When employees leave, is your data walking out the door?

In the second quarter of 2021, American workers began resigning from their jobs at a historic rate. The “Great Resignation”, as it’s since been dubbed, has seen the U.S. set monthly records for the number of workers leaving their jobs three times this year. In September alone, 4.4 million workers resigned from their jobs. The same trend is being seen in the U.K., where resignations are at their highest level in 20 years.

For organizations with valuable intellectual property or personal identifiable information, these resignations represent a serious security threat. According to Code42, the three-month period between April and June 2021 that kicked off this wave of resignations coincided with a 61 per cent increase in data exposure events from the previous quarter.

Data exfiltration often rises alongside resignations because more employees are misappropriating data and they’re doing so around the time they resign. A Tessian study confirmed this, finding that 45 per cent of employees admit to downloading, saving or sending work data out of network before leaving their jobs.

Everything from customer lists to intellectual property is in danger of being exfiltrated and for a variety of reasons. It may be that employees feel entitled to the intellectual property they helped create. It may be that they want to jump start their work with a new company and that taking data, in their minds, is no crime. It may be that they’re disgruntled and looking to do harm by selling the data to a competitor. In the most extreme case, the employees in question may even be cybercriminals-for-hire who infiltrate enterprises with the sole purpose of causing harm.

Amid all these possibilities, it is no longer reasonable for organizations to risk leaving the protection of their most valuable data up to chance. Organizations with valuable intangible assets must consider performing digital forensic scans as part of their standard operating procedures when offboarding employees, to identify threat actors and the data they’re exfiltrating. Doing so would enable organizations to better manage the risk of insider activity and give them the means to recover critical data and in some instances even seek legal recourse.

Before organizations begin scanning for insider activity, they should update their standard business practices to reflect the new challenges presented by insiders. Many organizations only perform a standard review of devices belonging to outgoing employees after their departure. By then, it’s already too late. Collecting their devices early also isn’t an option because it would slow productivity, tip off insiders and give them a window to act nefariously between the date their device is returned and their final day of employment.

To identify and eliminate insider activity, security teams must act weeks before the date employees are set to depart and perform digital forensic analyses using solutions that allow them to scan target endpoints remotely and covertly.

A digital investigation will often involve three steps: triage, a complete digital forensic analysis, and intervention, often led by human resources and legal teams.

By beginning with triaging, organizations can save time by quickly scanning for insider activity. This approach also balances the need for security measures with the privacy of employees as forensic analysts are not sifting through all their digital activity with the hopes of finding a “smoking gun.” Triage solutions can rapidly determine whether data has been exfiltrated from a target endpoint by scanning common threat vectors such as USB connection history, recently accessed folders, cloud storage and internet history and activity.

The same tools can be used to investigate unintentional data leakage incidents, such as an employee uploading work documents to a personal cloud storage account to continue a project from home or sending an email containing data to the wrong recipient. In the case of data exfiltration involving files copied to a USB drive, a triage solution will identify the date an insider took this action and the name of the files and folders that were exfiltrated. This gives analysts the leads they require to perform a deeper digital forensic analysis.

With a full digital forensic examination, an analyst can trace an insider’s steps, create a timeline of their movement and determine exactly what data was exfiltrated. Analysts will begin by remotely and covertly connecting to the suspect’s computer as well as cloud-based sources such as Microsoft Office 365, Amazon Web Services, and Slack. Using the results of the triage as a guide, analysts can begin their investigation by targeting the date of exfiltration and the file itself. File and folder names can easily be changed to disguise the data within and so this data point alone won’t prove any wrongdoing. During a full analysis, however, analysts can access the files and folders that were copied to USB drives and determine whether they have been altered in any way.

Confirming that an employee exfiltrated source code, customer lists or other valuable data isn’t enough to complete an investigation. It could be that several weeks before their resignation, the employee in question researched how to conceal their activity from security teams and deployed anti-forensic software to cover their tracks. One week later, they may have downloaded the data onto their desktop. Before they exfiltrated the data to a USB drive, the insider may have emailed another copy to a non-company address or uploaded it to a personal cloud storage system. Each one of these data points is a piece of evidence that will help an analyst build a case.

Once the investigation is complete, organizations can use the results to move towards an appropriate resolution, ranging from a warning to early termination with cause and, in some situations, a lawsuit. Before HR and legal teams meet with the suspect, it’s important to remember that some employees don’t realize that downloading confidential data and departing an organization with it is a crime.

Depending on the results of the investigation, organizations may wish to take a different course of action with these employees than with those who clearly tried to cover their tracks or were caught negotiating a sale of the data they stole and very clearly knew the gravity of their actions.

The last and perhaps most important step is to attempt to recover the lost data or damages from the insider event. The threat of legal action can be leveraged to request that an insider return the data and the reality is that a lawsuit may be required in some instances. This scenario is an important one to consider in cases where the data that was taken by an insider was highly confidential or the damages linked to their activity were high.

While digital forensic tools cannot recover the data that has been exfiltrated, they do facilitate the legal process, should it be required, because the evidence they collect has proven to be reliable in both civil and criminal court. This is because they collect evidence in a forensically sound and repeatable manner, while also upholding the chain of custody. The same evidence an analyst collected to warrant the insider’s early termination is what legal teams could use to pursue legal action.

Assuming the worst about your employees is difficult but planning for it is part of being a thoughtful leader in the digital age. With employee data exfiltration rising rapidly alongside resignations, organizations must take a more thorough approach to risk management. By implementing digital forensics into their offboarding processes, organizations can fall back on another layer of security and ensure their most valuable assets aren’t being stolen out from underneath them.