Industry Insights

Mitigating Departing Employee Data Loss Threats

5 min Read

Mark Wojtasiak

Vice President, Portfolio Marketing


Brutal truth: most organizations don’t have a specific and consistent workflow to account for data exposure risks surrounding widespread workforce changes like layoffs, furloughs and reductions in pay. According to Gallup, 53% of Americans have been financially impacted by workforce changes as a result of COVID-19.

Workforce Change Creates Data Risk

Workforce change is an emotional time for employees both directly and indirectly impacted. Big organizational moves in the spirit of corporate survival can tempt even the best of us to take precautions with our work and our work product – company data. Well intentioned employees might simply be preparing for the unknown or preparing for what they feel is inevitable. Some may be simply trying to make landing their next job easier. In most cases, employees impacted by organizational change are not trying to do harm to the company. They are simply taking the same precautions that the very organizational change decisions were based on – survival.

Regardless of the motivation, two-thirds (63%) of employees who admit to taking data with them from one employer to the next are repeat offenders. The consequences of this behavior can be more damaging to a business when workers take data from a former employer and go to work for a competitor. Three in five (59%) employees move to a company in the same industry.

The Code42 2020 Data Exposure Report showed that 87% of employees report that no one ever approached them during the off-boarding process to verify that they hadn’t taken data.

It’s not black and white

The risk posed by departing employees tends to be viewed in absolute terms. Most organizations assume that 99.9% of employees would NEVER take anything or do anything risky. “They’re good people; they know better,” is something we hear all too often. On the flip side, most assume that any employee that does take data is doing so maliciously. The reality is that there’s a tremendous gray area. Most people aren’t outright stealing. They’re doing things like:

  • Pulling together their best work to help them land a new job
  • Taking the work they’re most proud of with them
  • Taking things like templates to use in their new gig
  • Taking “their” client info
  • Deleting files to “help” clean up their devices for the next user

Even just sharing work with colleagues, or pulling important working files onto thumb drive to give to a current colleague to ensure the project keeps moving forward after they leave
A vast majority of employees have the very best intentions, but regardless of intention – good, bad, indifferent – the actions put company data at risk.

Offboarding is just as important as onboarding

While most organizations dedicate significant time and resources to their employee onboarding program, offboarding gets far less attention. In fact, most organizations don’t have a specific and consistent workflow to account for the unique data exposure risks surrounding a departing employee much less involve the security team if they actually do have a process.

Building an employee offboarding workflow

With employee departures accelerating across the US workforce — you need to have a dedicated program to account for any and all associated data risks. So, what should that program look like? Here are a handful of best practices that simplify the task:

  • Have a corporate policy. Every organization needs an explicit, written policy around corporate data use and ownership with clear policies around what employees can and cannot take; where they can and can’t move data; and how they should go about getting permission to take files or data upon their departure.
  • Publicize the policy. Make data security best practices part of employee onboarding. But also make sure data exfiltration review is part of the offboarding process. A simple reminder can go a long way toward preventing well-intentioned employees from doing something they shouldn’t.
  • Create a departing employee trigger — and execute the workflow every time. Most organizations have a new employee trigger, owned by HR, that automatically sets in motion an onboarding process that includes everything from training to IT and security teams giving the new employee the access privileges they’ll need. HR should also have a departing employee trigger that automatically sets in motion an offboarding process that includes a security analysis of the employee’s data activity to account for potential risks. Just like onboarding, this departing employee workflow should be followed for every departing employee — not just those you consider high-risk. 
  • Go back in time. A common mistake is to think data risk comes right before employees leave. The reality is that the risky activity can occur much, much earlier — as they’re taking precautions or prepping for the inevitable. Remember, organizational change is an emotional time for all employees involved and can span days, weeks, even months. To account for this reality, best practice is to analyze an employee’s data activity going back months from the day of departure.

  • Build a “red flag” list with leaders. Engage line of business leaders to build a specific list of each department’s most valuable files and file types: source code for tech companies, CAD drawings at an engineering firm, Salesforce files and customer lists, spreadsheets with financial info, codenames for R&D projects, etc. Make sure your monitoring tools allow you search and filter activity by file type, category, name, etc., so you can quickly look for these red-flag activities.

A departing employee workflow example

Here’s a rough look at how a departing employee workflow…works:

1) TRIGGER
Employer or employee gives notice, triggering activity review by IT security.

2) ANALYZE
Security looks back at the past 90 days of employee data activity to identify data risk events.

3) FLAG
Security flags suspicious activity: a client list that was emailed to an personal email or uploaded via a browser to a personal cloud account.

4) REVIEW
Security restores the spreadsheet and notifies HR. HR brings it to the LOB manager. LOB manager confirms that the file activity in question was not authorized.

5) ESCALATION
Depending on the activity and severity of the risk, the issue may be escalated to legal by either HR or the LOB manager.

It all depends on visibility

Technology has made it easy for us to collaborate and get work done. The ease in which data can be accessed, moved and shared across an organization also poses immense data visibility and thus, data risk challenges. It has never been easier for us to put data like product ideas, source code and customer lists at risk. Regardless of an employee’s intention, the fact of the matter is that all it takes is one data leak, and an organization could be on the hook for millions of dollars in lost revenue, fines for non-compliance, a loss of intellectual property and damage to the brand. The scary truth is that today, it’s not one employee – it’s numerous employees both directly and indirectly impacted by workforce changes that introduce greater data risk. The first step for any organization trying to manage the inevitable data risks that comes with workforce change is ensuring they have visibility. Visibility to data risk across users, devices and clouds is critical to quickly detect data risk, and investigate and respond to it as fast as possible. If workforce change and data risks go hand in hand, then insider risk detection and response for workforce changes is hand in glove.

Mark Wojtasiak

As vice president of portfolio marketing at Code42, Mark leads the market research, competitive intelligence and product marketing teams. Mark joined Code42 in 2016 bringing more than 20 years of B2B data storage, cloud and data security experience with him, including several roles in marketing and product management at Seagate.