Keep Data Safe When Offboarding Employees

Insider threat management strategies for IT & HR professionals

Executive Summary

The employee offboarding process presents significant data security risks. Employees have intimate access to corporate data, insider knowledge of the organization’s systems, and a level of trust that can allow them to steal data undetected.

  • 70% of intellectual property theft occurs within the 90 days before an employee’s resignation announcement 1
  • 88% of IT workers have stated that they would take sensitive data with them if they were fired 2
  • 72% of CEOs admit they’ve taken valuable intellectual property (IP) from a former employer 3
  • 50% of respondents in a Symantec survey say they have taken information, and 40% say they will use it in their new jobs 4

These vulnerabilities need to be addressed as part of any insider threat management program.

This white paper will provide organizations with the information they need to address the data security risks of offboarding employees. It will outline the best practices for managing insider threat risks, offer guidance for securely offboarding employees, and provide a checklist of key items that security teams need to include in their offboarding process.

1 “Your Employees are Taking Your Data – Infosecurity Magazine.” 10 Oct. 2019, Accessed 30 Dec. 2020.
2 “CyberArk Survey Shows Majority of Organizations ….” Accessed 30 Dec. 2020.
3  “Survey: CEOs Admit Taking Data from Former Employer ….” 24 Jul. 2018, Accessed 30 Dec. 2020.
4 “What is Yours is Mine: How Employees are Putting Your ….” Accessed 4 Jan. 2021. 

Table of Contents

Chapter 1

Risks, Motivations, and Warning
Signs of Insider Data Theft

Chapter 2

The Top 10 Best Practices for Mitigating Insider Data Theft

Chapter 3

Employee Offboarding Checklist For Information Technology Admins

The Risks Associated With a Data Loss Event

Preventing data loss is of utmost importance for companies with sensitive information. Depending on their industry a given organization could be responsible for the confidentiality and integrity of personally identifiable information (PII), client data, trade secrets, passwords, and regulated data such as electronic health records (EHRs). 

Regulatory Violations: Organizations that fail to adequately protect regulated forms of data can be liable for significant fines and other penalties associated with a data breach. In 2017 Equifax agreed to pay a settlement between $575-700M after the personal and financial information of nearly 150 million people was leaked from an unpatched database. 5

Exposure of Trade Secrets: The unintended disclosure of trade secrets, customer lists, and other proprietary information may give competing companies valuable insider information, causing the affected organization to lose their competitive advantage.

Damage to Reputation: When sensitive data such as customer information is breached it leads to negative publicity and a loss of trust that severely damages the offending organization’s reputation. Organizations must do all they can to protect sensitive data from misuse and exfiltration to maintain their trustworthiness as a data controller.

5 “Equifax to Pay $575 Million as Part of Settlement with FTC ….” 22 Jul. 2019, Accessed 4 Jan. 2021.

Causes and Motivations of Insider Data Theft

Financial Gain

The 2020 Verizon Data Breach Investigations Report found that 86% of data breaches are motivated by money.

Confidential data can be a significant windfall for departing employees thanks to its inherent value for competitors and identity thieves. Furthermore, 63% of employees in a Code42 report indicated that they brought data from their previous employer to their current employer.

Employees that are seeking to transition to a new role may be motivated to use their current employer’s trade secrets to gain an advantage over other applicants. 

Feeling Entitled to Intellectual Property

72% of business decision-makers in the Code42 report believe they are entitled to corporate data that they contributed to8

This data includes IP such as source code for developers, renders of creative projects for designers, and contact information of clients for salespeople.

To protect against this, organizations need to establish clear policies regarding ownership of intellectual property. They must also closely monitor how their employees engage with the company’s intellectual property, especially within the 90-day window leading up to their resignation or termination.


Employees that are being involuntarily terminated from their roles, passed over for a promotion, or denied a desired raise are more likely to steal or sabotage corporate data and related systems as a way of “getting back” at the company.

For this reason organizations need to be extra vigilant when employees are being offboarded as a result of an involuntary termination. They must also establish HR processes that measure employee satisfaction over time to ensure an employee does not become disgruntled during the course of their employment.

Accidental Retention

Organizations without critical security controls for managing the flow of data risk having sensitive information retained on employee-managed resources such as cloud storage accounts, personal devices, and email accounts.

This retention is not necessarily malicious in nature; departing employees may simply be unaware that the data is even there, or they may be unaware of the risks associated with having that data in their possession. The possibility of accidental retention further emphasizes the need for an IT employee offboarding process that truly revokes an ex-employee’s access to corporate systems.

