Why Departing Employees Could Mean Departing Data (But Doesn’t Have To)


By Tim Bandos, Vice President of Cyber Security at Digital Guardian

Many modern businesses are so preoccupied with keeping malicious adversaries out of their sensitive networks that they forget about another, potentially even bigger danger from within – insider threats. Every year, the comprehensive Verizon Data Breach Investigations Report (DBIR) provides a deep dive into the latest trends in cybersecurity incidents. The 2019 report found that insider threat incidents have been on the rise again for the last four years and worryingly, are now responsible for 34 percent of all data breaches.

Insider threats can range from absent minded employees to disgruntled third parties, meaning organisations have to be extremely vigilant for any signs of wrongdoing. However, perhaps the most potent threat comes from one particular subset – departing employees. This article looks to answer some of the most common security questions surrounding departing employees including the risks they pose, the motivations behind their behaviour and importantly, what organisations can do to mitigate the threat.

What makes departing employees particularly dangerous?

Departing employees have always posed big problems for organisations of all sizes and for good reason. Not only do they have the necessary access and knowledge of where sensitive data resides, in many cases they also have a motive. Of course, not all motives are malicious in nature. In some instances, it may just be a desire to take copies of their work with them for posterity or future reference, but in other cases it could be to give/sell to a competitor or leak to the media. Whatever the motive may be, any form of data loss at the hands of a departing employee can be extremely damaging, both financially and from a reputational perspective (or both).

Unfortunately, due to the unknown variables involved, organisations are at a major disadvantage when going up against this type of threat, which is why it’s so important to monitor for telltale activity and behaviour that might give a potential insider threat away before it’s too late.

How can businesses effectively mitigate the threat?

The best approaches combine the right technology with a robust process. First and foremost, visibility is needed on endpoints, as well as wherever data is leaving or transferring across the company. At a minimum, businesses should be able to track all types of file movement and data egress, and at least provide an audit trail of what each employee has been up to prior to departure. That way, an employee’s behaviour between the time they hand in their notice and their departure can be closely monitored and even presented to them at their exit interview for explanation/clarification if necessary.

What red flags can businesses look for?

There are several signs to look for that can give away a departing employee as an insider threat. One of the most common ones is spikes in data movement volume, i.e. large data egress to USB type devices or cloud storage sites like Dropbox or Google Drive. If a business has a data loss prevention (DLP) solution in place, it’s possible to tag files by level of sensitivity, making it easier to identify how confidential the data being taken is. For example, if confidential files are being attached to emails and sent to a personal domain like a Gmail or Hotmail against company policy, DLP would flag this . A security analyst can then investigate the incident to establish the intent of the individual sending the file and how sensitive its content was.

More recently, security vendors have started to leverage machine learning in their solutions to take the strain off analysts, who historically have had to manually investigate every alert created.  Machine learning has another trick up its sleeve as well – the ability to create baseline behaviour for an individual or a computer over time. Once created, anything outside of an employee or computer’s ‘normal’ activity will be automatically flagged for further analysis, making it much faster for security teams to weed out suspicious behaviour.

Of course, it’s also important to remember that size isn’t everything and large amounts of data egress isn’t always cause for alarm. Often, it can simply be the result of corporate data backups taking place. On the flip side, many sensitive trade secrets can be stolen in just a single file, which is why it’s so important to know exactly who or what is accessing this kind of information and ensuring the right level of protection is in place around it.

Fortunately, the tactics used by departing employees haven’t changed dramatically in the last 15+ years. While there might occasionally be a rogue employee with the technical know-how to hide stolen data in an image file and leverage steganography to sneak it out, such cases are extremely few and far between. As such, with the right safeguards and mechanisms in place to monitor for telltale behaviour and challenge employees where necessary, businesses of all shapes and sizes can make great strides towards minimising, or even eliminating the threat posed by this group.

By Tim Bandos, VP Cybersecurity,
Digital Guardian

Tim Bandos, CISSP, CISA is Vice President of Cybersecurity at Digital Guardian and an expert in incident response and threat hunting. He has over 15 years of experience in the cybersecurity realm at a Fortune 100 company with a heavy focus on Internal Controls, Incident Response & Threat Intelligence. At this global manufacturer, he built and managed the company’s incident response team. Tim has a wealth of practical knowledge gained from tracking and hunting advanced threats targeted at stealing highly sensitive data.



No posts to display