The key to stopping insider exfiltration is recognizing the threat and learning to identify the individuals most likely to steal sensitive data. Knowing which personae to watch for could help an organization avoid a costly breach.

1. HowtoSpottheSixArchetypes
of Insider Exfiltration
The key to stopping insider exfiltration is recognizing the threat and learning to
identify the individuals most likely to steal sensitive data. Knowing which personae
to watch for could help an organization avoid a costly breach.

2. The Ship Jumper
is looking for or just accepted a new job.
WARNING SIGNS:
Frequent absences, unexplained disappearances or
unexpected medical appointments can be signs of a Ship
Jumper. Workers who have accepted a new job are the most
likely to give data to a competitor, especially in positions such
as sales, product development, and business intelligence.
BEHAVIORAL CLUES:
• Dissatisfaction with current position
• Negative attitude
• Talks trash about goings on at the company

3. The Unhappy Camper
may have received a poor performance review,
been passed over for promotion or been placed
on a performance improvement plan.
WARNING SIGNS:
Employee may be consistently out sick the day after receiving
news of poor performance or reprimand. He or she keeps
score and may show a propensity toward revenge or
vindictive behavior.
BEHAVIORAL CLUES:
• Negative affect
• “Out-to-get-me” attitude
• Quick to point the finger, blames others
• Poisons the well

4. The Spendthrift
is experiencing acute or chronic
financial problems.
WARNING SIGNS:
Employee talks excessively about money and how much
things cost in a negative light. He or she always seems to be in
a financial jam, may get calls from collection agencies at work
or talk about taking on a second job to increase cash flow.
BEHAVIORAL CLUES:
• Admission of financial problems
• Talking about needing to find a new source of income
• Lifestyle doesn’t match income level
• Borrowing money from coworkers

5. The Angler
is always working schemes to exploit
perceived weaknesses or vulnerabilities
in people and systems.
WARNING SIGNS:
The Angler is often a fast talker who brags about working or
gaming the system at work and/or in his or her personal life.
He or she has no qualms with breaking the rules or cutting
corners if it means getting ahead.
BEHAVIORAL CLUES:
• Inappropriately charming, fast-talker
• Tendency of taking things a little too far
• Willing to break the rules to get ahead
• Always on the lookout for a new angle

6. The Uploader
saves all of their work to a personal
cloud software account, regardless
of company policy.
WARNING SIGNS:
Whether deliberate or unintentional, the Uploader saves
everything to a personal cloud account. He or she refuses to
use network drives or company-sanctioned cloud stores.
BEHAVIORAL CLUES:
• Lacks trust in corporate systems and software
• Virtually no files saved to computer or personal
network files
• May be hesitant to share his or her work

7. The Ex
was romantically involved with a coworker
and recently experienced a breakup or
an existing relationship is on the rocks.
WARNING SIGNS:
The Ex constantly obsesses about a coworker he or she used
to date. He or she may attempt to access business accounts or
personal files of the former partner, often triggering multiple
failed password attempts as a result.
BEHAVIORAL CLUES:
• Stalker-like behavior
• Propensity toward revenge or vindictive behavior
• Comments like “they’ll be sorry”

8. Red Flags
• Exporting abnormally large amounts of contact data
out of CRM or other databases.
• Sudden interest in the company’s network and
databases outside the scope of official job role.
• Failed password attempts.
• Attempts to access other employee accounts.
• Sudden increase in free space on employee’s computer.
• Deleting large numbers of files or emails.
• Changing computer configurations.
• Repeated attempts to access privileged folders
on the Intranet or shared drive.
• Sudden appearance of external drives to back up data.
• Sudden change in behavior around taking a laptop home at night.
• Installation of unsanctioned sync and share software like Box,
Google Drive, or Dropbox.

9. Mitigate the Risk
• Implement endpoint backup to monitor the movement
of data on the endpoint.
• Monitor access to secured databases and software.
• Follow up with employees who repeatedly attempt to
access secured resources.
• Remind employees that resign of the non-compete and
non-disclosure agreements they signed when they were hired.
• Connect the ability to receive severance to the promise
not to steal or use IP or other company data.
• Follow through when a breach occurs.
• Foster communication between Human Resources, IT and
the employee’s supervisor to monitor possible bad actors.

10. Userbehavioris
a businessblindspot
Weseewhatyoucan’t
www.code42.com/contact