Security best practices
3/28/2025
Secure employee offboarding isn’t happening fast enough to prevent employee data theft
Departing workers can pose significant risks to data. Let me share a story about an individual who stole and deleted valuable research data right before submitting his resignation: six weeks after a contingent worker left the company, the FBI contacted us. It turned out that the individual had tried to sell the company’s confidential data to a third party. When he left, everything seemed normal. However, he had transferred some of his work to a personal account before leaving—an activity most companies struggle to detect.
Just 24 hours before an employee resigns—or when a mass layoff is looming—data theft spikes dramatically. To reinforce this point, in the 24 hours before a layoff, organizations see a jaw-dropping 720% surge in data exfiltration activity compared to the norm. Employees may download sensitive files, forward emails, or copy customer lists—actions that can have lasting consequences, especially if that data ends up with competitors or malicious actors.
What is employee offboarding?
While I use the term “employee offboarding,” it’s not just employees who need to be properly offboarded. It can be anyone with access to company property, systems, and information; they could be a former employee, contingent worker, or partner.
When employees leave a company, the business is often focused on finding a replacement and keeping things moving. However, security, IT, and legal, among other stakeholders responsible for protecting the company’s data, have to think about sensitive data making its way out. Employee offboarding, or I should say, secure offboarding, is the process of revoking access to systems, safeguarding data, and monitoring for misuse, an area that unfortunately remains a weak link in many organizations. And when data is rushing out of the organization within a short span of time, it can be argued that secure offboarding isn’t happening fast enough.
What are the data security risks associated with employee offboarding?
Without a carefully crafted offboarding plan, a company could expose itself to insider threats, operational disruptions, and even legal consequences. The root cause can stem from two scenarios: an employee stealing data or, even more damaging, sabotaging it in a way that leaves no trace. Let me break down both cases below:
Data exfiltration
Data exfiltration—sometimes called data extrusion or data exportation—is the intentional and unauthorized transfer of data from an organization.
When an employee (or contingent worker) leaves on good terms for a new job or involuntarily through a reduction in force or termination, there’s a chance that sensitive information will be transferred out of a company’s authorized data repository. This can involve files being copied to personal devices, emailed to private accounts, or uploaded to personal cloud storage. The 2024 Insider Risk Report indicates that the most common exfiltration vectors are personal cloud storage (22.7% of incidents), removable media (15.6%), and generative AI tools (13.1%).
Going back to my example with the FBI and contingent worker – this was an individual with access to systems that housed highly confidential research data. He had copied the data with the intent to sell it online. Luckily for us, the FBI had discovered the stolen data and reported it to the company. The research represented years of hard work and millions of dollars in investments. In addition to exfiltrating the data, the individual altered the data left behind to make it look like the research was a dead end. He had introduced fake data, which no one questioned until after we had determined that this was a critical security incident. This brings us to the next data security risk I’d like to highlight: sabotage.
Data sabotage
At another previous company, I witnessed a software developer who deliberately sabotaged important code. Data sabotage, also known as data tampering, is when someone intentionally changes the data—whether by altering, deleting, or manipulating it—without permission.
For anonymity, let’s just call this software developer “Calvin.” Calvin was working on a fairly complex project. He expressed that the effort and code were unlikely to succeed, dampened our expectations for the project, and left the company shortly thereafter. A few months later, by chance, my colleagues and I stumbled across Calvin’s new startup in the same domain. As a result of our discovery, Calvin’s former manager did some digging and found that Calvin had deleted a git branch. That deleted git branch contained code that solved some complex pieces of our project. That branch had never been submitted for code review. It was clear that Calvin did not want us to find the data and removed it with the purpose of using it for his own startup.
What conditions increase employee offboarding risks?
Employee exit events and timing
Employee exit events cover voluntary resignation and layoffs. During these events, companies can expect a spike in data exfiltration activity. However, the risk of data loss doesn’t start when someone submits their resignation letter or is laid off—it can begin well before and persist long after the event.
In my experience, suspicious data exfiltration can start a month before an employee resigns—and sometimes even earlier, potentially six months prior. The challenge is that employees usually know they’re leaving long before notifying their employer, meaning they’re not on anyone’s radar. This gives them plenty of time to quietly exfiltrate data well before their official last day at work.
Continued unauthorized access
Without oversight and automation, it’s easy to lose track of who still has access to what months—or even years—after they’ve left the company. A Gartner peer survey asks, “What terrifies you the most as an IT leader when an employee isn't properly deprovisioned systems access after offboarding?” 53% of leaders identify the risk of a cybersecurity attack via an unmanaged account as their top concern. Former employees can:
- Use unrevoked accounts to steal data
- Delete or sabotage important information
- Exploit their access for personal or competitive gain
Also worth knowing, contingent workers can pose a greater risk than regular employees. This may be due to more relaxed offboarding processes for contingent workers—such as a lack of processes for exit interviews or the omission of the same rigorous background checks required of employees.
Lack of controls for BYOD
BYOD (bring your own device) policies allow employees to use their own personal devices for work. While this may increase worker productivity, these devices can also pose security challenges when not properly offboarded.
If these devices aren’t properly monitored or logged, they can create an easy loophole for data theft. While companies can install monitoring software or remotely wipe data on company-owned devices, this approach may have limitations for personal devices.
Many company-issued devices can be returned to the company. However, personal devices do not return to the company and can expose sensitive data to unauthorized users, even after the employee stops working for the company. A former employee in charge of his or her own device may fail to properly factory reset or wipe the data before the device passes on to a new owner.
Get the employee offboarding process right: 3 best practices
To minimize risks of data exfiltration and sabotage, companies need a structured and proactive offboarding strategy.
Monitoring before and after the employee exit event
Security teams can be understaffed and underfunded, making it difficult to monitor data theft. However, it’s worth remembering the price of ignoring these risks: data breaches, IP theft, and sabotage that can cost millions—and in many cases, the damage isn’t just financial but reputational too. Security teams need a way to monitor suspicious activity and block data from leaving authorized environments. Ideally, they’ll have a way to maintain a record or log of actions performed by exiting employees that include the dates, times, and actions performed on sensitive data.
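The record described above can be built by joining an HR exit feed with an audit log and keeping only events inside a look-back window. The following is an added example, not code from the original post; the log format, user names, destination labels and the `review_departures` function are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed HR feed: resignation notice date and last working day per user.
DEPARTURES = {"avery": {"notice": "2025-03-01", "last_day": "2025-03-14"}}

# Constructed audit log: timestamp, user, action, destination, path.
AUDIT_LOG = """\
2024-12-20T10:02:11 avery upload personal_cloud /research/assay-results.csv
2025-02-10T22:41:05 avery copy removable_media /research/model-weights.bin
2025-02-11T09:15:40 avery upload corp_share /research/notes.md
2025-03-05T08:03:19 avery delete corp_repo /research/branch-solver
2025-03-20T01:12:57 avery download personal_cloud /research/assay-results.csv
2025-02-12T14:00:00 dana upload personal_cloud /marketing/logo.png
"""

# Destination labels mirror the exfiltration vectors named in this article.
RISKY_DESTINATIONS = {"personal_cloud", "removable_media", "genai_tool"}
DESTRUCTIVE_ACTIONS = {"delete", "overwrite"}
SENSITIVE_PREFIXES = ("/research/",)


def review_departures(log_text, departures, lookback_days=30):
    """Return flagged events for departing users, oldest first."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) != 5:
            continue  # skip malformed lines rather than abort the review
        stamp, user, action, dest, path = parts
        hr = departures.get(user)
        if hr is None or not path.startswith(SENSITIVE_PREFIXES):
            continue
        when = datetime.fromisoformat(stamp)
        notice = datetime.fromisoformat(hr["notice"])
        cutoff = datetime.fromisoformat(hr["last_day"]) + timedelta(days=1)
        if when < notice - timedelta(days=lookback_days):
            continue  # older than the look-back window
        if dest in RISKY_DESTINATIONS:
            reason = "exfiltration"
        elif action in DESTRUCTIVE_ACTIONS:
            reason = "possible sabotage"
        else:
            continue
        phase = ("pre-notice" if when < notice
                 else "notice-period" if when < cutoff else "post-exit")
        findings.append({"when": stamp, "user": user, "action": action,
                         "destination": dest, "path": path,
                         "phase": phase, "reason": reason})
    return sorted(findings, key=lambda f: f["when"])
```

With the default 30-day window the December upload is missed; widening `lookback_days` to 180 surfaces it, which is why the window should reflect how early activity can start rather than the notice date alone.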
Move with speed
Given the time-sensitivity of offboarding, it’s important to find ways to automate and accelerate processes. This is especially true for larger companies where many stakeholders including security, IT, and HR are involved in the offboarding process. For example, when a leaving employee’s last day is scheduled in an HR system, it should trigger a downstream process to revoke access to the company's systems and applications. The sooner access to critical systems is revoked, the less opportunity an employee has to take the data.
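One way to drive revocation from the HR exit date is to reconcile the exit feed against an inventory of accounts and rank what is still enabled. This is an added example, not code from the original post; the record layouts, system names and the `offboarding_actions` function are assumptions, and the data is constructed.

```python
from datetime import date

# Constructed HR exit feed; it covers contingent workers and partners as
# well as employees, since all of them need offboarding.
HR_EXITS = [
    {"worker": "calvin", "type": "employee", "last_day": date(2025, 3, 14)},
    {"worker": "rita", "type": "contingent", "last_day": date(2025, 3, 28)},
    {"worker": "omar", "type": "partner", "last_day": date(2025, 4, 30)},
]

# Constructed account inventory, one row per account per system.
ACCOUNTS = [
    {"system": "sso", "owner": "calvin", "enabled": False, "last_login": date(2025, 3, 14)},
    {"system": "git", "owner": "calvin", "enabled": True, "last_login": date(2025, 3, 20)},
    {"system": "crm", "owner": "rita", "enabled": True, "last_login": date(2025, 3, 27)},
    {"system": "wiki", "owner": "omar", "enabled": True, "last_login": date(2025, 3, 25)},
    {"system": "git", "owner": "dana", "enabled": True, "last_login": date(2025, 3, 29)},
]


def offboarding_actions(exits, accounts, today):
    """Return one action per enabled account of an exiting worker, worst first."""
    exit_by_worker = {e["worker"]: e for e in exits}
    actions = []
    for acct in accounts:
        hr = exit_by_worker.get(acct["owner"])
        if hr is None or not acct["enabled"]:
            continue  # not leaving, or access already revoked
        overdue = (today - hr["last_day"]).days
        if overdue <= 0:
            status = "schedule-revocation"  # last day has not passed yet
        elif acct["last_login"] > hr["last_day"]:
            status = "revoke-and-investigate"  # account used after the exit
        else:
            status = "revoke-now"
        actions.append({"system": acct["system"], "worker": acct["owner"],
                        "worker_type": hr["type"], "status": status,
                        "days_overdue": max(overdue, 0)})
    rank = {"revoke-and-investigate": 0, "revoke-now": 1, "schedule-revocation": 2}
    return sorted(actions, key=lambda a: (rank[a["status"]], -a["days_overdue"]))
```

Calling `offboarding_actions(HR_EXITS, ACCOUNTS, date(2025, 3, 30))` puts the git account that was used six days after its owner's last day at the top of the list.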
Employee training
Ensure staff understand the importance of secure offboarding. Employee training is critical because offboarding isn’t just technical—it’s emotional. Layoffs, especially, can leave people feeling hurt, angry, or vengeful. Even the best employees might be tempted to delete files, take sensitive data, or otherwise retaliate when emotions run high. Training here may require managers to perform routine reviews of the work of departing employees, similar to the example I shared earlier when a manager discovered that a former employee had deleted a git branch.
Protecting your organization with a structured offboarding process
How well an organization offboards employees can have a significant impact on its data security. Without a well-defined process in place to quickly and thoroughly revoke access of former employees, companies risk data exfiltration and sabotage, which can lead to loss of customer trust and regulatory fines. To minimize these risks, security and IT teams must be able to monitor suspicious activities, prioritize speed and automation, and train employees to protect data.