A recent report, published May 20 of this year, by Securonix, indicates that “flight risk” employees, or those employees who are on the verge of leaving their place of employment, often show a marked change in behaviour anywhere from two weeks to two months prior to committing an insider attack. This shift in behavior represents a significant challenge to any organization’s overall security and its ability to maintain business as usual.

Background

In previous Packetlabs blogs, we’ve highlighted the grim fact that, all too often, employees are an organization’s greatest threat to cybersecurity. While the idea itself may seem counterintuitive, the concept is quite simple and there are two main factors that come into play. First, and most obviously is that employees have access to information that anyone outside of the organization does not. Compound this with the fact that human beings are prone to error, and the potential for misuse of company and customer data becomes very real.

See also:

The second reason is decidedly more deliberate and is adequately demonstrated by the Securonix 2020 Insider Threat Report. According to the report, flight risk employees with privileged access to systems hold significant potential to cause damage to their organization; as well, they may have motive to steal company data and brand secrets on their way out. While the risk is very much a problem across industries, the report also goes onto highlight relevant differences in target data, more on that later.

The Report

Topping the list of insider attack vectors, perhaps unsurprisingly, is exfiltration of sensitive data which continues to be the most significant insider threat across industries. More often than not, this takes place via email transfers or web uploads to personal cloud storage services. Not far behind is privileged account abuse in which a rogue employee with malicious intent, or willful ignorance of company policy, leads to the loss of sensitive company data.

Following the careful examination of hundreds of insider incidents across various industries, it was suggested that 80% of flight risk employees will try to take sensitive company data with them.

In terms of preferred method of exfiltration, 43.75% of rogue employees forwarded sensitive data to their personal emails, 16% made use to cloud collaboration privileges and some 10% perform data aggregation through download.

Of notable mention, approaching 9% of incidents, was the use of removable storage devices, such as unauthorized USB devices used for intentional data theft. Fortunately, the abuse of such removable devices, as a means to steal sensitive company data, is on the strict decline as more and more organizations are restricting or block USBs completely, partially as a result of the COVID-19 pandemic and its repercussions.

Target Data

It is worth noting that the highest number of data theft incidents took place in the pharmaceutical, financial and IT industries. Target data varied, depending on the industry vertical. In the pharmaceutical and life sciences, where nearly 24% of incidents took place, insiders were more likely to target valuable intellectual property. In the financial industry, the runner up in terms of insider threats with nearly 28% of incidents, rogue employees were more likely to target identifiable information, or banking data. These details are in line with Verizon’s “2020 Data breach Investigations Report” which found that 35% of attacks on financial and insurance organizations involved an internal threat actor.

“Data aggregation and snooping of sensitive data is still prominent in most organizations, however tools to detect such behavior still lag behind. This is primarily due to organizations struggling to classify data that is deemed sensitive, combined with data being vastly distributed across networks and systems.”  

Detecting the Internal Threat

IT security teams, especially within large organizations often struggle to draw conclusions from insider threats due to lack of, or differences between, policies and procedures across each department, the report indicates. Additionally, many large businesses have trouble classifying data considered sensitive when it’s spread across multiple networks. As more and more organizations trust their employees to do the right thing, it gets much more difficult to determine when someone has gone rogue. That said, there are some tells an organization can look out for.

“The bigger the brand, the larger the corporation, the more they have to lose, the larger the risk exposure”  

Shareth Ben, Director of Insider Threat and Cyber Threat Analytics, Securonix  

Initially, an employee intent on leaving a company will show increased browsing activity on job search websites. There may also be evidence of resume dispersal to or from personal email accounts and potentially even to potential third parties. While this sort of behaviour is not always indicative of a flight risk, it does present a red flag that may warrant a closer look.

In the next and final stage of a flight risk, the employee may begin moving documents, or sensitive company information to personal email, the cloud or with the use of USB devices. Often, as an employee gears to leave an organization, they may feel that are entitled to anything they made contributions to and justify the data theft with themselves. Some of the more common types data thefts attempted are Microsoft Office files, as well as source code.

Summary

In the current work environment, with a major proportion of the workforce working remotely, these types of risks are more likely to happen. As our previous blog article on cybersecurity during a pandemic highlighted, employees are taking greater risks working from home and IT security teams are much less likely to detect such events, increasing the risk of data exfiltration significantly.

If you want to learn how Packetlabs can help your organization adapt to the threat of insider threats, please contact us for more information.