George Leung Siu-kay, CEO of the Hong Kong General Chamber of Commerce, reveals that companies in Hong Kong are struggling with an emigration wave that has pushed turnover rates above 20%, with the loss being felt especially keenly in their middle ranks.
While it helps, increasing salaries alone should not be seen as a cure-all for the situation, as not every organisation can afford to fight a wage war.
For heads of departments and HR left to contend with the aftermath of staff departures, the challenge is assessing what's been left, what may have been taken, intentionally or otherwise, and how to move quickly back to business as usual.
Human Resources and CIOs may cite the difficulty of recruiting the right talent, but little is usually said about staff who leave organisations, and what happens to the information and data they are able to access during their remaining days with the company, and after that.
The Proofpoint 2023 Voice of the CISO report revealed that among CISOs there is a greater expectation in 2023 that malicious (43%) and compromised (40%) insiders are more likely to cause a data breach or exposure in the next 12 months.
The finding suggests that CISOs increasingly believe more employees are exposing data on purpose. The report revealed that some 82% of CISOs report that employees leaving their organization has contributed to a data loss event.
"We conducted a study of 58,000 people from 33 industries that left their jobs in a nine-month period from July 2022 to April 2023. Insurance has the highest number of flight-risk users at 17% and technology was the second highest at 16%," said Dagmawi Mulugeta, senior threat research engineer for Netskope APAC.
Separately, the 2020 Securonix Insider Threat Report found that 60% of insider threat cases involved a flight risk user. "Of these, 2% steal the organisation’s data when they leave. Safeguarding data is key," noted Mulugeta.
Asked how companies can manage data security in the wake of employees leaving, Mulugeta identified what he claims are three critical signals to help identify these types of threats: the nature of the data, the direction of the data, and the amount or volume of data.
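The three signals can be combined into one per-user check, shown here as an added Python example that is not from Netskope or the original article. The event fields, the thresholds (`factor`, `floor`) and the sample events are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events, not real telemetry. Field layout is an assumption:
# (day, user, direction, destination, data_label, bytes_moved)
EVENTS = [
    (1, "alice", "upload", "managed", "sensitive", 40_000_000),
    (3, "alice", "upload", "personal", "public", 500_000_000),
    (9, "alice", "upload", "personal", "sensitive", 20_000_000),
    (2, "bob", "upload", "personal", "sensitive", 5_000_000),
    (5, "bob", "upload", "personal", "sensitive", 5_000_000),
    (8, "bob", "upload", "personal", "sensitive", 300_000_000),
    (10, "bob", "upload", "personal", "sensitive", 450_000_000),
    (9, "carol", "download", "managed", "sensitive", 900_000_000),
]

def risky_bytes(event):
    """Bytes matching the nature and direction signals, otherwise 0."""
    _day, _user, direction, dest, label, size = event
    if label == "sensitive" and direction == "upload" and dest == "personal":
        return size
    return 0

def flag_users(events, recent_from, factor=5.0, floor=100_000_000):
    """Apply the volume signal: flag users whose risky bytes since day
    `recent_from` reach `floor` and whose daily rate exceeds `factor`
    times their own earlier baseline rate."""
    if not events:
        return {}
    days = [e[0] for e in events]
    base_days = max(1, recent_from - min(days))
    recent_days = max(1, max(days) - recent_from + 1)
    base, recent = defaultdict(int), defaultdict(int)
    for e in events:
        (recent if e[0] >= recent_from else base)[e[1]] += risky_bytes(e)
    flagged = {}
    for user in set(base) | set(recent):
        base_rate = base[user] / base_days
        recent_rate = recent[user] / recent_days
        # max(..., 1) keeps users with no baseline history comparable
        if recent[user] >= floor and recent_rate > factor * max(base_rate, 1):
            flagged[user] = recent[user]
    return flagged

if __name__ == "__main__":
    for user, moved in flag_users(EVENTS, recent_from=8).items():
        print(f"{user}: {moved / 1e6:.0f} MB of sensitive data to personal destinations")
```

Only the user whose sensitive uploads to a personal destination spike against their own baseline is flagged; large public uploads and inbound downloads are ignored.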
"Introspectively looking at the files, the amount of data being uploaded, outside of the organisation’s parameters and that is being moved and downloaded can be monitored for policy violations. These three signals can help identify data violators," he further explained.
Security issues arising from disgruntled employees
Mulugeta acknowledges that employees, as insiders, already have access to the organisation’s internal systems and data.
"We observed in our research a high level of data movement happening close to 50 days prior to an employee’s departure. When you have disgruntled employees, a lot of data movement happens before their notice period which is very concerning."
Dagmawi Mulugeta
Balancing employee privacy versus company data protection
Mulugeta is adamant that employee privacy must not be compromised in data protection.
"Organisations involved in such monitoring should be familiar with their local laws and regulations and ensure that their monitoring systems comply with what is acceptable," he suggested. "Organisations must be transparent with employees on the monitoring of their sensitive data and privacy elements in company resources like managed devices."
He suggested prioritising the data, rather than tracking employees’ every activity, in safeguarding an organization’s resources.
Challenges ahead
According to Mulugeta, cloud migration and remote working pose new challenges. "In cloud app abuse, identifying threats on a large-scale system or environments is particularly challenging," he opined.
The Netskope Threat Labs Report for Asia found that an average enterprise user in Asia interacts with 20 cloud applications per month, rising to 79. "Large organisations must ensure that sensitive data going through these cloud applications stays within the corporate perimeter which is challenging," he suggested.
Click on the PodChat player to hear Mulugeta's take on how organisations can (should) pick up the data after staff have left the organisation.
- The Great Resignation and recent tech layoffs saw people leaving their jobs voluntarily and involuntarily. What remains is the data utilised by them. Is it safe?
- How can companies manage data security in the wake of employees leaving?
- What kind of security threats await organisations from disgruntled employees?
- The role of privacy and threat to organisations; monitoring potential leavers. Are companies breaching privacy laws through such monitoring?
- What are the other challenges facing companies in the wake of mass layoffs as well as new people coming in?