Skip to content

The Incydr™ Scoop: Insider Risk by the Numbers – Q4 2021

Three key Insider Risk findings emerged in Q4 2021:

  • Data exfiltration via cloud trending up
  • Data exposure risk severity trending riskier
  • Critical severity data exposure events on the rise

There’s one thing about Insider Risk – it’s constantly changing, thus so is the research and analysis we do with Incydr product telemetry.  Over the course of the last four quarters, we’ve analyzed everything from file exposure by category and exfiltration vector to breaking down data exposure events by Incydr Risk Indicator (IRI) to the likelihood and impact of the Great Resignation on data exposure and exfiltration. No doubt, data exposure and exfiltration – what we call Insider Risk – ebbs and flows as remote-hybrid work, collaboration technology adoption and workforce turnover dynamics evolve. 

With all of this change, we decided to go back to basics and answer one simple question: what is the state of Insider Risk? To answer that, we analyzed 3 things:

  1. What are the most common data exfiltration methods?
  2. What level of data exposure, aka insider risk, exists?
  3. What insider risk indicators signal the highest potential impact?

The most common data exfiltration methods

We asked Incydr – of all of the data exposure events, regardless of severity level, what are the most common insider risk indicators?  Answering this question provides a clearer picture of the likelihood and frequency of specific data exposure or exfiltration events occurring across organizations. It also helps us understand what opportunities exist for Insider Risk awareness and employee education.  

What we found is that data exfiltration via removable media remains common, but is trending down (-15%).  In terms of what’s trending up, the largest change in exfiltration vector use across all data exposure events regardless of risk severity were file uploads to cloud drives (up 51%) We predict that exfiltration via cloud services will become the exfiltration vector of choice in early 2022. To add, movement of source code files increased the most (up 28%) of all file categories. What this tells us is that employees are increasingly turning to cloud services to move source code.  Given source code is considered a critical file category, we asked Incydr for Q4 trends in critical data exposure and exfiltration.

What level of data exposure exists?

To answer this question, we asked our product – Incydr™ – to tell us the mix of data exposure events by level of severity. We measure severity based on Insider Risk Indicators (IRIs). Incydr comes with default severity levels for IRIs related to file, user and vector activity. Customers can adjust IRI severity based on their own risk tolerance. To read more about how Incydr calculates risk severity based on a customer’s risk tolerance, we have a great technical white paper and demo video.

In Q4 2021, 22% of data exposure events were high to critical severity compared to 18% in Q3. Low severity data exposure events dropped from 12% to 6% in Q4.

  • Critical severity data exposure events:  increased Q3: 6% vs Q4: 10%
  • High severity data exposure events: increased Q3: 11% vs Q4: 12%
  • Medium severity data exposure events: increased Q3: 70% vs Q4 72%
  • Low severity data exposure events: decreased Q3: 12% vs Q4: 6%

What this tells us is data exposure is getting worse and by worse, we mean riskier. The mix of data exposure events detected by Incydr trended riskier in Q4 versus Q3 2021. 

Critical severity data risk exposure events on the rise

What we found is that critical severity data risk exposure events were on the rise in Q4 2021. The percentage of critical severity data exposure events increased 61% from Q3 to Q4 2021. By comparison, high and moderate severity events remained flat, whereas low severity events decreased 48%.

  • Critical severity events increased 61%
  • High severity events remained flat, only increasing 2%
  • Moderate severity events also remained flat, increasing 2%
  • Low severity events decreased 48%

Naturally, we wanted to know what file, vector and user IRIs were triggering the increase in critical events.  The top three risk indicators for critical severity events in Q4 were:

  • Uploads to cloud, including OneDrive, iCloud, Google, Box, Dropbox, etc. We saw a 44% increase of this risk indicator in critical to high severity events.
  • Multimedia files represented the largest increase (23%) in risk indicators triggered of all file types from Q3 to Q4. Multimedia includes any video, images or audio files. 
  • Source code file exfiltration increased 22%. 

It’s important to note that removable media was used less than cloud services in critical to high severity data exposure events. In fact, the largest decrease in IRIs triggered for critical to high severity data exposure was removable media (-14%) from Q3 to Q4 2021. Further indicating that cloud services are becoming the exfiltration vector of choice. To make matters worse, early data on our latest user IRI focused on first time use and rare use of a service finds that the cloud services employees use are abnormal. This may be indicative of remote workforces using shadow IT. We will know more as we collect more data in 2022.


We asked a lot of Incydr in Q4, here are three predictions we have for 2022:

  1. Cloud will become the primary data exfiltration method by the end of Q2 2022 replacing removable media. 
  2. Efforts to block critical data risk exfiltration from happening (i.e. Data Loss Prevention) will keep falling short. Critical to high severity data risk exposure events will continue to rise in the absence of well-defined Insider Risk Programs and processes.
  3. Employees will continue to find new and creative ways to get their jobs done.  We will see rapid growth in rare use and/or first time use of a destination. 

Additional Resources:

If you would like to better understand what level of data exposure exists at your organization and how to improve your organization’s insider risk posture through automated controls and education, we can help. Contact our sales team to discuss running an insider risk assessment or to learn more about advisory services around developing an Insider Risk Management program. 

You might also like: