[BreachExchange] Protecting Data from Departing Employees

Destry Winant destry at riskbasedsecurity.com
Fri Oct 5 09:19:03 EDT 2018


Countless formal and informal studies show that most employees retain
at least some company data when they leave a job. The reasons vary
from the benign (like when an employee inadvertently keeps a work
flash drive) to the more malicious (in the case of an employee’s
deliberate theft of company trade secrets for use at a new job).
Motivation matters only so much, though, because even the innocent
retention of data can have far-reaching consequences.

Threats From all Sides

Much like an ocean seal swimming through shark-infested waters,
threats can come from any direction. There are the obvious ones, such
as those involved when a new competitor hires your company’s best
employees and encourages them to bring “their work with them.” The
threats can also be more indirect. For example, an employee who copies
large swaths of data for use as evidence to support a good-faith
wrongful termination claim against the company can still, under the
right circumstances, trigger a reportable data breach or a breach of
the company’s contractual obligations to a third party.

The threats can even arise from third parties that come into contact
with your data. A departing employee may back up her work computer to
a personal cloud storage account and accidently change the parent
folder’s permissions to “public.” Not only can this lead to the loss
of valuable intellectual property—in the unfortunate event the
publicly-shared folder included protected data—a state or federal
agency may also use the company’s inability to detect or prevent the
exfiltration (removal) of sensitive data as a basis to issue fines.

The threats can also be opportunistic. An employee with access to
payroll and benefits databases who is working out the final weeks of a
reduction in force notice period may decide to save her coworkers’
personal information for later use in the event she cannot find
subsequent employment, becomes financially desperate, and determines
that “borrowing” her former coworkers’ tax refunds is a financial
cure-all. Perhaps this employee also works in IT and knows where to go
on the internet to sell her coworkers’ identities. Whether arising in
the context of a private lawsuit filed by the affected persons, a
government investigation, or a shareholder derivative lawsuit, a fact
finder may determine that the offending employee shouldn’t have had
access to the data in the first place.

The threats can even come from inaction. For example, when reviewing
the computer of a technical employee recently terminated for
performance, a company may discover that the employee often backed up
data to a flash drive to work on weekends. In the event he doesn’t
respond to requests to return or delete data retained in that fashion,
it may reasonably determine that he doesn’t pose a significant enough
“threat” to justify the costs of litigation. While certainly
understandable from a cost-benefit perspective, failing to act could
undermine the protected trade secret status of an entire category of
data in other scenarios and, in the right context, even undermine the
enforceability of other employees’ noncompete agreements.

Striking a Balance

Regardless of how robust your security program is, there are always
employees who will find vulnerabilities and exploit them. Clearly,
employees must be able to collect, access, and use company data in the
ordinary course of business. Convenience is the enemy of security,
however, and that is especially true in the digital domain. You must
therefore implement policies, procedures, and safeguards that strike
an appropriate balance between security and convenience and, more
importantly, reflect a company-wide commitment to security. Here are a
few suggestions:

Know your company’s data flow and identify potential sources of data
leakage. You cannot defend your digital castle without knowing where
to place your guards. Thus, you must determine:

- What kinds of data they maintain;
- How data are collected, stored, used, and destroyed;
- Where data are stored, copied, and backed up;
- Who can access the data, how access is decided, and how it is policed; and,
- The potential avenues through which data can be exfiltrated to a
location beyond the company’s control.

The good news is many companies have already thoroughly mapped their
data flow and performed a vulnerability analysis. The bad news is
those that have not probably have more significant concerns than
departing employees because they are likely not in compliance with
some U.S. and foreign cyber security and data privacy laws (GDPR being
the most notable example).

Nevertheless, no matter how secure an environment a company believes
it maintains, it’s certainly not uncommon for companies to discover
unanticipated vulnerabilities after significant or embarrassing damage
is done. It could even be something as simple as a forgotten legacy
database available to a large set of employees that copies information
from a more restricted database. Even so, a company cannot hope to
reasonably anticipate potential sources of data leaks unless it can
track the complete life cycle of its data from creation to disposal.

