By Tim Sadler, Co-founder and CEO, Tessian
The massive labor upheaval that dominated headlines in 2021 shows no signs of slowing down. The latest U.S. jobs report showed that 4.5 million people voluntarily left their jobs in November of 2021, a record high. Whether you call it the Great Resignation, Great Re-evaluation or Great Reshuffle, it’s not easing any time soon, and it could be a major data security risk for companies.
Many companies are hiring remote employees to fill the gaps left by record turnover, creating a wider surface area that must be secured. Meanwhile, the influx of employees coming into or leaving an organization provides opportunity for more data breaches. This can have serious consequences, from potential compliance violations and regulatory fines to a loss of customer trust. Data security must be a central focus for IT and security teams as we continue to see the impact of an uncertain labor market.
Mid-career employees are resigning and taking data with them
Turnover trends have shifted since the start of the pandemic. Rather than early-career employees who dropped out of the workforce early on to pivot their careers or pursue passion projects, turnover rates are now highest among mid-career employees. These employees are likely to be very knowledgeable and experienced in their role. They’re looking for more flexibility, better benefits and salary, or a company mission that aligns with their values.
What does this mean for security? Mid-career employees are more likely to have a detailed knowledge of an organization’s products, processes and customers. What’s more, they may have greater access to sensitive (and potentially lucrative) data.
Data exfiltration is a widespread problem when employees leave a company. A Tessian report found that 45% of employees said they’ve “stolen” data before leaving or after being dismissed from a job. The Verizon Data Breach Investigations Report found that 72% of staff take some company data with them when they move on, although it isn’t always intentional. They also found that 70% of intellectual property theft occurs within the 90 days before an employee’s resignation announcement.
Fortunately, there are signs that security teams can look out for to help spot and avoid data exfiltration. The key is to look for anomalous behavior: for example, major changes in email activity, an employee accessing documents or files at odd hours, or an increase in data transfers. Email is a popular method for these exfiltration attempts (employees will often email files or documents to a personal address), so securing this channel before a turnover surge is crucial. It’s also important for security and IT teams to be involved in the offboarding process to adjust data access privileges when someone resigns or changes their role.
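As an added illustration (not code from the article or from Tessian), the three signals named above can be checked together over outbound mail records: attachments sent to a personal address, sends at odd hours, and a jump in data transferred. The record layout, the domain list, the working hours and the thresholds are all assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}  # assumed list
WORK_HOURS = range(7, 20)   # assumed working hours, 07:00-19:59 local time
SPIKE_FACTOR = 5            # assumed: 5x the median of the user's other days
MIN_BASELINE_DAYS = 3       # assumed minimum history before judging volume

# Constructed sample records: (timestamp, sender, recipient, attachment_bytes)
SAMPLE_LOG = [
    ("2022-01-10T10:15", "alice@corp.example", "partner@vendor.example", 200_000),
    ("2022-01-11T14:02", "alice@corp.example", "partner@vendor.example", 150_000),
    ("2022-01-12T09:30", "alice@corp.example", "partner@vendor.example", 250_000),
    ("2022-01-12T11:00", "bob@corp.example", "carol@corp.example", 5_000_000),
    ("2022-01-13T16:45", "alice@corp.example", "partner@vendor.example", 180_000),
    ("2022-01-13T21:30", "bob@corp.example", "partner@vendor.example", 90_000),
    ("2022-01-14T23:40", "alice@corp.example", "alice.personal@gmail.com", 48_000_000),
    ("2022-01-14T23:52", "alice@corp.example", "alice.personal@gmail.com", 52_000_000),
]

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def detect(log):
    """Return a set of (sender, day, signal) for the three behaviours above."""
    findings = set()
    daily = defaultdict(lambda: defaultdict(int))  # sender -> day -> external bytes
    for ts, sender, rcpt, size in log:
        when = datetime.fromisoformat(ts)
        day = when.date().isoformat()
        if size == 0 or domain(rcpt) == domain(sender):
            continue  # no attachment, or internal mail
        daily[sender][day] += size
        if domain(rcpt) in PERSONAL_DOMAINS:
            findings.add((sender, day, "personal_address"))
        if when.hour not in WORK_HOURS:
            findings.add((sender, day, "odd_hours"))
    for sender, days in daily.items():
        for day, total in days.items():
            others = [v for d, v in days.items() if d != day]
            if len(others) >= MIN_BASELINE_DAYS and total > SPIKE_FACTOR * median(others):
                findings.add((sender, day, "volume_spike"))
    return findings

def triage(log, min_signals=2):
    """Group signals per sender and day; keep only days with several signals."""
    grouped = defaultdict(list)
    for sender, day, signal in detect(log):
        grouped[(sender, day)].append(signal)
    return {k: sorted(v) for k, v in grouped.items() if len(v) >= min_signals}
```

Requiring two or more signals on the same day keeps a single late-evening email to a vendor out of the triage queue while still surfacing the day on which all three coincide.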
New staff are vulnerable to external security threats
New employees who are hired to replace staffing gaps are often vulnerable to external threats like phishing and social engineering attacks. This is because they may not have met all their colleagues in person, while remote employees may be even less familiar with their colleagues and less able to verify a legitimate request. Malicious actors know this and will specifically target new employees in spear phishing and social engineering attacks.
How do malicious actors know who has started a new job recently? All it takes is a quick search on social media. A report from Tessian found that 93% of U.S. employees post about a new job on social media sites like Facebook or LinkedIn. Cybercriminals use this information to develop targeted scams designed to trick new employees into sharing valuable data or login credentials, and even wiring money.
According to the FBI, $26 billion has been lost to these kinds of business email compromise attacks since 2016. In one costly example, a scammer posed as the CEO to trick an employee into transferring $17.2 million to a Shanghai bank account as part of a fake deal to acquire another company. New employees in particular may not be familiar with their new CEO and what type of request is abnormal or suspicious, so it’s important to train them quickly and effectively.
Comprehensive cybersecurity training should be part of the early onboarding process for all new employees to help avoid these data security risks. Training should be tailored specifically to the unique needs and risk factors of new and remote employees and delivered in real time rather than at mandatory quarterly trainings. Basic security hygiene can also be effective at preventing data loss. New and existing employees should be consistently reminded of best practices and what to look for in a suspicious email.
Data security and hiring challenges are intertwined
No matter the issue — hiring new staff, addressing turnover, or preventing burnout among employees that stay in their roles — IT and security teams must be brought in so that data security impacts are foreseen and addressed. In these instances, securing the “human layer,” or the employees that handle a company’s most sensitive data, should be a priority.
Securing important communications channels like email and establishing real-time, automated cybersecurity training for employees is an important part of the solution. Empower employees to work both productively and securely by making them part of the solution. Encourage them to report mistakes or suspicious activity to the IT and security team without fear of repercussions. When an employee resigns, make sure to walk through data security policies and set clear expectations to avoid inadvertent exfiltration. By building these processes into the full lifecycle of an employee’s experience, organizations can help prevent The Great Resignation from turning into a data security nightmare.
About the Author
Tim is the CEO and co-founder of Tessian. He holds three master’s degrees in design, engineering, and innovation from Imperial College and formerly worked in HSBC’s Global Banking division. Learn more about Tim on Twitter and at Tessian.com.