The average organization experiences 9 insider threats each month

After analyzing actual cloud usage across over 23 million employees, Skyhigh Networks uncovered how user behaviours put companies at risk and how catching and managing this behaviour can be the proverbial “canary in the coal mine” in reducing the risk of data loss.


This report exposes the types of sensitive data stored in cloud services, how that data is shared within organisations and with third parties; and how risky employee behaviours put corporate data at risk. It also examines the external threats that use the cloud to exfiltrate sensitive data pilfered from on-premises systems as well as attacks directed at corporate data stored in cloud services.

Insider threats include behaviours that unintentionally expose an organisation to risk, such as mistakenly sharing a spreadsheet with employee Social Security numbers externally. They also include malicious activity, such as exfiltrating proprietary data.

  • 89.6% of organisations experience at least one insider threat each month – that is up from 85% for the same quarter last year
  • 55.6% of organisations experience unusual behaviour by privileged users, such as administrators accessing data they should not, each month
  • The average organisation experiences 9.3 insider threats each month.

Slightly more than half of all organisations experience account compromises each month. Many business-critical cloud services support multi-factor authentication, and companies can reduce their exposure to account compromise by enabling this feature.

  • On average, organisations experience 5.1 incidents each month in which an unauthorised third party exploits stolen account credentials to gain access to corporate data stored in a cloud service
  • Earlier research by Skyhigh showed that 92% of companies have cloud credentials for sale on the Darknet.

In order to extfiltrate stolen data from on-premises systems of record, hackers are increasingly turning to public cloud services.

  • The average organisation experiences 2.4 cloud-enabled data exfiltration events each month
  • The average incident involves 410.0 MB of data.

The percentage of documents that are shared via file sharing services hit an all-time high in Q3 of 2015. While enhanced collaboration between colleagues and business partners is a positive development, the ease with which data can be shared also carries the risk that a sensitive file may be unintentionally shared too broadly or outside the organisation, violating company policies.

  • 28.1% of employees have uploaded a file containing sensitive data to the cloud
  • The average organisation shares documents with 849 external domains via these services
  • Of all documents stored in file sharing services, 37.2% are shared with someone other than the document’s owner
  • 71.6% of shared documents are shared internally with select users
  • 12.9% of shared documents are shared with all employees within an organisation
  • 28.2% of shared documents are shared with business partners
  • 5.4% of shared documents are accessible by anyone with a link
  • 2.7% of shared documents are actually publicly accessible and indexed by Google.

As recent high-profile data breaches demonstrate, cyber criminals are seeking out documents containing company budgets, employee salaries and employee Social Security numbers. Their goal is often to disrupt the operations of these companies or to use this information for financial gain. It’s not uncommon for employees to use words like “bonus”, “budget” or “salary” in file names. The average enterprise has:

  • 7,886 docs with “budget” in the file name
  • 6,097 docs with “salary” in the file name
  • 2,681 docs with “bonus” in the file name
  • 2,217 docs with “confidential” in the file name
  • 1,156 docs with “password” in the file name
  • 1,384 docs with “passport” in the file name
  • 248 docs with “confidential” in the file name
  • 156 docs with “press release” in the file name.