  • Venus Caruso

Data Security Risks: Insider Threats and Departing Employees

Stories about hacks, data breaches, exploits, and security vulnerabilities affecting organizations across industries worldwide make the news daily. While employers may have invested in various security measures to safeguard against external threats, trusted insiders, such as employees, can pose equally significant risks to an organization’s sensitive data. Employees have insider knowledge of your company's operations, systems and data, making them capable of causing significant damage if their actions go undetected. Most employees may be dedicated and trustworthy, but some become disgruntled, seek revenge, are motivated by personal or financial gain, or accidentally compromise an organization’s security through lack of awareness or hasty actions. A recently published report on this very topic emphasizes the prevalence of this insider risk, particularly when it comes to departing employees.

The Report

Cyberhaven, a cybersecurity company that specializes in data protection and insider threat detection, published an insightful report on insider risks. It analyzed anonymized usage data based on companies using its product from January 1, 2022 to June 30, 2022, tracking the behavior of over 1.4 million employees when handling sensitive company information at work. The incidents uncovered by Cyberhaven cover various forms of data exfiltration. In most cases, these instances involved an employee either removing sensitive information from the organization or sending it to unauthorized recipients outside the company. Once sensitive data leaves your organization's control, it becomes vulnerable to a multitude of risks, ranging from misuse for personal or financial gain to sale on the dark web or exposure to your competitors.

Types of Sensitive Data Exfiltrated

The report identified ten categories of sensitive data commonly exfiltrated by employees. These include client and customer data, source code, personally identifiable information (PII), design files and product formulas, protected health information (PHI), financial data, sensitive project files, confidential business information, unpublished or sensitive marketing information, and employee human resource data. Notably, 44.6% of the exfiltrated data is client or customer data, followed by 13.8% source code, with 17.9% of the exfiltrated data falling under regulated categories like PII, payment card industry (PCI), and PHI. Based on Cyberhaven's analysis, over 80% of the compromised data consisted of intellectual property (IP) that is more challenging to identify.

Departing Employees: A Crucial Time

When it comes to departing employees, monitoring their activities becomes crucial for organizations. Typically, human resources works in collaboration with information security teams to ensure that departing employees do not take any sensitive company data with them. However, Cyberhaven’s analysis uncovered an increase in data exfiltration before employees officially gave their notice of resignation. The study found:

  • 68.7% of increased exfiltration occurs before employees give notice.

  • employees who voluntarily quit are 23.1% more likely to exfiltrate data on the day before their last date of employment, and employees are 109.3% more likely to do so on the day they are fired.

  • during the two-week period preceding an employee's notice, there was an alarming 83.1% surge in exfiltration incidents.

These findings underscore the importance of having robust security measures in place to identify and mitigate the potential insider risks posed by departing employees.

Methods of Data Exfiltration

Employees were found to use a variety of methods for removing sensitive data from an organization, ranging from personal cloud storage and personal webmail to removable media and messaging apps. Specifically:

  • uploading to personal cloud storage services, such as Dropbox, Google Drive, WeTransfer, Box, and iCloud, accounted for 27.5% of all incidents.

  • attaching sensitive files to, or copying and pasting sensitive data into, their personal webmail accounted for 18.7% of incidents.

  • sending sensitive data from their work email to their personal email accounted for 14.4% of incidents. This may include incidents where employees accidentally sent information to the wrong recipient, resulting in exposing sensitive data to unauthorized external parties.

  • copying large amounts of sensitive data to removable media, such as USB storage drives, accounted for 14.2% of incidents.

  • attaching or copying and pasting data into messaging apps, such as WhatsApp and Signal, accounted for 6.4% of incidents. Monitoring this type of removal method may be challenging because some messaging apps, such as WhatsApp and Signal, use end-to-end encryption, making it hard to determine what information is contained within these messages.

Final Remarks

While external threats often dominate news headlines, it is important not to overlook the potential risks that exist within your own workforce. The Cyberhaven report provides compelling data on insider threats, particularly for departing employees, and reinforces the critical need for organizations to effectively address these risks as part of their ongoing efforts to protect sensitive data.

By understanding the types of data most susceptible to exfiltration, the methods used for removal, and the behaviors exhibited by departing employees, companies can implement targeted strategies to mitigate these risks. Mitigation strategies will naturally vary by organization type, size, and resources, but may include training employees on security awareness and best practices; restricting access privileges to sensitive information on a “need-to-know” basis; deploying user monitoring systems to track and analyze employee behavior when handling company data; implementing data loss prevention solutions to detect and prevent exfiltration attempts in real time; performing audits and penetration testing to help identify vulnerabilities that may be exploited by employees; and promptly disabling a departing employee's access to critical systems (among others).

While no security measure is failsafe, implementing a layered defense strategy enables your organization to better manage these potential insider risks.


The information provided in this article is for general informational purposes only. Nothing stated in this article should be taken as legal advice or legal opinion for any individual matter. As legal or other developments occur, the information contained in this article may not be the most up-to-date legal or other information.

