Insider threats: how the ‘Great Resignation’ is impacting data security

This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Jony Fischbein,Chief Information Security Officer, Check Point Software Technologies

• The Great Resignation has seen the largest exodus of employees on record, putting pressure on employers to attract and retain talent.
• But the ‘turnover tsunami’ and working from home during the COVID-19 pandemic has also increased cybersecurity challenges.
• Organizations need stringent offboarding solutions to reduce the risk of the insider threats and data breaches when people leave.

The so-called Great Resignation, a term coined and predicted by psychologist Anthony Klotz during the pandemic, has had a profound impact on organizations around the world.

What started as a US phenomenon has gone global, with 2021 seeing the largest exodus of employees on record. Nearly 4.5 million people in the US voluntarily resigned in November 2021 alone, setting an all-time monthly record.

Some in the media are referring to this as a “turnover tsunami” because of the uphill struggle some organizations now face in terms of attracting and retaining talent. But that’s not the only hill they have to climb.

Data security risks and high employee turnover

As well as dealing with the largest skills gap in a generation, business leaders are also dealing with the inevitable data security risk that comes with record-breaking employee turnover – and that’s proving very problematic.

Data loss is always a risk when an employee leaves an organization. According to a recent report, almost two-thirds (63%) of all employees admitted to taking data from their previous workplace to use in their current job, but there are countless others who appropriate data on their way out of the door without even realizing it.

Whether malicious or accidental, the consequences can be equally devastating. As it turns out, the Great Resignationcould actually be one of the biggest insider threats facing organizations in a generation.

Growing concern about insider threats

When it comes to employee turnover, security should always be a part of the conversation. Regrettably, that hasn’t always been the case, particularly over the course of the past two years.

Faced with a mass exodus of talent, it’s perfectly understandable that organizations should be focused on talent acquisition and retention. But by neglecting good data hygiene with the coming and going of employees, they’re leaving themselves wide open to attack.

This risk has only been heightened for the countless organizations that switched to a hybrid working model. So sudden was the move to incorporate remote working during the pandemic, that bring-your-own-device (BYOD) adoption surged, broadening the attack surface area for criminals and, crucially, creating more data siloes that are potentially outside of an organization’s control.

In the first year of the pandemic, 67% of employees said they were using personal devices to get some of their work done. What’s more, a staggering 87% of organizations said they were relying on their employees’ ability to access mobile business applications and other important information from their personal smartphones.

Remote working raised the security risk

While the benefits of BYOD, particularly during the rapid transition to remote working, were significant, the potential drawbacks in terms of data hygiene and security were often overlooked.

It’s a significant security blind spot, with 71% of organizations admitting that they don’t know how much sensitive data departing employees typically take with them when they move onto pastures new.

This data can be used maliciously to gain leverage over a previous employer or give a new employer a competitive advantage. But even if the ex-employee isn’t aware they’re exfiltrating data, and it simply lies dormant on their device, it’s still an extreme security risk.

These data loss issues are difficult enough to deal with during periods of average employee turnover, but the Great Resignation combined with BYOD and a trend toward hybrid working has only amplified the challenge.

How does data loss typically occur?

There are really two types of data exfiltration – malicious, and non-malicious. Malicious exfiltration of data is more common than many organizations realize, and usually involves a departing employee purposefully taking sensitive data to either cause harm to the organization they’re leaving or give themselves an advantage in their next venture.

Depending on their role and level of access, it isn’t difficult at all for employees to smuggle data out of an organization, particularly if the “offboarding” process isn’t very thorough.

Common mistakes include keeping ex-employee email accounts active, failing to revoke their access to company servers, or allowing them to use unmonitored personal devices in their day-to-day work.

What is the World Economic Forum doing to address the cybersecurity workforce gap?

The World Economic Forum Centre for Cybersecurity and its partners have launched a set of initiatives to reduce the global cybersecurity workforce gap through training and upskilling.

Salesforce, Fortinet and the Global Cyber Alliance, in partnership with the Forum, are delivering free and globally accessible cybersecurity training through the Cybersecurity Learning Hub. This platform aims to democratize access to cybersecurity career paths and has already trained over 80,000 individuals spread across all continents.

Other Centre partners are also leading the way in international cybersecurity training that identifies how organizations can best protect the value they create and the wider supply chain in which they sit.

The Cyber Polygon is the world’s largest technical training event for cybersecurity professionals and teams. Led by Sberbank subsidiary Bi.Zone, with support from the Forum and INTERPOL, this online cybersecurity training is allowing professionals from 47 countries to enhance and develop tactics for responding to targeted cyberattacks against corporate ecosystems.

