60% of Insider Threats Involve Employees Planning to Leave

Researchers shows most flight-risk employees planning to leave an organization tend to start stealing data two to eight weeks before they go.

More than 80% of employees planning to leave an organization bring its data with them. These flight-risk individuals were involved in roughly 60% of insider threats analyzed in a new study.
Researchers analyzed more than 300 confirmed incidents as part of the 2020 Securonix Insider Threat Report. They found most insider threats involve exfiltration of sensitive data (62%), though others include privilege misuse (19%), data aggregation (9.5%), and infrastructure sabotage (5.1%). Employees planning an exit start to show so-called flight-risk behavior between two weeks and two months ahead of their last day, the researchers discovered.
Most people who exfiltrate sensitive information do so over email, a pattern detected in nearly 44% of cases. The next most-popular method is uploading the information to cloud storage websites (16%), a technique growing popular as more organizations rely on cloud collaboration software such as Box and Dropbox. Employees are also known to steal corporate information using data downloads (10.7%), unauthorized removable devices (8.9%), and data snooping through SharePoint (8%).
Todays insider threats look different from those a few years ago, says Shareth Ben, director of Insider Threat and Cyber Threat Analytics with Securonix. Cloud tools have made it easier for employees to share files with non-business accounts, creating a challenge for security teams.
The issue with these cloud collaboration tools, from a data leakage standpoint, is the IT admins and security operations teams dont have much visibility into what happens with respect to how users share the data, Ben explains. Most companies have adopted the cloud, or are in the process of adopting the cloud, because its a business priority — but security is often
left behind
.
IT security operations teams, especially at large businesses, struggle to draw conclusions from insider threats due to lack of, or differences between, policies and procedures from each line of business, the report states. Tools to detect data aggregation often lag behind, mostly because businesses have trouble classifying data considered sensitive when its spread across networks. As more companies trust their employees to do the right thing while using cloud applications, it gets tougher to figure out when someone has gone rogue.
Its becoming more and more difficult to differentiate the abnormal from the normal, Ben explains. He offers some additional insight on how to detect suspicious employee activity.
Spotting Red Flags
There are two ways to detect flight risk, Ben says. In the first stage, companies can look for increased instances of an employee trying to access certain websites. Their browsing activity will include more time on job search websites; they may email a resume to external parties. If the employee in question is an administrator, thats even more alarming, Ben continues. He cites instances in which someone tries to access certain administrative accounts or SharePoint sites. This kind of behavior isnt necessarily bad, he notes, but it does prompt a closer look.
In the second stage of detecting a flight risk, the people who exhibit the initial behavior start to move information considered sensitive via email, collaboration tools, or USB. The use of USB devices has continued to decline for two primary reasons: More organizations have begun to either block or restrict USB usage, and employees are growing more reliant on cloud-based tools. Ben also notes that emails to an individual account are typically more suspicious than emails to several people. Its unlikely an insider would involve a group in a data exfiltration scheme.
With respect to privileged account misuse,
researchers noticed
specific behaviors that could lead to an insider threat. These include circumvention of IT controls (24.3%), geolocation anomaly (18.9%), rare audit log tampering and suspicious command executed (16.2%), account sharing (13.5%), authentication anomaly (10.8%), and self-escalation of privileges (8.1%).
While Ben says the type of data exfiltrated varies by organization, most employees planning to leave a company take things they worked on. Someone who spent most of their time on a project may feel entitled to it; however, their employer may feel differently. Most people try to exfiltrate Microsoft Office files, he notes. Source code is another common type of stolen data.
Target data also varies depending on industry vertical. In pharmaceuticals and life sciences, where 28.3% of incidents took place, insiders may target valuable intellectual property. In financial services, the second-largest hotspot for insider threats at 27.7%, rogue insiders may find value in stealing personally identifiable information or banking data. The Verizon 2020 Data Breach Investigations Report
discovered
35% of attacks on financial and insurance organizations involved internal actors.
The bigger the brand, the larger the corporation, the more they have to lose, the larger the risk exposure, Ben says. Most Fortune 500 companies have a dedicated insider threat group focused on mitigating the organizations risk. Smaller and midsize companies want to have the same but lack the budget. Other priorities, such as installing the right security tools, come first.
Related Content:
Long-Term Remote Work: Keeping Workers Productive & Secure
7 Security Pros: What My Nontraditional Background Brings to the Job
How Enterprises Are Developing and Maintaining Secure Applications
As DevOps Accelerates, Securitys Role Changes

Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that really bad day in cybersecurity. Click for
more information and to register
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
60% of Insider Threats Involve Employees Planning to Leave