INSIDER THREAT

How Business Leaders Can Help Stop Departing Employee Risk

5 MIN READ

Todd Thorsen

Director, Governance, Risk Mgmt & Compliance

With insider threat in the headlines every day, how are companies still letting departing employees walk out the door—and right to a competitor—with stolen trade secrets and other valuable information? Because the typical employee offboarding process is riddled with gaps that let the data loss risk fall through unnoticed.

Here’s an all-too-common scenario: As the departing employee waves goodbye on his last day, HR pats themselves on the back for orchestrating a smooth exit. They have a new hire ready to take his place—and they even caught him trying to take a company stapler. But they weren’t looking when he moved customer lists to his personal Google Drive account a few hours ago. IT might have been able to see that data movement, but they’re busy decommissioning his laptop and removing network access privileges. And besides, data risk is aecurity’s job. Security knows that departing employees present their biggest data loss risk. But they’re not connected with HR’s offboarding process, so they don’t know who to be watching closely—and they don’t have the tools to see everything that IT can see anyway.

Shared accountability is critical for stopping insider threat

Security ultimately holds accountability for data risk and insider threat. But as you can see in the example above, security cannot do it alone. Without partnerships with HR, IT and legal, security is flying blind.

HR needs to align with security, so they know who to watch.
IT needs to align with security, so they can watch what really matters: the data.
Legal needs to align with security, so they’re ready to respond immediately and with full information on the incident.

5 Steps to Stopping the Departing Employee Risk

What does the employee offboarding process look like when each team fully understands their discrete responsibilities and shared accountabilities? Take a look:

To Continue Reading…

Share a few pieces of information and we’ll personalize your experience with us

1. TRIGGER

As soon as the departing employee gives his notice, HR immediately triggers an alert to both IT and security. HR could also trigger an alert for other data loss situations, such as a high-risk termination or an employee being placed on a performance improvement plan.

2. ANALYSIS

The security team uses a data visibility tool that’s integrated with IT to ensure full, real-time visibility of all data—across every device, network and cloud, whether online or offline. This enables security to look back up to 90 days before the employee gave notice—when the majority of data loss incidents happen. If you don’t have visibility to this historical activity or if your process doesn’t include analysis of this historical activity, then you have a huge blind spot.

3. ACTIVITY FLAGGED

Security identifies suspicious or risky activity pertaining to a potentially valuable spreadsheet file. Thanks to that comprehensive visibility, including the ability to immediately see the actual contents of the file in question, security can now work with IT and line-of-business (LOB) leaders to dive into exactly what happened and what risk it poses to the business.

4. HR AND LINE OF BUSINESS REVIEW

Security instantly restores the spreadsheet in question and brings it to HR and the LOB manager. The LOB manager confirms that the spreadsheet is a recent customer list—a highly valuable and sensitive document that the employee was not authorized to take with them.

5. ESCALATION

Security reports the confirmed risk to legal, including all relevant contextual information. Depending on company protocol, security, legal or representatives from both teams will confront the departing employee before he walks out the door—armed with full information on exactly what happened, right down to the name on the Google account and the time when the customer list file was uploaded. The employee deletes the file from his Google account under legal supervision, and the data risk is averted.

The critical ingredient in this entire process is shared accountability. Everyone in this scenario—HR, IT, security and legal—has made insider threat a priority. They understand exactly what they’re accountable for and who they’re accountable to. They’re working together to protect the business—and they’re living happily ever after, with both their data and their staplers confidently protected.

Todd Thorsen

Todd Thorsen, CISSP, CISM and CIPP/US, is a director of governance, risk mgmt and compliance at Code42. Previously, Todd led the enterprise third-party security team, where he was responsible for third-party security, privacy and compliance across all retail, banking and healthcare operations.