The Top 7 Data Exfiltration Risks (And How to Prevent Them)

Protecting sensitive data must be a top priority for any business. Unfortunately, the multitude of techniques available to threat actors makes detection and prevention of attacks a full-time job. To help make that job easier this article will teach you how to prevent data exfiltration by addressing the most common techniques used in attempts.

Table of Contents

Click to Show / Collapse

What is Data Exfiltration?
How Threat Actors Exfiltrate Data

1) Unsanctioned Cloud Storage Accounts
2) Portable Storage Devices (USB, Mobile Phones, etc)
3) Email & Phishing
4) Unsecured Servers
5) Social Media & Forums
6) Malware
7) Printers

How to Prevent Data Exfiltration
Conclusion & More Resources to Protect Sensitive Data

What is Data Exfiltration?

Data exfiltration, also known as data extrusion, data exportation, or data theft, is the unauthorized transfer of data from one computer, network, or server to another without authorization. Data exfiltration most commonly occurs when malware or a malicious actor executes an unauthorized data transfer.

The most desirable data to exfiltrate include passwords, intellectual property, and personally identifiable information (PII). These types of data can be readily sold for financial gain.

How Threat Actors Exfiltrate Data

When trying to understand how hackers exfiltrate data from a network, it’s important to realize that data exfiltration isn’t exclusive to external threats; employees are just as capable of making unauthorized data transfers.

In fact, malicious insider threats are in the optimal position; they do not need to work as hard to gain access to a device with a connection to system resources as an external attacker would.

For optimal protection, be prepared to mitigate both internal and external attacks. Otherwise, the data of your customers can be readily exfiltrated with far fewer resources and without detection thanks to their trusted access to the network.

1) Unsanctioned Cloud Storage Accounts

Data loss prevention cloud storage DLP security tips

Cloud storage makes the transfer of data as simple as dragging and dropping files into a folder. Unfortunately, the very simplicity that makes cloud storage an excellent collaboration tool also makes it a prime tool for data extrusion.

As a part of your cloud data loss prevention strategy, your organization needs web filtering software to restrict access to unsanctioned cloud storage providers.

With new cloud storage vendors regularly emerging, manual URL filtering isn’t enough for organizations to address this exfiltration risk. BrowseControl’s category filtering system is regularly updated with new websites as they emerge, making the blocking of millions of websites as easy as a few clicks. Simply add the File Hosting category to your block list, then add the services you would like to allow in your network to the Allow List.

To help detect other exfiltration threats in the network, organizations must monitor employee internet use; network traffic data could reveal visits to high-risk sites that need to be blocked from the network.

Start Blocking Websites Today Learn More

2) Portable Storage Devices (USB, Mobile Phones, etc)

A 32 gigabyte USB flash drive sitting on top of a computer keyboard

A 2018 study from cyber security software company McAfee found that the overall top three vectors used to exfiltrate data are database leaks, cloud applications, and USB drives.

According to the study, USB drives are the number one data exfiltration vector in European and Asia-Pacific countries.

When you think of it, this is of little surprise. After all, portable storage devices are, well…portable. And thus easy to conceal and hard to detect.

These devices can store terabytes of data, making them capable of storing millions of database records, spreadsheets, and other proprietary information.

So long as there’s an available port, data can be readily exfiltrated, leading to a serious data breach.

Employees are the most prevalent data exfiltration threats here. They’re trusted with physical access to company systems, making data exfiltration attempts laughably simple. All it takes is sneaking in a personal USB flash drive and transferring files from the network before they walk out of the office.

Back to Table of Contents

So, how do companies prevent this? Simple: They disable USB ports with device control software such as AccessPatrol.

Naturally, blocking ports entirely also prevents legitimate usage. That’s why AccessPatrol has an Allowed List to grant access to authorized users. To help mitigate the risk that trusted devices will be misused, AccessPatrol allows you to restrict file transfers based on filename and extension.

To assist with detection on target systems, It also has alerts that can notify security teams each time data is exfiltrated to a portable storage device. These real-time alerts are essential for the protection of data; should data be stolen, there will be an auditable record of who is responsible.

“We never have to worry about what may happen when someone plugs a device into one of our machines. AccessPatrol has made our lives easy. We just set it, forget it, and it works!”
CurrentWare Customer Nicholas Scheetz, IT Service Desk Supervisor, First Choice Health

FREE Trial: AccessPatrol USB Device Control Software

Back to Table of Contents

3) Email & Phishing

Personal data phishing concept background. Cartoon illustration of personal data phishing vector

In North America the number one vector for data exportation is email.

