractor Cases (U.S. criminal indictments)
Mar 5, 2025 – 12 Chinese nationals (including PRC officials) charged in DOJ indictment for a years-long hacking campaign targeting U.S. companies and government agencies. No monetary figure disclosed; DOJ characterizes losses as ‘significant’.
Source: https://www.justice.gov/opa/pr/doj-announces-indictment-against-12-chinese-nationals
Modeling Potential Financial Impact
When specific case loss figures are not public, the following model uses conservative assumptions to estimate impact. This can be applied to scenarios like Google AI or AbbVie v. BeiGene where only qualitative statements (‘millions invested’) are available.
Inputs:
- IBM Cost of a Data Breach 2025 (U.S. average): $10.22M per incident
- Industry R&D replacement costs: Pharmaceuticals – $161M+ per program (Tufts Center average for drug development)
- Average mid-size firm headcount: 500 employees
Example Calculations:
1. Insider steals proprietary AI model: $10.22M (breach cost) + $25M (model redevelopment) ≈ $35.2M total impact.
2. Pharma program exfiltrated: $10.22M (breach) + $161M (R&D replacement) ≈ $171.2M.
3. Company-wide breach due to insider cloud exfiltration: $10.22M × 3 compromised projects ≈ $30.66M.
Note: These are conservative; real losses can be significantly higher when factoring in lost market share, reputational damage, and opportunity cost.
Healthcare & Related Ransomware Cases with Confirmed/Probable Entry Vectors
This document summarizes three major ransomware incidents (Optum/Change Healthcare, NHS Dumfries & Galloway, and CDK Global), focusing on how the ransomware entered, the scale of impact, and quantifiable financial losses where available.
Optum / Change Healthcare (U.S., Feb 2024)
Entry Vector: Compromised Citrix remote access portal with no multi-factor authentication enabled; used to deploy BlackCat/ALPHV ransomware.
Impact: ~190 million medical records affected – one of the largest U.S. healthcare data breaches.
Financial Loss: $22 million ransom paid for deletion of stolen data (which was reportedly not deleted).
Source: https://www.hipaajournal.com/change-healthcare-responding-to-cyberattack/
NHS Dumfries & Galloway (UK, Feb 2024)
Entry Vector: Likely phishing attack leading to ransomware deployment by the INC Ransom group.
Impact: Personal data of over 100,000 patients and staff exposed, including medical records and test results.
Operational Disruption: Hospital services disrupted; letters sent to affected patients.
Source: https://www.thetimes.co.uk/article/tally-of-victims-reaches-100000-in-nhs-cyber-attack-xlsw975cc
CDK Global (U.S., June 2024)
Entry Vector: Believed to be phishing or spear-phishing campaign used to deploy BlackSuit ransomware.
Impact: Automotive dealer management systems across the U.S. and Canada taken offline for nearly two weeks.
Financial Loss: $25 million ransom paid; dealerships suffered an estimated $605 million in lost revenue in two weeks.
Source: https://en.wikipedia.org/wiki/CDK_Global
Source: https://www.pcgamer.com/hardware/german-phone-repair-and-insurance-firm-goes-bankrupt-after-paying-eur200-000-to-ransomware-hackers-despite-reported-revenue-of-70-million/
Anthem Breach Summary (2014-2015)
This document summarizes the key details of the Anthem breach, including the confirmed entry vector, scope of data loss, and financial impact. The case is widely regarded as one of the largest healthcare data breaches in U.S. history and serves as a clear example of how employee internet access can be exploited via phishing.
Entry Vector: The breach began with a spear-phishing email sent to an Anthem subsidiary employee. Once the email was opened, attackers harvested credentials and moved laterally through the network. They ultimately gained access to the enterprise data warehouse. A database administrator discovered unauthorized use of his credentials, which triggered the investigation.
Sources: Twingate (2024), HIPAA Journal (2020)
Scope & Impact: Approximately 78.8 million records were compromised, exposing sensitive personal information including names, birth dates, Social Security numbers, addresses, and other data.
Sources: Wikipedia, PMC (2022)
Financial Fallout: Anthem incurred nearly $260 million in direct costs, including:
- $30M in breach notification
- $112M for credit monitoring
- $2.5M in investigative support
- $115M for cybersecurity improvements
Legal settlements and penalties included:
- $115M class-action settlement (2017)
- $16M HIPAA fine (2018, largest on record at the time)
Sources: Coverlink (2021), Axios (2017), HIPAA Journal (2018)
Why This Case Matters: The Anthem breach underscores that even large, well-funded organizations can be compromised through employee-level phishing attacks. It illustrates the direct link between seemingly small lapses in internet/email security and catastrophic operational, financial, and reputational damage.
SCADA/OT Exposure Cases (2024-2025)
This document summarizes notable SCADA and operational technology (OT) exposures and compromises from 2024-2025, focusing on incidents caused or enabled by direct internet connectivity. The cases highlight how exposed industrial control systems can lead to operational disruption and, in some cases, could allow manipulation of critical processes such as chemical dosing in water treatment.
CyberAv3ngers / IRGC-linked PLC Compromise (U.S. Water Sector, late 2023-early 2024)
Entry Vector: Exploited internet-exposed Unitronics PLCs with default or no passwords on open ports.
Impact: Attackers rewrote ladder logic, defaced HMIs, disabled operator controls, and renamed devices to disrupt operations.
Risk Context: While no public evidence confirms chemical overdosing, compromised PLCs could potentially manipulate pump and dosing operations if configured for those processes.
Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a
Source: https://arxiv.org/abs/2508.02375
Censys Exposed HMI Interfaces (U.S. Water Sector, Oct 2024)
Discovery: Researchers found nearly 400 web-accessible SCADA/HMI interfaces for U.S. water facilities.
Exposure: 40 of these interfaces were fully unauthenticated and controllable via a standard web browser.
Potential Impact: Many interfaces displayed pump, valve, tank level, and chemical feed indicators, suggesting possible control over chemical dosing processes. No confirmed malicious manipulation was reported.
Remediation: Coordinated takedown and securing of exposed systems reduced exposure within weeks.
Source: https://industrialcyber.co/industrial-cyber-attacks/about-400-exposed-web-based-us-water-facility-interfaces-as-coordinated-remediation-effort-underway/
Source: https://www.securityweek.com/misconfigured-hmis-expose-us-water-systems-to-anyone-with-a-browser/
Engineered Conflicts and Logic Bombs – Same Playbook, Different Battlefield
In geopolitics, as in cybersecurity, the most damaging strikes are often pre-positioned long before they’re launched. The so-called “Pakistan/India war scares” over the years – often hyped by state media or political operatives – have shown how tensions can be cultivated, staged, and then triggered for maximum political leverage. The same principle applies in cyberwarfare through logic bombs: malicious code planted in critical systems, sitting dormant until a carefully chosen moment. In both cases, the trigger isn’t about chance – it’s about timing.
Whether it’s a border incident engineered to sway public opinion or a power grid failure designed to destabilize an economy, the strategy is identical: prepare the payload in secret, detonate when it matters most, and leave the target reeling with no time to respond.
From Erosion to Breach – and the Fix
After decades of building hardened networks and seeing them perform exactly as intended, I’ve also watched what happens when those controls are slowly dismantled. It never happens overnight. It’s a drip feed of exceptions – a department head asks to check personal email, another wants social media access for ‘marketing research,’ someone insists their team needs an open internet connection for ‘efficiency.’ Each one feels minor at the time. And over months and years, those exceptions stack into full, unfettered access.
The result? Every door you once locked is open again, and when the breach comes – it always comes – it’s bigger, faster, and far more expensive. What could have been a contained incident on a single workstation turns into a full-network outage, a ransomware note, and millions in damages. I’ve seen this cycle repeat: tight, segmented networks slowly eroded until they’re indistinguishable from the open internet, followed by bigger and bigger breaches.
In this series of cases and data, we’ve covered three major loss channels:
1. Intellectual Property theft – insiders and foreign actors walking out with crown-jewel data.
2. Productivity loss – hours lost each week to employees using company time for private internet use.
3. Malware and ransomware – breaches starting with a single click on a phishing email, costing millions.
And we’ve added a fourth: exposed SCADA and operational systems, directly reachable from the internet, where a single unauthorized action could shut down critical infrastructure or even endanger public safety.
I’ve spent enough years behind the curtain to know that the story the public hears is rarely the full story. Sometimes, for reasons bigger than one company, it has to be that way – whether for national security, market stability, or public confidence. But if you’re an owner or an executive, understand this: the less you control access, the more likely you are to end up managing optics instead of managing operations. And when that day comes, it’s already too late.
Based on what’s already been confirmed in open sources – Volt Typhoon inside U.S. critical infrastructure, Russian OT malware deployed in Ukraine – it’s naïve to think our own SCADA networks are clean. If anything, it would be surprising if some of them didn’t already have dormant code sitting in place, waiting for a political or military trigger. That’s why operational isolation isn’t optional – it’s survival. The solution isn’t complicated – it’s just uncomfortable for people used to unlimited access.
Here’s the operational internet access policy that will get you started on the way to where you need to be:
- No private email or social media from corporate systems – zero exceptions.
- HR exception only on a dedicated, isolated workstation with no connection to the core network and no USB or removable media ports.
- Corporate email heavily filtered for inbound and outbound traffic, with attachments restricted to approved MIME types only.
- External communications not directly tied to core business handled only on off-network, dedicated computers.
- Critical systems (finance, SCADA, EHR) air-gapped or VPN-isolated, with no open Internet capability – ever.
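One way to enforce the attachment rule in that policy (“approved MIME types only”), added here as an example rather than code from the original briefing: it walks a constructed inbound message, accepts only declared types on an allow-list, and then checks the payload bytes against the file signature expected for that type, because the declared Content-Type is chosen by the sender. The allow-list, the signatures and the sample message are assumptions.

```python
from email.message import EmailMessage

# Allow-listed declared types and the leading bytes a genuine file of that
# type must carry.  Assumed policy for this example; extend to your own list.
ALLOWED_TYPES = {
    "application/pdf": (b"%PDF-",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "text/plain": (),            # no signature: accept any bytes
}


def check_attachment(part):
    """Return (filename, verdict) for one MIME part of an inbound message."""
    name = part.get_filename() or "<unnamed>"
    ctype = part.get_content_type()       # sender-controlled, so verified below
    if ctype not in ALLOWED_TYPES:
        return name, f"blocked: type {ctype} not approved"
    data = part.get_payload(decode=True) or b""
    signatures = ALLOWED_TYPES[ctype]
    if signatures and not any(data.startswith(sig) for sig in signatures):
        return name, f"blocked: content does not match {ctype}"
    return name, "allowed"


def filter_message(msg):
    """Check every attachment; the message is accepted only if all pass."""
    results = [check_attachment(part) for part in msg.iter_attachments()]
    accepted = all(verdict == "allowed" for _, verdict in results)
    return accepted, results


def build_sample_message():
    """Constructed inbound mail with three attachments (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "vendor@example.invalid"
    msg["To"] = "ap@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    # Genuine PDF header: passes the allow-list and the signature check.
    msg.add_attachment(b"%PDF-1.7\n%constructed", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    # Declared as PDF but the bytes carry a Windows executable (MZ) header.
    msg.add_attachment(b"MZ\x90\x00constructed", maintype="application",
                       subtype="pdf", filename="invoice2.pdf")
    # Archive type is simply not on the allow-list.
    msg.add_attachment(b"PK\x03\x04constructed", maintype="application",
                       subtype="zip", filename="docs.zip")
    return msg


if __name__ == "__main__":
    accepted, results = filter_message(build_sample_message())
    for name, verdict in results:
        print(f"{name:<14} {verdict}")
    print("message accepted:", accepted)
```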
Call it draconian if you like – I call it survival. Is it easy to implement? Nope, no sugar-coating here: it will be difficult, policies may need to be modified, HR is going to hate me for posting this, employees will have to get used to not checking Facebook or TikTok every 10 minutes, the network shop will have to implement MAC filtering and all that is associated with managing that and its users, and your security shop, they just might be happy.
Remember, the same permissions that let a staffer check Facebook are the ones a foreign intelligence service can use to exfiltrate your intellectual property or lock down your production systems. If the internet isn’t required for the job, cut it. You’ll save time, reduce risk, and close doors that should never have been opened in the first place.