There are various ways a departing employee could put your organization at risk of a data breach. How do you offboard employees the right way and ensure your data remains safe?
The COVID-19 pandemic has created the perfect conditions for insider risk. Financial crises have in the past led to a spike in fraud and nefarious activity, and it’s reasonable to assume that the wave of job losses and uncertainty that emerged in early 2020 did the same. At the same time, companies have never been more exposed, through extensive supply chains and partnerships, and their remote working and cloud infrastructure – much of which was built up in response to the pandemic.
The bottom line is that, by design or accident, employees on their way out of the door may end up causing significant financial and reputational damage if the risks are not properly mitigated. The cost of insider-related incidents spiked 31 percent between 2018 and 2020 to reach nearly US$11.5 million. That makes effective offboarding processes an essential part of any security strategy – yet one that’s too often overlooked.
Can (departing) employees be trusted?
The corporate attack surface is often viewed through a lens of external threat actors. But it can also be abused by internal employees. Cloud-based applications, data stores and other corporate networked resources can be accessed today in many organizations from virtually any device, anywhere. This has become essential to supporting productivity during the pandemic, but it can also make it easier for employees to circumvent policies unless the right controls are in place.
Unfortunately, research suggests that many (43 percent) organizations don’t even have a policy that forbids staff taking work data with them when they leave. Even more concerning, in the UK, only 47 percent revoke building access as part of offboarding and just 62 percent reclaim corporate devices.
Additionally, separate data finds that nearly half (45 percent) download, save, send or exfiltrate work-related documents before leaving employment. This happens most frequently in the tech, financial services and business, consulting and management sectors.
Why does it matter?
Whether they take data with them to impress a new employer, or steal or delete it as the result of a grudge, the potential impact on the organization is severe. A serious data breach could lead to:
- Investigation, remediation and clean-up costs
- Legal costs stemming from class action lawsuits
- Regulatory fines
- Brand and reputational damage
- Lost competitive advantage
In one recent case, a credit union employee pleaded guilty to destroying 21GB of confidential data after she was fired. Despite a colleague requesting that IT disable her network access during offboarding, it was not done in time and the individual was able to use her username and password to access the file server remotely for around 40 minutes. It cost the credit union US$10,000 to fix the unauthorized intrusion and deletion of documents.
How to create more secure offboarding
Many of these threats could have been better managed if the organizations involved had put in place more effective offboarding processes. Contrary to what you might think, these should begin well before an employee signals their intent to resign, or before they are fired. Here are a few tips:
Clearly communicate policy: An estimated 72 percent of office workers apparently think the data they create at work belongs to them. This could be anything from client lists to engineering designs. Helping them understand the limits of their ownership of IP, with clearly communicated and formally written policy, could prevent a great deal of pain down the line. This should be part of any onboarding process as standard, along with clear warnings about what will happen if staff break policy.
Put continuous monitoring in place: If an unscrupulous employee is going to steal information prior to leaving your company, they’re likely to begin doing so well before they notify HR of their job move. That means organizations must put in place monitoring technologies that continuously record and flag suspicious activity—whilst of course observing local privacy laws and any employee ethical concerns.
Have a policy and process ready and waiting: The best way to ensure seamless and effective offboarding of every employee is to design a clear process and workflow ahead of time. Yet while nearly all organizations have an onboarding process, many forget to do the same for departing staff. Consider including the following:
- Revoke access and reset passwords for all apps and services
- Revoke building access
- Exit interview to check for suspicious behavior
- Final review of monitoring/logging tools for evidence of unusual activity
- Escalate to HR/legal if suspicious activity is detected
- Reclaim any physical corporate devices
- Prevent email forwarding and file sharing
- Reassign licenses to other users
As organizations gear up to face the post-pandemic world, competition for customers will be fiercer than ever. They can little-afford valuable IP walking out of the door with departing employees, or the financial and reputational damage that could result from a serious security breach. Offboarding is one small piece of the security puzzle. But it’s a critically important one.
written by Phil Muncaster, ESET We Live Security