Security experts call for better 'offboarding' practices amid spate of insider attacks by outgoing staff
Enterprises should act swiftly to revoke rights and access, regardless of the manner of an employee’s departure
Closer collaboration between security teams and HR professionals is needed to prevent outgoing workers from leaking sensitive company information, experts have told ITPro.
The warning over staff “offboarding” comes in the wake of several incidents where disgruntled employees have sabotaged their former employer or taken sensitive materials to a new job.
In July, a former Intel engineer who admitted taking trade secrets to a new role at Microsoft was sentenced by an Oregon court to two years’ probation and a fine of over $34,000.
Varun Gupta, who had served at the chip maker for over a decade, left in January 2020 but not before copying confidential files containing presentation decks and sensitive business data.
Reports at the time of Gupta’s sentencing show this included PowerPoint presentations outlining the company’s pricing strategies.
Speaking to ITPro, Josh Kirkwood, senior manager for CyberArk’s field technology office, said the incident once again highlights why offboarding has become a perilous process for enterprises.
“It’s all too common for departing employees to walk away with sensitive company information, whether intentionally or simply because access to systems and files isn’t revoked quickly enough,” he said.
“The offboarding process has long been a weak spot for many organizations. It’s clear that a shift is needed. Offboarding should not just be an afterthought,” Kirkwood added.
Damian Garcia, head of GRC consultancy at IT Governance, echoed Kirkwood’s comments, adding that incidents like these have become a recurring theme in recent years – especially amidst continued hybrid working practices.
“Just because someone is out of the building doesn’t mean they’re out of your systems. It doesn’t work like that anymore,” he told ITPro.
“As more businesses move to remote or hybrid setups, people have more ways to stay connected to systems they shouldn’t be anywhere near.”
Garcia warned that layoffs, internal tension, or even individuals feeling undervalued in their roles can “create situations where someone decides to act out”.
“Most employees won’t go down that path, but the small number who do can cause serious damage,” he said.
Unwanted parting gifts
There have been several recent examples of disgruntled employees – whether current or former – causing havoc for businesses.
In June 2024, a former employee at Singaporean IT firm NCS was sentenced to two years and eight months in jail after he deleted 180 virtual servers following his dismissal.
More recently, a software developer was convicted after installing a “kill switch” in the corporate network of his employer.
According to the US Department of Justice (DOJ), Davis Lu, formerly of power management firm Eaton Corp, conducted a long-running campaign of internal sabotage on the company’s networks, planting malicious code and targeting colleagues.
This incident severely disrupted Eaton Corp’s global IT systems, law enforcement said.
What can be done to prevent disaster?
Garcia told ITPro that enterprises need to act swiftly when employees are in the process of leaving, regardless of the manner of their departure.
“When someone leaves, especially on bad terms, there’s a short window where things can go very wrong,” he said. “That’s when you need to act fast: shut down access immediately, don’t leave it until after the weekend.”
This isn’t just a “box ticking exercise”, either, especially with technical staff such as system administrators or developers who have deep access to internal knowledge bases and critical files. Access rights should be revoked straight away, he added.
“If companies want to reduce the risk, communication between teams is non-negotiable,” Garcia added. “HR, IT, and security need to work together so that access is revoked immediately and consistently.”
Kirkwood added that this is where robust identity management processes are critical for businesses, enabling them to rapidly revoke rights and access.
“The most effective way for enterprises to prevent adverse activity following an employee’s departure is by automating identity lifecycle management,” he said.
“That means ensuring access is automatically provisioned and deprovisioned according to instructions from HR systems.”
Shane Barney, CISO at Keeper Security, noted that tools such as user and entity behaviour analytics (UEBA) can provide an “important additional layer of defence” by establishing baselines of “normal activity and flag anomalies that may signal malicious intent”.
“While UEBA can help organizations detect suspicious behaviour early, it’s most effective when used in tandem with identity-first controls such as zero trust, least-privilege access and privileged access management (PAM),” Barney told ITPro.

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.
