A record 47 million Americans quit their jobs voluntarily in 2021, and apparently many took sensitive information with them.

That’s the conclusion that emerges from a new report by data detection and response firm Cyberhaven Inc. The company analyzed 372,000 incidents of data exfiltration — or the unauthorized transfer of sensitive information from one system to another — involving 1.4 million workers over a six-month period. It discovered that 9.4% of employees had taken data during that time.

More than 40% of the compromised data was client or customer information, 13.8% was source code and 8% was regulated personally identifiable information. The top 1% of guilty parties were responsible for nearly 8% of incidents and the top 10% accounted for 35%.

Unsurprisingly, the prime time for data exfiltration is between the time employees give notice and their last day on the job. Cyberhaven measured a nearly 38% increase in incidents during that period and an 83% jump in the two weeks before an employee resigned. Incidents jumped 109% on the day employees were fired.

The risk is low on a per-person basis but grows with scale. Organizations experience an average of just 0.045 data exfiltration incidents per employee per month, but that adds up to 45 monthly events at a 1,000-person company.

The most common way employees liberate information via cloud storage accounts, which were used in 27.5% of instances. That was followed by personal webmail at about 19%, with 14.4% of cases involving corporate email messages sent to personal accounts. Removable storage drives accounted for one in seven instances.

Most cases are accidental

Chief Executive Howard Ting cautioned against jumping to the conclusion that a lot of employees are crooks. “The No. 1 cause of data exfiltration is accidents,” he said Friday. “We shouldn’t assume every user is malicious. People often aren’t aware they can’t put sensitive data on Google Drive.”

Many companies also don’t do a good job of communicating their policies about data ownership. Salespeople may believe that they are entitled to keep details of accounts for which they were responsible, and developers may view their code as a prized possession. Business emails containing internal contact information are also easily forwarded to personal accounts without malicious intent and sensitive data can be stored on local hard drives with just a couple of mouse clicks.

Cyberhaven, which has raised $48 million in funding, has proprietary technology that runs on employee workstations and looks for activity such as file downloads and copy-and-paste operations. “We detect every application that is used,” Ting said.

The company classifies data according to a combination of content inspection and context, such as where the data came from and who has access to it. “We’re able to do a much broader type of classification,” Ting said. “For example, we know that everything that comes out of your GitHub repository or Workday application is probably sensitive.”

Cyberhaven’s technology can optionally warn users when exfiltration occurs. Simply knowing that their activity is being watched can be a powerful way to promote good behavior, Ting said. “When we turn on the user warning system at some of our accounts, the number of incidents goes down by a factor of 10 to 20,” he said.

Companies are so focused on external threats that they often give little mind to vulnerabilities behind the firewall. Customers “are often blown away by what they see,” he said. “It’s a huge wakeup call. I don’t think they’re surprised that it’s a problem, but they are surprised by the scope of the problem.”

Photo: Flickr CC