Case Study

Protecting IP, Stopping Data Exfiltration & Mitigating Insider Risk During Employee Offboarding


Increased data risk due to gaps in the employee offboarding process

The COVID-19 pandemic had a significant impact on the travel and hospitality industries. Throughout the world, people cancelled vacation plans and indoor dining ground to a halt. For one travel technology company, this slowdown led to a dramatic drop in usage of their platform, ultimately forcing the company to lay off a significant portion of its workforce.

As the company prepared for this unfortunate situation, their security team quickly recognized that intellectual property exfiltration by insiders, a risk amplified by the staff reduction, was not well considered in their existing employee offboarding process. Lacking the necessary visibility over file movement within their environment, the security team feared they simply wouldn’t know if departing employees were inadvertently or intentionally walking out the door with valuable company data. “We felt there was a good chance that we would miss something,” said the company’s security analyst.


An urgent need to protect an uncertain environment

With the increased risk of data like customer information and technology roadmaps leaving the organization, the company’s security team understood the urgency around building a stronger Insider Risk program. Yet, the company was initially hesitant to invest in strengthening its Insider Risk posture around employee offboarding during the pandemic. After all, the market was contracting and the company-wide directive was to save, not spend. To move forward, the security team needed to gain buy-in from other departments — legal, human resources and the SecOps teams — by demonstrating how the right Insider Risk management solution would deliver business value across the organization.


A simple deployment with a supportive team

While the company had worked with Code42 for a number of years, they had not yet explored all the data risk detection and response features Incydr had to offer. After learning about the planned layoffs, Code42 and the company’s security leaders discussed additional support to prevent data loss during their employee offboarding process. The company decided to purchase Incydr after determining that the increased risk of malicious and/or unintentional exfiltration associated with offboarding a large number of employees was significant enough to invest in taking immediate steps to improve their risk posture.

The solution was not only easy to deploy, but proved to be intuitive and natural for employees to learn. “We’ve been able to use the system very easily. It’s been a great point of investigation,” said their security analyst.


A high-value addition to their security stack

Incydr also complemented the CrowdStrike Falcon endpoint security platform that the company already used to combat external risks to data. Falcon would alert on a data movement event, and Incydr would provide details of the files, users, and vectors of movement involved, along with remediation workflows to stop the threat. With these details, the company could prioritize data movement across the organization by risk and get high-fidelity alerts on exfiltration happening in real time.

“We not only saw the value of having a ‘paper trail’ of how someone gained access and/or exfiltrated data, but we appreciated the ability to have the actual file,” said the security analyst. The Incydr product was also set up to provide the company’s human resources and legal teams with a fuller picture to inform any investigations during the offboarding process, which helped the company realize organization-wide value and gain broad buy-in.

The seamless integration of the Incydr and CrowdStrike solutions was an ideal match for the open, collaborative culture of the company, allowing them to adopt a “trust but verify” approach that protected data, without blocking or slowing its users.


An effective offboarding strategy that protects culture and competitive advantage

Today, the company can investigate data exfiltration events faster, with detailed information at the file, vector, and user levels, so they can accurately detect and respond to insider threats. The security team can see where their data is moving, whether it’s with remote users, on off-network devices, or in cloud- and web-based apps. They have a high-fidelity risk signal that they can trust, without the need to sort through false positives. And security has immediate access to the context they need to investigate events quickly and determine a right-sized response alongside their business partners, like those in HR or Legal.

The company leverages this increased understanding of their environment, high-fidelity alerting and additional context to drive a revamped employee offboarding process that gives them confidence that valuable intellectual property won’t slip through the cracks or walk out the door with departing employees. Just as importantly, they’ve dramatically enhanced data security in their organization, without damaging their open, collaborative workplace culture — allowing them to continue attracting top talent and fostering innovation that powers their competitive advantage.

According to the company’s security analyst, the entire experience of implementing Incydr stands as proof that “you can have a collaborative culture and still protect data from leaving the organization.”
