Keep Data Safe When Offboarding Employees
Insider threat management strategies for IT & HR professionals
The employee offboarding process presents significant data security risks. Employees have intimate access to corporate data, insider knowledge of the organization’s systems, and a level of trust that can allow them to steal data undetected.
- 70% of intellectual property theft occurs within the 90 days before an employee’s resignation announcement 1
- 88% of IT workers have stated that they would take sensitive data with them if they were fired 2
- 72% of CEOs admit they’ve taken valuable intellectual property (IP) from a former employer 3
- 50% of respondents in a Symantec survey say they have taken information, and 40% say they will use it in their new jobs 4
These vulnerabilities need to be addressed as part of any insider threat management program.
This white paper will provide organizations with the information they need to address the data security risks of offboarding employees. It will outline the best practices for managing insider threat risks, offer guidance for securely offboarding employees, and provide a checklist of key items that security teams need to include in their offboarding process.
1 “Your Employees are Taking Your Data – Infosecurity Magazine.” 10 Oct. 2019, https://www.infosecurity-magazine.com/opinions/employees-taking-data/. Accessed 30 Dec. 2020.
2 “CyberArk Survey Shows Majority of Organizations ….” https://www.cyberark.com/press/cyberark-survey-shows-majority-organizations-underestimate-scope-privileged-account-security-risk/. Accessed 30 Dec. 2020.
3 “Survey: CEOs Admit Taking Data from Former Employer ….” 24 Jul. 2018, https://www.code42.com/news-releases/ceos-admit-taking-data-from-former-employer/. Accessed 30 Dec. 2020.
4 “What is Yours is Mine: How Employees are Putting Your ….” https://www.itworldcanada.com/assets/whats-yours-is-mine-how-employees-are-putting-your-intellectual-property-at-risk Accessed 4 Jan. 2021.
Table of Contents
Risks, Motivations, and Warning
Signs of Insider Data Theft
The Top 10 Best Practices for Mitigating Insider Data Theft
Risks, Motivations, and Warning Signs of Insider Data Theft
Non-public, confidential, and regulated data needs to be kept safe from your soon-to-be ex-employees. This first chapter will overview the importance of including insider threat management as part of employee offboarding plan.
The Risks Associated With a Data Loss Event
Preventing data loss is of utmost importance for companies with sensitive information. Depending on their industry a given organization could be responsible for the confidentiality and integrity of personally identifiable information (PII), client data, trade secrets, passwords, and regulated data such as electronic health records (EHRs).
Regulatory Violations: Organizations that fail to adequately protect regulated forms of data can be liable for significant fines and other penalties associated with a data breach. In 2017 Equifax agreed to pay a settlement between $575-700M after the personal and financial information of nearly 150 million people was leaked from an unpatched database. 5
Exposure of Trade Secrets: The unintended disclosure of trade secrets, customer lists, and other proprietary information may give competing companies valuable insider information, causing the affected organization to lose their competitive advantage.
Damage to Reputation: When sensitive data such as customer information is breached it leads to negative publicity and a loss of trust that severely damages the offending organization’s reputation. Organizations must do all they can to protect sensitive data from misuse and exfiltration to maintain their trustworthiness as a data controller.
5 “Equifax to Pay $575 Million as Part of Settlement with FTC ….” 22 Jul. 2019, https://www.ftc.gov/news-events/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-states-related. Accessed 4 Jan. 2021.
Causes and Motivations of Insider Data Theft
The 2020 Verizon Data Breach Investigations Report found that 86% of data breaches are motivated by money.6
Confidential data can be a significant windfall for departing employees thanks to its inherent value for competitors and identity thieves. Furthermore, 63% of employees in a Code42 report indicated that they brought data from their previous employer to their current employer.7
Employees that are seeking to transition to a new role may be motivated to use their current employer’s trade secrets to gain an advantage over other applicants.
