September 28, 2021
7 Best Practices to Prevent Data Theft by Departing Employees

Departing employees are a source of insider threats that often get overlooked. According to a study by Biscom, one in four departing employees steal data when leaving. Whether they do so out of negligence or with malicious intent, such cases can only have negative outcomes for organizations, from losing their competitive advantage to facing penalties for non-compliance with cybersecurity requirements.
The good news is that you can detect this dangerous insider activity and mitigate it before employees leave with corporate data. In this article, we take a look at the main reasons for data theft, key indicators of this threat, as well as steps to prevent data theft from exiting employees with Ekran System.
What are the risks of data theft by departing employees?
Thanks to technologies and telecommuting, changing jobs today is easier than it has ever been. The U.S. Bureau of Labor Statistics states that the level of labor turnover in 2021 in the US is at an all-time high. In this environment, it’s important to stay alert to secure your organization from risks of data theft by departing employees.
When an employee resigns, they usually move to a similar position at a company operating in the same industry — maybe even your direct competitor. They are expected to leave only with their experience and personal belongings, but some workers also take their employer’s valuable data with them.
At the same time, 87% of employees say that their former employer never verified if they had taken data according to the 2020 Data Exposure Report by Code42. Such carelessness may create lots of risks for an organization.
Here are the key negative outcomes your organization may face in case of data theft by a departing employee:
- Fines and penalties for non-compliance. Sensitive data like financial, medical, or personal records are protected by various cybersecurity regulations and standards. If an employee manages to steal this data, their employer can face external audits and costly fines for non-compliance.
- Confidentiality breaches. When a customer signs a non-disclosure agreement (NDA) with an organization, they expect the details of their deal to be private. Yet a departing employee can disclose the details of an NDA to their new employer and break the trust of your customer.
- Loss of competitive advantage. Intellectual property (IP) is one of the most common types of data to be stolen by departing employees. Departing employees can take designs, software code, and documents that they worked on to their next workplace. In this way, your competitor can discover and incorporate your trade secrets. Another possible scenario of IP theft is disruption of your work. This can happen if an employee steals and deletes project information before termination.
- Loss of customers. News on data and confidentiality breaches are red flags for many customers. Even if they were unaffected by a breach, customers may lose trust in your organization and may start looking for another partner. Also, if a customer worked with your organization because of a particular star employee, they may follow that employee to another company.
As you can see, a departing employee can have a great influence on an organization. But it takes the right motivation and knowledge (or lack of knowledge) to steal data. Let’s take a look at the key motives that drive insider attacks by departing employees.
Learn more about Insider Threat Prevention
Why do employees steal data on their way out?
The motivation of sticky-fingered departing employees is slightly different from that of usual insider threat actors. Here are the key reasons for data theft by departing employees:
Feeling of ownership over IP. When an employee works on a piece of intellectual property for a long time, they can start feeling like this IP belongs to them. An employee may take it with them when they leave an organization just like they take their coffee mug.
One of the most famous cases of data theft with this motivation is the case of Anthony Levandowski, an ex-autonomous vehicle engineer at Google. At the beginning of 2021, Levandowski was pardoned for stealing autonomous vehicle software from Google that he had worked on before his termination.
Desire to secure a better position. When moving to an organization within the same industry, departing employees might believe that providing the new organization with confidential data of their competitor will help them secure a better job offer or a higher salary. Alternatively, employees may wish to use confidential information to start their own businesses.
Rapid Software claims that its former executive officer Douglas Brown stole financial reports, client information, and business and marketing strategies with the intent to start his own company. Before his resignation, he also deleted 29,0000 files from company computers and created a backdoor to be able to continue stealing data.
Revenge on the employer. If an employee had a conflict with their employer before termination, they can use their access credentials and knowledge of the organization to get revenge. For example, an employee can create a backdoor and steal valuable data or disrupt critical processes.
This is what Hector Navarro, an HR system administrator at Century 21, did before his termination. Hector created a superuser account to delete data, change access rights of other users, and edit the company’s payroll policy. Century 21 had to rework its cybersecurity to seal the breach. They also lost more than $50,000 in potential profit because of this attack.
Read also: 7 Best Practices to Prevent Intellectual Property Theft
Personal financial gain. Instead of pursuing their career, an employee might want to sell stolen data to hackers or competitors. They can also use stolen personal, financial, and medical information to scam people.
Such incidents seem to happen repeatedly with Tesla employees. Tesla is already suing several ex-employees that stole the company’s data to sell it to other organizations. In 2021, Tesla filed a new lawsuit against a former quality assurance engineer who copied code and files from the company’s backend software to his private Dropbox account.
Poor understanding of data security. Departing employees may steal or harm data not because of evil intentions but out of negligence. They can forget which data is confidential or accidentally leave a copy of the company’s sensitive data on their personal devices or email accounts.
Regardless of their motivation, departing employees usually leave digital traces of their insider activity. With the right cybersecurity software, you’ll be able to pick up those traces and stop misbehaving employees. Let’s see which actions can be an indicator of data theft.
Read also: Portrait of Malicious Insiders: Types, Characteristics, and Indicators
What are the indicators of data theft?
