Optimism bias: it’s a common but unfortunate human psychological fallacy. As humans, we believe we are less likely to experience a negative trend or occurrence than others. Unfortunately, many business leaders experience this, too.
The Great Resignation is currently taking center stage — a massive employee turnover sweeping the country. In December 2021, job openings hit 10.9 million, and more people are quitting their jobs than looking for new ones. In fact, recent studies show 48.1% of employed Americans are looking to leave their current jobs. This may be why nearly half of senior leaders are concerned about the lack of visibility over what sensitive data departing employees take to other companies.
This massive employment shift leaves a huge opening for increased incidents of insider risk and should be of extreme concern for both security leaders and practitioners. Employee turnover is one of the most significant causes of insider risk: when employees leave, they often take company data with them. And the only thing riskier than an employee quitting is a security team that isn’t prepared for turnover. This scenario will likely play out again and again if a company doesn’t take precautions before its employees exit.
Employee turnover is inevitable. Here are a few things you should do now to be prepared when it happens.
Clearly define data ownership policies
A staggering 80% of business decision makers feel they should have ownership over the projects and data they produce at their jobs. And that data often goes with them — because of pride or to help them at their next job. One of the best ways you can prevent this exfiltration is to be highly transparent with your team about your company’s policies on data ownership. Leave no room for ambiguity. Start at onboarding. Make sure the data ownership policy is clearly laid out, and tell employees what consequences they might face if they take those files.
Most employees won’t remember all the details of onboarding training months or years into their tenure, so continue to reiterate this message. I recommend sending a quarterly memo to the entire team reminding them about policies, including that the company owns all the work employees do on the clock. These reminders can make a big difference and likely save you from major legal and security headaches in the future.
Catch data theft before it happens
Recently, we faced our own insider risk event when an employee downloaded customer data to their personal devices – 24 hours after putting in their resignation. Thankfully, due to the processes we have in place, our security team caught the event and thwarted it before a crisis occurred. Not every company moves that quickly.
It takes the average security team nearly four months to notice a data breach. If a former employee steals trade secrets and you don’t discover the theft until months after they started working for your competitor, you’ve got a problem. Give your security team the visibility and technology resources they need to know which employees are leaving and what files they are downloading before their last day in the office. Doing so will save you a lot of trouble down the road.
Consider who really needs access to intellectual property
You can avoid a significant amount of insider risk altogether if you prevent people from accessing sensitive files they don’t need. Your security team should closely examine your company’s IP and determine who currently has access to it. How is that data presently being protected? Is it locked in a proverbial safe?
Thanks to the rise of the cloud, especially during the pandemic, we’ve created a connected work culture built on tools like OneDrive and Google Drive. But these tools also make it easy to access and download files employees don’t need to be privy to. The 2022 Data Exposure Report found that the average percentage of employees who have shared sensitive documents with third parties when they should not have has risen to 41% since the start of the pandemic.
Consider restricting access to sensitive files and data to only the people who need it. If an employee can’t open a file that contains trade secrets, you won’t have to worry about them taking it with them when they leave.