What has always surprised me is that companies don't seem to be using DLP solutions with rate limiters. Or better yet, is there a DLP or other solution that required approval to exfiltrate data above a set amount? It seems like it would be very hard to request that access if I person knows they will need it and it wouldn't seem like it would be a regular occurrence. And yes, you things like streaming services that do more large amounts of data but there again you could have things locked down so data could only be sent out certain addresses and ports by certain processes. Who am I kidding if we can't get places to do simple updates and backups how would this ever happen!
I've had this discussion many times with many clients, their designers aka "architects", engineers and business executives all with similar excuses. That is until I am conducting a post mortem from the last time this happened and now they need help.