If you notice your employee doing the following, they may be attempting to steal data:
Plugging in unknown USB devices. Copying data to a USB flash drive or personal smartphone is a routine action that might not catch the attention of cybersecurity officers, especially if an organization has implemented a bring your own device policy. However, USB devices can be a tool to steal data or attack your organization, so you need to carefully control their use.
Accessing sensitive files without a reason. As an employee gets closer to the termination date, they may start deviating from their usual behavior. For example, they may start accessing files they never or rarely worked on before, or files that they already have entrusted to another employee. The reason for such behavior can be a desire to steal those files.
Use of public cloud storage services. Uploading corporate data to a personal cloud storage service like Dropbox or Google Drive is a simple way to steal it. Even if an employee doesn’t plan on stealing information, saving it to a public cloud is a dangerous cybersecurity practice.
Sending emails with attachments to private accounts. Sending work-related data to personal emails is generally a bad cybersecurity practice. Some employees do it, however, to be able to do some extra work at home. But departing employees usually don’t need to put in that extra effort, so it’s suspicious for them to send sensitive data to non-corporate accounts.
Creating new accounts. The Century 21 hack we discussed above is a perfect example of why departing employees should never create new user profiles or edit access rights. There’s a high chance that if they do, they’re trying to create a backdoor they can exploit later. If creating new user profiles is part of an employee’s responsibilities, verify that they create only needed accounts.
Deleting files and backups. Employees that worked in your organization for a long time know where you store critical data and backups. Deleting these files or messing with internal servers and configurations seems like a simple and efficient option for terminated employees to get revenge or cover their tracks.
Spotting these indicators in time can help you prevent data theft from departing employees. In the next section, we take a look at practices to help you do that.
Read also: What Is Data Exfiltration and How Can You Prevent It?
How to prevent data theft with Ekran System?
Here are seven methods to stop data theft from departing employees:
With dedicated cybersecurity software like Ekran System, you’ll be able to successfully implement each of these steps and detect suspicious user activity of departing employees in time.
1. Implement a zero trust approach. Zero trust is an approach that doesn’t trust any user or device that tries to access sensitive resources. To get access, a user has to prove their identity and the validity of their device. After that, they can interact only with the data they need for their tasks. Such an approach allows you to reduce the attack surface in case a departing employee tries to steal data. With Ekran System, you can:
- Limit user access with one-time passwords and manual access approval
- Granularly manage access rights by setting up role-based access control
- Verify a user’s identity by implementing multi-factor authentication
2. Enhance activity monitoring for departing employees. If a terminated worker decides not to leave empty-handed, they usually start acting right before their termination. That’s why you need to practice employee computer monitoring. Ekran System can monitor user activity in real time and record sessions for you. You can set up alerts for suspicious actions, get notifications each time a user triggers these alerts, and see for yourself if they do something suspicious.
3. Employ user and entity behavior analytics (UEBA). A UEBA tool uses machine learning and artificial intelligence algorithms to create a baseline of normal employee behavior and alerts security officers when an employee behaves oddly. UEBA can help you detect the earliest stages of a possible insider attack. For example, Ekran System’s UEBA module can alert you when an employee connects to a corporate network at an unusual time, which is one of the most common insider threat indicators.
4. Implement USB device management. Copying data to a USB device is one of the easiest ways to steal information. A USB device management solution helps you detect when a user connects a suspicious or unknown device, control access to it, and block the device. With Ekran System, you’ll also be able to create a whitelist of allowed USB devices and manually approve access.
5. Audit access privileges and recent activities. Such an audit is part of the offboarding procedure. It’s required to confirm that a terminated employee didn’t break cybersecurity rules before departing from an organization. Ekran System has features for reviewing recorded user sessions, automatically generating reports on user activity, and reviewing access privileges to help you conduct such an audit. In case you detect malicious activity during an audit, you can use Ekran System to export data about it in a protected format.
6. Revoke privileges and credentials after termination. When an employee leaves, you need to delete their individual accounts, revoke access rights, and change credentials to shared accounts. It’s a lot of work to do this manually, but Ekran System’s privileged access management tools do a large part of the work for you. You can reconfigure access rights in several clicks, revoke them completely, and automate password management.
7. Plan your response in advance. When you discover an insider attack, you’ll need to act quickly and efficiently in order to prevent data theft by employees when they leave. Analyze your incident response options and decide which ones you’ll use prior to an attack. With Ekran System, you’ll be able to show a user a warning message, terminate a harmful process, or block a user completely. You can also configure the software to do this automatically in response to specific events.
Read also: Incident Response Planning Guideline for 2021
Conclusion
Departing employees may take sensitive corporate data with them or create a backdoor account to keep spying on your organization. Because of such actions, your organization can lose customers, lose its competitive advantage, or deal with the consequences of a breach of confidentiality.
Preventing data theft from departing employees is possible if you can detect risk indicators in time. Ekran System is insider risk management software that helps you do that. With our solution, you can monitor user activity, control access to sensitive data, and respond to security threats fast.
Request a 30-day trial to see how Ekran System can protect you from data theft by departing employees!