Incydr - Building an IRM Program - Departing Employees

This article contains information on managing the risks associated with departing employees, including best practices for preventing data loss, detecting insider threats, and ensuring a smooth offboarding process through collaboration between HR, IT, Security, and Legal teams.

Overview

Departing employees are one of the biggest sources of data loss in an organization, and most exfiltrate data long before giving two weeks' notice. This course covers industry best practices for preventing, detecting, and responding to the insider risk posed by departing employees.

Prerequisites

  • You are an Incydr Administrator or Security Practitioner with a beginner to intermediate experience level.
  • You are familiar with Incydr.

Why are Departing Employees a Risk?

Introduction

People don't stay in the same job forever. In fact, the median tenure of employees 18 and over in the United States has decreased in the last ten years, implying wage and salary earners are changing jobs at a faster pace.
With all this change, how are organizations supposed to protect their data from going out the door along with the departing employees?

Key Concepts of Departure

When employees depart an organization, they can do so in two ways: voluntarily, and involuntarily.

Voluntarily

In the United States, over four million people quit their job every month. That's a lot of job changes!
They change roles within an organization, they go on to new opportunities, they retire, they change careers, they go back to school, etc.

Involuntarily
Sometimes the change happens by choice of the employee, but other times it happens by the choice of the organization (layoffs, terminations) or even outside the organization (end of vendor contracts).

Is It Really Stealing?

Regardless of the motivation, Incydr's Annual Data Exposure Report confirmed there is a 1 in 3 chance a company will lose intellectual property (IP) when an employee quits, and two-thirds (63%) of employees who admit to taking data with them from one employer to the next are repeat offenders. The consequences of this behavior are more damaging to a business when workers take data from a former employer and go to work for a competitor. Three in five (59%) employees move to a company in the same industry.
But most people aren't trying to steal your data. They’re doing things like:

  • Pulling together their best work to help them land a new job.
  • Taking the work they’re most proud of with them.
  • Taking things like templates to use in their new gig.
  • Taking “their” client info.
  • Deleting files to “help” clean up their devices for the next user.
  • Transferring files to a current colleague to ensure the project keeps moving forward after they leave.

A vast majority of employees have the very best intentions, but regardless of intention – good, bad, indifferent – these actions put company data at risk.
Organizations would do well to consider the departing employee lifecycle as an area of risk exposure.

We Did the Math

Real-World Example

Over half of the C-Suite, Information Security leaders, and business decision makers admit to taking data with them from one employer to the next, and while most occurrences are non-malicious in nature, the ones that are malicious sometimes end up in the courts and/or in the headlines.

Piping Rock Health Products, LLC. v. Gerardo Cortes and the Doe Company

In the days before he resigned from the Company in April 2022, Cortes uploaded and transferred to himself hundreds of documents containing confidential and proprietary information belonging to Piping Rock (the “Customer List and Confidential Files”).
These Customer List and Confidential Files included, inter alia [among other things], millions of customer contact information and marketing materials, which Piping Rock has spent over a decade and tens of millions of dollars compiling and maintaining.
...
Upon information and belief, Cortes has provided or intends to provide the Customer List and Confidential Files to the Doe Company for Defendants’ mutual benefit.

- Piping Rock Health Products, LLC. v. Cortes et al.

People

All risks and any associated risk mitigations start with the people involved in deciding what constitutes a risk to the business, what risk(s) should be prioritized, and how to prevent, detect, respond to, and recover from those risks.

Who's involved, and what responsibilities does each team have?

Every organization is different, but typically, at least the following departments/roles are involved during the process:

1. Employee's Manager.

Responsible for making the decision and ensuring a smooth transition.

2. Human Resources (HR) / People Team. 

Responsible for managing the transition and conducting the exit interview.

3. Information Technology (IT). 

Responsible for identity and access management (IAM) and asset management.

4. Security. 

Responsible for maintaining the privacy and security of individuals while investigating any events.

5. Legal. 

Responsible for ensuring any employment separation legal requirements are met.

Looking for more in-depth information on a specific team or topic mentioned in this course? Check the Additional Resources section at the end of this course for additional modules.

Process

Define the Process

  • What happens when, and by whom when an employee is set to depart?
  • What documents and policies must be in place to protect company data before, during, and after employee departure?
  • If a risk event is detected, what is the investigation process?

Consistency is Key

Playbooks, run books, manuals, and how-to guides are all designed to help the people handling a situation perform the steps needed to respond to it. When it comes to departing employees, it's important for each team involved to know their specific duties and how they fit within the organization's larger offboarding process. Not only does this make the stand down procedure easier, it also ensures a fair and consistent workplace for all involved.

Voluntary Employee Departure Workflow with Incydr & Instructor

When an employee leaves an organization, it requires alignment across multiple departments and tools. The process here outlines some example milestones during the departure process from employee notice to final day and beyond.

1. Employee Provides Notice.

In the United States, when employees intend to leave an organization it is customary to provide two weeks' notice to the employer via their direct manager. This notification sets the remaining steps of this process in motion.

2. Notification to HR and Processing in HRIS.

After the manager has been notified of the departure intent, it is critical for the manager to immediately inform Human Resources (HR) to begin the departure procedure across systems. The HR rep should then document this in the Human Resources Information System (HRIS) to schedule the stand down at the end of the two weeks.

3. Pre-Exit Communication.

Instructor Departing

Companies can set up their departing employees for success by providing them the best opportunities and information to depart without incident. Pre-exit communication might include an email, training videos, or a brief, in-person conversation that includes the procedures for the employee's remaining time and appropriate actions when it comes to data management.
Instructor has a number of persona-based videos for departing employees to watch on appropriate actions.

4. Monitor for Compliance with Policies. 

Departing watchlist

During the employee's final days, it is a best practice for the security team to add the employee to the Departing watchlist and review the employee's previous 90 days of activity.
If any events of risk require an investigation, Incydr's Cases functionality allows security teams to conduct an investigation and maintain employee privacy along the way.
Investigations for departing employees should be performed as soon as possible, due to the employee's limited time remaining at the organization.

5. Final Hours. 

In the employee's final hours, HR should conduct an exit interview to discuss the final departure checklist, discuss final payment and benefits information, and answer remaining questions.
(Interested HR reps can check out the extension for HR during employee departure.)
During this time, the identity lifecycle management (ILM) process should be performed to remove the departing employee's access to locations, systems, and resources. If the employee still holds any resources or assets that belong to the organization, they should also be returned during this time.

6. Departure. 

At the appointed time, the employee should gather their remaining items and be escorted from the premises.

Summary

The departing employee process should not be a mystery to the company or to the departing employee. Through thorough communication and vigilance, the employee can depart the organization on good terms, and the organization can protect its data along the way.

Responsibilities

1. Employee's Manager.

When a direct hire is departing, don't panic! Though their tenure at the organization is coming to a close, a manager's job is not yet complete.
Manager duties during the departure process include:

  1. Set or understand the employee's planned departure date.
  2. Document and transition any of the employee's responsibilities and projects.
  3. Take time to talk with the employee to understand why they have chosen to leave (if voluntary) and then show support for their choice.
  4. Walk them through the departure process (if known), or do a warm hand-off to HR.

Take time to connect with the departing employee. A manager may learn something about the organization they didn't know. And while it may be too late for this employee, a manager can use that knowledge to make future improvements.

2. Human Resources (HR) / People Team. 

As owners of the employee lifecycle and experience, Human Resources is heavily involved in the departing employee process. HR's handling of the departing employee process can reduce risks the organization faces. Documented procedures lower the chance of unintentional data loss due to mishandling or missteps, and they can also lower the occurrence of IT sabotage, by allowing an employee to depart with dignity and respect.
Some of the tasks HR will be in charge of performing include:

  1. Arrange and perform an exit interview.
  2. Review employment and company policies with the departing employee.
  3. Confirm procedure on departing employee's final day with the employee and the employee's manager.
  4. Provide any separation resources, including information on their final paycheck, benefit expiration, and severance package (if applicable).

3. Information Technology (IT). 

IT's involvement with the departing employee process will be to follow the documented stand down procedure for identity lifecycle management (ILM): to what hardware, software, applications, and other digital credentials did the employee have access, and how can each of those assets and access grants be routinely returned and/or revoked?
Determining when, how, and the level of sophistication for asset return and access revocation will vary by resource. Some resources may need to be returned/revoked immediately after the employee gives notice, other resources may be available until the last moment of employment. Each approved resource should have a procedure in place for return/revocation when an employee departs, including an explicitly identified individual/role assigned to perform the appropriate task(s).
Ideally, the stand down process should be tracked in an IT ticketing system including manager notification and approval. Regular audits should be performed to confirm that assets were properly returned and all access has been revoked as expected. Any lingering access can allow someone to take data even after they've officially departed.
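The audit described above can be expressed as a check against an access inventory. The following is an added example, not Code42/Incydr code or any product's API: it assumes a constructed HRIS export of departures, a constructed per-resource policy saying whether a resource is revoked at notice or at the last day, and a constructed snapshot of active grants such as an IdP or ticketing-system export. It reports every grant that is still active past its revocation date.

```python
"""Stand-down audit: flag access that should already have been revoked.

Added example, not Code42/Incydr code. It assumes three constructed inputs:
an HRIS export of departures, a per-resource revocation policy (when each
resource is revoked relative to notice and last day), and an access
inventory snapshot such as an IdP or ticketing-system export.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Departure:
    user: str
    notice_date: date   # day the employee gave (or was given) notice
    last_day: date      # final day of employment


# Constructed policy: "notice" = revoke as soon as notice is given,
# "last_day" = revoke at the end of the final day.
REVOKE_AT = {
    "source-control": "notice",
    "customer-crm": "notice",
    "email": "last_day",
    "vpn": "last_day",
    "laptop": "last_day",   # physical asset: "active" means not yet returned
}


def revocation_due(dep: Departure, resource: str) -> date:
    """Date by which `resource` must be revoked/returned for this departure.
    Resources missing from the policy default to the last day, the latest
    point at which any grant may legitimately survive."""
    policy = REVOKE_AT.get(resource, "last_day")
    return dep.notice_date if policy == "notice" else dep.last_day


def find_lingering_access(departures, access_records, as_of: date):
    """Return sorted (user, resource, days_overdue) for every grant that is
    still 'active' although its revocation date is before `as_of`.
    access_records: iterable of (user, resource, status)."""
    by_user = {d.user: d for d in departures}
    findings = []
    for user, resource, status in access_records:
        dep = by_user.get(user)
        if dep is None or status != "active":   # not departing, or already handled
            continue
        due = revocation_due(dep, resource)
        if due < as_of:
            findings.append((user, resource, (as_of - due).days))
    return sorted(findings)


# --- constructed sample input --------------------------------------------
DEPARTURES = [
    Departure("alice", date(2024, 3, 1), date(2024, 3, 15)),
    Departure("bob", date(2024, 3, 10), date(2024, 3, 24)),
]
ACCESS = [  # snapshot of the access inventory taken on AS_OF
    ("alice", "source-control", "active"),    # should have gone on 1 March
    ("alice", "email", "revoked"),
    ("alice", "vpn", "active"),               # should have gone on 15 March
    ("bob", "source-control", "active"),      # should have gone on 10 March
    ("bob", "email", "active"),               # still allowed until 24 March
    ("carol", "source-control", "active"),    # not departing: ignored
]
AS_OF = date(2024, 3, 18)

if __name__ == "__main__":
    for user, resource, overdue in find_lingering_access(DEPARTURES, ACCESS, AS_OF):
        print(f"{user}: {resource} still active, {overdue} day(s) past revocation date")
```

Run as a scheduled job, each finding becomes a ticket assigned to the owner of that resource's revocation step; a grant for a resource that is absent from the policy is deliberately treated as due on the last day rather than silently skipped, so unknown resources still surface once the employee has left.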

4. Security.

Security may not be directly involved in the departing employee process; in fact, they may not even be aware an employee is departing when an alert comes in. However, they will be in charge of detecting any risk events and performing any follow-up investigation. The investigation workflow should be documented, including thresholds and notification requirements. During an investigation, if security is made aware of an employee's intent to depart, this can help confirm the appropriate process and urgency. An investigation should be properly tracked in a case management system.
A documented investigation procedure should include high and critical risk situations in which the employee's manager and potentially HR and Legal are brought in to determine the appropriate action(s) before the employee departs.

Departing Executive Exfiltration

In the example above, a departing executive uploaded company data to a personal cloud account. Follow the highlighted path to see an example workflow for this scenario.

As with any insider risk investigation, maintaining the privacy of and respect for the affected individual(s) is of the utmost importance. Some organizations require analysts who investigate insider risk events to sign a non-disclosure agreement (NDA) to maintain confidentiality.

5. Legal. 

When employees leave–whether by their choice or not–there are legalities that must be followed. Communicating with Legal the when, how, and why an employee is departing will help uncover potential legal issues.

Along with HR, Legal should be involved in the creation and enforcement of the organization's acceptable use policy, non-disclosure agreement(s), and any other employment agreements to which the employee agreed as part of their hiring process or throughout their tenure at the organization.

What Policies Should be in Place?

Every organization is different, so the required policies will also be different for every organization. Organizations may also have a different name for a policy or have a policy within a larger document (e.g. maybe the acceptable use policy is inside of the larger corporate security policy). With that in mind, here are a few of the key principles that should be documented throughout the employee's tenure and available for reference at their departure:

  • Who owns information created by the company, or while on company time.
  • What tools and resources can be used.
  • What can(not) be kept on company-owned resources.
  • Personal use of company-owned resources and/or Bring Your Own Device (BYOD).
  • Data classification and how to handle data at each classification.

Still not sure? Take a look at our Acceptable Use Policy template to get started.

Looking for more in-depth information on a specific team or topic mentioned in this course? Check the Additional Resources section at the end of this course for additional modules.

Technology

Incydr is designed to help detect risk events: suspicious file movement, unapproved sharing, and exfiltration activities. When employees depart, they may wish to transfer data from their company-owned resources to a personal one for future use. With strong policies in place, employees should already be aware of what they can and cannot do with company data. Incydr is here to verify data policies are being followed, and if a risk event happens, detect it and help respond appropriately.

Detection

Incydr's Departing Watchlist is specifically designed to help security teams monitor for risk events performed by departing employees. By integrating Incydr with your Human Resources Information System (HRIS), departing employees can automatically be added to the Departing Watchlist for increased visibility at speed.

Incydr's Alerts allow security teams to configure alert rules that are triggered when certain actions and/or thresholds are met with data. Users added to the Departing Watchlist automatically get added to two default alerts, too.
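The detection pattern described in this section, an HRIS-driven watchlist, a 90-day lookback, and a threshold alert, can be modelled end to end. The following is an added example and is not Incydr's rule engine, alert definitions, or API; every user, destination, and number in it is constructed. An HRIS export decides who is watchlisted, the lookback keeps only that user's events from the 90 days before their last day, and a sliding-window rule fires when files moved to untrusted destinations reach a threshold within 24 hours.

```python
"""Departing-employee lookback and burst alert over constructed file events.

Added example, not Incydr's rule engine or API. It models the pattern the
text describes: an HRIS export drives who is on the watchlist, the previous
90 days of activity for each such user are reviewed, and an alert fires when
file movement to untrusted destinations crosses a threshold in 24 hours.
All names, vectors and numbers below are constructed.
"""
from collections import namedtuple
from datetime import datetime, timedelta

FileEvent = namedtuple("FileEvent", "ts user vector destination trusted files")


def departing_watchlist(hris_rows):
    """Users with a departure date recorded in the HRIS export -> {user: last_day}."""
    return {r["user"]: r["last_day"] for r in hris_rows if r.get("last_day")}


def lookback(events, user, last_day, days=90):
    """Events for `user` in the `days` before (and including) their last day."""
    start = last_day - timedelta(days=days)
    return [e for e in events if e.user == user and start <= e.ts <= last_day]


def untrusted_burst(events, threshold_files, window=timedelta(hours=24)):
    """Sliding-window check: do files moved to untrusted destinations reach
    `threshold_files` within any `window`? Returns (start, end, files) or None."""
    evs = sorted((e for e in events if not e.trusted), key=lambda e: e.ts)
    total, lo = 0, 0
    for hi, e in enumerate(evs):
        total += e.files
        while e.ts - evs[lo].ts > window:   # drop events that fell out of the window
            total -= evs[lo].files
            lo += 1
        if total >= threshold_files:
            return (evs[lo].ts, e.ts, total)
    return None


def evaluate_departures(hris_rows, events, threshold_files=150):
    """Run the lookback and the burst rule for every watchlisted user."""
    return {user: untrusted_burst(lookback(events, user, last_day), threshold_files)
            for user, last_day in departing_watchlist(hris_rows).items()}


# --- constructed sample input --------------------------------------------
HRIS = [
    {"user": "alice", "last_day": datetime(2024, 3, 15)},
    {"user": "bob", "last_day": datetime(2024, 3, 24)},
    {"user": "carol", "last_day": None},          # not departing: never watchlisted
]
EVENTS = [
    FileEvent(datetime(2023, 12, 1, 9), "alice", "cloud", "dropbox.com", False, 300),   # outside 90 days
    FileEvent(datetime(2024, 2, 20, 10), "alice", "cloud", "dropbox.com", False, 120),
    FileEvent(datetime(2024, 2, 21, 9), "alice", "cloud", "dropbox.com", False, 80),    # 23h later
    FileEvent(datetime(2024, 2, 25, 14), "alice", "cloud", "sharepoint", True, 500),    # sanctioned: ignored
    FileEvent(datetime(2024, 3, 1, 11), "bob", "usb", "removable", False, 10),
    FileEvent(datetime(2024, 3, 2, 11), "carol", "cloud", "dropbox.com", False, 999),   # not watchlisted
]

if __name__ == "__main__":
    for user, hit in evaluate_departures(HRIS, EVENTS).items():
        print(user, "ALERT" if hit else "no alert", hit or "")
```

The trusted flag is what keeps sanctioned destinations (the corporate SharePoint here) from counting toward the threshold; in practice that list comes from the organization's approved-tools policy, which is why the policy work in the Process section has to precede the tuning of any alert rule.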

Response

  • Incydr's Cases help security teams manage and respond to investigations with tools that collect, organize, and retain user file activity.
  • By taking an Empathetic Investigations approach, security is in a much better place to understand why employees are making mistakes and breaking policy. With this understanding, security teams can offer employees the assistance and guidance they truly need to make better decisions with company data.
  • Incydr's Preventative Controls allow organizations to choose the appropriate response method depending on the action, up to and including blocking the action.

Incydr Instructor is specifically designed for adult learning to guide employees and help companies prevent and respond to risk events. Instructor's proactive and situational videos are designed to be given before an event occurs (such as annual training or when a role change occurs), while responsive videos can be triggered to send after certain risk criteria have been met.
(To view any videos mentioned below, navigate to the Instructor page in your console or reach out to your CSM for more information).

Proactive

Proactive lessons promote safe security and data handling. These lessons presume positive intent and teach new employees security best practices.

  • Insider Risk & You:
    • Remind users about the risks we all pose to data in our day-to-day work, and how to avoid them.
    • Sent annually.
  • Risk of Not Separating Personal / Business:
    • What are the dangers of using a company-owned device for personal use?
    • Sent annually.
  • Templates (requires login) to keep company data ownership in mind throughout their tenure.
    • Poster templates, communication templates, and response templates are available for Instructor customers for a variety of instances, such as chat applications, iCloud, email, USB, etc.

Situational

Situational lessons empower a more risk-aware workforce based on the employee lifecycle. These lessons are engaging, and teach users how to handle data as their roles and responsibilities change.

  • If Voluntary: 
    • Instructor includes multiple versions of this video depending on the role of the recipient.
    • This could be sent along with any other pre-departure package. This could also be done in person.
  • If Involuntary: 
    • Best practice is to not send an Instructor video for involuntary departures. This should be done in person.
    • While potentially uncomfortable, it is best to discuss policies and departure procedures in person and with empathy. Handling departing employee interaction with automations can give an implication of indifference at a time when tensions and tempers are already elevated.

Responsive

Responsive lessons provide just-in-time training as soon as a user makes a mistake. These lessons are non-accusatory and personable, which allows users to learn from their mistakes and build a positive relationship with the security team.

  • Sent to match the appropriate triggering action.
    • Instructor has a library of videos that correlate with the 9 risk setting detection capabilities of Incydr.
  • Security teams should determine if there are any specific procedures for departing employees who are sent an Instructor video as a response. If an event is detected, Security may determine it a requirement to perform an inquiry to confirm any residual risk or follow up required.

Ecosystem Integrations

Incydr and Instructor were both designed to fit within an organization's larger ecosystem. In addition to Incydr's built-in detection and response capabilities, integrating with an HRIS, SIEM, and/or SOAR can speed up workflows, collect information in a central location, and perform additional response tasks.

Integration Options
There are many ways to integrate Incydr.
Reach out to your CSM or our sales team for more information.

Summary

When an Employee Departs: Don't Panic

People change jobs–sometimes voluntarily, sometimes not. It's part of business. And when employees leave, many of them will take data with them. It might be the personal vacation photos they uploaded to their company device or it could be the company's next quarter strategy documents. Companies can be the most prepared for both of these situations–and many in between–by aligning their people, process, and technology when employees depart.

Knowledge Check

Ready to test your skills on risk mitigation techniques for departing employees?

Question One: In addition to the departing employee's manager, what other teams are involved in protecting the organization's data during the departure process? (Choose all that apply)

  1. Security.
  2. Human Resources (HR) / People.
  3. Finance.
  4. Information Technology (IT).
  5. Sales.
  6. Legal.
Answer

The answer is 1, 2, 4, & 6.


Question Two: What is an example policy that lets employees know what they can and cannot do with company resources? (Choose one)

  1. Bring Your Own Device (BYOD) Policy.
  2. Acceptable Use Policy.
  3. Data Deletion Attestation.
  4. Data Disclosure Policy.
Answer

The answer is 2.


Question Three: Why is it important to have Identity Lifecycle Management (ILM) procedures documented, as pertains to data protection? (Choose one)

  1. It reduces the cost of lighting the next production.
  2. It ensures identity access is properly revoked during departure.
  3. It isn't, personnel should perform access procedures on an ad hoc basis and when the IT specialist determines necessary.
Answer

The answer is 2.


Question Four: Match the appropriate Instructor video category with its description. (Drag category on left to appropriate definition at right)

  1. Responsive.
  2. Proactive.
  3. Situational.
  • These lessons provide just-in-time training as soon as a user makes a mistake.
  • These lessons empower a more risk-aware workforce based on the employee lifecycle.
  • These lessons promote safe security and data handling from the start.
Answer

The answer is:

  1. Responsive - These lessons provide just-in-time training as soon as a user makes a mistake.
  2. Proactive - These lessons promote safe security and data handling from the start.
  3. Situational - These lessons empower a more risk-aware workforce based on the employee lifecycle.

Additional Resources

People

Human Resources
Ready to take a deeper dive into HR's responsibilities during the employee departure process? Check out the extension course.

Process

Response Playbooks
Creating response playbooks can ensure everyone knows their responsibilities and what the process is during an investigation.
Risk Event

Getting Started with Incydr

General Resources

Questions or Comments?

Reach out to your Customer Success Manager (CSM).

How is HR Involved in the Departing Employee Process?

Introduction

Departing employees are one of the biggest sources of data loss in an organization, and most exfiltrate data long before giving two weeks' notice. This HR Add-on covers the role of Human Resources during the departing employee process.

Human Resources (HR) has a unique perspective on the employee lifecycle, because they are involved in every stage of the process, from hiring to onboarding, all the way until the employee's final day. With this experience and expertise, HR can help both the individual and the company maintain respect and integrity during the departure process.
This toolkit extension is designed for an HR representative looking to increase their knowledge about HR's involvement during the departing employee process.

What are some of the things HR can do to help reduce departing employee risk?

Hint: it starts long before the employee's last day

Company Culture

Three Ts of Culture

While the culture is set by the CEO and executive management, HR plays a critical role in reinforcing the culture employees are living. By fostering a culture of trust, training, and transparency, expectations can be ingrained in employees, reducing the risk of departing employees making mistakes during their final days.

What's at Stake?

The departure process is risky in and of itself, but an incorrectly managed departure can actually make things worse.
Maintaining confidentiality and avoiding embarrassment of those departing can help the employee transition and mitigate risks, such as sabotage by a disgruntled employee.
Maladaptive organizational response (i.e. mishandling of a risk, such as departure) can push a user over the edge and increase the risks to an organization, especially for involuntary departures.

Future Success

Set the departing employee up for future success
Whether the employee is leaving voluntarily or involuntarily, HR is a key player in helping ensure a smooth transition.

  • When will the departing employee be given their final paycheck? On the last day? The next pay period? What about unused vacation time? HR should lead the creation and maintenance of these company policies, but don't forget to run it by Legal!
  • What severance packages are available? What about retirement or pension plan cash outs or transfers? When will their benefits expire?
  • If a package is not available, providing guidance and additional resources can help the employee's transition go as smoothly as possible.

Work Smarter Not Harder

Why wait until the employee's last day to remind them of the policies to which they've already agreed? A departing employee can be set up for success by reminding them what data can be taken (if any) and how it can be removed securely. This reduces the strain on the security team by preventing improper use before it occurs. This information could be in an Acceptable Use Policy. Communication when the employee "gives notice" doesn't need to be in person. Security and/or IT can configure automations about policy reminders and an Instructor video on appropriate data use during departure.

Summary

HR's role in the departure process is to ensure a smooth transition from employment through departure. By focusing on transparency, training, and trust, HR teams can help their organizations create a strong culture, preventing risks before they even happen. Empathy during the departure process can go a long way to alleviate any additional stress on a departing employee (especially those leaving involuntarily) to reduce risks before, during, and even long after their departure.

Additional Resources

Outside Resources

Questions or Comments?

Reach out to your Customer Success Manager (CSM).