Organizations need control over how employees access, store, and interact with data. This includes limiting their ability to transfer data to external storage devices, ensuring that sensitive data remains on company-managed servers, and limiting the file retention abilities of mobile endpoints.

6 “2020 Data Breach Investigations Report ….” Accessed 6 Jan. 2021.
7 “Code42 2019 Global Data Exposure Report.” 3 Oct. 2019, Accessed 30 Dec. 2020.
8 “Survey: CEOs Admit Taking Data from Former Employer ….” 24 Jul. 2018, Accessed 30 Dec. 2020.

Warning Signs of Insider Data Theft

Organizations need to be diligent in monitoring employee computer activity for anomalous behavior. The 90 days leading up to an employee’s resignation or termination require particularly stringent monitoring for warning signs of data theft.

The following events may indicate that a departing employee is attempting to bring company-owned data with them:

  • Unexpected spikes in data transfers to USB devices, cloud storage accounts, and other data egress points.
  • Anomalous fluctuations in email activity such as a higher volume of emails, emails sent to unfamiliar accounts, and an increased prevalence of attachments.
  • Anomalous timing of logins to corporate accounts or interactions with files, including after standard office hours or other periods where the employee would typically be inactive.
  • Attempts to connect unauthorized and/or unfamiliar USB devices to company-owned devices.
  • An increase in web activity to cloud storage sites such as Dropbox or Google Drive, particularly if these services are not typically used for work-related purposes.


The Top 10 Best Practices
for Mitigating Insider Data Theft

Effective insider threat prevention strategies must prioritize data security well before an employee resigns. This next chapter will outline the best practices that organizations must follow both during and before the employee offboarding process.

  1. Maintain Collaboration Between HR & IT
  2. Implement Automation Wherever Possible
  3. Adhere to the Principle of Least Privilege
  4. Have Separate Accounts for Each User
  5. Monitor and Control the Flow of Data
  6. Perform a Digital Forensics Investigation
  7. Implement Risk-Based Authentication
  8. Limit (Or Eliminate) BYOD
  9. Maintain and Validate Backups of Critical Data
  10. Combine Technical and Administrative Safeguards

1. Maintain Collaboration Between HR & IT

While the offboarding process is generally spearheaded by the human resources (HR) department, it is paramount that information technology (IT) staff are proactively involved as soon as possible. 

As soon as the employee’s resignation notice is submitted, human resources and information technology staff need to begin their respective offboarding processes. This ensures that as the ex-employee is leaving the premises they are also leaving your network. 

If IT is not informed of the resignation or termination, the ex-employee may be able to access sensitive corporate systems well after their departure. This provides ample opportunity for a disgruntled ex-employee to steal corporate data or harm its integrity.

2. Implement Automation Wherever Possible

An Osterman Research study found that 89% of employees were able to access sensitive corporate applications well after their departure. 9

Automating the deprovisioning process reduces the possibility for human error and ensures that deprovisioning processes are properly executed. Reliance on manual processes increases the possibility that offboarding items are missed, incomplete, or not executed in a timely manner. 

The use of an identity and access management (IAM) solution allows for the automation of deprovisioning and ensures that the ex-employee’s access to all corporate assets is revoked simultaneously. The access logs created through these tools also provide a valuable audit trail of employee account activity. 

Services that cannot be managed via IAM must be thoroughly documented to ensure that the ex-employee’s access is revoked as any level of access to corporate accounts has the potential to escalate into a security breach.

“Do Ex-Employees Still Have Access to Your … – Intermedia.” Accessed 1 Jan. 2021.

3. Adhere to the Principle of Least Privilege

The principle of least privilege dictates that employees should only be provided with the minimum access privileges that are required for their role.

Adhering to this principle reduces the risk of threat actors gaining unauthorized access to critical systems through low-level accounts, devices, or applications.

This includes not providing employees with administrative privileges, having IT personnel use non-privileged accounts when admin credentials are not required, and restricting access to network drives on as-needed basis. 

This principle not only applies to corporate accounts; it also includes applications, data, functions, and other resources or permissions related to the role.

By proactively adhering to the principle of least privilege a disgruntled ex-employee will have limited opportunities to steal data or vandalize critical systems prior to their departure.

Throughout the employee lifecycle it is critical that security teams are cognizant of access creep – the tendency for employees to accumulate varying levels of access over their career without being deprovisioned when that access is no longer required.

To prevent access creep the levels of access that a given employee has must be audited during role changes and other events that require modifications to access permissions.

4. Have Separate Accounts for Each User

Permitting the use of shared accounts reduces visibility and control over the access that individual users have to corporate resources.