World Economic Forum partner ABSA, in collaboration with the Maharishi Institute, have been running successful cybersecurity academies that are targeting some of the most disadvantaged groups in South Africa.

Read more about our impact

However it can also be non-malicious or accidental, but that doesn’t make it any less dangerous. During the Nefilim ransomware attack in 2021, it was revealed that one of the primary methods the attackers used to breach corporate networks was to take advantage of so-called “ghost accounts” – login credentials belonging to ex-employees that were still active.

In one instance, a threat actor had commandeered an account with admin privileges that had belonged to a deceased employee, allowing them unfettered access to the corporate network. These dormant accounts are frighteningly common, and are one of the main threat vectors for external attackers.

It’s not uncommon for employees to remain logged into their user accounts on certain devices once they’ve left an organization. In some instances, they may even have a corporate device such as a tablet or smartphone that they simply forget to return or, worse, are not asked to return. This is another instance in which a thorough offboarding process would help to mitigate risk.

How to mitigate risks of insider threats

As we continue to navigate the relatively uncharted waters of large-scale hybrid working, it’s never been more important for organizations to exercise good security hygiene. There should be robust policies in place that specify rules around data handling, outlining what employees can and cannot do.

While this won’t stop a malicious insider in his or her tracks, having clear rules in place will make accidental loss less likely when an employee does eventually move on.

The principle of least privilege or “zero trust” should also be applied at all times, particularly where employees are working remotely. This makes all data held by the organization available on a need-to-know basis only, limiting the number of accounts that have access to sensitive data and decreasing the chances of an insider threat emerging.

As well as putting company-wide safeguards in place for all employees, it’s also important that organizations handle the offboarding process meticulously. This is where a lot of organizations tend to fall down, particularly when they’re more focused on the new talent that’s coming in rather than the talent they’re letting go. It’s one of the rare instances in cybersecurity where looking back is just as important, if not more so, than looking forward.

Businesses need stringent offboarding processes

No user accounts should remain active once an employee has left an organization, and logs should be checked thoroughly before an employee leaves to ensure no data has been transferred to an external source. The offboarding process should carry on even after the employee has left the building, with accounts monitored regularly to ensure that all access has indeed been revoked.

Organizations cannot guarantee 100% mitigation of insider threats, but they can strive for 99% and hit that target with the right focus and resources.

Check Point’s cybersecurity solutions, for example, help organizations create a safe and streamlined offboarding experience, reducing the risk of data loss or exfiltration. From the automatic monitoring of endpoint devices and intuitive zero-trust segmentation, to multi-layered cloud security that can detect device anomalies and automatically provision and scale security policies.

What is the World Economic Forum doing on cybersecurity?

The World Economic Forum’s Centre for Cybersecurity is leading the global response to address systemic cybersecurity challenges and improve digital trust. The centre is an independent and impartial global platform committed to fostering international dialogues and collaboration on cybersecurity in the public and private sectors.

Since its launch the centre has driven impact throughout the cybersecurity ecosystem:

• Training a new generation of cybersecurity experts
  Salesforce, Fortinet and the Global Cyber Alliance, in partnership with the Forum, are delivering free and globally accessible cybersecurity training through the Cybersecurity Learning Hub.
• Improving cybersecurity in the aviation industry
  Through the Cyber Resilience in the Aviation Industry initiative, the centre has been improving cyber resilience in the aviation sector in collaboration with Deloitte and more than other 50 companies and international organizations.
• Building a global response to cybersecurity risks
  The Forum, in collaboration with the University of Oxford – Oxford Martin School, Palo Alto Networks, Mastercard, KPMG, Europol, the European Network and Information Security Agency (ENISA) and the US National Institute of Standards and Technology (NIST), is identifying future global risks from next-generation technology.
• Making the global electricity ecosystem more cyber resilient
  The centre and the Platform for Energy, Materials and Infrastructure have been bringing together leaders from more than 50 businesses, governments, civil society and academia to collaborate and develop a clear and coherent cybersecurity vision for the electricity industry
• The Forum is also a signatory of the Paris Call for Trust and Security in Cyberspace, which aims to ensure global digital peace and security.

Contact us for more information on how to get involved.

True to their name, insider threats are always lurking in the background during times of crisis. It just so happens that the Great Resignation is a crisis that lends itself perfectly to malicious motives and careless actions around the handling – or mishandling – of data.

If organizations devote as much attention to offboarding employees as they do onboarding them, they stand a greater chance of keeping their networks secure in 2022 and beyond.