How to Prevent Data Theft by Departing Employees: 7 Best Practices

Departing employees are a source of insider threats that often get overlooked. According to a study by Biscom, more than one in four departing employees steal data when leaving. Whether they do so out of negligence or with malicious intent, such cases can only have negative outcomes for organizations, from loss of competitive advantage to penalties for non-compliance with cybersecurity requirements.

The good news is that you can detect this dangerous insider activity and mitigate it before employees leave with corporate data. In this article, we take a look at the main reasons for data theft and key indicators of this threat. We also guide you through the best ways how to prevent employee data theft with Ekran System.

What are the risks of data theft by departing employees?

Thanks to digital technologies and telecommuting, changing jobs today is easier than it has ever been. The U.S. Bureau of Labor Statistics states that labor turnover remained high between 2021 and 2023. In this environment, it’s important to stay alert to secure your organization from the risk of data theft by departing employees.

When an employee resigns, they usually move to a similar position at a company operating in the same industry — maybe even your direct competitor. They are expected to leave only with their experience and personal belongings, but some workers also take their employer’s valuable data with them.

Meanwhile, the 2022 Data Exposure Report by Code42 reveals that 71% of organizations lack visibility over what and/or how much sensitive data departing employees take to other companies. The same report highlights the need for a better cybersecurity approach to protect data from insider risks.

Unfortunately, the past year has shown no sign of improvement — the number of data exposure events has increased according to numerous insider threat reports, with respondents estimating that data breaches cost on average $16 million to remediate. 

Insider risk events mainly lead to the following negative consequences:

Among the key negative outcomes your organization may face in case of data theft by a departing employee are:

• Fines and penalties for non-compliance. Sensitive financial data, medical data, and personal records are protected by various cybersecurity regulations and standards. If an employee manages to steal this data, their employer can face external audits and costly fines for non-compliance.
• Confidentiality breaches. When a client signs a non-disclosure agreement (NDA) with an organization, they expect the details of their deal to be private. Yet a departing employee can disclose the details of an NDA to their new employer and break the trust of your clients.
• Loss of competitive advantage. Intellectual property (IP) is one of the most common types of data stolen by departing employees. Departing employees can take designs, software code, and documents that they worked on to their next workplace. In this way, your competitor can discover and incorporate your trade secrets. Another possible scenario of intellectual property theft is disruption of your work. This can happen if an employee steals and deletes project information before termination.
• Loss of clients. News on data and confidentiality breaches are red flags for many customers. Even if they are unaffected by a breach, clients may lose trust in your organization and may start looking for another partner. 

As you can see, a departing employee can have a great influence on an organization. It also should be noted that departing employees typically have strong motivation and the necessary knowledge to steal data. Let’s take a look at the key reasons behind departing employee data theft.

Insider Threat Prevention

Why do employees steal data from a company?

The motivation of sticky-fingered departing employees is slightly different from that of usual insider threat actors. Here are the key reasons for data theft by departing employees:

Feeling of ownership over IP. When an employee works on a piece of intellectual property for a long time, they can start feeling like this IP belongs to them. An employee may take it with them when they leave an organization just like they take their coffee mug.

One of the most famous cases of data theft with this motivation is the case of Anthony Levandowski, an autonomous vehicle engineer at Google. At the beginning of 2021, Levandowski was pardoned for stealing autonomous vehicle software from Google that he had worked on before his termination.

Desire to secure a better position. When moving to an organization within the same industry, departing employees might believe that providing the new organization with confidential data of their competitor will help them secure a better job offer. Alternatively, employees may wish to use confidential information to start their own business.

In May 2022, Qian Sang, a Yahoo research scientist, stole confidential information about Yahoo’s AdLearn product shortly after he received a job offer at a rival company, The Trade Desk. Sang reportedly downloaded a staggering 570,000 pages of Yahoo’s intellectual property to his personal devices with the intention of using the information to his advantage in his new position. 

Revenge on the employer. If an employee had a conflict with their employer before termination, they could use their access credentials and knowledge of the organization to get revenge. For example, an employee can create a backdoor and steal valuable data or disrupt critical processes.

This is what Hector Navarro, an HR system administrator at Century 21, did before his termination. Hector created a superuser account to delete data, change access rights of other users, and edit the company’s payroll policy. Century 21 had to rework its cybersecurity strategy to seal the breach. They also lost more than $50,000 in potential profit because of this attack.

7 Best Practices to Prevent Intellectual Property Theft

Personal financial gain. Instead of pursuing their career, an employee might want to sell stolen data to hackers or competitors. They can also use stolen personal, financial, and medical information to scam people.

Such incidents seem to happen repeatedly with Tesla employees. Tesla is already suing several ex-employees that stole the company’s data to sell it to other organizations. In 2021, Tesla filed a lawsuit against a former quality assurance engineer who allegedly copied code and files from the company’s backend software to his private Dropbox account.

Poor understanding of data security. Departing employees may steal or harm data not because of evil intentions but out of negligence. They can forget which data is confidential or accidentally leave a copy of the company’s sensitive data on their personal devices or email accounts.

Not all insider threats are intentional, as demonstrated by a data breach at Microsoft in August 2022. A group of employees accidentally exposed login credentials to the company’s GitHub repository, potentially granting unauthorized access to Azure servers and other critical systems. Fortunately, the breach was identified by cybersecurity firm spiderSilk, and Microsoft took proactive measures to prevent any harm both to the enterprise and to its customers.