When it comes to access rights, follow the principle of least
privilege. Many employees test the limits of their access at some
point, typically by simple “data snooping.” Employees should be
granted as few privileges as possible, preferable only those necessary
to perform their job. This applies to data access privileges, computer
and device privileges, application privileges, network privileges, and
internet privileges. As clear cut examples, only the appropriate level
of management should be granted access to “big picture” financial
data, and very few employees should ever be given administrator level
rights to their computer. At the end of the day, it’s significantly
more difficult to exfiltrate data if the employee doesn’t have access
to it in the first place.

Completely deactivate access on the employee’s last day. To avoid
cutting off access too quickly or too late, this step requires close
coordination between the employee’s managers, HR, and IT. Ideally,
create a written protocol for departing employees using your data flow
map as a guide to help ensure that all potential avenues of access are
accounted for, including e-mail, network and remote login credentials,
and mobile device access. Don’t disable her e-mail account, however.
Instead, make sure her e-mails are forwarded to a manager’s account so
that they can be monitored. Also, change the passwords of all client,
vendor, or third-party accounts linked to the departing employee
(Salesforce, ADP, etc.). Finally, remotely wipe all company data from
her mobile devices.

Always conduct an exit interview. The exit interview is probably the
most effective way to prevent data retention. While it can be a
valuable tool for soliciting employee feedback, ensuring that
coworkers know where data has been stored, and recovering company
property, it’s also your first opportunity to assess any threat the
employee may pose.

If she executed an nondisclosure or noncompete agreement, give her a
copy and review it with her. Even if she didn’t sign any formal
agreements, still remind her that she is prohibited from using or
disclosing your company’s confidential information. Also, formally
request that she return all company property, including mobile devices
and credit cards, and agree to a process for returning them. Finally,
if she is subject to a restrictive covenant, ask her where she will be
working next and what her new job’s roles and responsibilities will
be. Although employees aren’t always honest during exit interviews, a
misrepresentation about their next job is certainly relevant in any
subsequent litigation. Take notes of what she tells you, or better
yet, prepare a written exit interview questionnaire for her to
complete. Make sure you confirm her contact information, including a
mobile phone number and e-mail address.

Trust but verify—audit departing employees’ activities and preserve
evidence. Following separation, review the employee’s computer to
determine if she recently deleted any data, connected any storage
devices, or ran any unauthorized programs that didn’t require
installation (such as encryption or erasing applications that can load
from a flash drive). Additionally, most network servers and content
archiving systems have logging capabilities that allow a company’s IT
department to create various levels of alerts triggered by suspicious
activity. Although exactly what constitutes “suspicious activities” is
highly fact-specific, common examples include:

- Multiple attempts to access unauthorized data or certain classes of
unauthorized data;
- Bulk file copying of any kind;
- Attempted installation of unapproved software;
- A new mobile device;
- The use of a non-company virtual private network; and
- Remote access that is inconsistent with the employee’s historical usage.

If you’re confident with the rules you set up to trigger alerts, then
review all alerts associated with the employee for at least the last
90 days. If you are less confident that your alert rules will identify
suspicious activities, then manually review her activities for the
last 90 days. If any behavioral anomalies warrant further
investigation, turn off her computer and arrange to have it
forensically imaged and analyzed. If your IT department has the
capabilities to conduct a forensic review, then make sure to image the
hard drive first because continued operation of the computer can
overwrite evidence of recent suspicious activity.

Bottom Line

While the threat of data leakage can never be eliminated, it can be
minimized and mitigated with proper security practices that anticipate
how a company’s data can leave its control. Departing employees
present a particularly vulnerable attack vector because they typically
know what data they have access to, where it is located, and how it
can be copied. Companies must therefore make sure to take this risk
seriously by incorporating strategies for dealing with departing
employees into its security program. Your company’s survival may very
well be at stake.

More information about the BreachExchange mailing list