Closer collaboration between security teams and HR professionals is needed to prevent outgoing workers from leaking sensitive company information, experts have told ITPro.
The warning over staff “offboarding” comes in the wake of several incidents where disgruntled employees have sabotaged their former employer or taken sensitive materials to a new job.
In July, a former Intel engineer who admitted taking trade secrets to a new role at Microsoft received two years’ probation and a fine of over $34,000 by an Oregon court.
Varun Gupta, who had served at the chip maker for over a decade, left in January 2020 but not before copying confidential files containing presentation decks and sensitive business data.
Reports at the time of Gupta’s sentencing show this included PowerPoint presentations outlining the company’s pricing strategies.
Speaking to ITPro, Josh Kirkwood, senior manager for CyberArk’s field technology office, said the incident once again highlights why offboarding has become a perilous process for enterprises.
“It’s all too common for departing employees to walk away with sensitive company information, whether intentionally or simply because access to systems and files isn’t revoked quickly enough,” he said.
“The offboarding process has long been a weak spot for many organizations. It’s clear that a shift is needed. Offboarding should not just be an afterthought,” Kirkwood added.
Damian Garcia, head of GRC consultancy at IT Governance, echoed Kirkwood’s comments, adding that incidents like these have become a recurring theme in recent years – especially amidst continued hybrid working practices.
“Just because someone is out of the building doesn’t mean they’re out of your systems. It doesn’t work like that anymore,” he told ITPro.
“As more businesses move to remote or hybrid setups, people have more ways to stay connected to systems they shouldn’t be anywhere near.”
Garcia warned that layoffs, internal tension, or even individuals feeling undervalued in their roles can “create situations where someone decides to act out”.
“Most employees won’t go down that path, but the small number who do can cause serious damage,” he said.
Unwanted parting gifts
There have been several recent examples of disgruntled employees – whether current or former – have caused havoc for businesses.
In June 2024, a former employee at Singaporean IT firm NCS was sentenced to two years and eight months in jail after he deleted 180 virtual servers following his dismissal.
More recently, a software developer was convicted after installing a “kill switch” in the corporate network of his employer.
According to the US Department of Justice (DOJ), Davis Lu, formerly of power management firm Eaton Corp, conducted a long-running campaign of internal sabotage on the company’s networks, planting malicious code and targeting colleagues.
This incident severely disrupted Eaton Corp’s global IT systems, law enforcement said.
What can be done to prevent disaster?
Garcia told ITPro that enterprises need to act swiftly when employees are in the process of leaving, regardless of the manner of their departure.
“When someone leaves, especially on bad terms, there’s a short window where things can go very wrong,” he said. “That’s when you need to act fast: shut down access immediately, don’t leave it until after the weekend.”
This isn’t just a “box ticking exercise”, either, especially with technical staff such as system administrators or developers who have deep access to internal knowledge bases and critical files. Access rights should be revoked straight away, he added.
“If companies want to reduce the risk, communication between teams is non-negotiable,” Garcia added. “HR, IT, and security need to work together so that access is revoked immediately and consistently.”
Kirkwood added that this is where robust identity management processes are critical for businesses, enabling them to rapidly revoke rights and access.
“The most effective way for enterprises to prevent adverse activity following an employee’s departure is by automating identity lifecycle management,” he said.
“That means ensuring access is automatically provisioned and deprovisioned according to instructions from HR systems.”
Shane Barney, CISO at Keeper Security, noted that tools such as user and entity behaviour analytics (UEBA) can provide an “important additional layer of defence” by establishing baselines of “normal activity and flag anomalies that may signal malicious intent”.
“While UEBA can help organizations detect suspicious behaviour early, it’s most effective when used in tandem with identity-first controls such as zero trust, least-privilege access and privileged access management (PAM),” Barney told ITPro.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- British IT worker jailed for revenge attack on employer that caused a “ripple effect of disruption” for colleagues and customers
- AI means cyber teams are rethinking their approach to insider threats
- Former GCHQ intern risked national security after taking home top secret data
-
Thousands of exposed civil servant passwords are up for grabs onlineNews While the password security failures are concerning, they pale in comparison to other nations
-
Global PC shipments surge in Q3 2025, fueled by AI and Windows 10 refresh cyclesNews The scramble ahead of the Windows 10 end of life date prompted a spike in sales
-
Thousands of exposed civil servant passwords are up for grabs online
News While the password security failures are concerning, they pale in comparison to other nations
-
77% of security leaders say they'd fire staff who fall for phishing scams, even though they've done the same thingNews A new report uncovers worrying complacency amongst IT and security leaders
-
Hackers stole source code, bug details in disastrous F5 security incident – here’s everything we know and how to protect yourselfNews CISA has warned the F5 security incident presents a serious threat to federal networks
-
Hackers are using a new phishing kit to steal Microsoft 365 credentials and MFA tokens – Whisper 2FA is evolving rapidly and has been used in nearly one million attacks since JulyNews Whisper 2FA is now the third most common Phishing as a Service tool worldwide
-
Government urges large enterprises to shore up defenses as NCSC warns UK faces four 'nationally significant' cyber attacks every weekNews UK enterprises of all sizes face escalating cybersecurity threats, ministers have warned
-
Third time lucky? The FBI just took down BreachForums, again
News The hacking forum is down for now, but the group behind it, Scattered Lapsus$ Hunters, isn't going to stop extorting victims of the Salesforce breach
-
A malicious MCP server is silently stealing user emailsNews Koi Security says it's discovered the first malicious MCP server in the wild, exposing a risk to the entire ecosystem
-
NCA confirms arrest after airport cyber disruptionNews Disruption is easing across Europe following the ransomware incident
