Intelligence in Defensive Security

Data Exfiltration: Why Prevention Fails and How to Fix It 

Posted on Jul 14 / 2026

Summary

Protecting data from leaving an organization sounds like a straightforward goal. In practice, it's one of the hardest problems in security to actually solve, and most prevention efforts fail because they try to fix it all at once. The difficulty comes down to three things:  

  1. The sheer number of channels data can move through 
  2. The technical challenge of telling a normal transfer from a malicious one 
  3. The organizational disagreements over what counts as sensitive in the first place.  

None of that means the problem is unsolvable. A layered, achievable approach to prevention doesn't require solving every piece before making real progress. 

Why One Control Isn't Enough

The instinct is to treat data exfiltration as a single choke point. Block the bad transfer, catch the suspicious email, done. That framing doesn't hold up once you look at how many ways data actually leaves an organization. 

Every company runs some kind of file-sharing platform, whether that's Box, OneDrive, or something similar. Each one is its own exit route, and each needs its own set of restrictions. Email is a separate surface entirely, and not just in the obvious sense of attachments. Features like direct send, often used to support legacy hardware like networked printers, can open communication paths that don't get the same scrutiny as a standard outbound email. 

Locking all of these down evenly is where organizations get stuck. Most platforms default to permissive settings:  

  • Broad access 
  • Few restrictions on who can be contacted 
  • Minimal limits on what can be uploaded.  
  • Tightening that means walking back conveniences that people have already built habits around, and that tends to generate friction long before it produces a security win anyone can point to. 

The Network Doesn't Make It Easier

Even when a transfer looks suspicious, proving it is a different challenge. Attackers who understand detection systems will often stagger data transfers at irregular intervals rather than sending it all at once, a technique designed specifically to blend into normal traffic patterns instead of standing out as a spike. 

Encrypted connections compound the problem. Without visibility into what's inside a transfer, a security team is often left guessing at the difference between a routine multi-gigabyte backup and a multi-gigabyte theft happening in plain sight. 

Classification tools exist to help close this gap. Platforms like Microsoft Purview can automatically flag files containing sensitive categories, such as payment card data or protected health information, and apply restrictions before those files leave the network. That's a meaningful step forward, but rolling it out across years of accumulated files and folders is its own significant undertaking, one most security teams don't have the bandwidth to complete quickly or all at once.

The Harder Problem Isn't Technical

The most difficult part of exfiltration prevention has less to do with tools and more to do with agreement. Before anything can be classified or restricted, an organization has to decide what counts as sensitive, and that decision rarely has one clear answer. 

Different business units tend to have different opinions about what matters. A sales team might consider a customer contact list critical. A finance team might feel the same way about payroll records or a set of vendor banking details. Getting every part of an organization to agree on a shared definition of "sensitive" is closer to a negotiation than a settings change, and it's a negotiation that must happen before any classification system can be effective. 

That negotiation doesn't stay settled for long, either. New hires, departing employees, new vendors, and new software all shift what data exists and who has access to it. Every one of those changes reopens the classification question a little further. 

Building a Realistic Defense, One Layer at a Time

The fact that data exfiltration can't be solved with a single control doesn't mean it can't be managed well. It means the approach has to be layered, and each layer is achievable on its own even before the others are in place.

Start with visibility, not perfection. Full file classification across an entire organization is a long-term project, but two specific behaviors are worth watching for immediately. The first is staging, where data starts accumulating in one place ahead of a transfer. The second is volume anomalies, where a transfer falls well outside what's normal for a given user or system. Neither requires a finished classification system to catch. They just require knowing what a baseline looks like and flagging what doesn't match it.

Apply classification where the risk is highest first. Rather than trying to tag every file an organization has ever created, tools that automatically identify categories like payment card data or protected health information can be pointed at the highest-risk repositories first. That gets meaningful protection in place around the data that would cause the most damage if it left, without waiting on a company-wide rollout. 

Tighten the platforms already in use. File-sharing tools like Box or OneDrive don't need to be replaced to be more secure. Moving from a permissive default, where broad access and uploads are allowed, to a restrictive one, where only specific users or trusted organizations can be contacted and where upload permissions are limited, closes off a meaningful amount of exposure without disrupting how people work day to day. 

Treat every recommendation as specific to the organization, not generic. A control that makes sense for one company's data, team structure, and risk tolerance won't automatically fit another's. The organizations that make the most progress here are the ones that treat this as an ongoing, tailored program rather than a one-time checklist, adjusting as new hires, new vendors, and new tools change what needs protecting. 

None of these steps depends on the others being finished first, and none of them requires solving the classification and ownership questions company-wide before showing results. The goal isn't to build a system that catches everything. It's to close the largest gaps first, build from there, and stay close enough to a constantly moving target that when something does start to leave, someone notices in time to act. 

See It for Yourself

Understanding why data exfiltration is difficult is one thing. Watching it play out against a live environment and seeing exactly where detection catches up and where it doesn't, is another.  

Echelon Risk + Cyber recently continued walking through a full purple team simulation covering data exfiltration and more, available now as an on-demand recording

If your organization wants to know how its own exfiltration detection and prevention would hold up under real adversarial pressure, learn more about Echelon's Purple Team services

Are you ready to get started?