How to prevent data theft by existing and departing employees

How to prevent data theft by existing and departing employees

Some 12% of employees take customer details, health records, sales contracts and other confidential data when leaving a company, according to DTEX.

An employee accessing confidential information.
Image: Feodora/Adobe Stock

A former employee may try to sell account credentials from their former employer on the dark web. A current employee can record a confidential CEO presentation and then send a link to that recording to the press. An existing employee may share a customer list with a third party, which is then offered for sale to a competitor. These are just a few of the data theft incidents and insider threats that workforce security provider DTEX has investigated throughout 2022.

Released on Thursday, DTEX’s 2023 Report on Insider Risk Investigations examined the scope of employee attrition and data theft for 2022. To compile its report, the company looked at hundreds of investigations conducted by the DTEX Insider Intelligence and Investigations team for the year. The results point to an increase in corporate IP and data theft.

Jump to:

What business data are employees stealing?

The i3 team investigated nearly 700 cases of data theft by departing employees; this is double the number of cases in 2021. Based on incidents, DTEX determined that 12% of employees take sensitive information with them when they leave an employer. The stolen information included customer data, employee data, health records and sales contracts.

But, 12% do not consider non-sensitive data, such as templates and presentations; based on anecdotal evidence, DTEX says it believes more than half of departing workers leave with this type of data.

How do employees steal data?

Employees use several different methods to capture company data, including screenshots, recordings, and syncing to personal devices or accounts. As just one example, the employee who sent the CEO’s press presentation link used a screen recording tool to capture confidential data and then uploaded the recording to a personal account.

What factors contribute to incidents of employee data theft?

Employee termination was a major contributor to data theft and system sabotage last year. In many of the cases the DTEX team investigated, terminated employees still had some type of access to their corporate accounts, even after they were fired. In some cases, current employees have provided corporate data or account credentials to their former colleagues without even knowing they were terminated.

SEE: Access management policy (TechRepublic Premium)

Besides departing employees, existing workers can pose a threat. Some employees maintain side gigs where they use their corporate devices. Unsanctioned use of third-party work on such devices increased by nearly 200% last year. And in a shadow IT scenario, the use of unsanctioned applications increased by 55% during the same period.

Signs of employee data theft

To catch employees who might try to record or copy sensitive information, DTEX suggests being alert to certain early warning risk indicators. This includes:

  • The anomalous use of a screen or video recording software in video conferences.
  • Any research conducted on how to bypass security controls.
  • Using personal file services, such as Google Drive or Dropbox.
  • Saving sensitive presentations as images.

To prevent employees who might use company devices or applications inappropriately, DTEX suggests looking for some warning signs. This includes:

  • Unusual browser activity accessing sites not used by the general employee population.
  • Signing into personal social media accounts to hide activity.
  • Using multiple non-corporate webmail accounts.
  • Administrative access to accounting systems unrelated to their work.
  • Unusual use of personal file sharing sites.

How to prevent incidents of employee data theft

To protect your organization against data theft and similar threats, DTEX offers the following recommendations:

  • Set up policies that clearly define the difference between personal use and corporate use of data, devices, networks and other assets. Make sure those policies are communicated to employees, whether they are new, existing or departing.
  • Implement a no trust mindset when removing data access for departing employees. Always assume that there is some residual access to sensitive data and systems after an employee leaves. Turn to tools that create a full audit trail in the event of a problem.
  • Understand that technology will not be 100% effective in preventing data theft. That’s why you need to focus on your policies in this area and constantly review your existing procedures for departing employees.
  • Be proactive by looking for early warning signs of malicious intent and not just actual incidents.
  • Maintain a trusted insider relationship with employees. Respect their privacy, communicate policies regarding data access and offer support rather than suspicion.

Read next: 10 best employee tracking software for 2023 (TechRepublic)