60% of Insider Threats Involve Employees Planning to Leave

Researchers shows most "flight-risk" employees planning to leave an organization tend to start stealing data two to eight weeks before they go.

Kelly Sheridan, Former Senior Editor, Dark Reading

May 20, 2020

5 Min Read

More than 80% of employees planning to leave an organization bring its data with them. These "flight-risk" individuals were involved in roughly 60% of insider threats analyzed in a new study.

Researchers analyzed more than 300 confirmed incidents as part of the "2020 Securonix Insider Threat Report." They found most insider threats involve exfiltration of sensitive data (62%), though others include privilege misuse (19%), data aggregation (9.5%), and infrastructure sabotage (5.1%). Employees planning an exit start to show so-called flight-risk behavior between two weeks and two months ahead of their last day, the researchers discovered.

Most people who exfiltrate sensitive information do so over email, a pattern detected in nearly 44% of cases. The next most-popular method is uploading the information to cloud storage websites (16%), a technique growing popular as more organizations rely on cloud collaboration software such as Box and Dropbox. Employees are also known to steal corporate information using data downloads (10.7%), unauthorized removable devices (8.9%), and data snooping through SharePoint (8%).

Today's insider threats look different from those a few years ago, says Shareth Ben, director of Insider Threat and Cyber Threat Analytics with Securonix. Cloud tools have made it easier for employees to share files with non-business accounts, creating a challenge for security teams.

"The issue with these cloud collaboration tools, from a data leakage standpoint, is the IT admins and security operations teams don't have much visibility into what happens with respect to how users share the data," Ben explains. Most companies have adopted the cloud, or are in the process of adopting the cloud, because it's a business priority — but security is often left behind.

IT security operations teams, especially at large businesses, struggle to draw conclusions from insider threats due to lack of, or differences between, policies and procedures from each line of business, the report states. Tools to detect data aggregation often lag behind, mostly because businesses have trouble classifying data considered sensitive when it's spread across networks. As more companies trust their employees to do the right thing while using cloud applications, it gets tougher to figure out when someone has gone rogue.

"It's becoming more and more difficult to differentiate the abnormal from the normal," Ben explains. He offers some additional insight on how to detect suspicious employee activity.

Spotting Red Flags
There are two ways to detect flight risk, Ben says. In the first stage, companies can look for increased instances of an employee trying to access certain websites. Their browsing activity will include more time on job search websites; they may email a resume to external parties. If the employee in question is an administrator, "that's even more alarming," Ben continues. He cites instances in which someone tries to access certain administrative accounts or SharePoint sites. This kind of behavior isn't necessarily bad, he notes, but it does prompt a closer look.

In the second stage of detecting a flight risk, the people who exhibit the initial behavior start to move information considered sensitive via email, collaboration tools, or USB. The use of USB devices has continued to decline for two primary reasons: More organizations have begun to either block or restrict USB usage, and employees are growing more reliant on cloud-based tools. Ben also notes that emails to an individual account are typically more suspicious than emails to several people. It's unlikely an insider would involve a group in a data exfiltration scheme.

With respect to privileged account misuse, researchers noticed specific behaviors that could lead to an insider threat. These include circumvention of IT controls (24.3%), geolocation anomaly (18.9%), rare audit log tampering and suspicious command executed (16.2%), account sharing (13.5%), authentication anomaly (10.8%), and self-escalation of privileges (8.1%).

While Ben says the type of data exfiltrated varies by organization, most employees planning to leave a company take things they worked on. Someone who spent most of their time on a project may feel entitled to it; however, their employer may feel differently. Most people try to exfiltrate Microsoft Office files, he notes. Source code is another common type of stolen data.

Target data also varies depending on industry vertical. In pharmaceuticals and life sciences, where 28.3% of incidents took place, insiders may target valuable intellectual property. In financial services, the second-largest hotspot for insider threats at 27.7%, rogue insiders may find value in stealing personally identifiable information or banking data. The Verizon "2020 Data Breach Investigations Report" discovered 35% of attacks on financial and insurance organizations involved internal actors.

"The bigger the brand, the larger the corporation, the more they have to lose, the larger the risk exposure," Ben says. Most Fortune 500 companies have a dedicated insider threat group focused on mitigating the organization's risk. Smaller and midsize companies want to have the same but lack the budget. Other priorities, such as installing the right security tools, come first.

Related Content:


Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register

About the Author(s)

Kelly Sheridan

Former Senior Editor, Dark Reading

Kelly Sheridan was formerly a Staff Editor at Dark Reading, where she focused on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial services. Sheridan earned her BA in English at Villanova University. You can follow her on Twitter @kellymsheridan.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights