Insider threats: how the 'Great Resignation’ is impacting data security

The so-called Great Resignation, a term coined and predicted by psychologist Anthony Klotz during the pandemic, has had a profound impact on organizations around the world.

What started as a US phenomenon has gone global, with 2021 seeing the largest exodus of employees on record. Nearly 4.5 million people in the US voluntarily resigned in November 2021 alone, setting an all-time monthly record.

Some in the media are referring to this as a “turnover tsunami” because of the uphill struggle some organizations now face in terms of attracting and retaining talent. But that’s not the only hill they have to climb.

As well as dealing with the largest skills gap in a generation, business leaders are also dealing with the inevitable data security risk that comes with record-breaking employee turnover – and that’s proving very problematic.

Data loss is always a risk when an employee leaves an organization. According to a recent report, almost two-thirds (63%) of all employees admitted to taking data from their previous workplace to use in their current job, but there are countless others who appropriate data on their way out of the door without even realizing it.

Whether malicious or accidental, the consequences can be equally devastating. As it turns out, the Great Resignation could actually be one of the biggest insider threats facing organizations in a generation.

When it comes to employee turnover, security should always be a part of the conversation. Regrettably, that hasn’t always been the case, particularly over the course of the past two years.

Faced with a mass exodus of talent, it’s perfectly understandable that organizations should be focused on talent acquisition and retention. But by neglecting good data hygiene with the coming and going of employees, they’re leaving themselves wide open to attack.

This risk has only been heightened for the countless organizations that switched to a hybrid working model. So sudden was the move to incorporate remote working during the pandemic, that bring-your-own-device (BYOD) adoption surged, broadening the attack surface area for criminals and, crucially, creating more data siloes that are potentially outside of an organization’s control.

In the first year of the pandemic, 67% of employees said they were using personal devices to get some of their work done. What’s more, a staggering 87% of organizations said they were relying on their employees’ ability to access mobile business applications and other important information from their personal smartphones.

While the benefits of BYOD, particularly during the rapid transition to remote working, were significant, the potential drawbacks in terms of data hygiene and security were often overlooked.

It’s a significant security blind spot, with 71% of organizations admitting that they don’t know how much sensitive data departing employees typically take with them when they move onto pastures new.

This data can be used maliciously to gain leverage over a previous employer or give a new employer a competitive advantage. But even if the ex-employee isn’t aware they’re exfiltrating data, and it simply lies dormant on their device, it’s still an extreme security risk.

These data loss issues are difficult enough to deal with during periods of average employee turnover, but the Great Resignation combined with BYOD and a trend toward hybrid working has only amplified the challenge.

There are really two types of data exfiltration – malicious, and non-malicious. Malicious exfiltration of data is more common than many organizations realize, and usually involves a departing employee purposefully taking sensitive data to either cause harm to the organization they’re leaving or give themselves an advantage in their next venture.

Depending on their role and level of access, it isn’t difficult at all for employees to smuggle data out of an organization, particularly if the “offboarding” process isn’t very thorough.

Common mistakes include keeping ex-employee email accounts active, failing to revoke their access to company servers, or allowing them to use unmonitored personal devices in their day-to-day work.

However it can also be non-malicious or accidental, but that doesn’t make it any less dangerous. During the Nefilim ransomware attack in 2021, it was revealed that one of the primary methods the attackers used to breach corporate networks was to take advantage of so-called “ghost accounts” – login credentials belonging to ex-employees that were still active.

In one instance, a threat actor had commandeered an account with admin privileges that had belonged to a deceased employee, allowing them unfettered access to the corporate network. These dormant accounts are frighteningly common, and are one of the main threat vectors for external attackers.

It’s not uncommon for employees to remain logged into their user accounts on certain devices once they’ve left an organization. In some instances, they may even have a corporate device such as a tablet or smartphone that they simply forget to return or, worse, are not asked to return. This is another instance in which a thorough offboarding process would help to mitigate risk.

As we continue to navigate the relatively uncharted waters of large-scale hybrid working, it’s never been more important for organizations to exercise good security hygiene. There should be robust policies in place that specify rules around data handling, outlining what employees can and cannot do.

While this won’t stop a malicious insider in his or her tracks, having clear rules in place will make accidental loss less likely when an employee does eventually move on.

The principle of least privilege or “zero trust” should also be applied at all times, particularly where employees are working remotely. This makes all data held by the organization available on a need-to-know basis only, limiting the number of accounts that have access to sensitive data and decreasing the chances of an insider threat emerging.

As well as putting company-wide safeguards in place for all employees, it’s also important that organizations handle the offboarding process meticulously. This is where a lot of organizations tend to fall down, particularly when they’re more focused on the new talent that’s coming in rather than the talent they’re letting go. It’s one of the rare instances in cybersecurity where looking back is just as important, if not more so, than looking forward.

No user accounts should remain active once an employee has left an organization, and logs should be checked thoroughly before an employee leaves to ensure no data has been transferred to an external source. The offboarding process should carry on even after the employee has left the building, with accounts monitored regularly to ensure that all access has indeed been revoked.

Organizations cannot guarantee 100% mitigation of insider threats, but they can strive for 99% and hit that target with the right focus and resources.

Check Point’s cybersecurity solutions, for example, help organizations create a safe and streamlined offboarding experience, reducing the risk of data loss or exfiltration. From the automatic monitoring of endpoint devices and intuitive zero-trust segmentation, to multi-layered cloud security that can detect device anomalies and automatically provision and scale security policies.

True to their name, insider threats are always lurking in the background during times of crisis. It just so happens that the Great Resignation is a crisis that lends itself perfectly to malicious motives and careless actions around the handling – or mishandling – of data.

If organizations devote as much attention to offboarding employees as they do onboarding them, they stand a greater chance of keeping their networks secure in 2022 and beyond.