Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:40 PM
Connect Directly

60% of Insider Threats Involve Employees Planning to Leave

Researchers shows most "flight-risk" employees planning to leave an organization tend to start stealing data two to eight weeks before they go.

More than 80% of employees planning to leave an organization bring its data with them. These "flight-risk" individuals were involved in roughly 60% of insider threats analyzed in a new study.

Researchers analyzed more than 300 confirmed incidents as part of the "2020 Securonix Insider Threat Report." They found most insider threats involve exfiltration of sensitive data (62%), though others include privilege misuse (19%), data aggregation (9.5%), and infrastructure sabotage (5.1%). Employees planning an exit start to show so-called flight-risk behavior between two weeks and two months ahead of their last day, the researchers discovered.

Most people who exfiltrate sensitive information do so over email, a pattern detected in nearly 44% of cases. The next most-popular method is uploading the information to cloud storage websites (16%), a technique growing popular as more organizations rely on cloud collaboration software such as Box and Dropbox. Employees are also known to steal corporate information using data downloads (10.7%), unauthorized removable devices (8.9%), and data snooping through SharePoint (8%).

Today's insider threats look different from those a few years ago, says Shareth Ben, director of Insider Threat and Cyber Threat Analytics with Securonix. Cloud tools have made it easier for employees to share files with non-business accounts, creating a challenge for security teams.

"The issue with these cloud collaboration tools, from a data leakage standpoint, is the IT admins and security operations teams don't have much visibility into what happens with respect to how users share the data," Ben explains. Most companies have adopted the cloud, or are in the process of adopting the cloud, because it's a business priority — but security is often left behind.

IT security operations teams, especially at large businesses, struggle to draw conclusions from insider threats due to lack of, or differences between, policies and procedures from each line of business, the report states. Tools to detect data aggregation often lag behind, mostly because businesses have trouble classifying data considered sensitive when it's spread across networks. As more companies trust their employees to do the right thing while using cloud applications, it gets tougher to figure out when someone has gone rogue.

"It's becoming more and more difficult to differentiate the abnormal from the normal," Ben explains. He offers some additional insight on how to detect suspicious employee activity.

Spotting Red Flags
There are two ways to detect flight risk, Ben says. In the first stage, companies can look for increased instances of an employee trying to access certain websites. Their browsing activity will include more time on job search websites; they may email a resume to external parties. If the employee in question is an administrator, "that's even more alarming," Ben continues. He cites instances in which someone tries to access certain administrative accounts or SharePoint sites. This kind of behavior isn't necessarily bad, he notes, but it does prompt a closer look.

In the second stage of detecting a flight risk, the people who exhibit the initial behavior start to move information considered sensitive via email, collaboration tools, or USB. The use of USB devices has continued to decline for two primary reasons: More organizations have begun to either block or restrict USB usage, and employees are growing more reliant on cloud-based tools. Ben also notes that emails to an individual account are typically more suspicious than emails to several people. It's unlikely an insider would involve a group in a data exfiltration scheme.

With respect to privileged account misuse, researchers noticed specific behaviors that could lead to an insider threat. These include circumvention of IT controls (24.3%), geolocation anomaly (18.9%), rare audit log tampering and suspicious command executed (16.2%), account sharing (13.5%), authentication anomaly (10.8%), and self-escalation of privileges (8.1%).

While Ben says the type of data exfiltrated varies by organization, most employees planning to leave a company take things they worked on. Someone who spent most of their time on a project may feel entitled to it; however, their employer may feel differently. Most people try to exfiltrate Microsoft Office files, he notes. Source code is another common type of stolen data.

Target data also varies depending on industry vertical. In pharmaceuticals and life sciences, where 28.3% of incidents took place, insiders may target valuable intellectual property. In financial services, the second-largest hotspot for insider threats at 27.7%, rogue insiders may find value in stealing personally identifiable information or banking data. The Verizon "2020 Data Breach Investigations Report" discovered 35% of attacks on financial and insurance organizations involved internal actors.

"The bigger the brand, the larger the corporation, the more they have to lose, the larger the risk exposure," Ben says. Most Fortune 500 companies have a dedicated insider threat group focused on mitigating the organization's risk. Smaller and midsize companies want to have the same but lack the budget. Other priorities, such as installing the right security tools, come first.

Related Content:

Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register
Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.