How Least-Privilege Access Control Prevents Insider Threats

A trusted employee. A refused laptop. 100 million dollars in intellectual property at risk.   

Not every security incident starts with an encrypted server or a ransom demand. 

Some begin with a termination letter. A disputed laptop. A salesperson who had access to R&D data he should never have been able to open. 

At CapaSystems User Group in Skanderborg on Wednesday 29 April, Christian Ranum Spohr from Eagle Shark presented this case — Case 2 from a session that also covered ransomware. Where Case 1 was loud, urgent, and visible, Case 2 was quiet, slow, and far harder to detect. 

That is what makes it the more instructive of the two. And it is a case that demonstrates exactly why least-privilege access control is not a technical configuration — it is a governance decision with financial consequences. 

 

When the Risk Comes From Inside the Organization 

The case began with a termination. An employee in a trusted position was let go as part of a restructuring. He refused to return his work computer. The company assumed it was a simple dispute. It was not. 

Digital forensics revealed he had accessed systems he had no business entering — specifically the company’s full research and development folder, containing intellectual property valued at an estimated 100 million US dollars. He was a salesperson. He had no legitimate reason to access R&D data. But the access rights had never been restricted. 

Christian Ranum Spohr’s team was brought in. What followed was a months-long investigation combining digital forensics, physical surveillance, and legal documentation. The team discovered the former employee had established a shell company — staffed by a childhood friend and three neighbours — through which he was channelling contracts and payments. The investigation also uncovered a Russian business partner with whom he had been in regular contact, and documented physical meetings between the two. 

The case was resolved without going to court. The union complaint filed on the employee’s behalf was dropped when the evidence was presented. The computer was eventually returned — though it had been submerged in water and was no longer functional. The intellectual property theft was contained. The financial exposure was limited to the investigation cost, which was significantly less than the potential 100 million dollar loss. 

The Detail That Made the Breach Possible 

The access rights had never been restricted. 

That single sentence carries the entire weight of this case. Not a sophisticated attack. Not a zero-day exploit. Not an external adversary who spent months mapping the infrastructure. A salesperson walked into the R&D folder because no one had ever closed the door. 

Christian Ranum Spohr was direct about it at CapaSystems User Group: there was an IT manager who learned something important from this case — not because the tools failed, but because no one had asked the right question. Why does a salesperson have access to R&D data? 

 

“There was someone with IT responsibility who learned something important from this case. And there is a reason not everyone should have the keys to everything.” 

— Christian Ranum Spohr, Eagle Shark · CapaSystems User Group, Skanderborg, April 2026

 

What This Case Reveals About Least-Privilege Access Control and Insider Threat Risk 

In most mid-market organizations, access rights accumulate over time. Employees change roles. Projects end. Permissions granted for a specific purpose remain long after the purpose disappears. The result is a sprawling access landscape that no one fully controls — and that a motivated insider can exploit for months before anyone notices. 

The insider threat does not announce itself. It does not trigger alarms at 11 PM on a Friday. It operates quietly, within the bounds of legitimate credentials, until someone either discovers it by accident or conducts a deliberate investigation. 

For IT leaders — and particularly for CIOs and CISOs responsible for governance and risk — this represents a structural problem. The question is not whether employees can be trusted. Most can. The question is whether the organization has the operational discipline to ensure that trust and access are two separate things. Verizon’s 2025 DBIR found that 29% of breaches in EMEA originated from within the organization — a figure that underscores how significant the insider risk is for Nordic and European IT leaders specifically. 

Access Rights as a Governance Responsibility 

Every employee should have access to exactly what their role requires. Nothing more. When a role changes — through promotion, transfer, or termination — access should change immediately. And every access event to sensitive systems should generate a log that someone reviews. 

This is not a technical aspiration. It is a governance requirement. Under NIS2, organizations are expected to implement and document risk-based access controls — and to demonstrate that those controls function in practice, not just in policy documents. 

The former employee in Christian Ranum Spohr’s case had standing access to data that represented the company’s core intellectual value. There was no technical barrier between a salesperson and 100 million dollars worth of R&D. That is not a failure of trust. It is a failure of governance. 

 

What IT Leaders Can Do Before the Incident Occurs 

CapaOne Endpoint Management Platform gives IT leaders the operational foundation to close this gap. Built in Denmark and hosted in the EU, CapaOne provides real-time visibility into who has access to what across the endpoint estate, enforces least-privilege principles, and maintains the audit trail that turns a security incident into a documented, defensible case. 

When access rights are continuously managed rather than set once and forgotten, the window for undetected insider misuse closes significantly. Anomalies become visible. Termination workflows trigger access revocation automatically. The salesperson’s path to the R&D folder no longer exists. 

A complete endpoint management platform — designed to work with Microsoft Intune, or entirely without it — CapaOne addresses the governance gap that insider threats exploit most: standing access rights that should have been removed, and blind spots in endpoint visibility that allow misuse to continue undetected. 

The former employee in this case walked through a door that should have been closed the day his role changed. In most organizations, that door is still open — for someone. 

That is the real insider threat. Not the person. The gap. 

 


Frequently Asked Questions

What is an insider threat?

An insider threat occurs when a current or former employee, contractor, or trusted partner misuses their access to systems, data, or intellectual property. Unlike external attacks, insider threats operate within the bounds of legitimate credentials — making them harder to detect and often more damaging to the organization.

Why do insider threats go undetected for so long?

Most organizations grant access rights based on initial role requirements but rarely review or restrict them as roles change. A salesperson who gains access to R&D data during a cross-functional project may retain that access for years. Without continuous visibility into access patterns and endpoint behaviour, there is no trigger to investigate until damage has already occurred.

What does least-privilege access mean in practice?

Least-privilege access means every employee has access only to the systems and data their current role requires — nothing more. When roles change or employment ends, access is revoked immediately. This limits the attack surface available to a malicious insider and ensures that any unauthorized access is detectable against a baseline of expected behaviour.

How does endpoint management help against insider threats?

Endpoint management platforms that enforce least-privilege, log access events, and provide real-time visibility into endpoint behaviour give IT leaders the operational tools to detect and respond to insider threats. When every access event is logged and every endpoint is visible, the window for undetected misuse closes significantly.

How often should access rights be reviewed?

Access rights should be reviewed continuously — especially during role changes, project transitions, and employee offboarding. Many insider threats occur because permissions granted years earlier were never removed or revalidated. Continuous review is not a one-time audit. It is an operational discipline.
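The three controls described above (grant only what the role requires, revoke on role change or termination, and review every access to sensitive systems against a baseline) can be expressed as a small script. The following is an added example written for this article; it is not CapaOne code and not anything Eagle Shark presented. The role-to-resource entitlement matrix, the employee records, the current grants, and the access log lines are all constructed for illustration. The script does two things: an access review that lists grants to revoke (anything outside the role's entitlement, and everything held by a terminated user), and a log check that flags access events outside the user's entitlement or after the user's termination date.

```python
"""Least-privilege checks against a role entitlement matrix.

Added example for this article, not CapaOne or Eagle Shark code. The roles,
resources, employee records and log lines are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical entitlement matrix: the resources each role legitimately needs.
ENTITLEMENTS: Dict[str, Set[str]] = {
    "sales": {"crm", "price-lists"},
    "rd-engineer": {"rd-share", "build-server"},
    "it-admin": {"crm", "price-lists", "rd-share", "build-server", "admin-console"},
}


@dataclass
class Employee:
    user: str
    role: str
    terminated_on: Optional[date] = None  # None means still employed


# Constructed sample directory: who holds which role, and who has left.
EMPLOYEES: Dict[str, Employee] = {
    "alice": Employee("alice", "sales"),
    "bob": Employee("bob", "rd-engineer"),
    "carl": Employee("carl", "sales", terminated_on=date(2025, 3, 31)),
}

# Constructed sample of the grants actually present on the file shares.
CURRENT_GRANTS: Dict[str, Set[str]] = {
    "alice": {"crm", "price-lists", "rd-share"},  # rd-share left over from an old project
    "bob": {"rd-share", "build-server"},
    "carl": {"crm", "price-lists", "rd-share"},   # account never disabled at offboarding
}


def review_grants(employees, grants):
    """Access review: return {user: grants to revoke}.

    Everything held by a terminated or unknown user is revoked; for current
    staff, anything outside their role's entitlement is revoked.
    """
    revoke: Dict[str, Set[str]] = {}
    for user, held in grants.items():
        emp = employees.get(user)
        if emp is None or emp.terminated_on is not None:
            excess = set(held)
        else:
            excess = set(held) - ENTITLEMENTS.get(emp.role, set())
        if excess:
            revoke[user] = excess
    return revoke


# Constructed access log: "<ISO timestamp> user=<name> resource=<share> action=<verb>"
SAMPLE_LOG = """\
2025-04-02T09:14:03 user=alice resource=crm action=read
2025-04-02T09:20:11 user=alice resource=rd-share action=read
2025-04-02T22:41:57 user=carl resource=rd-share action=copy
2025-04-03T08:02:30 user=bob resource=rd-share action=read
"""


def parse_log(text):
    """Parse the key=value log format above into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = dict(f.split("=", 1) for f in fields)
        event["ts"] = datetime.fromisoformat(ts)
        events.append(event)
    return events


def flag_events(events, employees):
    """Compare each access against the baseline the role defines.

    Returns (timestamp, user, resource, reason) for every event that is
    outside the user's entitlement or after the user's termination date.
    """
    findings: List[Tuple[datetime, str, str, str]] = []
    for ev in events:
        emp = employees.get(ev["user"])
        if emp is None:
            reason = "unknown user"
        elif emp.terminated_on is not None and ev["ts"].date() > emp.terminated_on:
            reason = "access after termination"
        elif ev["resource"] not in ENTITLEMENTS.get(emp.role, set()):
            reason = f"outside {emp.role} entitlement"
        else:
            continue
        findings.append((ev["ts"], ev["user"], ev["resource"], reason))
    return findings


if __name__ == "__main__":
    for user, excess in review_grants(EMPLOYEES, CURRENT_GRANTS).items():
        print(f"revoke {sorted(excess)} from {user}")
    for ts, user, resource, reason in flag_events(parse_log(SAMPLE_LOG), EMPLOYEES):
        print(f"{ts.isoformat()} {user} -> {resource}: {reason}")
```

Run as-is, the review lists the stale `rd-share` grant on the salesperson's account and all three grants on the terminated account, and the log check flags the salesperson's read of `rd-share` and the terminated user's copy from it; the engineer's read of the same share is within baseline and stays silent. The design point is that the entitlement matrix is the single source of truth for both the periodic review and the log check, so a grant that slips past one is still caught by the other.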