Shared accounts are easier to breach by attackers as they cannot be readily secured with multi-factor authentication (MFA). The abuse of the account’s resources also cannot be definitively traced to an individual employee.

As each user shares the same credentials it is impossible to know how many current and former employees (or attackers) have access to the accounts. 

11 “Gartner’s Top 10 Security Predictions 2016” 15 Jun. 2016, Accessed 3 Sep. 2020.

5. Monitor and Control the Flow of Data

To enforce the principle of least privilege an organization needs to limit an employee’s access to data according to their legitimate work-related needs.

This includes:

  • Data access control systems
  • Restricting the use of unauthorized portable storage devices
  • Enforced encryption standards
  • Web filtering software to block unauthorized cloud storage use
  • Monitoring all data-related activities of employees

The monitoring of employee computer activity is critical for detecting data theft attempts. An employee’s computer activity must be closely monitored during the 90 day period before their departure as this is the period where data theft is most likely to occur. 

To automate the data risk monitoring process, organizations can implement data security software such as data loss prevention (DLP) and security information and event management (SIEM) solutions that trigger alerts when high-risk activities are detected. 

12 “2020 Data Breach Investigations Report – Verizon” Accessed 3 Sep. 2020.
13 “Cost of a Data Breach Study | IBM.” Accessed 3 Sep. 2020.
14 “Survey Reveals 72 Percent of CEOs Admit to Taking IP, Ideas and Data with Them from a Former Employer” 24 Jul. 2018, Accessed 3 Sep. 2020.

6. Perform a Digital Forensics Investigation

A formal digital forensics investigation is not necessarily required for every terminated employee. However, in the event that a breach of protected data is suspected professional services may be required to analyse the root cause of the breach.

If anomalies in an employee’s behavior warrant further investigation by a digital forensics professional, it is a best practice to turn off their computer and have it forensically imaged to maintain the integrity of the evidence.

Digital forensics investigators will analyze the artifacts that are present on the ex-employee’s computer. These digital artifacts may serve as valuable evidence of data exfiltration.

Common artifacts they will search for include evidence of the use of unauthorized USB devices, anomalous interactions with sensitive data, and suspicious web browsing activity.

7. Implement Risk-Based Authentication

Even with a well-documented employee offboarding process there is the potential for items to be missed during deprovisioning.

Risk-based authentication provides an added layer of security by varying the degree of authentication required to access a given resource. If the context of the authentication request is moderate-to-high risk the solution will request additional factors for authentication such as biometric data, one-time passwords, or a PIN number.

The robustness of the requested authentication measures is based on a variety of risk factors, such as:

  • The geolocation data of the request
  • Previous high-risk account activity
  • The general risk level of the individual account
  • The sensitivity of the resources being accessed
  • The type of device requesting access

In the event that an ex-employee attempts to regain access to corporate systems the risk-based authentication solution will log the access attempts for further investigation.

Implementing risk-based authentication helps balance security and productivity by requiring less stringent authentication for low-risk activity, which improves employee experiences with the organization’s security measures while providing sufficient authentication measures for data that needs to be kept confidential.


8. Limit (Or Eliminate) BYOD

Bring Your Own Device – also known as BYOD – is the practice of allowing employees to use their own personal devices for work-related tasks. 

As a best practice, employee-owned devices should not be provided with access to systems that contain sensitive data. An employee’s personal device simply cannot be monitored and managed with the same degree of granularity as company-owned devices.

In the context of offboarding an employee-owned device may retain company data well after the device has been remotely wiped and blocked from use in the company. 

Devices that are used for personal activities are also more likely to participate in high-risk web browsing, file downloads, and software usage than a device that is exclusively used for work-related purposes. For optimal data security, employees should be provided with devices that are owned and controlled by the company.

The ownership of company-owned devices should be intimately tracked with an IT inventory management system so terminated employees can be held accountable for returning these assets prior to their departure.

9. Maintain and Validate Backups of Critical Data

To maintain the integrity of data it must be regularly backed up to both on-site and off-site locations. These backups must be regularly validated to ensure that business continuity is possible should an ex-employee engage in malicious data deletion, the destruction of data storage devices, or other acts that would compromise the integrity of critical data.

While data backup programs may include automated validation checks it is a best practice to test the entire data recovery process manually. This verification process must include testing the operational functionality of the data once it has been restored.

10. Combine Technical & Administrative Safeguards

Employee training is a critical component of insider threat prevention. Employees must be trained to recognize the warning signs of insider threats and provided with a channel to anonymously report suspected threats.