The fact that email is one of the top greatest data exfiltration risks is of little surprise. Without security controls in place, insiders can easily send sensitive information to personal email addresses that aren’t managed by the organization.

Email is a data exfiltration issue even outside of malicious insider threats. A data breach could be as simple as a misaddressed email or inadvertently including customer data in an attachment.

These factors are enough of a risk on their own; what about the innumerable amount of phishing emails?

Don’t assume that employees won’t fall for them. Tessian found that a staggering 1 in 4 employees admitted to clicking on a phishing email at work. Worse yet, a report from PhishMe found that employees who have opened a phishing email in the past are 67% more likely to fall for a future attempt.

Naturally, no amount of data exfiltration prevention solutions are going to completely solve what is fundamentally a human problem. But there are things you can do to reduce the risks associated with email.

Protection techniques to handle this threat:

Configure network email filtering tools to detect malicious emails and restrict unauthorized attachments in your organization
Implement corporate data security policies
Provide employees with security awareness training
Block access to unsanctioned email platforms

4) Unsecured Servers

cybersecurity expert on a laptop ion front of servers

“In general, any misconfigured or unsecured server operating on a business network on which sensitive data is stored or processed exposes the business to data theft and compromise by cyber criminals who can use the data for criminal purposes such as blackmail, identity theft, or financial fraud.”
The Federal Bureau of Investigation (FBI)

Research conducted by the University of Michigan found that over 1 million FTP servers were configured to allow anonymous access, posing a serious data exfiltration risk.

Naturally, organizations that allow anonymous access to their services are at risk of having their systems compromised and data stolen without the detection of the hackers responsible.

While the nuances of keeping the data in servers safe from attacks is a complex subject, there are a few steps your organization can take to defeat the most common vulnerabilities.

Don’t make a server public-facing unless absolutely necessary
Protect servers from a brute force attack with multi factor authentication
Use a firewall to limit the server to authorized traffic
Secure the physical area that houses the hardware
Separate database servers from everything else
Ensure that sensitive data is encrypted

And while we’re on the subject of FTP…use a port filter to close any unused ports in your company, including default FTP ports. This will greatly reduce your attack surface.

Back to Table of Contents

Restricting internet access is crucial for preventing data exfiltration but unfortunately, there isn’t a definitive guide on what websites to block at work.

For optimal security, you could only allow access to specific websites, but that can quickly become cumbersome to manage.

If an explicit-deny approach isn’t a feasible data exfiltration prevention measure for your environment, you should block the most common egress points.

Websites most commonly used for data exfiltration

File sharing websites
Instant messaging
Social media
Forums
Email

Naturally, this list isn’t exhaustive. There’s also the risk that legitimate domains will become compromised and used as a repository for data exfiltration.

Start Blocking Websites Today Learn More

6) Malware

Most external threats will use a combination of phishing and malware to gain remote access to their target system. A search of security industry trends shows that businesses of all sizes are at risk of being the target of a cyber attack.

When it comes to preventing malicious software you need to implement a defense-in-depth approach. Lone antimalware solutions aren’t always going to be enough to stop malware, but you’ll be grateful that it’s there if a malicious program manages to slip past your other security measures.

7) Printers

According to a Quocirca Report, 68% of businesses in the US and Europe suffered a print-related data breach from 2020-2021. The data loss related to these breaches costs companies an average of more than $400K.

The data exfiltration risks associated with printers aren’t exclusive to traditional office buildings, either. In the age of remote work it’s easier than ever for an employee to connect a printer to their computer and print off sensitive documents.

Protection techniques to handle this threat:

Encrypt any internal storage drives that the printer has
Enforce Secure Printing modes that force users to enter a PIN to retrieve sensitive documents
Ensure that all sensitive documents are securely stored and disposed of
Monitor printer logs for evidence of sensitive files
Train employees to immediately retrieve printed documents
Use USB control software to block high-risk users from connecting printers to their computers

Back to Table of Contents

How to Prevent Data Exfiltration

Insider Threats - How to Stop Data Theft - CurrentWare

In addition to the risk-specific tips I’ve covered above, there are a number of other ways to prevent data exfiltration. This next section will broadly cover best practices for mitigating the risk of data security incidents.

How to Prevent Data Exfiltration

Following a thorough employee offboarding security process that monitors and restricts what data departing employees can access.
Monitor employees for common insider threat risk indicators
Only provide employees with the access and permissions they need for their roles
Monitor employee computer activity and network traffic for high-risk and anomalous behavior
Implement a zero-trust framework to reduce the risks of compromised accounts
Ensure that data is encrypted; such a measure could have prevented the potential leak of 15 million sensitive customers records
Block USB devices to prevent unauthorized data transfers

Removable Media
Policy Template

Set data security standards for portable storage
Define the acceptable use of removable media
Inform your users about their security responsibilities

Get started today—Download the FREE template and customize it to fit the needs of your organization.

