How to Spot the 6 Archetypes of Insider Exfiltration

The key to stopping insider exfiltration is recognizing the threat and learning to identify the individuals most likely to steal sensitive data. Knowing which personae to watch for could help an organization avoid a costly breach.

Upload: code42

Post on 21-Feb-2017




The Ship Jumper is looking for or has just accepted a new job.

WARNING SIGNS: Frequent absences, unexplained disappearances or unexpected medical appointments can be signs of a Ship Jumper. Workers who have accepted a new job are the most likely to give data to a competitor, especially in positions such as sales, product development, and business intelligence.

BEHAVIORAL CLUES:
• Dissatisfaction with current position
• Negative attitude
• Talks trash about goings-on at the company


The Unhappy Camper may have received a poor performance review, been passed over for promotion or been placed on a performance improvement plan.

WARNING SIGNS: Employee may be consistently out sick the day after receiving news of poor performance or reprimand. He or she keeps score and may show a propensity toward revenge or vindictive behavior.

BEHAVIORAL CLUES:
• Negative affect
• “Out-to-get-me” attitude
• Quick to point the finger, blames others
• Poisons the well


The Spendthrift is experiencing acute or chronic financial problems.

WARNING SIGNS: Employee talks excessively about money and how much things cost in a negative light. He or she always seems to be in a financial jam, may get calls from collection agencies at work or talk about taking on a second job to increase cash flow.

BEHAVIORAL CLUES:
• Admission of financial problems
• Talking about needing to find a new source of income
• Lifestyle doesn’t match income level
• Borrowing money from coworkers


The Angler is always working schemes to exploit perceived weaknesses or vulnerabilities in people and systems.

WARNING SIGNS: The Angler is often a fast talker who brags about working or gaming the system at work and/or in his or her personal life. He or she has no qualms about breaking the rules or cutting corners if it means getting ahead.

BEHAVIORAL CLUES:
• Inappropriately charming, fast talker
• Tendency to take things a little too far
• Willing to break the rules to get ahead
• Always on the lookout for a new angle


The Uploader saves all of their work to a personal cloud software account, regardless of company policy.

WARNING SIGNS: Whether deliberate or unintentional, the Uploader saves everything to a personal cloud account. He or she refuses to use network drives or company-sanctioned cloud stores.

BEHAVIORAL CLUES:
• Lacks trust in corporate systems and software
• Virtually no files saved to computer or personal network files
• May be hesitant to share his or her work


The Ex was romantically involved with a coworker and recently experienced a breakup, or an existing relationship is on the rocks.

WARNING SIGNS: The Ex constantly obsesses about a coworker he or she used to date. He or she may attempt to access business accounts or personal files of the former partner, often triggering multiple failed password attempts as a result.

BEHAVIORAL CLUES:
• Stalker-like behavior
• Propensity toward revenge or vindictive behavior
• Comments like “they’ll be sorry”


Red Flags
• Exporting abnormally large amounts of contact data out of CRM or other databases.
• Sudden interest in the company’s network and databases outside the scope of official job role.
• Failed password attempts.
• Attempts to access other employee accounts.
• Sudden increase in free space on employee’s computer.
• Deleting large numbers of files or emails.
• Changing computer configurations.
• Repeated attempts to access privileged folders on the Intranet or shared drive.
• Sudden appearance of external drives to back up data.
• Sudden change in behavior around taking a laptop home at night.
• Installation of unsanctioned sync and share software like Box, Google Drive, or Dropbox.
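Several of the red flags above can be checked mechanically once endpoint and authentication events are collected in one place. The following sketch is an added example, not part of the original slides or any Code42 product: the event schema, the thresholds and the sample events are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events; the schema (user, type, detail fields) is hypothetical.
EVENTS = [
    {"user": "alice", "type": "auth_fail", "target": "bob"},
    {"user": "alice", "type": "auth_fail", "target": "bob"},
    {"user": "alice", "type": "auth_fail", "target": "bob"},
    {"user": "carol", "type": "auth_fail", "target": "carol"},
    {"user": "dave", "type": "crm_export", "rows": 48000},
    {"user": "erin", "type": "crm_export", "rows": 120},
    {"user": "dave", "type": "usb_mount", "device": "external-disk"},
    {"user": "frank", "type": "software_install", "name": "Dropbox"},
    {"user": "frank", "type": "file_delete", "count": 5200},
]

# Assumed thresholds and policy list; tune them to your own baseline.
UNSANCTIONED_SYNC = {"box", "google drive", "dropbox"}
MAX_EXPORT_ROWS = 5000
MAX_FAILED_LOGINS = 3
MAX_DELETES = 1000

def red_flags(events):
    """Return {user: sorted list of red-flag labels} for the given events."""
    flags = defaultdict(set)
    failed = defaultdict(int)
    for e in events:
        user, kind = e["user"], e["type"]
        if kind == "auth_fail":
            failed[user] += 1
            if failed[user] >= MAX_FAILED_LOGINS:
                flags[user].add("repeated failed password attempts")
            if e["target"] != user:
                flags[user].add("attempt to access another employee's account")
        elif kind == "crm_export" and e["rows"] > MAX_EXPORT_ROWS:
            flags[user].add("abnormally large CRM export")
        elif kind == "usb_mount":
            flags[user].add("external drive attached")
        elif kind == "software_install" and e["name"].lower() in UNSANCTIONED_SYNC:
            flags[user].add("unsanctioned sync and share software")
        elif kind == "file_delete" and e["count"] > MAX_DELETES:
            flags[user].add("mass file deletion")
    return {u: sorted(f) for u, f in flags.items()}

if __name__ == "__main__":
    for user, found in sorted(red_flags(EVENTS).items()):
        print(f"{user}: {', '.join(found)}")
```

A single mistyped password on one's own account (carol) and a small export (erin) raise nothing; users who accumulate more than one flag are the ones to review first.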


Mitigate the Risk
• Implement endpoint backup to monitor the movement of data on the endpoint.
• Monitor access to secured databases and software.
• Follow up with employees who repeatedly attempt to access secured resources.
• Remind employees who resign of the non-compete and non-disclosure agreements they signed when they were hired.
• Connect the ability to receive severance to the promise not to steal or use IP or other company data.
• Follow through when a breach occurs.
• Foster communication between Human Resources, IT and the employee’s supervisor to monitor possible bad actors.


User behavior is a business blind spot. We see what you can’t.

www.code42.com/contact