Insider threats are an ongoing menace that enterprise security teams need to handle. It’s a global problem but especially acute in the US—with 47 million Americans quitting their jobs in 2021, the threat of ex-employees taking sensitive information to competitors, selling it to criminals in exchange for cash, and leaking files to media is making data exfiltration a growing concern.
Cybersecurity firm Cyberhaven tracked about 1.4 million people globally who handle sensitive information in their organizations, over the period from January to June 30 this year, to find out when and how data exfiltration happens and who is involved.
On average, 2.5% of employees exfiltrate sensitive information in a month, but over a six-month period, nearly one in 10, or 9.4% of employees, do so, Cyberhaven noted in its report. A data exfiltration incident occurs when data is transferred outside the organization in unapproved ways.
Among employees that exfiltrated data, the top 1% most prolific “super stealers” were responsible for 7.7% of incidents, and the top 10% were responsible for 34.9% of incidents.
North America accounted for the highest number of incidents at 44%, followed by the Asia Pacific region at 27%. Europe, the Middle East, and Africa accounted for 24% of incidents while 5% of incidents were recorded in South America.
Personal cloud storage is the most common exfiltration vector
The most common exfiltration vectors are personal cloud storage (used in 27.5% of incidents), personal webmail (used in 18.7% of incidents), and corporate email to an inappropriate recipient (resulting in 14.4% of incidents).
Exfiltration via corporate email can include employees emailing sensitive data from their work account to their personal email addresses, or employees accidentally sending sensitive information to the wrong recipient, for example when their email client autocompletes the addressee and, in a rush, they send it, the report noted.
Messaging applications such as WhatsApp and Signal are used in 6.4% of incidents. They are a growing concern because their use of end-to-end encryption makes it difficult for organizations to know what’s being sent with them, the report said.
Dropbox was used in 44.8% of exfiltration incidents and Google Drive was used in 25.5% of incidents.
In 44.6% of incidents, client or customer data was exfiltrated by employees. Enterprises usually have a large amount of information about their customers and files from their customers. “One possible explanation is that employees do not understand the sensitivity of this information in the same way they do for, say, a product formula or a medical record,” Cyberhaven noted.
The second most at-risk data is source code, which accounts for 13.8% of exfiltrated data.
Most companies across verticals develop their own applications and algorithms, which they use to gain a competitive advantage. Losing their source code to a competitor can have a material impact on their businesses, the report noted.
Regulated data, including personally identifiable information, payment card information, and protected health information, collectively accounts for just 17.9% of exfiltrated data, according to Cyberhaven.
Departing employees are most likely to leak data
During the period between when an employee gives notice and their last day, Cyberhaven research showed a 37.7% increase in the number of data exfiltration incidents compared with the baseline. However, during the two-week period before the employee gave notice, an 83.1% increase in incidents was observed. Of the increase in data exfiltration before an employee voluntarily departs, 68.7% occurs before they notify the company, when they are less likely to be monitored.
During the period between when an employee gives notice to quit and their last day, incidents increase by 37.7%, the report said.
Employees who are fired are 23.1% more likely to exfiltrate data the day before they are fired and 109.3% more likely to exfiltrate data on the day they are fired, compared to the baseline. “It appears some employees find out or sense their impending dismissal and decide to collect sensitive company data for themselves, and others may be notified they’re terminated and collect data before their access is turned off,” according to the report.
Copyright © 2022 IDG Communications, Inc.