In this TechNode Global Q&A, Colin Estep, Principal Researcher at Netskope, discusses the impact of the Great Resignation on data security.

An anonymized study of over 58,000 employees who left organizations using Netskope found that 15 percent of them transferred data from corporate systems to personal cloud applications and 2 percent violated corporate policies in doing so. The shift to remote work and increased cloud application usage has complicated the task of managing data security. Estep warns that if the trend of the Great Resignation continues, there could be a notable increase in the exfiltration of sensitive data.

Estep stresses the importance of forward proxies, audit log ingestion from managed cloud applications, and data lakes in proactively monitoring data movement. With the help of these systems, the data can be analyzed to determine the nature of the data being accessed, the direction it’s being moved, and the volume of data being moved.

Additionally, he advocates the use of Data Loss Prevention (DLP) and User and Entity Behavior Analytics (UEBA) solutions to manage data security effectively. Furthermore, the interview reveals that disgruntled employees pose a unique risk, as they might be more inclined to inflict damage on the organization. Estep emphasizes the necessity of proactive data movement monitoring and potential interventions to mitigate this risk.

Balancing data security and privacy is a challenging task for organizations. Estep suggests that organizations focus on tracking the company’s property without infringing upon employees’ privacy, and that they understand local laws and regulations around privacy. To address the data security challenges of mass layoffs and the onboarding of new employees, he suggests a robust cybersecurity and data protection training program. Estep concludes that building a resilient security culture should involve making cybersecurity and data protection everyone’s responsibility, rather than relying solely on security and IT teams.

With the increasing number of employees leaving their jobs during the Great Resignation, how has this affected the safety and security of company data?

Colin Estep, Principal Researcher, Netskope

Employees taking company data when leaving their jobs is not new, but it is easier than ever to exfiltrate data without being noticed. Remote work and cloud application usage have made this a more complex issue for organizations to manage.

We recently conducted an anonymized study of over 58,000 employees working at organizations using Netskope that left their jobs. Analyzing their behaviors, we found that 15 percent of them moved data from corporate systems into personal cloud application instances, and 2 percent took data from the organization that violated corporate policies.

If large numbers of the workforce continue leaving their jobs, and 2 percent remains constant, there will naturally be a continued increase in people exfiltrating sensitive data.

What measures can organizations take to ensure that the data utilized by departing employees remain secure?

Departing employees are not the only ones posing a risk. Virtually any employee can exfiltrate data, whether inadvertently or on purpose. It would be a mistake for organizations to focus their attention on specific cohorts of employees, ignoring the broader risk of easy data exfiltration over ubiquitous cloud-based services. Our research showed most of the data exfiltration happened before employees typically give notice, so proactive, automated monitoring of data movement is necessary.

In order to proactively monitor data movement, an organization really needs to have the following infrastructure in place:

  • Forward Proxy for managed devices to access cloud and web applications.
  • Audit log ingestion from managed cloud applications.
  • A data lake, which consolidates all of the logs from the other solutions, and allows the security team to monitor activities that affect the company’s data.

Once the above infrastructure is in place, then the data can be analyzed to determine the nature of the data being accessed, the direction it’s being moved, and the volume of data being moved.

What best practices can companies adopt to manage data security effectively when employees leave? How can organizations ensure a smooth and secure transition during employee departures?

Implementing a modern Data Loss Prevention (DLP) product is key here so that the organization can be alerted when sensitive data is being mishandled. Good DLP solutions allow organizations to automate the labeling of files that contain sensitive information, such as intellectual property, financial data, and personally identifiable information.

In addition to DLP, a User and Entity Behavior Analytics (UEBA) solution is helpful to find users who are starting to diverge from their normal practices and may be exfiltrating large amounts of data.

To ensure a smooth transition, organizations need to find data exfiltration as early as possible. In many cases, it will start happening before the organization knows the employee intends to leave.

How do disgruntled employees pose a unique risk to data security during the Great Resignation? What steps can companies take to identify and mitigate potential threats from such individuals?

Disgruntled employees pose the biggest threat because they are likely more willing to damage the organization. These types of employees may destroy files or leak information to competitors or the public.

Our research found that data exfiltration started happening about 50 days before an employee departed the organization. This means that their behavior changed even before the organization knew that the person was going to resign, and demonstrates the need for proactive data movement monitoring.

The goal of such a monitoring system is to show that an employee is mishandling the organization’s data so that it can be addressed as soon as possible. For example, if a user goes from typically uploading no files containing sensitive data to their personal Google Drive to uploading hundreds of files in a day, then the organization can have multiple interventions in place to mitigate that behavior.

One such intervention may be blocking their access to the application until the security team is able to investigate. Once it has been determined that an employee can no longer be trusted, then completely removing access to the organization’s applications and systems may be necessary.

How can organizations monitor potential leavers for data security risks without violating their privacy? What balance should be struck between ensuring data security and respecting employee privacy?

It’s important that any organization first understand their local laws and regulations around privacy and let that guide their internal handling of data. There are many techniques for ensuring the privacy of their employees, such as redacting sensitive information, implementing encryption, and only storing data that is necessary for specific purposes.

Tracking the organization’s property should be the focus, so the system may not need to save information about everything an employee is doing.

Corporate data protection strategies should always be clearly communicated to employees, and efforts should be made to ensure that employees understand the methods used, and what privacy they should expect to be afforded when using corporate resources. (Please note: This is not legal advice. All companies should work with knowledgeable legal counsel to clearly understand privacy regulations and the necessary input to inform responsible technology procurement.)

What are the main challenges organizations face with data security during mass layoffs and the onboarding of new employees? How can companies address these challenges to maintain a secure environment?

A solid cybersecurity and data protection training program when onboarding new employees is a must. Ideally, user education happens with regular updates, reminders, and verification of their knowledge. The application of best practices over the course of their employment can be supplemented with just-in-time coaching, which helps ensure users know if they are violating a corporate policy.

The challenges that organizations face with data security during layoffs and regular employee turnover are very much the same. The main challenges are around how to track data movement at scale when employees are not all in the same building, and everyone is using cloud applications. In our research, we have been able to find data security breaches in real environments using the following methods, which we strongly recommend for every organization:

  • Application Instance labels: The data lake containing the events being tracked for internal employees should be enriched with application instance labels. This means that data showing someone interacting with files hosted by Google Drive is meaningless until you can see that they downloaded from the company.com Google Drive instance, and uploaded to a gmail.com Google Drive instance.
  • Data sensitivity labels: Whether through Data Loss Prevention (DLP) products, or some other labeling method, the company must maintain accurate labels to show which files contain sensitive data.
  • User and Entity Behavior Analytics (UEBA): A UEBA product should show spikes in data being moved and other strange behavior. This is most effective when it leverages the two components mentioned above, so the security team can see that someone has started uploading lots of sensitive data to their personal cloud applications.
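
The three methods listed above, applied to the Google Drive example given earlier in the interview, can be sketched as detection logic over data-lake events. This is an added example, not code from Netskope or from the interview; the event fields, thresholds, users, dates and log records are all constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Assumption: instances the organization manages (application instance label).
CORPORATE_INSTANCES = {"company.com"}

def sensitive_personal_uploads(events):
    """Per user and day, count uploads of sensitive-labelled files
    to an application instance the organization does not manage."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        if (e["activity"] == "upload" and e["sensitive"]
                and e["instance"] not in CORPORATE_INSTANCES):
            counts[e["user"]][e["day"]] += 1
    return counts

def flag_spikes(events, days, factor=10, floor=20):
    """Return (user, day, count) where the count reaches `floor` and exceeds
    `factor` times the user's median over earlier days (quiet days count as 0).
    `days` must be in chronological order; thresholds are illustrative."""
    alerts = []
    for user, per_day in sensitive_personal_uploads(events).items():
        history = []
        for day in days:
            n = per_day.get(day, 0)
            baseline = median(history) if history else 0
            if n >= floor and n > factor * baseline:
                alerts.append((user, day, n))
            history.append(n)
    return alerts

def _ev(user, day, activity, instance, sensitive, n=1):
    # Constructed sample record, repeated n times.
    return [dict(user=user, day=day, activity=activity,
                 instance=instance, sensitive=sensitive)] * n

DAYS = ["2023-05-01", "2023-05-02", "2023-05-03"]  # constructed dates
EVENTS = (
    _ev("alice", DAYS[0], "upload", "company.com", True, 40)    # corporate instance
    + _ev("alice", DAYS[1], "upload", "gmail.com", False, 30)   # not sensitive
    + _ev("bob", DAYS[0], "upload", "gmail.com", True, 1)       # normal behaviour
    + _ev("bob", DAYS[2], "download", "company.com", True, 150)
    + _ev("bob", DAYS[2], "upload", "gmail.com", True, 150)     # spike
)

if __name__ == "__main__":
    for user, day, n in flag_spikes(EVENTS, DAYS):
        print(f"ALERT {user} {day}: {n} sensitive uploads to a personal instance")
```

Without the instance label, alice's 40 uploads to the corporate Google Drive and bob's 150 uploads to a personal one would be indistinguishable; without the sensitivity label, alice's 30 non-sensitive personal uploads would raise a false alert.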

How can organizations create a security-conscious culture that minimizes the risks associated with employee departures, particularly during the Great Resignation? What role does employee training and awareness play in this process?

Data security teams should strike a balance between reliance on the latest technology, and old-fashioned training and communication. Ultimately organizations should be making cybersecurity and data protection everyone’s responsibility because relying solely on security and IT teams to police behaviors is both negatively received and limited in efficacy.

The executive team, department leaders, or managers have an equal responsibility in instilling that culture, helping with spreading knowledge and best practices.
