The market dynamics of the past several years have created a massive undercurrent: employees are leaving – and subsequently joining – organizations at an unprecedented rate. Dubbed The Great Resignation, and often referred to as the Great Reshuffle, over 47 million Americans voluntarily quit their jobs in 2021, a new record.
The Great Resignation combined with the work-from-anywhere workplace and cloud adoption has created a perfect storm for organizations trying to protect their most important and sensitive data. At the same time, legacy DLP systems that are on-premise, complex and costly to maintain cannot keep pace with today’s modern workforce.
Halfway through 2022, these trends show no signs of abating. And even as employees in the tech sector are affected by recent layoffs, the implication is the same: departing employees put sensitive data at risk.
Great Resignation and Insider Threats Top CISO Challenges
According to this year’s Voice of the CISO report, insider threats increased from the number three spot in 2021 to number one in 2022. With the volume of insider threats increasing 40% in 2022, it’s easy to understand why insider threats, data risk loss, and employee data theft are top of mind for today’s CISOs.
Furthermore, 50% of CISOs state that protecting data has become an increased challenge due to the Great Resignation. As employees leave companies in historic numbers and data volumes increase significantly, it is critical to put the controls in place to protect your most valuable data from employee data theft.
The Departing Employee
Departing employees can be categorized as malicious or careless users. The malicious user is typically motivated by personal gain and departing employees, who may want to get a jumpstart in their next job opportunity, are a common use case. For example, the departing employee may feel entitled to customer data based on their relationships or to intellectual property given the ‘sweat equity’ they contributed.
The careless user is well-intentioned but may accidentally exfiltrate data as they leave the company. For instance, a user may inadvertently download sensitive data like financial reports or credit card numbers to a USB while trying to download personal documents.
Understanding a user’s motivation is critical to gaining context and determining the best response. Proofpoint believes that a people-centric approach to data loss is needed – one that is content, behavior and threat-aware. Having insight into a user’s intentions and behavior helps determine if the actions are a result of a careless user or a malicious user.
Given the potential for financial and brand impact from malicious users, these incidents tend to be widely publicized. There are several recent examples of data loss stemming from departing employees. In November 2021, Pfizer alleged that a former employee exfiltrated thousands of files with Covid vaccine trade secrets as they left the company. Similarly, in December 2021, Qualcomm discovered that a long-term employee exfiltrated hundreds of files with confidential and propriety information to his personal accounts before leaving for a new job. In both instances, these long-term employees wanted to take data that would be useful to them as they were headed to their next opportunity.
How to Stop Data Theft from Departing Employees
An employee gives their notice to leave the organization. The employee works with sensitive customer data and critical intellectual property. Unfortunately, the employee also believes the code and designs are their hard work and belong to them. So, they want to take the sensitive information to their next job. How can you protect your organization from employee data theft?
Fortunately, there are several steps your organization can take. Proofpoint Information and Cloud Security is a cloud-native platform that stops data loss, investigates insider investigations, and blocks cloud threats. Part of the Information and Cloud Security platform, Proofpoint Insider Threat Management (ITM) and Proofpoint CASB can help you stop data loss from departing employees across managed and unmanaged devices. With these solutions, you can:
- Monitor departing employees – Using Proofpoint ITM, you can build a watch list of departing employees. As users give their notice and HR tags them as leavers, Proofpoint ITM will automatically start monitoring these users as risky users, providing visibility into their data activity on managed endpoints.
- Detect and prevent malicious users – With Proofpoint ITM, policies can be set up for the exfiltration of sensitive data via a USB, cloud sync, or an unauthorized website. Departing employees’ actions can also be blocked and screenshots can be captured to provide forensics evidence for an investigation. Alerts will be generated for any out-of-policy behavior for departing employees so the security analysts can react in real-time.
- Identify and remediate careless behavior – Using Proofpoint CASB, you can identify when users share sensitive files in the cloud (such as through OneDrive, Google Drive, or Dropbox) too broadly (e.g.: for ease of use) or simply with unknown recipients (e.g.: email address typos). Most customers set up automated remediation policies to protect cloud files in such cases while only allowing collaboration between trusted parties.
- Investigate departing employees – The Proofpoint Information and Cloud Security platform allows you to manage investigations, triage alerts and dig deep into the metadata to understand a user’s timeline of activity. With departing employees stealing sensitive cloud data, Proofpoint CASB will automatically correlate all their abnormal or risky cloud data activity in the recent past (e.g.: their notice period). PDFs and reports of the concerning activities can be easily exported for use by HR, Legal, and other departments that may need to be involved.
- Prevent employee data theft across channels – The Information and Cloud Security platform gathers telemetry across channels – from endpoint, email, cloud, and web – so that you can have a holistic view of incidents and avoid ad hoc, time-consuming investigations that require pivoting between different tools. As a result, you will be able to gain visibility and contextualized insights, proactively hunt and respond to threats, and work more efficiently to minimize business disruption.
Learn More about Protecting Your Organization from Insider Threats and Employee Data Theft
To learn more about how Proofpoint ITM and Proofpoint CASB can help you protect against insider threats and to see a demo, watch our on-demand webinar. Read our ITM eBook to understand how to implement an ITM program.
Listen to the CISOs of Pfizer and Tetra Pak discuss their experiences and lessons learned with ITM and DLP during the main stage session at Proofpoint Protect.