Departing employees are most likely to leak sensitive information to competitors, criminals or the media in exchange for cash.

Insider threats are an ongoing menace that enterprise security teams need to handle. It’s a global problem but especially acute in the US—with 47 million Americans quitting their jobs in 2021, the threat of ex-employees taking sensitive information to competitors, selling it to criminals in exchange for cash, and leaking files to media is making data exfiltration a growing concern.

About 1.4 million people who handle sensitive information in their organization globally were tracked over the period from January to June 30 this year by cybersecurity firm Cyberhaven to find out when, how and who is involved in data exfiltration.

On average, 2.5% of employees exfiltrate sensitive information in a month, but over a six-month period, nearly one in 10, or 9.4% of employees, do so, Cyberhaven noted in its report. A data exfiltration incident occurs when data is transferred outside the organization in unapproved ways.

Among employees that exfiltrated data, the top 1% most prolific “super stealers” were responsible for 7.7% of incidents, and the top 10% were responsible for 34.9% of incidents.

North America accounted for the highest number of incidents at 44%, followed by the Asia Pacific region at 27%. Europe, the Middle East, and Africa accounted for 24% of incidents while 5% of incidents were recorded in South America.

Personal cloud storage is the most common exfiltration vector

The most common exfiltration vectors are personal cloud storage (used in 27.5% of incidents), personal webmail (used in 18.7% of incidents), and corporate email to an inappropriate recipient (resulting in 14.4% of incidents).
Exfiltration via corporate email can include employees emailing sensitive data to their personal email addresses from their work account, or employees accidentally sending sensitive information to the wrong recipient, for example when their email client autocompletes the addressee and they send it in a rush, the report noted.

Messaging applications such as WhatsApp and Signal are used in 6.4% of incidents. They are a growing concern because their use of end-to-end encryption makes it difficult for organizations to know what’s being sent with them, the report said.

Dropbox was used in 44.8% of exfiltration incidents and Google Drive was used in 25.5% of incidents.

In 44.6% of incidents, client or customer data was exfiltrated by employees. Enterprises usually have a large amount of information about their customers and files from their customers.

“One possible explanation is that employees do not understand the sensitivity of this information in the same way they do for, say, a product formula or a medical record,” Cyberhaven noted.

The second most at-risk data is source code, which accounts for 13.8% of exfiltrated data. Most companies across verticals develop their own applications and algorithms, which they use to gain a competitive advantage. Losing their source code to a competitor can have a material impact on their businesses, the report noted.

Regulated data, including personally identifiable information, payment card information, and protected health information, collectively accounts for just 17.9% of exfiltrated data, according to Cyberhaven.

Departing employees are most likely to leak data

During the period between when an employee gives notice and their last day, Cyberhaven research showed a 37.7% increase in the number of data exfiltration incidents compared with the baseline. However, during the two-week period before the employee gave notice, an 83.1% increase in incidents was observed.
Of the increase in data exfiltration before an employee voluntarily departs, 68.7% occurs before they notify the company, when they are less likely to be monitored.

During the period between when an employee gives notice to quit and their last day, incidents increase by 37.7%, the report said.

Employees who are fired are 23.1% more likely to exfiltrate data the day before they are fired and 109.3% more likely to exfiltrate data the day they are fired, compared to the baseline.

“It appears some employees find out or sense their impending dismissal and decide to collect sensitive company data for themselves, and others may be notified they’re terminated and collect data before their access is turned off,” according to the report.