Get the FREE Template

FREE Employee Offboarding Checklist Template—Prevent Data Theft by Departing Employees

employee offboarding checklist with fields for employee information, checkboxes, date, signature, and comments.

Concerned about the damage a soon-to-be-ex-employee could cause with access to IP, passwords, and other sensitive data?

Follow this employee offboarding checklist to protect your organization against insider data theft.

Get the Checklist

Conclusion & More Resources to Protect Sensitive Data

Preventing data exfiltration requires a robust mix of data loss prevention tools, security training, user activity monitoring, and deep knowledge of internal vulnerabilities. By following the tips in this article you can mitigate the most common data exfiltration risks.

Dale Strickland

Dale Strickland is the Digital Marketing Manager for CurrentWare, a global provider of user activity monitoring, web filtering, and device control software. Dale’s diverse multimedia background allows him the opportunity to produce a variety of content for CurrentWare including blogs, infographics, videos, eBooks, and social media shareables.

Cookie	Duration	Description
__cfruid	session	Cloudflare sets this cookie to identify trusted web traffic.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
JSESSIONID	session	The JSESSIONID cookie is used by New Relic to store a session identifier so that New Relic can monitor session counts for an application.
LS_CSRF_TOKEN	session	Cloudflare sets this cookie to track users’ activities across multiple websites. It expires once the browser is closed.
OptanonConsent	1 year	OneTrust sets this cookie to store details about the site's cookie category and check whether visitors have given or withdrawn consent from the use of each category.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
_zcsr_tmp	session	Zoho sets this cookie for the login function on the website.

Cookie	Duration	Description
_calendly_session	21 days	Calendly, a Meeting Schedulers, sets this cookie to allow the meeting scheduler to function within the website and to add events into the visitor’s calendar.
_gaexp	2 months 11 days 7 hours 3 minutes	Google Analytics installs this cookie to determine a user's inclusion in an experiment and the expiry of experiments a user has been included in.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_GY6RPLBZG0	2 years	This cookie is installed by Google Analytics.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Cookie	Duration	Description
_opt_expid	past	Set by Google Analytics, this cookie is created when running a redirect experiment. It stores the experiment ID, the variant ID and the referrer to the page that is being redirected.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
NID	6 months	NID cookie, set by Google, is used for advertising purposes; to limit the number of times the user sees an ad, to mute unwanted ads, and to measure the effectiveness of ads.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
_dc_gtm_UA-6494714-6	1 minute	No description
_gaexp_rc	past	No description available.
34f6831605	session	No description
383aeadb58	session	No description available.
663a60c55d	session	No description available.
6e4b8efee4	session	No description available.
c72887300d	session	No description available.
cookielawinfo-checkbox-tracking	1 year	No description
crmcsr	session	No description available.
currentware-_zldp	2 years	No description
currentware-_zldt	1 day	No description
et_pb_ab_view_page_26104	session	No description
gaclientid	1 month	No description
gclid	1 month	No description
handl_ip	1 month	No description available.
handl_landing_page	1 month	No description available.
handl_original_ref	1 month	No description available.
handl_ref	1 month	No description available.
handl_ref_domain	1 month	No description
handl_url	1 month	No description available.
handl_url_base	1 month	No description
handlID	1 month	No description
HandLtestDomainName	session	No description
HandLtestDomainNameServer	1 day	No description
isiframeenabled	1 day	No description available.
m	2 years	No description available.
nitroCachedPage	session	No description
organic_source	1 month	No description
organic_source_str	1 month	No description
traffic_source	1 month	No description available.
uesign	1 month	No description
user_agent	1 month	No description available.
ZCAMPAIGN_CSRF_TOKEN	session	No description available.
zld685336000000002056state	5 minutes	No description

What is Data Exfiltration?

How Threat Actors Exfiltrate Data

1) Unsanctioned Cloud Storage Accounts

2) Portable Storage Devices (USB, Mobile Phones, etc)

3) Email & Phishing

4) Unsecured Servers

5) Social Media & Forums

6) Malware

7) Printers

How to Prevent Data Exfiltration

Removable MediaPolicy Template

FREE Employee Offboarding Checklist Template—Prevent Data Theft by Departing Employees

Conclusion & More Resources to Protect Sensitive Data

Dale Strickland

Related posts

The Cybersecurity Risks of AI & How to Safeguard Sensitive Data

Why Your Business Needs a Data Loss Prevention Strategy

Removable Media
Policy Template