Employees often feel they have a stake in information they helped to create. When they leave a job they sometimes believe they have at least a moral right to take that information with them, or perhaps even to destroy it before leaving. A new study (PDF) from Osterman Research shows that this is a common problem, and that many organizations have difficulty preventing it.
Osterman Research questioned 187 IT and/or HR decision makers and influencers in organizations of various sizes, primarily in North America. The results show that companies lose both expertise and data when staff depart; but that many of the problems are simply caused by poor visibility into data controlled by the employee. That data could subsequently be abused, or simply deleted by the former employee -- the difficulty for the organization is that it might never know, or might only find out after damage has been done.
It is a complex issue driven by different motives: bitterness at being laid off, ambition to create a new competitive organization, a sweetener for a potential new employer, or simple forgetfulness. In many cases, shadow IT and BYOD play a part; but direct theft through copying data to a thumb drive or portable disk and direct damage through file deletion cannot be ignored.
Many of the solutions already exist, at least in part, within an organization's security defenses -- but perhaps with the wrong emphasis. Network and file-access monitoring, for example, is usually tuned to look for indicators of compromise; but it could equally be tuned to look for inappropriate staff behavior. This could include a sudden spike in file accesses relative to the user's own normal volume, a user reaching into shares outside their job function, or access to corporate accounts or facilities at odd hours.
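The two signals named above, an access spike against the user's own baseline and off-hours activity, can be scored from ordinary file-access logs. The following is an added example written for this page, not code from the Osterman report or from any product: the log format (ISO timestamp, user, action, path), the 07:00-19:00 working-hours window, the 3x spike ratio and the sample lines are all constructed assumptions for illustration.

```python
"""Detect departing-employee warning signs in a file-access log.

Added example (not from the Osterman report). It scores two behaviours
the article names: a sudden spike in a user's file accesses relative to
that user's own baseline, and access at odd hours. The log format, the
working-hours window and the sample lines are constructed assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log, one file access per line: timestamp user action path.
# alice reads two finance files a day Mon-Wed, then pulls ten files across
# three shares late on Saturday night; bob is steady apart from one evening edit.
SAMPLE_LOG = """\
2024-05-06T09:12:01 alice READ /shares/finance/q1-report.xlsx
2024-05-06T14:40:10 alice READ /shares/finance/budget.xlsx
2024-05-07T10:05:44 alice READ /shares/finance/q1-report.xlsx
2024-05-07T16:21:03 alice WRITE /shares/finance/forecast.xlsx
2024-05-08T09:48:27 alice READ /shares/finance/budget.xlsx
2024-05-08T11:30:59 alice READ /shares/finance/vendors.csv
2024-05-11T23:02:11 alice READ /shares/finance/q1-report.xlsx
2024-05-11T23:02:19 alice READ /shares/finance/budget.xlsx
2024-05-11T23:02:25 alice READ /shares/finance/forecast.xlsx
2024-05-11T23:02:33 alice READ /shares/finance/vendors.csv
2024-05-11T23:02:41 alice READ /shares/finance/payroll.xlsx
2024-05-11T23:02:50 alice READ /shares/sales/pipeline.xlsx
2024-05-11T23:03:02 alice READ /shares/sales/customers.csv
2024-05-11T23:03:10 alice READ /shares/sales/pricing.xlsx
2024-05-11T23:03:18 alice READ /shares/product/roadmap.pptx
2024-05-11T23:03:27 alice READ /shares/product/specs.docx
2024-05-06T08:55:12 bob READ /shares/eng/build.log
2024-05-06T12:10:40 bob WRITE /shares/eng/design.md
2024-05-07T09:02:33 bob READ /shares/eng/design.md
2024-05-07T22:30:05 bob WRITE /shares/eng/design.md
2024-05-08T10:15:00 bob READ /shares/eng/build.log
2024-05-08T15:45:21 bob READ /shares/eng/design.md
"""

WORK_START, WORK_END = 7, 19  # assumed normal working hours, 07:00 to 18:59


def parse_log(text):
    """Parse 'timestamp user action path' lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = line.split(None, 3)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "path": path})
    return events


def is_off_hours(ts):
    """True on weekends or outside the assumed working-hours window."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.hour < WORK_END)


def find_off_hours(events):
    """Every access that falls outside working hours."""
    return [e for e in events if is_off_hours(e["ts"])]


def find_spikes(events, ratio=3.0, min_events=10):
    """Days on which a user's access count exceeds ratio times that user's
    mean daily count over all other observed days. min_events stops a user
    with a tiny baseline from being flagged for opening a handful of files;
    a user seen on only one day is flagged only if they hit min_events."""
    per_user_day = defaultdict(Counter)
    for e in events:
        per_user_day[e["user"]][e["ts"].date()] += 1
    spikes = []
    for user, days in per_user_day.items():
        for day, count in sorted(days.items()):
            others = [c for d, c in days.items() if d != day]
            baseline = sum(others) / len(others) if others else 0.0
            if count >= min_events and count > ratio * baseline:
                spikes.append({"user": user, "day": day.isoformat(),
                               "count": count, "baseline": baseline})
    return spikes


def analyze(text):
    """Run both detectors over a log and return their findings."""
    events = parse_log(text)
    return {"spikes": find_spikes(events), "off_hours": find_off_hours(events)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for s in report["spikes"]:
        print(f"SPIKE     {s['user']} {s['day']}: {s['count']} accesses "
              f"vs baseline {s['baseline']:.1f}/day")
    for e in report["off_hours"]:
        print(f"OFF-HOURS {e['user']} {e['ts'].isoformat()} "
              f"{e['action']} {e['path']}")
```

On the sample data alice's Saturday run is reported as a spike (10 accesses against a baseline of 2 per day) and every one of those accesses is also off-hours, while bob produces a single off-hours edit and no spike. The baseline is per user on purpose: a finance analyst who opens fifty files a day is normal, the same count from someone who usually opens two is not. In a real deployment the window and ratio would be tuned per team, and a spike that also spans shares the user does not normally touch (here finance, sales and product) deserves a higher priority than the counts alone suggest.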
The key, as it is with all security, is data control and protection. The IT department does not need direct access to all corporate data, but it does need control over it: it needs to know where the data is and who can access it at all times. Where it loses that visibility, encryption limits the damage, because a copy that walks out the door is worthless without keys the organization still controls. "Sensitive and confidential data should be encrypted in transit, at rest and in use, regardless of its location," says Osterman. "Encryption alone can prevent much of the data loss that occurs when employees leave a company."
It also needs data archiving, with copies the departing employee cannot delete or alter, to protect against malicious deletion.
BYOD remains a difficult issue. Most employees genuinely use their own devices at home to improve their business efficiency. But once data is on an uncontrolled phone, tablet or home laptop, IT loses visibility over its use. When an employee leaves the company, that data usually leaves as well.
One partial solution here would be a policy that denies network access to any personal device that does not run a company-provided MDM agent. MDM also enforces access policies, which are another important protection: staff should have access only to data pertinent to their own function, and attempts to reach other data can be flagged. Moreover, company data can be remotely wiped from the device when the employee leaves.
Of course, that does not prevent the employee from copying the data to another uncontrolled device, or to a personal cloud account on a service such as Dropbox, before ceasing employment. The reality is that there is little that can be done to prevent determined, slow and persistent data exfiltration by an employee who understands the system.
In the absence of prevention, deterrence becomes important. This starts with the contract of employment. It should give clear notice that network activity is monitored, and that cloud sync services such as Box or Dropbox may be used only through company-controlled accounts. Again, this will not prevent data theft; but it combines deterrence of casual theft with a strong company position if litigation later becomes necessary.
In the past, security teams have concentrated on protecting their organization's intellectual property -- and this remains a priority. However, the last few years have seen a dramatic increase in regulations designed to protect personal information. Compliance is now an ever-increasing part of security -- and the cost of regulatory sanctions for non-compliance cannot be ignored.
Without sufficient controls, sensitive data can easily end up on an employee's laptop, and an ex-employee can just as easily forget that it is there. If that laptop is subsequently lost or stolen, the organization remains liable for any exposed personal information. Given the global nature of modern business, it is quite likely that such a loss will fall under the purview of the European General Data Protection Regulation (GDPR).
A serious breach of GDPR can make an organization liable to fines of up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is higher. Fines at this level will be rare; but the potential exists -- and the best defense against them is to be able to demonstrate that reasonable care has been taken to prevent that data loss. This must include data loss through ex-employees.
"Whether it's premeditated or simply in error," warns Michael Osterman, CEO and founder of Osterman Research, "many employees leave their employers with a wide variety of data types that can include confidential or sensitive financial data, customer information, and/or product, sales and marketing roadmaps, as well as other business critical intellectual property. This can leave a business organization vulnerable to regulations noncompliance, litigation, a loss in competitive edge and even embarrassing bad press with long-term ramifications."