Feeling Entitled to Intellectual Property
72% of business decision-makers in the Code42 report believe they are entitled to corporate data that they contributed to. 8
This data includes IP such as source code for developers, renders of creative projects for designers, and contact information of clients for salespeople.
To protect against this, organizations need to establish clear policies regarding ownership of intellectual property. They must also closely monitor how their employees engage with the company’s intellectual property, especially within the 90-day window leading up to their resignation or termination.
Employees that are being involuntarily terminated from their roles, passed over for a promotion, or denied a desired raise are more likely to steal or sabotage corporate data and related systems as a way of “getting back” at the company.
For this reason organizations need to be extra vigilant when employees are being offboarded as a result of an involuntary termination. They must also establish HR processes that measure employee satisfaction over time to ensure an employee does not become disgruntled during the course of their employment.
Organizations without critical security controls for managing the flow of data risk having sensitive information retained on employee-managed resources such as cloud storage accounts, personal devices, and email accounts.
This retention is not necessarily malicious in nature; departing employees may simply be unaware that the data is even there, or they may be unaware of the risks associated with having that data in their possession. The possibility of accidental retention further emphasizes the need for an IT employee offboarding process that truly revokes an ex-employee’s access to corporate systems.
Organizations need control over how employees access, store, and interact with data. This includes limiting their ability to transfer data to external storage devices, ensuring that sensitive data remains on company-managed servers, and limiting the file retention abilities of mobile endpoints.
6 “2020 Data Breach Investigations Report ….” https://enterprise.verizon.com/resources/reports/dbir/. Accessed 6 Jan. 2021.
7 “Code42 2019 Global Data Exposure Report.” 3 Oct. 2019, https://www.code42.com/news-releases/code42-global-data-exposure-report/. Accessed 30 Dec. 2020.
8 “Survey: CEOs Admit Taking Data from Former Employer ….” 24 Jul. 2018, https://www.code42.com/news-releases/ceos-admit-taking-data-from-former-employer/. Accessed 30 Dec. 2020.
Warning Signs of Insider Data Theft
Organizations need to be diligent in monitoring employee computer activity for anomalous behavior. The 90 days leading up to an employee’s resignation or termination require particularly stringent monitoring for warning signs of data theft.
The following events may indicate that a departing employee is attempting to bring company-owned data with them:
- Unexpected spikes in data transfers to USB devices, cloud storage accounts, and other data egress points.
- Anomalous fluctuations in email activity such as a higher volume of emails, emails sent to unfamiliar accounts, and an increased prevalence of attachments.
- Anomalous timing of logins to corporate accounts or interactions with files, including after standard office hours or other periods where the employee would typically be inactive.
- Attempts to connect unauthorized and/or unfamiliar USB devices to company-owned devices.
- An increase in web activity to cloud storage sites such as Dropbox or Google Drive, particularly if these services are not typically used for work-related purposes.
The Top 10 Best Practices
for Mitigating Insider Data Theft
Effective insider threat prevention strategies must prioritize data security well before an employee resigns. This next chapter will outline the best practices that organizations must follow both during and before the employee offboarding process.
1. Maintain Collaboration Between HR & IT
While the offboarding process is generally spearheaded by the human resources (HR) department, it is paramount that information technology (IT) staff are proactively involved as soon as possible.
As soon as the employee’s resignation notice is submitted, human resources and information technology staff need to begin their respective offboarding processes. This ensures that as the ex-employee is leaving the premises they are also leaving your network.
If IT is not informed of the resignation or termination, the ex-employee may be able to access sensitive corporate systems well after their departure. This provides ample opportunity for a disgruntled ex-employee to steal corporate data or harm its integrity.
2. Implement Automation Wherever Possible
An Osterman Research study found that 89% of employees were able to access sensitive corporate applications well after their departure. 9
Automating the deprovisioning process reduces the possibility for human error and ensures that deprovisioning processes are properly executed. Reliance on manual processes increases the possibility that offboarding items are missed, incomplete, or not executed in a timely manner.
