Insider Data Exfiltration - Threats and New Challenges

Data exfiltration, also known as data theft, extrusion, leakage, exfil or exportation, is the unauthorized transfer of an organization’s proprietary information and data. Data exfiltration and breaches can originate from both external attackers and internal parties (insiders) within an organization. 

Recently, data exfiltration and theft by insiders have increased substantially, becoming a major concern for CISOs and their organizations. Today, insiders have become more sophisticated with greater knowledge and these risks are compounded when insiders own high-level credential access to their organization’s data and technology. 

Types of Insider Data Exfiltration 

Insider data exfiltration is the unauthorized access or theft of sensitive data by an insider within the organization, such as an employee or key trusted partner. There are three main categories of insider data exfiltration or theft. These include: 

• Unintentional - Accidental leakage of sensitive data by employee mistakes, targeted external social engineering attacks or unintended access to certain files. 
• Casual - Insiders violate data policies, but their intent isn’t to cause major harm. It’s more on the order of a stolen paperclip—likely wrong, but with little overall impact on the business.   
• Criminal - Targeted data policy and legal violations that cause significant security risk to the organization. Those caught will likely be fired from their job and charged with criminal offenses.  

Read: Understand the Differences Between Spear-Phishing and Phishing   

Insider Threat Risks and Vulnerabilities   

Recent world events produced a whole new set of risks and insider data exfiltration vulnerabilities for organizations. Significant changes include the shift to remote work and the great resignation. Insider data theft has increased in organizations especially as the reliance on remote work practices and technology changed the way employees interact with their organizations’ data and assets. 

With 1 in 4 U.S. employees working primarily from home and many more resigning to take jobs with higher pay or more flexible benefits, insider data theft has become easier to commit. An extremely high labor turnover, advanced information access methods and high stakes data makes insider data theft lucrative for profit or competitive advantage, whether it's by a current employee or a disgruntled ex-employee. 

Insider data exfiltration targets sensitive business information, passwords, server access credentials, financial info, or customer and employee personal information. Methods for data exfiltration have multiplied, with outbound email, insecure device downloads, database leaks, unprotected file servers and shares, cloud storage uploads, and unsecured cloud activity making up just a few of the ways in which insiders steal data.  

Insider Data Exfiltration - New Challenges 

As insider threats and data exfiltration become more aggressive and advanced, security teams find it increasingly difficult to prevent data loss before damage is done to the organization. Insider data exfiltration incidents are becoming common, bringing new challenges for organizations to address, including: 

• Too much focus on outsider threats and little focus internally allowing insiders to act undetected in the workplace. 
• Insiders have the knowledge and techniques to circumvent most safeguards in place, so high-level security measures are required. 
• Not enough internal digital forensics and incident response (DFIR) technology in place. 
• Lack of sufficient training for employees or IT groups. 
• Lack of employee buy-in required to monitor for threats. 

There are two types of insider data exfiltration: malicious and non-malicious. Non-malicious exfiltration is when data loss is caused by a sophisticated scam, employee error or lack of training. While non-malicious exfiltration events can cause harm, they are done so by accident, and it's easier to manage the impacts when employees can help trace what happened. 

Malicious data exfiltration is far more common. Whether insiders want to sell sensitive data, assist hackers with ransomware attacks or inform competitors through industrial espionage—all for profit—their actions are much more damaging to the organization. 

Prevent Insider Data Exfiltration   

User and data activity monitoring is an essential measure to prevent insider threats and mitigate the risks of damaging data exfiltration. Use these guidelines to protect your organization from serious harm caused by insider data exfiltration or theft. 

1. Classify data security as public, internal, confidential and restricted  
2. Keep personal information like addresses and credit card data restricted or not retained 
3. Set up privileged access management for high-risk admin accounts 
4. Encrypt sensitive data both on individual files and storage servers 
5. Revoke data access immediately for departing or former employees 
6. Monitor unusual or malicious network traffic activity  
7. Monitor data-related actions by employees and departments 
8. Establish strong bring-your-own-device policies 
9. Install a mobile device manager 

Insider Data Exfiltration Best Practices 

Insider data exfiltration is one of the most critical threats to organizational data security. Follow these best practices when developing an insider data theft prevention program. 

• Understand the difference between non-malicious and malicious insider data exfiltration techniques (to build effective strategies). While a lack of training, sophisticated scams or employee error may lead to unintended data theft, more commonly, insider data exfiltration is an intentional act by employees with high-level credentials and conflicts with the organization. 
• Communicate with your security team about the potential risks and causes of malicious insider data exfiltration attacks, such as industrial espionage by competitors, hacker recruitment for ransomware attacks or selling data for profit. 
• Implement data activity monitoring to closely observe downloads, outbound emails, cloud activity and access authorization for rapid incident response and risk mitigation. 

By recognizing potential insider threats and how employees may intentionally or unintentionally exfiltrate data, you can build a strategy to better protect critical information and your organization from damaging data theft. 

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.