Executive Summary
- Across several organizations, the exfiltration of data deemed sensitive remains the most common insider threat committed by employees and contractors, followed by privileged account abuse.
- The exfiltration of sensitive data over email continues to be the #1 egress vector, followed by web uploads to cloud storage sites.
- In about 60% of the incidents detected, the employee or contractor involved had already been identified as a flight risk.
What is a flight risk?
An employee who is about to leave the company, for any of various reasons. Such employees typically exhibit flight risk behavior patterns: browsing and email activity that indicates they are preparing to leave. This behavior matters for insider threat because over 80% of flight risk employees take data with them, anywhere from 2 weeks to 2 months before their termination date.
- Data aggregation and snooping of sensitive data are still prominent in most organizations; however, tools to detect such behavior still lag behind. This is primarily because organizations struggle to classify which data is sensitive, and because that data is widely distributed across networks and systems.
- Sharing data outside the organization through cloud collaboration tools such as Box and Dropbox has become prominent as companies shift to cloud infrastructure and applications for end users. In addition, the ease with which these tools allow documents to be shared with non-business accounts presents an elevated challenge to IT security operations teams.
- The circumvention of IT controls is prevalent across all organizations. IT security operations teams, especially ones from large enterprises, are finding it difficult to draw conclusions about such incidents mostly due to lack of, or differences between, policies and procedures for each line of business.
- Account sharing continues to be a huge problem for organizations, resulting in compliance and security hygiene issues and, in some severe cases, account compromise.
- For effective insider threat mitigation, product vendors must apply purpose-built algorithms precisely to curated use cases in order to obtain the desired outcomes.
- The work from home situation caused by the recent COVID-19 pandemic has exacerbated the problem of data leaving the enterprise perimeter, which continues to grow more porous.
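One way to operationalize the flight risk window described above, as an added example that is not part of this report: correlate a user's earliest flight risk indicator (job-site browsing or a resume sent out) with any later email or cloud-storage egress inside the 2-week-to-2-month lead time. The log events, hostnames and indicator heuristics are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user, event_type, detail)
EVENTS = [
    ("2024-03-01T09:15", "alice", "web", "careers.example-jobs.test"),
    ("2024-03-02T10:05", "alice", "email_out", "resume.pdf -> alice@personal.test"),
    ("2024-03-20T17:40", "alice", "email_out", "q1_customer_list.xlsx -> alice@personal.test"),
    ("2024-03-22T08:30", "alice", "cloud_upload", "dropbox.test: pricing_model.xlsx"),
    ("2024-03-05T11:00", "bob", "cloud_upload", "box.test: team_photo.jpg"),
    ("2024-01-02T12:00", "carol", "web", "careers.example-jobs.test"),
    ("2024-04-15T12:00", "carol", "email_out", "report.docx -> carol@personal.test"),
]

EGRESS_TYPES = {"email_out", "cloud_upload"}   # the report's top two egress vectors
WINDOW = timedelta(days=60)                    # upper end of the 2-week to 2-month lead time


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def is_flight_risk_indicator(event_type, detail):
    """Heuristic (assumed for this example): job-site browsing or sending a resume."""
    d = detail.lower()
    return (event_type == "web" and d.startswith("careers.")) or "resume" in d


def correlate(events, window=WINDOW):
    """Return {user: [egress details]} for egress events that occur after the
    user's earliest flight risk indicator and within `window` of it."""
    first_indicator = {}
    for ts, user, etype, detail in events:
        if is_flight_risk_indicator(etype, detail):
            t = parse(ts)
            if user not in first_indicator or t < first_indicator[user]:
                first_indicator[user] = t
    flagged = defaultdict(list)
    for ts, user, etype, detail in sorted(events):
        if etype not in EGRESS_TYPES or user not in first_indicator:
            continue
        if is_flight_risk_indicator(etype, detail):
            continue  # the indicator itself is not scored as data movement
        delta = parse(ts) - first_indicator[user]
        if timedelta(0) <= delta <= window:
            flagged[user].append(detail)
    return dict(flagged)


if __name__ == "__main__":
    for user, items in correlate(EVENTS).items():
        print(f"{user}: {len(items)} egress event(s) inside flight risk window")
```

Bob has egress but no indicator, and Carol's egress falls outside the window, so only Alice is surfaced for review.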