In November 2022, Americans quit their jobs at record-breaking rates, with 4.5 million workers resigning. More shockingly, three percent of the entire working population voluntarily left their roles. This workforce exodus has triggered alarms for many companies. But this is not just an HR and staffing issue; this mass departure is also a substantial security threat.

Understanding insider threats stemming from the Great Resignation

Employees resign from their posts in many different circumstances. While some may leave the working population entirely, and some will leave for other jobs bearing no ill will to their former company whatsoever, it is unavoidable that some will be disgruntled and looking to make themselves as attractive to rival employers as possible.

One side of the scale: Data theft and accidental exposure

Employees may take internal data, sensitive commercial information or valuable intellectual property (IP) that they can bring to their next role, potentially at a competitor company. Some employees may seek to advertise themselves to new employers as having clients and contacts they can take with them from their old job without realizing this constitutes data theft.

Case in point: a 2016 report found 87% of employees admitted to taking data with them to their next job. As a result, many insider threat instances are unintentional because employees do not know or understand the laws regarding IP ownership.

Accidental exposure is another significant risk, albeit less malicious. As employees wind down their obligations during their notice period, they will likely be less vigilant regarding security protocols and hygiene. They may unknowingly expose businesses to security risks through remote work and increased use of personal devices and networks. Employees are also more likely to repeat passwords across accounts and become complacent regarding company security policies with continued work-from-home protocols.

Hybrid working practices compound this kind of carelessness. In the current work environment, employee devices have moved farther outside traditional infrastructure. This shift to remote and hybrid work across industries has led to the disappearance of the cyber perimeter. In the past, organizations localized critical data and corporate information in onsite data centers; now, employees must be able to access data anywhere, anytime.

Some employees may even access sensitive information from geographical locations with increased risk of cyber aggression from threat actors or state monitoring. This decentralized and geographically dispersed workforce allows employees to access sensitive internal data more easily and in settings with a less sophisticated security posture, increasing risk for employers.

And remote work is not going anywhere: 58% of workers would reportedly seek alternative employment if they could not continue hybrid working in their current role. As a result, CISOs and security professionals are grappling with the complexities of protecting their organizations and dynamic workers.

Regardless of whether it is deliberate or inadvertent, data theft creates vulnerabilities that significantly impact businesses.

The other end of the scale: Disgruntled employees with severely malicious intentions

On the other end of the scale, some resigning employees with deliberately malicious intentions may seek retribution against former employers or personal financial gain. These ex-employees may leak or sell sensitive information or even give hackers access to their ex-employer's digital estate in exchange for a proportion of the ransom.

Disgruntled former employees are the most common reason for insider threats, with around 20% of companies reporting breaches stemming from ex-workers. For example, a former employee reportedly introduced ransomware into their former employer’s system late last year. These insider threats can be extremely costly to organizational reputations, operations and finances. Insider threats cost an average of $15.4 million during 2021, a 34% increase from 2020.

What should organizations do to protect themselves?

Businesses need comprehensive off-boarding plans that take effect as soon as someone hands in their notice and that run as a collaborative process. HR teams need to notify security teams as quickly as possible, so that potential risks can be mapped out and close monitoring put in place before it’s too late.

While training employees to be aware of cyber risks checks off necessary compliance boxes, we also need to implement comprehensive training for employees to understand IP and ethical work practices as part of off-boarding protocols.

HR should flag departing employees to the cybersecurity team so that it can increase monitoring and reduce their access to critically important data, decreasing risk during their last few weeks. Companies should adopt a zero trust framework by setting individual benchmarks for standard employee behaviors and data access.

Continuously validating users who can gain and maintain access vastly reduces the risk of ex-employees accessing internal systems after their employment ends. Employers should restrict workers' access to the bare minimum of data needed to perform their job responsibilities and tie up loose ends.
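One way to run the continuous validation and least-privilege check described above, shown as an added example that is not part of the original article: a recurring audit that joins HR status with identity records and authentication events. All usernames, group names, record layouts and events are constructed for illustration, and the "allowed during notice" mapping is an assumed policy input.

```python
from datetime import date, datetime

# Constructed sample data: HR status, directory accounts and auth events.
HR_RECORDS = {
    "asmith": {"status": "notice", "last_day": date(2023, 1, 20)},
    "bjones": {"status": "departed", "last_day": date(2023, 1, 6)},
    "cwu": {"status": "active", "last_day": None},
}
ACCOUNTS = {
    "asmith": {"enabled": True, "groups": {"sales", "crm-export", "finance-reports"}},
    "bjones": {"enabled": True, "groups": {"engineering"}},
    "cwu": {"enabled": True, "groups": {"engineering", "source-admin"}},
}
AUTH_EVENTS = [
    ("bjones", datetime(2023, 1, 9, 22, 14), "vpn"),
    ("asmith", datetime(2023, 1, 10, 9, 2), "crm"),
    ("cwu", datetime(2023, 1, 10, 8, 30), "git"),
]
# Assumed policy: groups holding critical data, and what each
# notice-period user may keep to finish hand-over work.
SENSITIVE_GROUPS = {"crm-export", "finance-reports", "source-admin"}
NOTICE_ALLOWED = {"asmith": {"sales"}}

def audit(today, hr, accounts, events):
    """Return (user, finding, detail) tuples for off-boarding gaps."""
    findings = []
    for user, rec in sorted(hr.items()):
        acct = accounts.get(user)
        if acct is None:
            continue
        last_day = rec["last_day"]
        if rec["status"] == "departed" or (last_day and last_day < today):
            # Employment has ended: any enabled account is a gap.
            if acct["enabled"]:
                findings.append((user, "ACCOUNT_STILL_ENABLED", f"last day {last_day}"))
        elif rec["status"] == "notice":
            # Notice period: sensitive access beyond the agreed minimum.
            allowed = NOTICE_ALLOWED.get(user, set())
            for group in sorted((acct["groups"] & SENSITIVE_GROUPS) - allowed):
                findings.append((user, "EXCESS_ACCESS_IN_NOTICE", group))
    for user, when, service in events:
        last_day = hr.get(user, {}).get("last_day")
        if last_day and when.date() > last_day:
            detail = f"{service} at {when.isoformat()}"
            findings.append((user, "LOGIN_AFTER_LAST_DAY", detail))
    return findings

if __name__ == "__main__":
    for finding in audit(date(2023, 1, 10), HR_RECORDS, ACCOUNTS, AUTH_EVENTS):
        print(*finding, sep=" | ")
```
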

Cyberattackers are becoming faster, more intelligent and more sophisticated. Companies can employ endpoint security tools to understand and support legitimate, normal employee behaviors. These tools must detect and respond to anomalous activity, including initial file downloads and data uploads, command-and-control activity, or attempts at lateral movement within corporate networks. Companies cannot rely on historical data to recognize these abnormalities.

Organizations need tools that can detect systems disruption to identify and stop cyberattacks and insider threats faster, limiting the possibility of an ex-employee becoming a security risk. Catching threats in real-time is crucial to prevent significant business disruption, especially during the notice period and immediately after an employee’s departure.

This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine.