NEW: 2022 Gartner® Market Guide for Data Loss Prevention

Get my copy
May 27, 2020

3 factors for measuring the insider threat risk for your organization

“Healthcare remains the industry with the highest amount of internal bad actors” according to the 2020 Verizon Breach report. Despite a decline to an average of 30% across other industries, Healthcare won the prize for the “OOPS” factor with “Miscellaneous errors”.


“Healthcare remains the industry with the highest amount of internal bad actors” according to the 2020 Verizon Breach report. Despite a decline to an average of 30% across other industries, Healthcare won the prize for the “OOPS” factor with “Miscellaneous errors”. Misdelivery situations created by incorrect emails and mismatched mailing addresses continue to be a challenge.

Cross customer contamination is a common challenge especially in service organizations that serve the multiple customers with a pool of customer sales agents. Establishing complex DLP rules to first identify exfiltration of PCI and PII data is hard enough, knowing if the email with sensitive information is going to the correct recipient is even more challenging. DLP rarely has context as to the appropriate destination for sensitive data. Many organizations find that strict policies impede productivity, which in time-sensitive customer situations is not tolerated. DLP projects are frequently abandoned or policies loosened.

One Cyberhaven customer, ServiceSource, solved their cross-customer contamination issues by taking advantage of data tracing and data lineage capabilities to identify key customer sources of information. In minutes, they established simple data monitoring rules such that sensitive customer data can only be sent to destinations that corresponded to the data’s original source. This is easier when you have a set number of customers and when there is a clear delineation of data and also identifiable domains.

In the case of healthcare and other industries it might be impossible to prevent mistakes, but there is an opportunity to learn from employees. Monitoring how users are interacting with high value data is essential to developing an effective strategy to protect it. It is important to monitor data as it is created, copied, shared, parsed, and stored across the organization into multiple destinations including endpoints, personal email, cloud storage and other collaboration tools. By monitoring, there is an opportunity to see trends and then educate users as to security best practices for protecting sensitive data. Having 30% of your threats come from the inside is not a number that organizations in any sector should accept as status quo.


To contrast Verizon’s comforting words, “After examining hundreds of insider incidents across different industry verticals,” Securonix said “that roughly 80% of flight risk employees will try to take proprietary data with them.” The disturbing reality that even the most trusted of employees under stress of financial or health pressures will abuse their data privileges was confirmed by two seasoned CISO’s Yaron Levi of BCBS and Olivia Rose ex CISO of MailChimp in a recent CISO Perspective webinar. They both recommended reviewing privileges frequently. And a philosophy of always assuming the worst and exploring scenarios to identify insider threat risks.

No one knows the full extent and long term financial impact of the COVID-19 crisis. Nearly every company is tightening their belt and reevaluating their staffing and spending plans. It is expected that this is making employees nervous. As spouses and family members lose supplemental income (son in college – part time job at coffee shop) or primary employment, the stress will mount. This type of stress is easily compounded and leads to the types of risky behavior that seasoned CISOs have seen. But some of this behavior is predictable and easy to monitor. According to Securonix, “flight risk” employees, are “generally deemed to be individuals on the verge of resigning or otherwise leaving a job,” who “often change their behavioral patterns from two months to two weeks before conducting an insider attack.”

The time to start intensive monitoring and auditing of privileges is now. Employees will go after the most valuable data and the data that they have easy access to. The majority will forward content to their personal emails, others will abuse cloud collaboration access, and some will attempt to use unauthorized storage devices to take data. These activities are easy to monitor and if there is an increase of activity then it is time to take a closer look at the type of data that is being exfiltrated.

A data monitoring tool like Data Behavior Analytics (DaBA) can quickly give you a snapshot of the activity across all your data and all your users. With so many products and services being offered via free trials – the time to take advantage is now, so you can log and detect inappropriate exfiltration of data. DaBA gives you the best of both worlds – as an endpoint agent it monitors all the user interactions with data and there are APIs into cloud apps like Office 365 and Salesforce so that we can trace how users interact with data continuously. Since DaBA is data centric – you will not need to establish user baselines and be burdened by alerts. DaBA will monitor how all your users interact with your data and then alert when data has been placed at risk. DaBA is an easy to implement SaaS solution and available via free trial. You can focus on your high value data and quickly investigate any and all data exfiltration.


Previous UAM and UEBA tools have had a narrow focus on one user, but as collaboration is increasing across all organizations, new security views and tools are required. Collaboration is an important driver of innovation and productivity – it is therefore imperative for security teams to understand how employees interact with data.

Who is keeping a personal copy and why? Despite shared storage, we all like to keep a copy for ourselves for ease of finding, preserving our ideas or for future reuse. Yet, it is increasingly difficult to remember where we filed something and we easily create and rename another copy so it will be easier to find the next time. This data sprawl puts data at risk.

Collaboration apps are the number one risk cited as sources of data leaks followed by cloud storage in a recent Cybersecurity Insiders 2020 Insider Threat Report. While Insider Threats have suddenly declined after years of increasing, it would be naive not to expect a rise in Insider Threats based on the global health crisis that has more employees working from home and depending on new tools for collaboration.

Additional security education of the workforce is necessary. In order for employees to embrace training, the training has to be relevant to how they work. The best way to prevent mistakes is to understand the environment and processes that create them. Data monitoring tools like DaBA that follow data as your organization engages and interacts with high-value data will help the security team gather specific behaviors that put data at risk and provide the relevant business process language to engage with employees and create more successful security training programs.

One factor that affects everyone is time. The longer your wait the more the data sprawl spreads. The sooner you start to understand the risks of collaboration and other risky employee behaviors that are endangering your high-value data, the sooner you can put programs in place to protect it.

Start tracing your data