Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

5/20/2020
03:40 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

60% of Insider Threats Involve Employees Planning to Leave

Researchers shows most "flight-risk" employees planning to leave an organization tend to start stealing data two to eight weeks before they go.

More than 80% of employees planning to leave an organization bring its data with them. These "flight-risk" individuals were involved in roughly 60% of insider threats analyzed in a new study.

Researchers analyzed more than 300 confirmed incidents as part of the "2020 Securonix Insider Threat Report." They found most insider threats involve exfiltration of sensitive data (62%), though others include privilege misuse (19%), data aggregation (9.5%), and infrastructure sabotage (5.1%). Employees planning an exit start to show so-called flight-risk behavior between two weeks and two months ahead of their last day, the researchers discovered.

Most people who exfiltrate sensitive information do so over email, a pattern detected in nearly 44% of cases. The next most-popular method is uploading the information to cloud storage websites (16%), a technique growing popular as more organizations rely on cloud collaboration software such as Box and Dropbox. Employees are also known to steal corporate information using data downloads (10.7%), unauthorized removable devices (8.9%), and data snooping through SharePoint (8%).

Today's insider threats look different from those a few years ago, says Shareth Ben, director of Insider Threat and Cyber Threat Analytics with Securonix. Cloud tools have made it easier for employees to share files with non-business accounts, creating a challenge for security teams.

"The issue with these cloud collaboration tools, from a data leakage standpoint, is the IT admins and security operations teams don't have much visibility into what happens with respect to how users share the data," Ben explains. Most companies have adopted the cloud, or are in the process of adopting the cloud, because it's a business priority — but security is often left behind.

IT security operations teams, especially at large businesses, struggle to draw conclusions from insider threats due to lack of, or differences between, policies and procedures from each line of business, the report states. Tools to detect data aggregation often lag behind, mostly because businesses have trouble classifying data considered sensitive when it's spread across networks. As more companies trust their employees to do the right thing while using cloud applications, it gets tougher to figure out when someone has gone rogue.

"It's becoming more and more difficult to differentiate the abnormal from the normal," Ben explains. He offers some additional insight on how to detect suspicious employee activity.

Spotting Red Flags
There are two ways to detect flight risk, Ben says. In the first stage, companies can look for increased instances of an employee trying to access certain websites. Their browsing activity will include more time on job search websites; they may email a resume to external parties. If the employee in question is an administrator, "that's even more alarming," Ben continues. He cites instances in which someone tries to access certain administrative accounts or SharePoint sites. This kind of behavior isn't necessarily bad, he notes, but it does prompt a closer look.

In the second stage of detecting a flight risk, the people who exhibit the initial behavior start to move information considered sensitive via email, collaboration tools, or USB. The use of USB devices has continued to decline for two primary reasons: More organizations have begun to either block or restrict USB usage, and employees are growing more reliant on cloud-based tools. Ben also notes that emails to an individual account are typically more suspicious than emails to several people. It's unlikely an insider would involve a group in a data exfiltration scheme.

With respect to privileged account misuse, researchers noticed specific behaviors that could lead to an insider threat. These include circumvention of IT controls (24.3%), geolocation anomaly (18.9%), rare audit log tampering and suspicious command executed (16.2%), account sharing (13.5%), authentication anomaly (10.8%), and self-escalation of privileges (8.1%).

While Ben says the type of data exfiltrated varies by organization, most employees planning to leave a company take things they worked on. Someone who spent most of their time on a project may feel entitled to it; however, their employer may feel differently. Most people try to exfiltrate Microsoft Office files, he notes. Source code is another common type of stolen data.

Target data also varies depending on industry vertical. In pharmaceuticals and life sciences, where 28.3% of incidents took place, insiders may target valuable intellectual property. In financial services, the second-largest hotspot for insider threats at 27.7%, rogue insiders may find value in stealing personally identifiable information or banking data. The Verizon "2020 Data Breach Investigations Report" discovered 35% of attacks on financial and insurance organizations involved internal actors.

"The bigger the brand, the larger the corporation, the more they have to lose, the larger the risk exposure," Ben says. Most Fortune 500 companies have a dedicated insider threat group focused on mitigating the organization's risk. Smaller and midsize companies want to have the same but lack the budget. Other priorities, such as installing the right security tools, come first.

Related Content:

 
Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register
Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/3/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4177
PUBLISHED: 2020-06-03
IBM Security Guardium 11.1 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 174732.
CVE-2020-4180
PUBLISHED: 2020-06-03
IBM Security Guardium 11.1 could allow a remote authenticated attacker to execute arbitrary commands on the system. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system. IBM X-Force ID: 174735.
CVE-2020-4182
PUBLISHED: 2020-06-03
IBM Security Guardium 11.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 174738.
CVE-2020-4187
PUBLISHED: 2020-06-03
IBM Security Guardium 11.1 could disclose sensitive information on the login page that could aid in further attacks against the system. IBM X-Force ID: 174805.
CVE-2020-4190
PUBLISHED: 2020-06-03
IBM Security Guardium 10.6, 11.0, and 11.1 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 174851.