Select Page

Employees come and go, however is your data leaving out the door when employees leave your organization?

During the COVID pandemic, workers began to resign from their jobs at an unprecedented rate. This caused employees to give up their jobs three times faster in 2021, creating a record.  It is estimated that 4.4 million resignations were made in September 2021 alone and the United Kingdom registered a 20-year record of resignations.

As a result of these resignations, organizations with intellectual property or personally identifiable information (PII) may face a serious security risk. There was a 61 percent increase in data exposure events between April 2021 and June 2021.  During this same period, there were 61 percent fewer data exposure events for organizations.

IT security experts have reported that data was exfiltrated at a higher rate around the time because more employees are misappropriating data. In a study conducted by a leading IT security consulting firm, 45 percent of employees admitted to downloading work files, saving them, or sending them out of the network before quitting their job at their former employers.

When employees leave, it is common for employees take data from customer lists to intellectual property. Some employees who contributed knowledge to the company could feel entitled to the knowledge. As they are starting at a new company, it may not seem like a big deal to them to take the data. There is a possibility that they are dissatisfied with their current employer and wish to damage its reputation by selling the company’s data to a competitor.

Organizations can no longer rely on a random process to protect their most valuable data. Organizations that have valuable intangible assets such as intellectual property should consider performing digital forensic scans as part of their standard operating procedures whenever an employee leaves the organization so they can identify threat actors and the data the threat actors are exfiltrating. It would enable organizations to better manage the risk of insider activity and recover critical data. They might even pursue legal actions in some cases, if necessary.

There are generally three steps involved in a digital investigation: triage, a complete digital forensic analysis, and intervention, often carried out by human resources and legal departments.

Managed IT services providers can use tools to investigate unintentional data leakage incidents, such as when an employee uploads work documents to their own cloud storage account so that they can continue working from home or when they send an email containing data to the wrong recipient. It is estimated that 70,00 files were exfiltrated to USB drives each year from inside the organization. With the proper proactive tools, IT departments or managed IT services providers can identify each time a file was copied to a USB drive and the most recent date an insider took this action. When employees leave, organizations need to take advantage of this, analysts can perform a deeper digital forensic analysis, which in turn gives them the leads they need.

A successful investigation cannot be conducted just based on confirmation that a member of staff has exfiltrated a piece of source code, customer list, or another piece of valuable data. Several weeks before they resigned, it is very possible that the employee in question had researched ways of concealing their activities from IT security teams and had deployed anti-forensic software in an attempt to hide their activities. The employee may have downloaded the data about a week later, or perhaps two weeks later as well, on their desktop. It is possible that the insider may have sent a second copy of the data to an unrelated address before downloading it to a USB drive or uploading it to a personal cloud storage system before exporting the data. In order to create a persuasive case based on the data points provided, analysts need to keep in mind that each of these pieces of data is a piece of evidence when employees leave.

If the investigation reveals that these employees have attempted to cover up their tracks and/or negotiated the sale of the data they stole, then the organization may take a different course of action with these employees than with those who have attempted to cover up their tracks and/or were well aware of the severity of their actions when they negotiated the sale of data theft.

In your final step, and perhaps one of the most important ones, you will want to try to recover any lost data or damages caused by the insider attack. In some instances it may be necessary to file a lawsuit to seek an insider’s return of the data. In some cases a lawsuit may be necessary to obtain the insider’s return of the data. This scenario is one which should be taken into consideration in cases where the data that was taken by an insider was of high quality or if the damages associated with their activity were high.

Even though digital forensic tools can’t fully restore the data that has been exfiltrated, the evidence they collect has proven to be reliable in civil court as well as criminal court as evidence because the evidence they gather have shown to be reliable. In addition to this, they also adhere to a chain of custody system which ensures the collection of evidence in a forensically correct and reproducible manner. It is the same evidence that analysts collected to justify the early termination of the insider that could be used as evidence by legal teams to support their claim for compensation.

Contact BrickHost to learn more.