All these incidents highlight the importance of safeguarding company data and the risks associated with departing employees. And, luckily, regardless of their motivation, departing employees usually leave digital traces of their insider activity. With the right cybersecurity software, you’ll be able to pick up those traces and stop misbehaving employees. Let’s see which actions can be an indicator of data theft.

Portrait of Malicious Insiders: Types, Characteristics, and Indicators

What are the indicators of data theft?

It’s important to investigate any suspicious activity to prevent data theft. There are several indicators that may suggest your employee is attempting to steal data:

Plugging in unknown USB devices. Copying data to a USB flash drive or personal smartphone is a routine action that might not catch the attention of cybersecurity officers, especially if an organization has implemented a bring your own device policy. However, USB devices can be a tool to steal data or attack your organization, so you need to carefully control their use.

Accessing sensitive files without a reason. As an employee gets closer to the termination date, they may start deviating from their usual behavior. For example, they may start accessing files they never or rarely worked on before, or files that they already have entrusted to another employee. The reason for such behavior can be a desire to steal those files.

Use of public cloud storage services. Uploading corporate data to a personal cloud storage service like Dropbox or Google Drive is a simple way to steal it. But even if an employee doesn’t plan on stealing information, saving it to a public cloud is a dangerous cybersecurity practice.

Sending emails with attachments to private accounts. Sending work-related data to personal emails is generally a bad cybersecurity practice. Some employees do it, however, to be able to do extra work at home. But departing employees usually don’t need to put in that extra effort, so it’s suspicious for them to send sensitive data to non-corporate accounts.

Creating new accounts. The Century 21 hack is a perfect example of why departing employees should never create new user profiles or edit access rights. There’s a high chance that if they do, they’re trying to create a backdoor they can exploit later. If creating new user profiles is part of an employee’s responsibilities, verify that the employee creates only needed accounts.

Deleting files and backups. Employees who worked in your organization for a long time know where you store critical data and backups. Deleting this data or messing with internal servers and configurations seems like a simple and efficient option for terminated employees to get revenge or cover their tracks.

Spotting these indicators in time can help you prevent data theft from departing employees. In the next section, we examine how to prevent data theft by employees.

What Is Data Exfiltration and How Can You Prevent It?

How to prevent data theft by employees with Ekran System

Here are seven methods to stop data theft by departing employees with the Ekran System full-cycle risk management platform. With dedicated cybersecurity software like Ekran System, you’ll be able to successfully implement each of these steps and detect suspicious user activity of departing employees in time.

1. Implement a zero trust approach

Zero trust is an approach that doesn’t trust any user or device that tries to access sensitive resources. To get access, a user has to prove their identity and the validity of their device. After that, they can interact only with the data they need for their tasks. Such an approach reduces the attack surface in case a departing employee tries to steal data. With Ekran System, you can:

• Limit user access with one-time passwords and manual access approval
• Granularly manage access rights by setting up role-based access control
• Verify a user’s identity by implementing two-factor authentication
• Implement the just-in-time PAM approach to ensure that privileged users have access to critical data only for a valid reason, and only for a limited time
• Leverage mandatory access control (MAC) model when managing access in your organization

2. Enhance activity monitoring for departing employees

If a terminated worker decides not to leave empty-handed, they usually start acting right before their termination. That’s why you need to practice employee computer monitoring. Ekran System can monitor user activity in real time and record sessions for you. You can set up alerts for suspicious actions, get notifications each time a user triggers these alerts, and see for yourself if users do something suspicious.

3. Employ user and entity behavior analytics (UEBA)

A UEBA tool uses machine learning and artificial intelligence algorithms to create a baseline of normal employee behavior and alerts security officers when an employee behaves oddly. UEBA can help you detect the earliest stages of a possible insider attack. For example, Ekran System’s UEBA module can alert you when an employee connects to a corporate network at an unusual time, which is one of the most common insider threat indicators.

4. Implement USB device management

Copying data to a USB device is one of the easiest ways to steal information. A USB device management solution helps prevent employees from copying files

by letting you detect when a user connects a suspicious or unknown device, control access to it, and block the device. With Ekran System, you’ll also be able to create a whitelist of allowed USB devices and manually approve access.

5. Audit access privileges and recent activities

Such an audit is part of the offboarding procedure. It’s required to confirm that a terminated employee didn’t break cybersecurity rules before departing the organization. Ekran System has features for reviewing recorded user sessions, automatically generating reports on user activity, and reviewing access privileges to help you conduct such an audit. In case you detect malicious activity during an audit, you can use Ekran System to export data about it in a protected format. 

6. Revoke privileges and credentials after termination

When employees leave, you need to delete their individual accounts, revoke access rights, and change credentials to shared accounts to prevent employees from stealing data. It’s a lot of work to do this manually, but Ekran System’s privileged access management tools do a large part of the work for you. You can reconfigure access rights in several clicks, revoke them completely, and automate password management.

7. Plan your response in advance

When you discover an insider attack, you’ll need to act quickly and efficiently in order to prevent data theft by employees when they leave. Analyze your incident response options and decide which ones you’ll use prior to an attack. With Ekran System, you’ll be able to show a user a warning message, terminate a harmful process, or block a user completely. You can also configure the software to do this automatically in response to specific events.

Incident Response Planning Guideline for 2023

Conclusion

Departing employees may take sensitive corporate data with them or create a backdoor account to keep spying on your organization. Because of such actions, your organization can lose customers, lose its competitive advantage, or deal with the consequences of a breach of confidentiality.

Preventing data theft by departing employees is possible if you can detect risk indicators in time. Ekran System is insider risk management software that helps you do that. With our solution, you can monitor user activity, control access to sensitive data, and respond to security threats promptly.