Closer collaboration between security teams and HR professionals is needed to prevent outgoing workers from leaking sensitive company information, experts have told ITPro.
The warning over staff “offboarding” comes in the wake of several incidents where disgruntled employees have sabotaged their former employer or taken sensitive materials to a new job.
In July, a former Intel engineer who admitted taking trade secrets to a new role at Microsoft received two years’ probation and a fine of over $34,000 by an Oregon court.
Varun Gupta, who had served at the chip maker for over a decade, left in January 2020 but not before copying confidential files containing presentation decks and sensitive business data.
Reports at the time of Gupta’s sentencing show this included PowerPoint presentations outlining the company’s pricing strategies.
Speaking to ITPro, Josh Kirkwood, senior manager for CyberArk’s field technology office, said the incident once again highlights why offboarding has become a perilous process for enterprises.
“It’s all too common for departing employees to walk away with sensitive company information, whether intentionally or simply because access to systems and files isn’t revoked quickly enough,” he said.
“The offboarding process has long been a weak spot for many organizations. It’s clear that a shift is needed. Offboarding should not just be an afterthought,” Kirkwood added.
Damian Garcia, head of GRC consultancy at IT Governance, echoed Kirkwood’s comments, adding that incidents like these have become a recurring theme in recent years – especially amidst continued hybrid working practices.
“Just because someone is out of the building doesn’t mean they’re out of your systems. It doesn’t work like that anymore,” he told ITPro.
“As more businesses move to remote or hybrid setups, people have more ways to stay connected to systems they shouldn’t be anywhere near.”
Garcia warned that layoffs, internal tension, or even individuals feeling undervalued in their roles can “create situations where someone decides to act out”.
“Most employees won’t go down that path, but the small number who do can cause serious damage,” he said.
Unwanted parting gifts
There have been several recent examples of disgruntled employees – whether current or former – have caused havoc for businesses.
In June 2024, a former employee at Singaporean IT firm NCS was sentenced to two years and eight months in jail after he deleted 180 virtual servers following his dismissal.
More recently, a software developer was convicted after installing a “kill switch” in the corporate network of his employer.
According to the US Department of Justice (DOJ), Davis Lu, formerly of power management firm Eaton Corp, conducted a long-running campaign of internal sabotage on the company’s networks, planting malicious code and targeting colleagues.
This incident severely disrupted Eaton Corp’s global IT systems, law enforcement said.
What can be done to prevent disaster?
Garcia told ITPro that enterprises need to act swiftly when employees are in the process of leaving, regardless of the manner of their departure.
“When someone leaves, especially on bad terms, there’s a short window where things can go very wrong,” he said. “That’s when you need to act fast: shut down access immediately, don’t leave it until after the weekend.”
This isn’t just a “box ticking exercise”, either, especially with technical staff such as system administrators or developers who have deep access to internal knowledge bases and critical files. Access rights should be revoked straight away, he added.
“If companies want to reduce the risk, communication between teams is non-negotiable,” Garcia added. “HR, IT, and security need to work together so that access is revoked immediately and consistently.”
Kirkwood added that this is where robust identity management processes are critical for businesses, enabling them to rapidly revoke rights and access.
“The most effective way for enterprises to prevent adverse activity following an employee’s departure is by automating identity lifecycle management,” he said.
“That means ensuring access is automatically provisioned and deprovisioned according to instructions from HR systems.”
Shane Barney, CISO at Keeper Security, noted that tools such as user and entity behaviour analytics (UEBA) can provide an “important additional layer of defence” by establishing baselines of “normal activity and flag anomalies that may signal malicious intent”.
“While UEBA can help organizations detect suspicious behaviour early, it’s most effective when used in tandem with identity-first controls such as zero trust, least-privilege access and privileged access management (PAM),” Barney told ITPro.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- British IT worker jailed for revenge attack on employer that caused a “ripple effect of disruption” for colleagues and customers
- AI means cyber teams are rethinking their approach to insider threats
- Former GCHQ intern risked national security after taking home top secret data
-
Windows 10 extended support costs could top $7 billionNews Enterprises sticking with Windows 10 after the October deadline face huge costs
-
Rampant skills gaps should be a ‘wake-up call for every leader’ as AI, tech talent shortages hamper growthNews AI and broader tech skills are two of the three biggest headaches for tech leaders
-
Jaguar Land Rover “did the right thing” shutting down systems to thwart cyber attackNews The attack on Jaguar Land Rover highlights the growing attractiveness of the automotive sector
-
The Salesloft Drift victim list keeps growing: Zscaler is the latest to confirm a breach, warning customers to remain wary of follow-up phishing attacksNews The company has warned customers that their data may have been accessed, saying it's implemented extra safeguards in response
-
Anthropic admits hackers have 'weaponized' its tools – and cyber experts warn it's a terrifying glimpse into 'how quickly AI is changing the threat landscape'News Security experts say Anthropic's recent admission that hackers have "weaponized" its AI tools gives us a terrifying glimpse into the future of cyber crime.
-
Google hits back at 'entirely false' reports of major Gmail security breachNews Reports of a massive Gmail hack affecting billions of users have been denied by Google
-
Ransomware attack on IT supplier disrupts hundreds of Swedish municipalitiesNews The attack on IT systems supplier Miljödata has impacted public sector services across the country
-
Warning issued to Salesforce customers after hackers stole Salesloft Drift dataNews Customers were targeted through compromised OAuth access tokens from Salesloft Drift integrations
-
A notorious hacker group is ramping up cloud-based ransomware attacksNews The Storm-0501 threat group is refining its tactics, according to Microsoft, shifting away from traditional endpoint-based attacks and toward cloud-based ransomware.
-
Hackers are abusing ConnectWise ScreenConnect, againNews A new spear phishing campaign has targeted more than 900 organizations with fake invitations from platforms like Zoom and Microsoft Teams.
