Annual Job Hopping Spikes Insider Threats
Many South Africans will be switching jobs come January and February after year-end bonuses and some post-holiday reflection. And, while HR departments are geared up to contend with the expected personnel changes, too many IT security teams are underprepared and underresourced, with more than 8 out of 10 cybersecurity leaders admitting they expect data loss from insider events, such as employee departures, to increase in the next 12 months.
An insider threat is a security risk that comes from within a company, where employees, partners, suppliers or other known entities can access the organisation’s internal network and may accidentally leak or purposely steal sensitive information.
Employees leaving the company (voluntarily or involuntarily) are among the most common insider threats. They will often take materials they believe to be theirs or documents and information to help secure a new job. Or, more insidiously, they could deliberately look to steal and expose sensitive data out of revenge.
Whatever the reason, insider threats are much more common than many realise, making up 22 per cent of all data breaches.
Worryingly, the 2024 Annual Data Exposure Report from Code42, now a Mimecast company, shows that 85 per cent of cybersecurity leaders expect data loss from insider events to increase in the next 12 months.
According to the report, exfiltration of data can occur in any number of ways, with personal cloud accounts (42 per cent), CRM systems (40 per cent), and files sent to personal email addresses (39 per cent) ranking as the top three methods posing the greatest risk.
While the methods of exfiltrating data tend towards the tried and tested, employees are getting more creative, and tools are becoming more sophisticated.
Data loss from insiders continues to pose a growing threat to security, with emerging technologies like AI and generative AI adding further layers of complexity. Cybersecurity teams are not given the appropriate technology or training to address the threat or to ensure compliance with data security laws and regulations. Urgent action must be taken if organisations hope to avoid damage to the company’s reputation or financial stability.
Planning For The Worst Is The Pragmatic Approach
Insider threats are notoriously difficult to detect and, considering some infamous industry examples, employers must absolutely plan for the worst.
For instance, in 2016, a former Google employee leaving for Uber downloaded thousands of company files onto his personal laptop. The files related to Google’s early self-driving car programme, now known as Waymo. Google sued, and the ex-employee admitted that Google may have lost up to $1,500,000 due to his actions.
Companies in highly competitive industries are known for poaching competitor employees, especially as the skills crisis grows.
In 2022, Apple was forced to file a lawsuit against a competing startup, claiming the company undertook a coordinated campaign to poach Apple employees who had worked on proprietary system-on-chip (SoC) technology.
The rival company, Rivos, had hired 40 ex-Apple employees, and in its filing Apple alleges a multi-billion-dollar data theft, saying it had spent billions of dollars and more than a decade of research on its proprietary SoC technology.
Stealing IP, while not as immediately lucrative as theft of credit card details or individual personal records, still has significant value and, even if not sold, can do untold damage to a business’s competitive edge and brand reputation.
Strong Policies And Forward Planning
Organisations need to begin their interventions at the outset of an employee’s tenure with strong onboarding policies and rigorous information oversight. Clear communication and training help build a culture of accountability, allowing organisations to tackle insider risk without eroding hard-earned trust.
Similarly, monitoring of data movement can’t begin only when an employee announces their intention to leave. While employees are more likely to exhibit riskier behaviour with company data as their departure nears, exfiltration activity may begin as early as three months before they formally resign.
Security teams should be constantly monitoring for anomalies, but will need visibility into employee file activity at least 90 days before departure to identify changes. These can include sudden increases in downloads, especially to personal cloud storage, or exfiltration of data through collaboration tools such as Slack or Teams.
Likewise, unusual transfers and greater use of Zip files or AirDrop, as well as accessing information that is not specific to their job function, are red flags. It’s at this point that access should be dynamically adapted, with measures such as revoking access, quarantining devices or blocking any risky file movements as they happen.
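The baseline comparison described above can be sketched as follows. This is an added example, not code from the article or from any vendor product: it compares a departing user's last 14 days of file movement against the rest of the 90-day window. The event fields, channel labels, 14-day split and 3x threshold are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import date, timedelta

# Assumed labels and thresholds for illustration; tune them to your own telemetry.
RISKY_CHANNELS = {"personal_cloud", "personal_email", "slack", "teams", "airdrop"}
LOOKBACK_DAYS = 90   # visibility window the article calls for
RECENT_DAYS = 14     # assumed "recent" period compared against the baseline
SPIKE_FACTOR = 3.0   # assumed: flag when the recent daily rate is >= 3x baseline

def review_leaver(events, user, notice_date):
    """Return sorted (metric, "new" | "spike") findings for one departing user."""
    start = notice_date - timedelta(days=LOOKBACK_DAYS)
    split = notice_date - timedelta(days=RECENT_DAYS)
    base, recent = defaultdict(float), defaultdict(float)
    for e in events:
        if e["user"] != user or not (start <= e["day"] < notice_date):
            continue  # other users, or outside the 90-day window
        if e["channel"] not in RISKY_CHANNELS:
            continue  # sanctioned destinations are not scored here
        bucket = recent if e["day"] >= split else base
        bucket[e["channel"]] += e["bytes"]
        if e["file"].lower().endswith(".zip"):
            bucket["zip_archives"] += 1  # archive count, tracked as its own metric
    findings = []
    for metric in sorted(recent):
        recent_rate = recent[metric] / RECENT_DAYS
        base_rate = base[metric] / (LOOKBACK_DAYS - RECENT_DAYS)
        if base_rate == 0:
            findings.append((metric, "new"))    # never seen earlier in the window
        elif recent_rate >= SPIKE_FACTOR * base_rate:
            findings.append((metric, "spike"))  # sudden increase over baseline
    return findings

NOTICE = date(2025, 1, 31)  # constructed date on which HR flags the departure
def _ev(user, days_before, channel, mb, file):
    return {"user": user, "day": NOTICE - timedelta(days=days_before),
            "channel": channel, "bytes": mb * 1_000_000, "file": file}

SAMPLE_EVENTS = [  # constructed sample data, not real logs
    _ev("alice", 120, "personal_cloud", 999, "old.zip"),   # outside the window
    _ev("alice", 60, "slack", 4, "diagram.png"),
    _ev("alice", 40, "personal_cloud", 10, "slides.pptx"),
    _ev("alice", 10, "slack", 1, "status.txt"),
    _ev("alice", 6, "personal_cloud", 400, "customers.zip"),
    _ev("alice", 3, "airdrop", 50, "roadmap.pdf"),
    _ev("bob", 50, "teams", 3, "minutes.docx"),
    _ev("bob", 5, "teams", 1, "minutes.docx"),
]
```

Calling `review_leaver(SAMPLE_EVENTS, "alice", NOTICE)` yields findings for AirDrop, personal cloud volume and zip archives, while the same call for `bob`, whose Teams usage stays near its baseline, returns an empty list.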
Coordinated Approach With The Right Technical Support
Offboarding is generally seen as the purview of the HR department. However, preventing insider threats and data leaks or IP theft requires a coordinated approach across HR, IT and information governance teams.
Clear workflows for resignations, redundancies, and terminations mean everyone knows their role and can act timeously. As soon as HR triggers an alert that someone is leaving, security teams can activate the right tools to monitor current and past behaviour, detect anomalies, and flag potential misuse.
Legal may also need to step in if IP theft or compliance breaches are suspected. In a larger organisation, people coming and going can number in the hundreds every month, and employing appropriate human risk management platforms can give security teams the insight they need to tackle this rapidly growing insider risk, at scale and in real time.
This article was written by Heino Gevers, Senior Director of Technical Support, Mimecast SA