The use of an identity and access management (IAM) solution allows for the automation of deprovisioning and ensures that the ex-employee’s access to all corporate assets is revoked simultaneously. The access logs created through these tools also provide a valuable audit trail of employee account activity.
Services that cannot be managed via IAM must be thoroughly documented to ensure that the ex-employee’s access is revoked as any level of access to corporate accounts has the potential to escalate into a security breach.
9 “Do Ex-Employees Still Have Access to Your … – Intermedia.” https://www.intermedia.net/assets/pdf/do_ex-employees_still_have_access_to_your_corporate_data.pdf. Accessed 1 Jan. 2021.
3. Adhere to the Principle of Least Privilege
The principle of least privilege dictates that employees should only be provided with the minimum access privileges that are required for their role.
Adhering to this principle reduces the risk of threat actors gaining unauthorized access to critical systems through low-level accounts, devices, or applications.
This includes not providing employees with administrative privileges, having IT personnel use non-privileged accounts when admin credentials are not required, and restricting access to network drives on as-needed basis.
This principle not only applies to corporate accounts; it also includes applications, data, functions, and other resources or permissions related to the role.
By proactively adhering to the principle of least privilege a disgruntled ex-employee will have limited opportunities to steal data or vandalize critical systems prior to their departure.
Throughout the employee lifecycle it is critical that security teams are cognizant of access creep – the tendency for employees to accumulate varying levels of access over their career without being deprovisioned when that access is no longer required.
To prevent access creep the levels of access that a given employee has must be audited during role changes and other events that require modifications to access permissions.
4. Have Separate Accounts for Each User
Permitting the use of shared accounts reduces visibility and control over the access that individual users have to corporate resources.
Shared accounts are easier to breach by attackers as they cannot be readily secured with multi-factor authentication (MFA). The abuse of the account’s resources also cannot be definitively traced to an individual employee.
As each user shares the same credentials it is impossible to know how many current and former employees (or attackers) have access to the accounts.
11 “Gartner’s Top 10 Security Predictions 2016” 15 Jun. 2016, https://www.gartner.com/smarterwithgartner/top-10-security-predictions-2016/. Accessed 3 Sep. 2020.
5. Monitor and Control the Flow of Data
To enforce the principle of least privilege an organization needs to limit an employee’s access to data according to their legitimate work-related needs.
- Data access control systems
- Restricting the use of unauthorized portable storage devices
- Enforced encryption standards
- Web filtering software to block unauthorized cloud storage use
- Monitoring all data-related activities of employees
The monitoring of employee computer activity is critical for detecting data theft attempts. An employee’s computer activity must be closely monitored during the 90 day period before their departure as this is the period where data theft is most likely to occur.
To automate the data risk monitoring process, organizations can implement data security software such as data loss prevention (DLP) and security information and event management (SIEM) solutions that trigger alerts when high-risk activities are detected.
12 “2020 Data Breach Investigations Report – Verizon” https://enterprise.verizon.com/resources/reports/dbir/. Accessed 3 Sep. 2020.
13 “Cost of a Data Breach Study | IBM.” https://www.ibm.com/security/data-breach. Accessed 3 Sep. 2020.
14 “Survey Reveals 72 Percent of CEOs Admit to Taking IP, Ideas and Data with Them from a Former Employer” 24 Jul. 2018, https://www.code42.com/news-releases/ceos-admit-taking-data-from-former-employer/. Accessed 3 Sep. 2020.
6. Perform a Digital Forensics Investigation
A formal digital forensics investigation is not necessarily required for every terminated employee. However, in the event that a breach of protected data is suspected professional services may be required to analyse the root cause of the breach.
If anomalies in an employee’s behavior warrant further investigation by a digital forensics professional, it is a best practice to turn off their computer and have it forensically imaged to maintain the integrity of the evidence.
Digital forensics investigators will analyze the artifacts that are present on the ex-employee’s computer. These digital artifacts may serve as valuable evidence of data exfiltration.
