A record 47 million Americans left their jobs voluntarily in 2021, and apparently many of them took sensitive information with them.
That’s the conclusion of a new report from data detection and response firm Cyberhaven Inc. The company analyzed 372,000 cases of data exfiltration — or the unauthorized transfer of sensitive information from one system to another — involving 1.4 million workers over a six-month period. It found that 9.4% of employees took data during this time.
More than 40% of the compromised data was customer or client information, 13.8% was source code, and 8% was regulated personal information. The top 1% of at-fault employees are responsible for nearly 8% of incidents, and the top 10% account for 35%.
Not surprisingly, the likeliest time for data to be taken is between when employees give notice and their last day of work. Cyberhaven measured an almost 38% increase in incidents during this period and an 83% jump in the two weeks before an employee left. Incidents jumped 109% on the day employees were fired.
The risk is low on a per-person basis, but increases with scale. Organizations experience an average of just 0.045 data exfiltration incidents per employee per month, but that adds up to 45 monthly events in a company of 1,000 people.
The most common exfiltration channel is cloud storage accounts, which were used in 27.5% of cases. This is followed by personal webmail at about 19%, and 14.4% of cases involved corporate email messages sent to personal accounts. Removable storage devices account for one in seven cases.
Most cases are accidental
CEO Howard Ting cautioned against jumping to the conclusion that many employees are crooks. “The No. 1 reason for data leaks is accidents,” he said Friday. “We should not assume that every user is malicious. People often don’t know that they can’t put sensitive data on Google Drive.”
Many companies also don’t do a good job of communicating their data ownership policies. Marketers may believe they have the right to keep details of the accounts they are responsible for, and developers may view their code as a valuable asset. Business emails containing internal contact information are also easily forwarded to personal accounts without malicious intent, and sensitive data can be stored on local hard drives with just a few mouse clicks.
Cyberhaven, which has raised $48 million in funding, has proprietary technology that runs on employee workstations and looks for activities such as file downloads and copy-and-paste operations. “We detect every application that is being used,” Ting said.
The company classifies data based on a combination of content verification and context, such as where the data came from and who has access to it. “We are able to do a much broader type of classification,” Ting said. “For example, we know that anything that comes out of your GitHub repository or Workday app is probably sensitive.”
Cyberhaven’s technology can optionally alert users when exfiltration occurs. Just knowing their activity is being watched can be a powerful way to encourage good behavior, Ting said. “When we turn on the consumer alert system on some of our accounts, the number of incidents goes down by a factor of 10 to 20,” he said.
Companies are so focused on external threats that they often pay little attention to the vulnerabilities behind the firewall. Customers “are often blown away by what they see,” he said. “It’s a huge wake-up call. I don’t think they’re surprised that it’s a problem, but they are surprised by the scope of the problem.”