Some say the “Great Resignation” is upon us. According to the Microsoft 2021 Work Trend Index, 40 percent of people plan to change jobs this year. One consequence of all this turnover could be a surge in corporate data loss and exfiltration.
Despite high-profile examples of former employees being sued for data theft, some think nothing of taking data with them to their next employer, according to a report by research firm Aberdeen Group in Waltham, Mass.
Valuable enterprise data is passed around in support of productivity, collaboration and digital transformation, said Derek Brink, an analyst at Aberdeen. “The past three years have shown that potential data loss or exposure is more likely to succeed on endpoints like desktops and laptops than on servers, and it’s getting worse.”
The Aberdeen report found:
The cost of breaches from insiders can be up to 20 percent of annual revenue.
75 percent of organizations don’t have consistent, centralized visibility into their environments. Most lack the tools to see how much enterprise file movement occurs in the organization, and how frequently valuable files are exposed by legitimate users carrying out their day-to-day activities.
The average number of daily data exposure events is 13 per user. This is not surprising, given the widespread adoption by insiders of personal cloud-based applications, as well as employee turnover, authorized access by contractors and third parties, and an increasingly hybrid workforce.
At least 1 in 3 (33 percent) of reported data breaches involve an insider.
Digging into the Numbers
Joe Payne, CEO and president of Minneapolis-based insider risk management firm Code42, dug deeper into the issue, reviewing data loss detected by his software against Department of Labor statistics.
“Data exposure directly correlated to when people leave jobs,” he said. “We saw 61 percent more data exposure events between April and June 2021 than the previous quarter. Data exposure peaked at the same time as a massive shift in employment turnover. This is not a coincidence and needs to be taken seriously by organizations.”
Looking closer, source code exposure was three times higher during this period than in previous quarters. It accounted for 11 percent of all data exposure events detected in the second quarter of 2021, an 83 percent increase compared to the previous two quarters.
Payne gave the example of a Code42 customer who spotted source code valued at $5 million being taken by a software developer who was in the process of resigning. In this case, the IP theft was prevented by noticing the movement of data in the person’s last days. It’s much easier to take mitigation steps prior to someone’s departure than after an employee has left the organization.
The number of data breaches attributable to insiders is in dispute. Aberdeen says one-third, Payne says two-thirds, and others trot out different numbers. Regardless, everyone can agree that the number is certainly well above 10 percent. Yet 90 percent or more of security budgets are focused on mitigating external attacks. Thus it isn’t always difficult for quitting employees or contractors to sneak out some data or some valuable IP. Chances are, no one is watching.
USB drives and other small devices can be used to exfiltrate large volumes of data. Their portability makes it relatively easy to remove IP, databases or marketing information.
“There are countless ways for employees and contractors to copy product specs and plans onto a removable USB drive, drop some customer pricing details into a personal Dropbox or Google Drive, or leave source code in a personal GitHub repository,” Payne said. “Companies need training and technology to tackle the ‘Great Data Exfiltration’ head-on before any more data walks out the door.”
He advocates better visibility into file movement and insider risk. Companies need an automated way to detect when data lands someplace unexpected, or in an untrusted destination (like a personal shared drive), and then those events need to be flagged for further scrutiny.
Code42’s Incydr SaaS product allows security teams to mitigate file exposure and exfiltration risks without disrupting legitimate work and collaboration. It monitors file activity and provides visibility into corporate file, vector and user activity to ensure product specs, customer pricing plans, and source code aren’t being moved to an untrusted or unrecognized place. This includes web browser uploads, cloud sync activity, file sharing, AirDrop, and use of removable media.
“Our surveys show that 75 percent of organizations don’t have consistent, centralized visibility into their environments,” Payne said. “They have no idea how frequently valuable files are leaked by malicious or negligent users or how often data is exposed by legitimate users doing their day-to-day work activities.”
Drew Robb is a freelance writer in Clearwater, Fla., specializing in IT and business.