Common artifacts they will search for include evidence of the use of unauthorized USB devices, anomalous interactions with sensitive data, and suspicious web browsing activity.
7. Implement Risk-Based Authentication
Even with a well-documented employee offboarding process there is the potential for items to be missed during deprovisioning.
Risk-based authentication provides an added layer of security by varying the degree of authentication required to access a given resource. If the context of the authentication request is moderate-to-high risk the solution will request additional factors for authentication such as biometric data, one-time passwords, or a PIN number.
The robustness of the requested authentication measures is based on a variety of risk factors, such as:
- The geolocation data of the request
- Previous high-risk account activity
- The general risk level of the individual account
- The sensitivity of the resources being accessed
- The type of device requesting access
In the event that an ex-employee attempts to regain access to corporate systems the risk-based authentication solution will log the access attempts for further investigation.
Implementing risk-based authentication helps balance security and productivity by requiring less stringent authentication for low-risk activity, which improves employee experiences with the organization’s security measures while providing sufficient authentication measures for data that needs to be kept confidential.
8. Limit (Or Eliminate) BYOD
Bring Your Own Device – also known as BYOD – is the practice of allowing employees to use their own personal devices for work-related tasks.
As a best practice, employee-owned devices should not be provided with access to systems that contain sensitive data. An employee’s personal device simply cannot be monitored and managed with the same degree of granularity as company-owned devices.
In the context of offboarding an employee-owned device may retain company data well after the device has been remotely wiped and blocked from use in the company.
Devices that are used for personal activities are also more likely to participate in high-risk web browsing, file downloads, and software usage than a device that is exclusively used for work-related purposes. For optimal data security, employees should be provided with devices that are owned and controlled by the company.
The ownership of company-owned devices should be intimately tracked with an IT inventory management system so terminated employees can be held accountable for returning these assets prior to their departure.
9. Maintain and Validate Backups of Critical Data
To maintain the integrity of data it must be regularly backed up to both on-site and off-site locations. These backups must be regularly validated to ensure that business continuity is possible should an ex-employee engage in malicious data deletion, the destruction of data storage devices, or other acts that would compromise the integrity of critical data.
While data backup programs may include automated validation checks it is a best practice to test the entire data recovery process manually. This verification process must include testing the operational functionality of the data once it has been restored.
10. Combine Technical & Administrative Safeguards
Employee training is a critical component of insider threat prevention. Employees must be trained to recognize the warning signs of insider threats and provided with a channel to anonymously report suspected threats.
Furthermore, company policies such as an acceptable use policy, cybersecurity policy, and non-disclosure agreements ensure that employees are aware of their duty of care to sensitive data. Policies also provide a precedent for litigation should an employee exfiltrate company-owned data prior to their departure.
To maximize the effectiveness of company policies, employees must be kept aware of their data security obligations and their employer’s intellectual property rights throughout their careers, especially during the offboarding process.
Employee Offboarding Checklist for IT Admins
These critical employee offboarding items focus on the unique tasks that IT admins need to perform when deprovisioning an ex-employee from the company network.
This employee offboarding checklist will cover items within these 4 key categories:
- Human Resources & Administrative Controls
- Account and Access Deprovisioning
- Information Technology Asset Management (ITAM)
- Employee Monitoring, Compliance, & Auditing
Concerned about the damage a terminated employee could cause with access to sensitive corporate information, account passwords, and other sensitive data?
Follow this employee offboarding checklist to protect your network following a termination
Human Resources & Administrative Controls
- Remove mentions of the ex-employee from internal documentation such as authorized contacts lists and organizational charts.
- Remove any mentions of the ex-employee from company websites to prevent social engineering attacks.
- Have the ex-employee sign statements acknowledging that all company-owned assets have been returned and that their access to company systems has been revoked.
- Announce the ex-employee’s departure to relevant parties, including clients and vendors that the employee worked with. Ensure that IT personnel are aware of the departure in advance so they can monitor employee computer activity for evidence of data theft and revoke access to the company’s resources and facilities.
- Perform an exit interview that assesses potential risk factors. Overview all policies that the employee has previously agreed to such as non-disclosure agreements and intellectual property rights.
Account and Access Deprovisioning
- Provide designated individual(s) with access to the ex-employee’s files following their departure.
- Revoke the employee’s access to any corporate accounts and assets, such as social media accounts, remote access tools, and identity and access management (IAM) systems.
- Suspend or disable the employee’s accounts on all platforms (SaaS, domain logins, etc). Make any required backups of their account data, then delete the account after a predetermined retention period.
- Change passwords on any shared accounts and take steps towards removing the need for shared accounts in the future.
- Disable the employee’s email access. Forward their emails to a designated individual and place their mailbox on Litigation Hold if there is a need to preserve all mailbox content, including deleted items and original versions of modified items.
- If the employee was the owner of any systems, ensure that ownership is transferred to the IT department and that the employee’s access methods are revoked. Take steps towards removing the need for employees to have ownership over corporate systems in the future.
- Ensure the employee’s telephone is not forwarded to any external numbers they can access, such as their cell phone.
- Delete the employee’s voicemail account and/or change their voicemail password.
- Modify physical access control devices such as door codes to prevent the ex-employee from physically accessing the premises.
Information Technology Asset Management (ITAM)
- Obtain custody of company assets including computers, mobile devices, external storage devices, security access cards, and company credit cards. Update IT inventory databases with any relevant information.
- Before reimaging the employee’s computer, consider making a complete backup and retaining it for at least 30 days.
- Backup and wipe any corporate data that is stored on employee personal devices.
- Take an inventory of all of the files and projects the ex-employee was working on and ensure that any related materials have been returned.
- Ensure that any files that have been stored outside of primary file repositories are moved to a designated secure location. Take steps to mitigate improper data storage practices in the future.
Employee Monitoring, Compliance, & Auditing
- In the event of a suspected data breach, retain a forensic image of the employee’s computer for an appropriate length of time as determined by relevant laws, policies, and regulations.
- Review access logs for firewalls, VPNs, and network servers for any suspicious or high-risk such as anomalous access of sensitive data, higher frequency of access, or accessing files that are unrelated to their position. Continue monitoring access logs on an ongoing basis.
- Monitor employee computer activity during and after employment, including web usage (visits to unauthorized cloud storage sites, suspicious search engine queries, etc), file downloads, and USB activity (large file transfers, exfiltration of sensitive data, the use of unauthorized devices, etc.).
- Review network printer activity for the anomalous printing of sensitive files.
- Monitor emails that are being sent to personal email accounts and scan file attachments for evidence of sensitive data.
Conclusion & Further Reading
Insider data theft is a pervasive issue that threatens an organization’s reputation, business continuity, and competitive edge.
The employee offboarding process presents one of the greatest opportunities for insider threats to steal sensitive information, intellectual property, and other crucial data.
By combining a planned offboarding process with advanced monitoring and control over data egress points an organization can protect their sensitive data against theft by terminated employees.
CurrentWare’s data security software solutions are advantageously priced, simple to use, and scalable for organizations of all sizes. Want to learn more? Contact our team by phone, email, or live chat.
- Monitor & control USB devices to protect against illicit transfers
- Monitor employee internet use for evidence of high-risk web browsing
- Block dangerous websites to improve the security of your network
Ready to protect data against insider threats?
CurrentWare’s Security Software
Restrict Endpoint Devices & Prevent Data Theft
Data loss prevention software. Block USBs and use file operations reports to collect evidence of file transfers to portable storage devices.
Restrict Internet & Application Access
Internet and application blocking software. Block websites to enforce internet use policies and secure your network against malicious websites.
Track Internet & Application Usage
Employee monitoring software for tracking internet and application usage. Generate graphical and tabular reports from a convenient central console.
Remote Device Manager
Remote device management software for managing endpoint device settings. Remotely shut down computers and audit logon activity.