Furthermore, company policies such as an acceptable use policy, cybersecurity policy, and non-disclosure agreements ensure that employees are aware of their duty of care to sensitive data. Policies also provide a precedent for litigation should an employee exfiltrate company-owned data prior to their departure.

To maximize the effectiveness of company policies, employees must be kept aware of their data security obligations and their employer’s intellectual property rights throughout their careers, especially during the offboarding process.


Employee Offboarding Checklist for IT Admins

These critical employee offboarding items focus on the unique tasks that IT admins need to perform when deprovisioning an ex-employee from the company network. 

This employee offboarding checklist will cover items within these 4 key categories:

  1. Human Resources & Administrative Controls
  2. Account and Access Deprovisioning
  3. Information Technology Asset Management (ITAM)
  4. Employee Monitoring, Compliance, & Auditing

Human Resources & Administrative Controls


  1. Remove mentions of the ex-employee from internal documentation such as authorized contacts lists and organizational charts.
  2. Remove any mentions of the ex-employee from company websites to prevent social engineering attacks.
  3. Have the ex-employee sign statements acknowledging that all company-owned assets have been returned and that their access to company systems has been revoked.
  4. Announce the ex-employee’s departure to relevant parties, including clients and vendors that the employee worked with. Ensure that IT personnel are aware of the departure in advance so they can monitor employee computer activity for evidence of data theft and revoke access to the company’s resources and facilities. 
  5. Perform an exit interview that assesses potential risk factors. Overview all policies that the employee has previously agreed to such as non-disclosure agreements and intellectual property rights.

Account and Access Deprovisioning

  1. Provide designated individual(s) with access to the ex-employee’s files following their departure.

  2. Revoke the employee’s access to any corporate accounts and assets, such as social media accounts, remote access tools, and identity and access management (IAM) systems.

  3. Suspend or disable the employee’s accounts on all platforms (SaaS, domain logins, etc). Make any required backups of their account data, then delete the account after a predetermined retention period.
  4. Change passwords on any shared accounts and take steps towards removing the need for shared accounts in the future.
  5. Disable the employee’s email access. Forward their emails to a designated individual and place their mailbox on Litigation Hold if there is a need to preserve all mailbox content, including deleted items and original versions of modified items.
  6. If the employee was the owner of any systems, ensure that ownership is transferred to the IT department and that the employee’s access methods are revoked. Take steps towards removing the need for employees to have ownership over corporate systems in the future.
  7. Ensure the employee’s telephone is not forwarded to any external numbers they can access, such as their cell phone.
  8. Delete the employee’s voicemail account and/or change their voicemail password.
  9. Modify physical access control devices such as door codes to prevent the ex-employee from physically accessing the premises.

Information Technology Asset Management (ITAM)

  1. Obtain custody of company assets including computers, mobile devices, external storage devices, security access cards, and company credit cards. Update IT inventory databases with any relevant information.
  2. Before reimaging the employee’s computer, consider making a complete backup and retaining it for at least 30 days. 
  3. Backup and wipe any corporate data that is stored on employee personal devices.
  4. Take an inventory of all of the files and projects the ex-employee was working on and ensure that any related materials have been returned. 
  5. Ensure that any files that have been stored outside of primary file repositories are moved to a designated secure location. Take steps to mitigate improper data storage practices in the future.

Employee Monitoring, Compliance, & Auditing

  1. In the event of a suspected data breach, retain a forensic image of the employee’s computer for an appropriate length of time as determined by relevant laws, policies, and regulations.
  2. Review access logs for firewalls, VPNs, and network servers for any suspicious or high-risk such as anomalous access of sensitive data, higher frequency of access, or accessing files that are unrelated to their position. Continue monitoring access logs on an ongoing basis.
  3. Monitor employee computer activity during and after employment, including web usage (visits to unauthorized cloud storage sites, suspicious search engine queries, etc), file downloads, and USB activity (large file transfers, exfiltration of sensitive data, the use of unauthorized devices, etc.).
  4. Review network printer activity for the anomalous printing of sensitive files.
  5. Monitor emails that are being sent to personal email accounts and scan file attachments for evidence of sensitive data.

Conclusion & Further Reading

Insider data theft is a pervasive issue that threatens an organization’s reputation, business continuity, and competitive edge.

The employee offboarding process presents one of the greatest opportunities for insider threats to steal sensitive information, intellectual property, and other crucial data. 

By combining a planned offboarding process with advanced monitoring and control over data egress points an organization can protect their sensitive data against theft by terminated employees.

Ready to protect data against insider threats?

