According to the Securonix 2020 Insider Threat Report, published on Wednesday, "flight risk" employees, generally deemed to be individuals on the verge of resigning or otherwise leaving a job, often change their behavioral patterns from two months to two weeks before conducting an insider attack.
Insider incidents are caused by individuals within an organization rather than external threat actors. Employees or contractors with privileged access to systems may cause damage, steal or sell data, or be the cause of a security failure -- such as by uploading or moving confidential resources to third-party services without permission.
A 2019 case involving Trend Micro, for example, involved a rogue employee who was caught stealing customer data in order to sell the records on to others for use in targeted scams.
Securonix says that the exfiltration of sensitive data continues to be the most common insider threat, often taking place via email transfers or web uploads to cloud storage services such as Box and Dropbox. This attack vector is followed by privileged account abuse.
After examining hundreds of insider incidents across different industry verticals, the cybersecurity firm said that roughly 80% of flight risk employees will try to take proprietary data with them.
In total, 43.75% of insiders forwarded content to personal emails; 16% abused cloud collaboration privileges and 10% performed downloads of aggregated data during attacks analyzed in the report. Unauthorized USB and removable storage devices are also commonly used to swipe data.
However, the abuse of removable drives to steal information is on the decline as more companies than ever are either restricting or blocking USB devices completely, and many organizations -- potentially prompted further by the COVID-19 pandemic -- are transitioning to cloud and IaaS platforms.
The highest number of data exfiltration incidents took place in the pharmaceutical, financial, and IT industries.
Account sharing, difficulties classifying data as sensitive or non-sensitive when considering access privileges, a failure to implement least-privilege account controls and the constant circumvention of IT controls are prevalent, the report suggests, with large enterprises in particular "finding it difficult to draw conclusions about such incidents mostly due to lack of, or differences between, policies and procedures for each line of business."
Securonix suggests that algorithms can be useful in monitoring employees for rogue activities by flagging behavioral anomalies, as well as measuring data volume and transfers that appear to be beyond normal, baseline activities.
"Using traditional technologies -- such as DLP tools, privileged access management (PAM) solutions, and other point solutions -- is not sufficient to detect insider threat behavior today," Securonix added. "The adoption of cloud systems presents a complex threat fabric which requires advanced security analytics that utilizes purpose-built algorithms to detect specific outcomes."
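To make the baseline-versus-anomaly idea concrete, here is an added example (not Securonix's code and not from the report) that runs two of the signals the report describes over constructed DLP-style events: forwarding to personal webmail or uploading to an unsanctioned cloud service, and a per-user daily outbound volume that exceeds that user's own earlier baseline. The event fields, thresholds and domain lists are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events: (user, day, channel, destination, megabytes).
# Channels mirror the report's vectors: email forwarding, cloud upload.
EVENTS = [
    ("alice", 1, "email", "alice.work@corp.example", 2),
    ("alice", 2, "email", "alice.work@corp.example", 3),
    ("alice", 3, "cloud", "sharepoint.corp.example", 4),
    ("alice", 4, "email", "alice.work@corp.example", 2),
    ("alice", 5, "email", "alice.home@gmail.com", 3),      # personal webmail
    ("alice", 6, "cloud", "dropbox.com", 900),              # bulk upload, unsanctioned
    ("bob", 1, "cloud", "sharepoint.corp.example", 120),
    ("bob", 2, "cloud", "sharepoint.corp.example", 130),
    ("bob", 3, "cloud", "sharepoint.corp.example", 125),
    ("bob", 4, "cloud", "sharepoint.corp.example", 132),    # normal for bob
]
PERSONAL_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}  # assumed list
EXTERNAL_CLOUD = {"dropbox.com", "box.com"}                # assumed unsanctioned set

def daily_volume(events):
    """Sum outbound megabytes per (user, day)."""
    vol = defaultdict(float)
    for user, day, _chan, _dest, mb in events:
        vol[(user, day)] += mb
    return vol

def flag_anomalies(events, k=3.0, min_mb=100, min_history=3):
    """Return sorted (user, day, reason, detail) findings.
    Destination rules fire per event; the volume rule compares a day against
    the mean + k*stdev of the same user's earlier days (a per-user baseline),
    ignoring small days below min_mb and users with too little history."""
    findings = []
    for user, day, chan, dest, mb in events:
        domain = dest.split("@")[-1]
        if chan == "email" and domain in PERSONAL_MAIL:
            findings.append((user, day, "personal_email", domain))
        elif chan == "cloud" and domain in EXTERNAL_CLOUD:
            findings.append((user, day, "unsanctioned_cloud", domain))
    by_user = defaultdict(dict)
    for (user, day), mb in daily_volume(events).items():
        by_user[user][day] = mb
    for user, days in by_user.items():
        for day in sorted(days):
            prior = [days[d] for d in days if d < day]
            if len(prior) < min_history:
                continue  # not enough baseline yet
            threshold = mean(prior) + k * pstdev(prior)
            if days[day] >= min_mb and days[day] > threshold:
                findings.append((user, day, "volume_spike", days[day]))
    return sorted(findings)
```

Bob's steady 120-132 MB days stay unflagged because the baseline is his own, not a global number; a fixed global threshold would have flagged every one of them.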