Company pays staff not to leak data

In a move security teams everywhere described as “boldly honest” and lawyers called “a creative contract,” a mid-market analytics firm has started writing checks to employees in exchange for silence.

BluePond Analytics — a data shop occupying an exposed brick office above a kombucha bar — quietly launched an internal program this month that pays staff a monthly “non-leak stipend” instead of buying more monitoring or training. Sources familiar with the organisation confirm that the decision came after years of failing phishing simulations, a string of mis-configured S3 buckets, and the recognition that “humans are still the most reliable initial access vector,” a refrain highlighted, as one engineer put it, by the latest CrowdStrike announcement.

Inside BluePond, the math was simple: cancel the $2.6M/year enterprise SIEM and EDR contracts, stop paying for more awareness micro-courses, and redistribute some of that budget directly to people with terminal access. The pilot offers $1,200/month to engineers with access to production, a $5,000 one-time “NDA sweetener” for senior staff, and a $50 gift card for anyone who reports a suspicious DM and sticks to the silence rules.

The results are a gentle chaos. “We turned off the SIEM, EDR and SSO,” said a source in Product who asked to remain anonymous. “We reverted to local accounts for legacy services and disabled the federation because SAML was ‘too noisy.’ We’re getting paid, baby!” Another source in security — visibly torn between morality and mortgage payments — described packing up telemetry dashboards into a box labeled ‘for the CEO’s show-and-tell’.

“We ran 12 phishing campaigns last quarter and the click rate never dropped below 42%. Cash is the only thing that moved the needle,” said “Joey,” a security engineer, shrugging while uninstalling an endpoint agent.

“Not having a SIEM is liberating,” said an exasperated VP of Finance. “We saved $3.2M and can justify three more designer beanbags and the stipend. Audit will deal with the narrative later.”

Technical staff report a surreal workstream: kernel drivers for the EDR were gracefully retired, log forwarding to the centralized SIEM stopped at 23:59 on a Friday, and team leads were asked to maintain spreadsheets of who “opted into silence” for HR. The company also quietly disabled single-sign-on for certain contractors — a move security folk describe as “technically retrograde and terrifying” — so that the stipend program can track who truly holds credentials.

Consequences ripple. DLP rules that once flagged strange FTP exfiltration are dormant. Third-party insurers asked for clarifying language about “voluntary non-disclosure compensation” before renewing cyber policies. A bug bounty manager opened a spreadsheet titled: If paying employees not to leak works, do we still pay researchers?

The experiment’s success is ambiguous: morale is oddly high, debug times are shorter, and the vendor reps have stopped answering calls. BluePond is now recruiting a “Chief Incentive Officer” to scale the program. An internal memo circulated Friday suggested tiered payouts for privileged access — a performance review, the memo explained, might now include “silence compliance.”

In an ironic twist, the first public leak from a competitor’s internal chat was interpreted internally as a validation of the policy — “cash > ops,” according to a celebratory GIF. The security team, for once, is both offended and overpaid.