The key to stopping insider exfiltration is recognizing the threat and learning to identify the individuals most likely to steal sensitive data. Knowing which personae to watch for could help an organization avoid a costly breach.
How to Spot the 6 Archetypes of Insider Exfiltration
The Ship Jumper
is looking for or just accepted a new job.
Frequent absences, unexplained disappearances or
unexpected medical appointments can be signs of a Ship
Jumper. Workers who have accepted a new job are the most
likely to give data to a competitor, especially in positions such
as sales, product development, and business intelligence.
• Dissatisfaction with current position
• Negative attitude
• Talks trash about goings on at the company
The Unhappy Camper
may have received a poor performance review,
been passed over for promotion or been placed
on a performance improvement plan.
Employee may be consistently out sick the day after receiving
news of poor performance or reprimand. He or she keeps
score and may show a propensity toward revenge or
• Negative affect
• “Out-to-get-me” attitude
• Quick to point the finger, blames others
• Poisons the well
is experiencing acute or chronic
Employee talks excessively about money and how much
things cost in a negative light. He or she always seems to be in
a financial jam, may get calls from collection agencies at work
or talk about taking on a second job to increase cash flow.
• Admission of financial problems
• Talking about needing to find a new source of income
• Lifestyle doesn’t match income level
• Borrowing money from coworkers
The Angler
is always working schemes to exploit
perceived weaknesses or vulnerabilities
in people and systems.
The Angler is often a fast talker who brags about working or
gaming the system at work and/or in his or her personal life.
He or she has no qualms with breaking the rules or cutting
corners if it means getting ahead.
• Inappropriately charming, fast-talker
• Tendency to take things a little too far
• Willing to break the rules to get ahead
• Always on the lookout for a new angle
The Uploader
saves all of their work to a personal
cloud software account, regardless
of company policy.
Whether deliberate or unintentional, the Uploader saves
everything to a personal cloud account. He or she refuses to
use network drives or company-sanctioned cloud stores.
• Lacks trust in corporate systems and software
• Virtually no files saved to computer or personal
• May be hesitant to share his or her work
The Ex
was romantically involved with a coworker
and recently experienced a breakup or
an existing relationship is on the rocks.
The Ex constantly obsesses about a coworker he or she used
to date. He or she may attempt to access business accounts or
personal files of the former partner, often triggering multiple
failed password attempts as a result.
• Stalker-like behavior
• Propensity toward revenge or vindictive behavior
• Comments like “they’ll be sorry”
• Exporting abnormally large amounts of contact data
out of CRM or other databases.
• Sudden interest in the company’s network and
databases outside the scope of official job role.
• Failed password attempts.
• Attempts to access other employee accounts.
• Sudden increase in free space on employee’s computer.
• Deleting large numbers of files or emails.
• Changing computer configurations.
• Repeated attempts to access privileged folders
on the Intranet or shared drive.
• Sudden appearance of external drives to back up data.
• Sudden change in behavior around taking a laptop home at night.
• Installation of unsanctioned sync and share software like Box,
Google Drive, or Dropbox.
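As an added illustration (not part of the original infographic), three of the indicators listed above are expressed here as detection logic over constructed audit events: an abnormally large CRM export, failed password attempts against other employees' accounts, and installation of unsanctioned sync and share software. The event schema, thresholds and user names are assumptions.

```python
from collections import defaultdict
from statistics import median

# Sync-and-share tools named in the list above.
SYNC_APPS = {"box", "google drive", "dropbox"}

# Constructed sample events; the schema is an assumption. For login_failed,
# "user" is the owner of the originating workstation, "target" the account tried.
EVENTS = [
    {"user": "alice", "type": "crm_export", "rows": 120},
    {"user": "alice", "type": "crm_export", "rows": 130},
    {"user": "alice", "type": "crm_export", "rows": 110},
    {"user": "alice", "type": "crm_export", "rows": 140},
    {"user": "alice", "type": "login_failed", "target": "alice"},
    {"user": "bob", "type": "crm_export", "rows": 100},
    {"user": "bob", "type": "crm_export", "rows": 150},
    {"user": "bob", "type": "crm_export", "rows": 90},
    {"user": "bob", "type": "crm_export", "rows": 25000},
    {"user": "bob", "type": "software_install", "name": "Dropbox"},
    {"user": "carol", "type": "login_failed", "target": "dave"},
    {"user": "carol", "type": "login_failed", "target": "dave"},
    {"user": "carol", "type": "login_failed", "target": "dave"},
]

def flag_indicators(events, export_factor=10, failed_threshold=3):
    """Return {user: set of indicator names} for events in chronological order."""
    exports, cross_fail, flags = defaultdict(list), defaultdict(int), defaultdict(set)
    for e in events:
        if e["type"] == "crm_export":
            exports[e["user"]].append(e["rows"])
        elif e["type"] == "login_failed" and e["target"] != e["user"]:
            cross_fail[e["user"]] += 1  # attempt on another employee's account
        elif e["type"] == "software_install" and e["name"].lower() in SYNC_APPS:
            flags[e["user"]].add("unsanctioned_sync_install")
    for user, rows in exports.items():
        # "Abnormally large" is judged against the user's own earlier exports.
        history, latest = rows[:-1], rows[-1]
        if history and latest > export_factor * median(history):
            flags[user].add("abnormal_crm_export")
    for user, count in cross_fail.items():
        if count >= failed_threshold:
            flags[user].add("other_account_login_failures")
    return dict(flags)

if __name__ == "__main__":
    for user, found in sorted(flag_indicators(EVENTS).items()):
        print(user, sorted(found))
```

Comparing each export with the user's own median keeps routine large exporters from being flagged while still catching a sudden jump.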
Mitigate the Risk
• Implement endpoint backup to monitor the movement
of data on the endpoint.
• Monitor access to secured databases and software.
• Follow up with employees who repeatedly attempt to
access secured resources.
• Remind employees who resign of the non-compete and
non-disclosure agreements they signed when they were hired.
• Connect the ability to receive severance to the promise
not to steal or use IP or other company data.
• Follow through when a breach occurs.
• Foster communication between Human Resources, IT and
the employee’s supervisor to monitor possible bad actors.