


Insider Risk Insights - DTEX Blog

The Great Resignation: 3 Steps to Help CISOs Secure Critical Data During Offboarding


With 4.4 million workers quitting their jobs in April 2022, the Great Resignation persists. In response to the continued trend of workers leaving their jobs, business leaders and HR teams are grappling with how to retain top talent, while CISOs and IT teams work through the challenges associated with securely offboarding departing employees and onboarding new team members.

In previous blog posts, we’ve shared advice for how to reduce employee stress in an effort to minimize employee attrition and the risk of associated insider threats. We’ve also provided insights on the risks introduced by new employees, as individuals join new organizations and potentially bring data with them.

Now, we recognize it’s critical to share insights that help CISOs to minimize risk from the third group—those who choose to join the Great Resignation. Security leaders should follow the three steps below to ensure critical data doesn’t leave the organization along with the employee.

  • Step 1: After receiving notice that a team member is leaving, prioritize reducing the user’s current access to webmail, applications, servers and other company platforms. It’s also important to keep track of any shared accounts and credentials between the employee and other members of the organization to ensure passwords are updated immediately. This process should be the first step in a larger transition plan that security departments implement to gain a deeper understanding of any in-progress projects the team member was working on and the level of access they had to sensitive information. Having a transition plan in place to offboard these employees will also set CISOs up for success when it comes time to onboard the newest team member.
  • Step 2: Conduct a holistic security review of the individual’s activities leading up to the resignation. Corporate IP comes in many formats and is not limited to just a product design. Individuals in the security department may have access to sensitive data like network inspection logs, reports, tickets, or other information. When it comes time to offboard a team member, it is critical to review activities such as new accounts created by the user or data moved out of the organization, whether by mistake or intentionally.
  • Step 3: Most importantly, monitor all applications, servers, and accounts the user has had access to and ensure they cannot gain future control or access. Organizations should continue to monitor for at least a few weeks, if not longer, to stay ahead of any potential threats, especially in today’s increasingly digital and distributed work environment. Ensuring that your security team has the right tools in place to monitor this information is key to easing the burden of offboarding employees across the organization.

It’s critical that CISOs go through these steps when offboarding team members. If offboarding is not properly handled and reviewed, individuals could still gain access to intelligence that they should not be able to access. This data could be misused by the individual themselves—maliciously or negligently—or be passed on or sold to a malicious actor looking to expose corporate data.

Overall, offboarding should not be something that happens only on the expected end date; it should begin far in advance. Although individuals could be working on projects until the end of their time with a company, it is important that the individual’s superiors are aware of the upcoming departure, as this could help to curb any unusual behavior. Additionally, if security is aware, these individuals can be placed on a watch list and further flagged for anomalous behavior. Normally, data theft occurs 30-60 days prior to a contract end date. Unusual file movement, searching, aggregation, and obfuscation are some good indicators. Furthermore, having more than one individual validate that access has been revoked is important, as a second pair of eyes ensures there are no gaps.
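The review in Steps 2 and 3, together with the 30-60 day window and the indicators above, can be expressed as detection logic over an activity log. The Python below is an added example, not code from the original post or from DTEX; the account names, event types, dates and the 28-day watch period are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: every account, date and event below is hypothetical.
DEPARTURE = {
    "user": "jdoe",
    "access_end": datetime(2022, 6, 30, 17, 0),
    # shared account -> time its password was rotated (None = never rotated)
    "shared": {"svc-reports": datetime(2022, 6, 30, 18, 0), "team-mailbox": None},
}
REVIEW_DAYS = 60  # the post places most data theft 30-60 days before the end date
WATCH_DAYS = 28   # assumed value for "at least a few weeks" of monitoring

# Hypothetical event types mapped to the indicators the post names.
INDICATORS = {"usb_copy": "file movement", "upload_external": "file movement",
              "bulk_search": "searching", "archive_create": "aggregation",
              "rename_ext": "obfuscation", "account_create": "new account"}

EVENTS = [  # (timestamp, account, event type, detail)
    ("2022-03-01T09:00", "jdoe", "usb_copy", "old event, outside review window"),
    ("2022-05-12T22:14", "jdoe", "bulk_search", "query: customer list"),
    ("2022-05-12T22:40", "jdoe", "archive_create", "export.zip, 1200 files"),
    ("2022-05-12T22:41", "jdoe", "rename_ext", "export.zip -> holiday.jpg"),
    ("2022-05-13T08:05", "jdoe", "login", "routine sign-in"),
    ("2022-06-30T17:30", "svc-reports", "login", "before password rotation"),
    ("2022-07-02T11:00", "svc-reports", "login", "after password rotation"),
    ("2022-07-04T03:12", "jdoe", "login", "webmail"),
    ("2022-07-09T14:00", "team-mailbox", "login", "password never rotated"),
]

def review(departure, events):
    """Return (pre_departure_findings, post_departure_findings)."""
    end = departure["access_end"]
    start, watch_end = end - timedelta(days=REVIEW_DAYS), end + timedelta(days=WATCH_DAYS)
    pre, post = [], []
    for ts, account, etype, detail in events:
        when = datetime.fromisoformat(ts)
        if account == departure["user"]:
            if start <= when <= end and etype in INDICATORS:
                pre.append((ts, INDICATORS[etype], detail))
            elif end < when <= watch_end:
                post.append((ts, account, "activity after access end"))
        elif account in departure["shared"] and end < when <= watch_end:
            rotated = departure["shared"][account]
            if rotated is None or when < rotated:
                post.append((ts, account, "shared credential not yet rotated"))
    return pre, post

if __name__ == "__main__":
    pre_findings, post_findings = review(DEPARTURE, EVENTS)
    print(*pre_findings, *post_findings, sep="\n")
```

Any post-departure finding means revocation or credential rotation from Step 1 was incomplete and should be rechecked by a second reviewer.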

Many CISOs and business leaders may not already have the transparency or level of oversight needed to closely monitor this access and an employee’s activities. Thankfully, DTEX can help. DTEX InTERCEPT, a first-of-its-kind Workforce Cyber Intelligence & Security solution, brings together the capabilities of Insider Threat Management, User and Entity Behavior Analytics, Digital Forensics, and Endpoint DLP in an all-in-one cloud-native platform. The solution delivers the context and intelligence that answers the Who, What, When, Where and How related to any potential insider threat situation, compromised account event or data loss scenario.

Interested in learning more about how DTEX can help CISOs secure the enterprise during the Great Resignation? Drop us a line here.