September 30, 2022

9% of Employees Exfiltrated Data in the First 6 Months of 2022

Study analyzing the behavior of 1.4 million employees found that risky behavior is common, but an outsized number of incidents are due to a small group of “super stealers”

Insider threats have been steadily increasing in frequency, with many recent high-profile incidents at the world’s most prominent companies, including Apple, Uber, and Qualcomm. We found that insider risks, the precursor to insider threats, have also been increasing at an alarming rate. To figure out what’s driving insider risks, we dug into data from Cyberhaven’s product for our 2022 Insider Risk Report.

Data exfiltration by employees happens much more often than you would think, and not always for malicious reasons. Employees often share files between personal devices for productivity, or accidentally send documents to people outside of their organization that they shouldn’t. These incidents may seem unintentional and most of the time they’re harmless. But they significantly increase the risk to sensitive information, placing it just one step away from becoming a headline.

How often do insiders exfiltrate data?

To compile the findings in our 2022 Insider Risk Report, we analyzed the behavior of 1.4 million workers for six months using the Cyberhaven product. We found that organizations experience, on average, 0.045 data exfiltration incidents per employee per month. This number may not seem meaningful or easy to understand, but it gives organizations a way to estimate the number of incidents they might have. For example, extrapolating from this number, a 1,000-employee company experiences on average 45 data exfiltration incidents each month.

We also found that a relatively small number of employees exfiltrate sensitive information—just 2.5% of employees at an average organization are responsible for one or more incidents during a one-month period. But across a longer time horizon, we found data exfiltration is more widespread across a broader group of employees. In a three-month period, 6.8% of employees exfiltrate sensitive data and in six months the number grows to 9.4% or nearly one in ten. Yes, you read that correctly – per our research, almost one in ten employees exfiltrated data in the first 6 months of 2022!

Beware of “Super Stealers”

A single data exfiltration incident, whether intentional or unintentional, can lead to an insider threat. Being aware of each employee’s history of exfiltration incidents is therefore critical. Multiple repeat offenses by the same employee could indicate malicious intent, rather than a simple mistake here and there.

We found that in any given month, 71% of employees who exfiltrated data did so only once. However, among the subset of employees that exfiltrated data, the top 1% most prolific “super stealers” were responsible for 7.7% of incidents, and the top 10% were responsible for 34.9% of incidents. Remember that only 2.5% of all employees exfiltrate data each month, so across all employees just 0.025% are responsible for 7.7% of incidents and 0.25% are responsible for 34.9% of incidents.

At a 50,000-person company that works out to 12 employees and 125 employees, respectively. The number of serial offenders is small enough that an organization could investigate each one, while relying on automation to coach users who make one-off mistakes in handling sensitive company data.
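The triage described in the two paragraphs above, as an added example that is not part of the original report or of Cyberhaven's product: it computes the concentration figures (one-off share, share of incidents from the top 10% of offenders) from an incident log and splits employees into an investigation queue and a coaching queue. The incident records, headcount and repeat threshold are constructed assumptions.

```python
from collections import Counter
from math import ceil

# Constructed incident records (employee id, month); not data from the report.
INCIDENTS = (
    [("e01", "2022-01")] * 6 + [("e02", "2022-01")] * 3
    + [(f"e{n:02d}", "2022-01") for n in range(3, 11)]  # eight one-off users
    + [("e01", "2022-02")] * 4 + [("e11", "2022-02")]
)
HEADCOUNT = 400  # assumed company size


def monthly_counts(incidents, month):
    """Incidents per employee for one month."""
    return Counter(emp for emp, m in incidents if m == month)


def top_share(counts, fraction):
    """Share of incidents caused by the top `fraction` of offending employees."""
    ranked = sorted(counts.values(), reverse=True)
    if not ranked:
        return 0.0
    k = max(1, ceil(len(ranked) * fraction))  # always at least one employee
    return sum(ranked[:k]) / sum(ranked)


def summary(incidents, month, headcount):
    """Monthly metrics of the kind the article quotes, from raw records."""
    counts = monthly_counts(incidents, month)
    offenders = len(counts)
    one_off = sum(1 for c in counts.values() if c == 1)
    return {
        "incidents_per_employee": sum(counts.values()) / headcount,
        "employees_with_incident": offenders / headcount,
        "one_off_share": one_off / offenders if offenders else 0.0,
        "top_10pct_share": top_share(counts, 0.10),
    }


def triage(incidents, repeat_threshold=3):
    """Split employees into (investigate, coach) using their full history,
    so repeats spread over several months still count. The threshold is an
    assumption to tune per organization."""
    history = Counter(emp for emp, _ in incidents)
    investigate = sorted(e for e, c in history.items() if c >= repeat_threshold)
    coach = sorted(e for e, c in history.items() if c < repeat_threshold)
    return investigate, coach
```

On the constructed January data, one employee out of ten offenders accounts for 6 of 17 incidents, and only two employees reach the investigation queue once February's history is included.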

Insider Risks Must Be Managed

Every company nowadays has sensitive data it needs to protect, be it customer data, company source code, or design files. While most companies have spent their time defending against external threats, many have overlooked the danger of insider threats. The magnitude of insider threats only increases as a company amasses more sensitive data.

Enterprises must prepare appropriately to protect their data or risk becoming the next data leak headline. Ultimately, you’re only as strong as your weakest link, so insider threats simply can’t be overlooked.