Data is Being Exfiltrated by Employees

An analysis of security breaches involving exfiltration of data by internal employees published today by CyberHaven, a provider of data protection tools, found that, on average, only 2.5% of employees exfiltrate data from their organization—but those that do tend to grab a lot.

The report found that, among employees that exfiltrate data, the top 1% of “super stealers” were responsible for 7.7% of incidents while the top 10% were responsible for 34.9%. Overall, in any given month, 71% of employees who exfiltrated data did so only once, according to the report.

CyberHaven CEO Howard Ting said at a time when economic uncertainty is resulting in more layoffs, the probability that more data is going to be illicitly exfiltrated by insiders is only going to increase.

The report found a 23% increase in data exfiltration by employees the day before they were fired and a 109.3% increase the day they were terminated. That compares to a 37% increase in data exfiltration incidents on the last day of work for employees who quit.

However, the report also noted that during the two-week period before the employee gave notice, there was an 83% increase in incidents. Of the increase in data exfiltration before an employee voluntarily departs, 69% occurred before they gave notice. Too many organizations only start monitoring employee activity once they have given notice, noted Ting.

Most data exfiltration incidents span multiple steps and, sometimes, even multiple people as data is shared and then reshared. More than half of incidents (53.8%) involved data moving two or more steps before it was exfiltrated, according to the report.

The most common exfiltration vectors are personal cloud storage (28%), personal webmail (19%), corporate email to an inappropriate recipient (14%), USB storage devices (14%) and messaging applications (7%). The most popular personal cloud storage services used to exfiltrate data are Dropbox (45%) and Google Drive (26%).

Client or customer data makes up the bulk of the data being exfiltrated (45%), followed by regulated data (18%) and source code (14%), the report finds. Customer and client data tends to not be as structured as regulatory data, so the controls and policies applied to that data are often not as robust, noted Ting. Overall, the report found 80% of exfiltrated data is some form of hard-to-identify intellectual property (IP) that tends to be loosely guarded, he added.

Most information security professionals are highly focused on external threats, but Ting said too many organizations are not paying enough attention to how internal employees either inadvertently or deliberately exfiltrate data. Organizations need to put tools in place that allow them to better track where and how data is being employed, added Ting.

It’s not clear to what degree organizations can track data usage without making employees feel like they are being overly surveilled. However, the value of data has never been greater. The penalties for losing control of that data have also never been higher. The challenge is to find a way to keep track of how trust is being abused without making everyone in the organization feel like they are working for a despotic regime.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