Try a free trial of CurrentWare today

  • Monitor & control USB devices to protect against illicit transfers
  • Monitor employee internet use for evidence of high-risk web browsing
  • Block dangerous websites to improve the security of your network

CurrentWare’s data security software solutions are advantageously priced, simple to use, and scalable for organizations of all sizes. Want to learn more? Contact our team by phone, email, or live chat.

About CurrentWare

CurrentWare is a software company that provides a suite of workforce management solutions for computer monitoring, content filtering, data loss prevention, and remote power management.

CurrentWare’s solutions are adopted by a wide array of government and private organizations including schools, hospitals, libraries, and for-profit businesses.

CurrentWare customers improve their user productivity, data security, and business intelligence with advanced awareness and control over how technology is used in their organization. 

CurrentWare’s Software Solutions


Restrict Endpoint Devices & Prevent Data Loss

AccessPatrol is a data loss prevention solution that allows administrators to easily manage device restriction policies in their network. Block unauthorized USBs to protect sensitive data against theft.



Restrict Internet & Application Access

BrowseControl is an easy to use Internet control and application blocking software that restricts Internet access and enforces web and application usage policies across your network.



Track Internet & Application Usage

BrowseReporter is a powerful employee monitoring software that enables companies to track their employees’ internet and application usage.



Remote Power Management

enPowerManager is an effective solution for managing power policies across the network. With a simple click of the mouse computers can be remotely shut down or rebooted, all from the convenience of CurrentWare’s centralized console.


More From CurrentWare

Internet Usage Statistics – How Do Employees Use The Internet At Work?

Are you curious about internet usage statistics? This article will highlight interesting research, surveys, and data about how employees use the internet at work. It will also explore global trends...

How to Disable USB Ports & Block USB Mass Storage Devices

Want to control the use of unauthorized USB devices in your network? In this guide I will show you how to disable USB ports with three different methods: Using dedicated software to block USB ports,...

The California Privacy Rights Act vs Employee Monitoring in 2021

Considered to be the “toughest data privacy law in the United States”, the California Consumer Privacy Act (CCPA) originally came into effect on January 1st, 2020, only a year and a half after it...

Tips for Starting, Securing, and Growing a Remote Team During COVID-19

The rise of remote workers has been further propelled by the COVID-19 pandemic. If you want your business to stay competitive in the new year you need to master these key remote workforce management...

Top 16 Tips for Preventing Insider Data Theft

The damage that trusted insiders can cause is extraordinary. According to the 2020 Ponemon Institute Cost of Insider Threats report the average cost per insider incident was a staggering $11.5...

Insider Threat Management – Is Your Data Safe? (Critical Tips)

Insider threat management is critical for protecting sensitive data against theft, misuse, and loss. The privileged access that insider threats have give them the ability to cause significant...

Phishing Awareness 101: How to Email Test Your Employees

Phishing is a constant threat to data security. Cybercriminals use phishing attacks to break into accounts, steal company funds, and compromise sensitive data. In this article I will introduce you...

19 Cyber Security Tips for Working From Home in 2020

Working from home presents unique security challenges. If you’re working from home you can improve the security of sensitive data and protect yourself against cyber security threats by...

5 Data Security Tips For Offboarding Employees

Offboarding employees presents serious data security risks: 70% of intellectual property theft occurs within the 90 days before an employee’s resignation announcement. Worse yet, insider data theft...

How to block employees from using TikTok on their computers?

Data security and privacy concerns have led the US Military, India, and other government entities to ban the use of the app on their devices.  Why is United States banning TikTok? The US issued...

The Top 6 Software Solutions for Manufacturing

Looking for software solutions for manufacturers? This article highlights the top software solutions for the manufacturing industry across 6 key categories – DLP, ERP, MES, QMS, PLM, and...

DNS over HTTPS (DoH): How to Stop Users From Bypassing Your Web Filter

Web browsers that support DNS over HTTPS (DoH) can allow employees and students to bypass network-level web filtering policies. In this article I will overview what DoH is and provide solutions for...

How to Protect Employees Working From Home – CurrentWare in SCMag

Looking to improve the cybersecurity of your employees while they work from home?CurrentWare’s managing director Neel Lukka provides insights in his guest article for SC Magazine –...

Best Practices for Managing Productivity and Security of Remote Workers (Video)

Video Transcript Welcome to the webinar best practices for managing productivity and security of remote workers. Myself my name is Neel Lukka and I’m the managing director here at CurrentWare...

How to Block USB Devices – USB Access Control (Video)

This tutorial will show you how to block USB devices such as external hard drives, flash drives, and other removable media using AccessPatrol, an endpoint security software developed by CurrentWare...