Here’s the single clearest sign of insider risk: an employee’s resignation letter. A 2019 study found that 72% of employees take company data when they leave, according to Infosecurity Magazine. Fortunately, you don’t need fancy technology to figure out who these risky users are — they tell you! The problem is that most employees take data before they give notice — and conventional data security tools don’t give you the historical breadth and depth you need to detect and respond before they walk out the door.
The departing employee risk is only growing
According to Code42’s Data Exposure Report, 63% of employees say they brought data with them from their previous employer to their current employer. Sometimes recruiters take org charts and salary information. Engineers might take source code. Sales reps may nab customer lists. And more than half the time, these employees are leaving for a competitor. This was already a growing problem, with people changing jobs more frequently than ever. Now, record unemployment levels, economic uncertainty, and the seeming privacy of working from home are creating a perfect storm for departing employee insider risk.
The crux of the problem: Security teams aren’t looking back
The good news is that more and more companies are starting to include some data security protocols in their employee offboarding. The problem is that most start from when the employee gives notice. But think about it: Almost no one wakes up and decides, “Today I’m going to quit my job — and I’ll figure the rest out later.” Employees start planning their next move long before they give notice, and this is when they’re pulling together data and files to help them make that next move. The reality is that the vast, vast majority of this risky activity happens up to 90 days before they give notice.
…Because conventional security tools can’t look back
Most offboarding protocols don’t include looking back at recent file activity for one simple reason: conventional data security tools aren’t very good at looking back. They’re great at alerting and blocking once an employee is on a watch list — but that’s useless if the activity happened before. Here’s the most glaring example of this failure: Last year, McAfee, a “leader” in data loss prevention, was unable to stop three former employees from taking trade secrets to Tanium, a market rival.
How Code42 Incydr lets you look back — with a focused lens
The Code42 Incydr data risk detection and response solution starts with that foundation of visibility, detecting all file sharing and exfiltration across computers, cloud and email through an agent and direct cloud and email integrations. But security teams don’t just need another giant activity log to sift through. So Incydr gives security analysts a focused lens for addressing departing employees. Here’s how it works:
- Targeted risk lens with automatic alerts: When an employee gives notice and their departure date is added to your HR system, this employee is then added to the Incydr risk detection lens for departing employees. Security receives alerts when files are moved to untrusted destinations.
- 90-day look back: Incydr provides a clear, historical view – going back as far as 90 days – of the employee’s file activity. Within that time period, it alerts on any high-risk activity, such as file movements that happen during non-work hours, or off-network activity. This allows a security analyst to quickly prioritize any investigation needed.
- Full context to speed investigation: If activity warrants a closer look, Incydr gives you the full context on the files (what), vector (how) and user (who) involved — and even lets you open up the file in question to review its contents.
- Rapid insight for fast response: Armed with this full historical breadth and critical context on any risky file activity, you can quickly identify if there’s a need to take action — whether that be through a SOAR platform, personal outreach to the user, legal escalation or more.
Want to see how this all comes together? Check out how Macom is using Incydr to tackle the departing employee challenge across more than 1,500 employees and 50 global sites.
The risk isn’t going away — but it’s a solvable problem
Departing employees are always going to be a major data security risk. But this is a highly solvable problem, because the tough part of most insider risk — figuring out who to look at — is already done. Every organization needs to have an employee offboarding process that incorporates data security protocols. And every security team needs tools that give them the historical visibility and targeted focus to quickly look back and see if and when departing employees take files and data.
