Skip to content

TIPS #4: How can companies protect their data from “bad leavers”?

Shane Shook

July 5, 2023

  • Blog Post
  • TIPS

Welcome to the fourth edition of #ForgepointTIPS (Threat Intelligence Portfolio Spotlight), where we examine the latest cybersecurity trends and threats and provide actionable insights for industry decision-makers. Today we explore #insiderrisk and #datasecuritywhat companies miss when it comes to asset management, configuring user logs, departing employees, and data theft. Helpful reading? Subscribe and tell a friend…

Issue: Asset management often falls through the cracks- and insider data theft is more common than you might think

Many companies can’t accurately track which data and systems their employees have accessed or transferred, when they’ve done so, or what devices (or accounts) were used in the process. This is a problem because of the prevalence of insider data theft, particularly from departing employees or contractors (“bad leavers”).

Bad leavers may use USB devices, email, or personal cloud services to download sensitive company data to use in their next job. Cyberhaven’s Insider Risk report found that employees are 69% more likely to take company data right before they are laid off or resign, with instances of data theft increasing by 23% the day before employees leave and 109% the day they leave.

One highly publicized case of bad leavers involved researchers from the University of California San Diego (UCSD) leaving the institution for the University of Southern California (USC), taking an Alzheimer’s research study (and its associated database) with them. UCSD filed a lawsuit and a judge ruled that the program belonged to UCSD. USC was eventually forced to pay $50 million and publicly apologize.

Impact: Companies without proper data controls are at risk

Sensitive and proprietary data can be a company’s most important asset. Without good visibility and controls, companies risk data loss and exposure when bad leavers take data with them. Depending on what is stolen (customer data, for example), they may also be in violation of data privacy regulations and face fines or lawsuits.

In addition, these companies face increased costs during the legal discovery process. When a bad leaver is suspected of taking data, it is important to know what devices they actually used (and how) so that evidence can be collected, preserved, and examined. If a company can’t provide relevant user logs due to insufficient asset management, they don’t have the legal authority to collect evidence from a bad leaver’s devices, hindering their legal case.

Action: Understand how company data is used to create data security controls and policies

Security teams need to understand how data is moving inside (and outside) the organization to create and enforce relevant policies:

1. Update your Acceptable Use Policy with a Bring Your Own Device (BYOD) Policy

Address risky user behavior with policies around authorized device and data use. Set clear parameters around whether and how employees can use personal devices (including USB and other removable media devices, as well as personal cloud or email accounts) for work. Consider mobile device management (MDM) to verify user identity along with personal device security requirements. Invest in an effective communication and education strategy with employees regarding proper data access and use to improve adoption.

2. Invest in software for Acceptable Use, visibility, and Data Loss Prevention 

Drill down on data controls to track and protect your most sensitive IP. Cyberhaven acts as a flight recorder for your business that tracks every piece of data no matter where it goes. Ermetic works across your cloud infrastructure to provide full visibility, risk analysis, and automated remediation. Companies like SPHERE and Uptycs collect and review data access and use logs, giving you insights to remediate data controls and user behavior.

3. Accurate user logs: Configure security software to match your policies

The tools you use to visualize and protect company data need to reflect your security policies to work effectively. Configure your security software to align with Acceptable Use and BYOD policies. Accurate user logs allow you to identify and respond to authorized and unauthorized use cases.

4. Develop an incident response plan and team 

When data theft or misuse occurs, it’s critical to have a plan and team in place to minimize the impact. Companies like Surefire Cyber and Converge Insurance help you prepare for and respond to incidents.

5. Build a comprehensive security program 

Maximize the impact of your asset management efforts with a holistic approach. Companies like SolCyber provide a managed security program to simplify and customize your company’s cybersecurity.

6. Don’t forget to patch

Enforce regular patching to secure applications and operating systems. Updated systems close known security gaps in the software employees use, providing an important layer of protection.

Thanks for reading Forgepoint TIPS! Please subscribe and share with a peer. Have feedback or a cyber threat or trend you’d like us to address? Get in touch.


***This blog was originally featured on our Forgepoint TIPS LinkedIn newsletter. Read the original post on LinkedIn here.***