
Data Sprawl is Making Insider Threats More Frequent and More Damaging

Alex Lee

We analyzed the behavior of 1.4 million employees working in various industries and found that the majority of exfiltration incidents involve data moving through multiple steps and across multiple people.


As the financial reward for an employee monetizing their employer’s data increases, so does insider risk for the business. Insider-driven data breaches have made recent headlines, impacting companies with valuable intellectual property including Apple, Qualcomm, and more.

As seen in our previous post, The 10 Most Common Forms of Company Data Employees Steal or Expose, while most sensitive data originates in specific systems or locations, it has a concerning tendency to move throughout the organization. In many cases, data spreads beyond the people who have permission to access it at the source. For example, a user experience designer downloading Microsoft Excel files containing M&A content owned by the corporate development team should be flagged as anomalous behavior, based on the role context.

In our 2022 Insider Risk Report, we found that less than half of data exfiltration incidents involve an employee accessing data directly and then exfiltrating it. Furthermore, we discovered that the majority of incidents (53.8%) involve data moving two or more steps before it is exfiltrated.

Let’s take a look at a few examples of the path that a customer list downloaded from Salesforce can take through the organization, moving one, two, or three steps before being exfiltrated:

We’ve found that some sensitive data takes as many as 42 steps as it circulates within an organization before someone exfiltrates it. As data naturally and constantly spreads, it moves to places where it is less likely to be tracked and protected. The challenge for security teams is protecting data as it moves beyond the systems where it is protected today.

Going forward, we anticipate that the average number of moves data takes within an organization will increase over time. Data sprawl is bound to expand as employees use more applications, share files more frequently, and increasingly transform data. Being able to track and trace this flow of data will become increasingly important for information technology and security teams looking to protect their company’s sensitive data. These modern user behaviors will force security practitioners to seek modern alternatives to traditional DLP, IRM, and UEBA data protection tools. To protect data going forward, the ability to map out the flow of an exfiltrated file, from origin to egress, across tens and even hundreds of transformations and modifications is table stakes for a world-class security organization.
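To make the idea of tracing a file from origin to egress concrete, here is an added example (not code from the report or from any product) that walks constructed file events back from an egress destination to the source system and reports the step count and the people involved. The event fields, the location naming, the list of egress destinations, and the rule that each internal move or transformation counts as one step are all assumptions made for illustration.

```python
from collections import namedtuple

# Constructed sample events: who moved which artifact from where to where.
Event = namedtuple("Event", "actor action src dst")
EVENTS = [
    Event("alice", "download", "salesforce:customer_list", "alice-laptop:customers.csv"),
    Event("alice", "share", "alice-laptop:customers.csv", "slack:sales/customers.csv"),
    Event("bob", "download", "slack:sales/customers.csv", "bob-laptop:customers.csv"),
    Event("bob", "rename", "bob-laptop:customers.csv", "bob-laptop:notes.zip"),
    Event("bob", "upload", "bob-laptop:notes.zip", "personal-drive:notes.zip"),
    Event("carol", "download", "salesforce:pipeline", "carol-laptop:pipeline.xlsx"),
    Event("carol", "upload", "carol-laptop:pipeline.xlsx", "webmail:pipeline.xlsx"),
]
EGRESS_PREFIXES = ("personal-drive:", "webmail:")  # assumed unsanctioned destinations
SOURCE_PREFIXES = ("salesforce:",)                 # assumed systems of record

def trace(events, egress_dst):
    """Walk parent links back from an egress location; return (origin, path)."""
    parent = {e.dst: e for e in events}  # simplification: one parent per artifact
    path, node, seen = [], egress_dst, set()
    while node in parent and node not in seen:  # 'seen' guards against cycles
        seen.add(node)
        path.append(parent[node])
        node = parent[node].src
    path.reverse()
    return node, path

def summarize(events):
    """One record per egress event: origin, internal step count, actors."""
    findings = []
    for e in events:
        if not e.dst.startswith(EGRESS_PREFIXES):
            continue
        origin, path = trace(events, e.dst)
        findings.append({
            "egress": e.dst,
            "origin": origin,
            "traced_to_source": origin.startswith(SOURCE_PREFIXES),
            "steps": len(path) - 1,  # assumption: the egress hop itself is not a step
            "actors": list(dict.fromkeys(ev.actor for ev in path)),
        })
    return findings

if __name__ == "__main__":
    for finding in summarize(EVENTS):
        print(finding)
```

Real lineage also has to handle artifacts with several parents (merged or pasted content) and content-based matching after a rename, which this single-parent sketch does not attempt.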
