The Proverbial HR Exit Walk – But What About the Data?
Many of us have taken “the walk”! You know, the one where a representative from HR (commonly known as the People Team these days) walks you out of the building and wishes you all the best on your next adventure. We know the drill well and whatever may be the impetus (quitting, a new role, retiring, or in more extreme situations, termination), you will find yourself in that exit interview while you hand back your corporate issued devices and badge.
Never at any stage of this process are you asked about the data you are potentially taking with you nor confronted with evidence that you might be. This is even after Code42 research clearly identified that 63% of people admit to taking data from their previous jobs with the intent to use it with their new employer. Plus, let’s be honest, those other 37% are likely not being forthcoming. The magnitude of the problem gets worse when you consider that today’s employee departures are 100% virtual and we happen to be living in a time where turnover and job hopping are setting record benchmarks.
You can’t take it with you:
Stop data exfiltration now
A recent article by Paul Gillin (Technology Journalist) for Computerworld titled “You can’t take it with you: Stop data exfiltration now” hit a chord for me. We tend to focus a lot of our time and treasure on malicious intent (as we should). But what about the other employees doing “not so intelligent” things or the ones deliberately bypassing policy simply to get their jobs done? The good news is that the conversation is starting to shift to account for “accidental insiders” along with “malicious insiders.” It’s important to start thinking of the insider problem as Insider Risk (as we’ve explored in the past) because you need to account for the holistic nature of data loss. It’s never about a single source! When I run across an article that resonates with me, I like to share my top takeaways. So here it goes…
My top takeaways
1. The rapid shift of vast amounts of data from inside corporate walls to home PCs, Dropbox accounts, and Google Drives over the past 15 months has magnified the problem.
No analysis needed here. You get the gist! What I will say though is this problem isn’t going to get any better. With more employees being presented with the option to work from home 100% or in hybrid models, coupled with the reality that they will need to leverage an increasing array of cloud tools, visibility becomes more important than ever!
2. With record numbers of people on the lookout for new opportunities right now and statistics showing that most stay in the same industry, the risk of trade secret exposure is especially high.
I view this as a two-way problem. Obviously, there’s the company losing the data to exfiltration, but on the other hand, what about the legal risk to the new employer in the event that they are sued by the previous company? I can’t imagine any company explicitly saying “Hey, we’ll hire you as long as you bring me source code from your previous company!” Yet, employees can make the decision to infiltrate a new organization with IP that puts your organization at more risk than you know.
3. “All the security tools we’ve used historically were designed to block access. That flies in the face of what CIOs want to do today, which is share.” (Joe Payne, Code42 CEO)
This in many ways represents the heart of the problem in my opinion. Security teams have the unenviable task of promoting a culture of growth and collaboration while also protecting data. The two don’t always go hand in hand so you have to strike the right balance in terms of risk. Traditional tools have focused on controls and policies first-and-only, it’s time to shift that paradigm to demand more context before taking outright actions that simply satisfy compliance check boxes.
4. “The good news is that data exfiltration is usually unintentional. But intent matters less than outcomes.”
Word! At the end of the day, data loss is, well, data loss! So regardless of how it happened, you need to proactively protect your data and take measures to educate your workforce (sales awareness anyone?) on proper data handling techniques. There will always be malicious employees with the intent to harm organizations but there are also those simply trying to get their jobs done (albeit while putting data at risk). This is why it’s time to view the problem more holistically and think of it as Insider Risk vs. insider threat.
5. Education is part of the solution. Technology can help.
Nope, not a Code42 plug but I am here to tell you that there is help (no matter where you seek that help). Visibility should be a key part of your technology because without the proper insights and context, how else are you equipped to make very serious decisions? When we think about response protocols (blocking, termination, revoking access rights, HR or legal intervention etc.), context and insights should be core to the discussion. And then, of course, it’s refreshing to see how organizations are starting to prioritize and budget for security awareness as part of employee education. As I often say, an empowered and educated workforce is almost as good as an extended security team working 24/7.
Join us at the Insider Risk Summit
If you want more Insider Risk focused content, need more CPEs and/or you’re in the market for another (free) conference; register now to join us and the rest of the Insider Risk Summit™ team virtually at Insider Risk Summit 2021.
The Insider Risk Summit, the industry’s leading conference on Insider Risk Management (IRM), brings together security leaders and practitioners and industry experts to learn, interact and share best practices in the IRM space. More than just one moment in time – the Insider Risk Summit is a community of organizations and security professionals that understand collaboration, productivity and enablement of users while meeting data security challenges. In its inaugural year in 2020, more than 2,000 security professionals registered for the event, which is held annually in September during Insider Threat Awareness month.