Five signs an employee plans to leave with your company’s data

Predictive analytics plays a growing role.

A global high-tech manufacturer had reached its boiling point after several of its sales reps left the company unexpectedly and took with them sales leads and other data to their new employers.

The company needed to stop the thefts before they happened. So the company hired several security analysts who manually looked at the behavior patterns for all sales reps working on its cloud-based CRM system, and then matched them with the behaviors of those who ultimately quit their jobs. What they were able to correlate was startling.

Sales reps that had shown a spike in abnormal system activity between weeks nine and 12 of a financial quarter generally quit at the end of week 13 – in many cases because they knew they weren’t going to meet their sales quotas, says Rohit Gupta, president of cloud security automation firm Palerra, which now works with the manufacturer.


These abnormal behaviors included one or all of these warning signs: doing mass exports of lead information, entering parts of the system where they don’t usually go, changing object information, deleting items, and doing any of these things from home or in the office on a Saturday afternoon.

With these early warning indicators, IT staff was able to put controls in place to stop massive downloads before they happened or freeze accounts for several hours until a manager had a chance to speak with the employee.
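The warning signs listed above can be written as a rule over CRM audit events. The following Python is an added example, not code from Palerra or the manufacturer; the event layout, quarter start date, export cut-off, per-user area baseline and two-sign review threshold are assumptions, the events are constructed, and "Saturday afternoon" is generalized to any weekend activity.

```python
from collections import defaultdict
from datetime import date, datetime

QUARTER_START = date(2015, 4, 1)   # assumed start of a 13-week fiscal quarter
WATCH_WEEKS = range(9, 13)         # weeks nine through 12, as in the article
MASS_EXPORT_ROWS = 1000            # assumed cut-off for a "mass" export
USUAL_AREAS = {"alice": {"leads", "accounts"}, "bob": {"leads"}}  # constructed

# Constructed CRM audit events: (user, timestamp, action, area, rows, source)
EVENTS = [
    ("alice", "2015-04-14T10:05", "view", "leads", 20, "office"),
    ("alice", "2015-06-06T14:30", "export", "leads", 4800, "office"),  # Saturday
    ("alice", "2015-06-09T21:10", "delete", "forecasts", 3, "remote"),
    ("bob", "2015-06-10T11:00", "update", "leads", 1, "office"),
    ("bob", "2015-04-20T09:00", "export", "leads", 5000, "office"),    # week 3
]

def signs_for(event):
    """Return the warning signs one event shows, or an empty set."""
    user, ts, action, area, rows, source = event
    when = datetime.fromisoformat(ts)
    week = (when.date() - QUARTER_START).days // 7 + 1
    if week not in WATCH_WEEKS:
        return set()
    signs = set()
    if action == "export" and rows >= MASS_EXPORT_ROWS:
        signs.add("mass_export")
    if area not in USUAL_AREAS.get(user, set()):  # unknown users have no usual areas
        signs.add("unusual_area")
    if action == "update":
        signs.add("modify")
    if action == "delete":
        signs.add("delete")
    # Off-hours counts only when it accompanies one of the signs above.
    if signs and (source == "remote" or when.weekday() >= 5):
        signs.add("off_hours")
    return signs

def signs_by_user(events):
    """Union of warning signs per user across the watch window."""
    found = defaultdict(set)
    for event in events:
        found[event[0]] |= signs_for(event)
    return {user: signs for user, signs in found.items() if signs}

def users_to_review(events, min_signs=2):
    """Users showing at least min_signs distinct signs (assumed policy)."""
    return sorted(u for u, s in signs_by_user(events).items() if len(s) >= min_signs)
```

A single in-hours record change, like the constructed `bob` event, is recorded but stays below the review threshold, which keeps routine CRM edits from paging a manager.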

Today, cloud security automation tools make easier work of detecting these warning signs. “Predictive analytics is important, not just prevention or detection, but getting ahead of the curve,” says Gupta. Palerra’s LORIC is one of a handful of cloud security automation tools that have ventured into predictive analytics capabilities for the cloud on top of security configuration management, threat detection and automated incident response, and it comes at a critical time.

A thriving economy means greater opportunity for job seekers, and therefore more job turnover. In May 2015, the US Bureau of Labor Statistics reported 4.7 million total employee separations, 2.7 million of which were “quits,” or voluntary separations initiated by the employee. But lately, it’s become easier for those employees to leave the company with more than just their 401K plan and a box of pens.

Employees are taking valuable company data with them that is stored in the cloud in CRM systems like Salesforce, collaboration tools such as Microsoft Office 365 or storage sites like Box and Dropbox.


“It’s just so easy to access, download and transfer data these days – in fact, the company doesn’t even know it’s happening,” says Eric Chiu, president of cloud security automation firm HyTrust. “On the flipside, it’s difficult to track” all the data that is out there and secure data against an authenticated user, he adds.

Half of all employees who left their posts in 2013 took company data with them, and 40 percent planned to use that data in their new job, according to a study by Symantec and the Ponemon Institute.

In January, Morgan Stanley fired one of its financial advisers after it accused him of stealing account data on about 350,000 clients, potentially one of the largest data thefts at a wealth management firm.

Predictive capabilities are available from just a handful of cloud security automation vendors today, and some analysts consider predictive analytics to be in the early stages.

“There’s potential but the practical applications are still a little immature,” says Jon Oltsik, senior principal analyst at Enterprise Strategy Group. “You can tune something to look for an attack that you know about, but what’s hard is to tune it to something you don’t know about. I can look at access patterns on repositories and how much people download and whether they save documents locally. But there’s always creative ways to work around that. A really dedicated, sophisticated adversary will quickly decipher where you’re not looking – and that’s the problem.” Or they will carry out a “low-and-slow” theft by regularly moving data to a repository over time, he adds.

Still, security automation vendors continue to add predictive analytics capabilities to their platforms. In July, Splunk acquired security company Caspida to add machine learning-based user behavioral analytics and extend its analytics-enabled SIEM to better detect advanced and insider threats. The Splunk platform can search, monitor, analyze and visualize machine-generated big data coming from websites, applications, servers, networks, sensors and mobile devices.

Some users of cloud-based systems may choose to wait for predictive analytics to mature before taking the plunge. In the meantime, there are other ways to keep data from walking out the door with exiting employees, experts say.

Work with human resources

It's important for IT security managers to communicate with the human resources department so they are aware of pending layoffs or other personnel issues that might lead to employee departures. “You have to look at whatever data is available in their corporate environment, such as an HR data source. If an employee has a termination date or is being terminated for any reason, then you have to look at that person’s system activities with increased scrutiny,” says Andras Cser, vice president and principal analyst at Forrester Research, serving security and risk professionals.

Monitor third-party storage

Many companies have measures in place that will automatically stop unauthorized use of internal systems or keep users from downloading data, but what about cloud storage sites that are out of their direct control?

“You can have solutions like CloudLock, BetterCloud and others that tie to APIs of a cloud service like Dropbox, Box or Salesforce,” Cser says. “If the solution sees that I’m downloading 300 times the usual data volume that I normally look at, then it can send an alert.”
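The volume alert described here, combined with the increased scrutiny for employees who have a termination date in the HR data, can be expressed as a per-user baseline check. The following Python is an added example, not code from any of the vendors named; the HR feed, the daily download figures, the tighter ratio for HR-flagged users and the baseline floor are assumptions, and all data is constructed.

```python
from datetime import date
from statistics import median

SPIKE_RATIO = 300       # the "300 times the usual volume" figure quoted above
WATCHED_RATIO = 30      # assumed tighter threshold for users HR has flagged
MIN_BASELINE_MB = 1.0   # assumed floor so an empty history cannot divide by zero

# Constructed HR feed: user -> termination date, or None if not leaving
HR_FEED = {"carol": None, "dave": date(2015, 7, 31), "erin": None}

# Constructed daily download totals in MB, oldest first; the last entry is today
DOWNLOADS_MB = {
    "carol": [12, 9, 15, 11, 10, 4200],  # far above her own median
    "dave": [40, 35, 50, 45, 38, 1900],  # below 300x, but dave has a termination date
    "erin": [0, 0, 0, 0, 0, 120],        # no download history at all
}

def evaluate(user, series, hr_feed):
    """Compare today's volume with the user's own median and HR status."""
    *history, today_mb = series
    baseline = max(median(history), MIN_BASELINE_MB)
    ratio = today_mb / baseline
    watched = hr_feed.get(user) is not None   # any termination date on record
    threshold = WATCHED_RATIO if watched else SPIKE_RATIO
    return {
        "user": user,
        "ratio": round(ratio, 1),
        "watched": watched,
        "alert": ratio >= threshold,
    }

def alerts(downloads, hr_feed):
    """Return the sorted list of users whose download volume should alert."""
    return sorted(
        user for user, series in downloads.items()
        if evaluate(user, series, hr_feed)["alert"]
    )
```

Using the median of each user's own history means one earlier large download does not inflate the baseline and mask the next one.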


“Encrypt [sensitive] data so that if it’s taken offsite, then it is no longer useful. Controls, monitoring and data security on the inside can prevent bad things from happening,” Chiu says.

Use automation

Cloud apps are typically siloed and not connected in the network, so it’s difficult to put controls in place across the board. “The result is – if there are separate owners responsible for managing Workday, Google Apps or Box, for instance, then those administrators have to do the right thing” and put the right monitoring and controls in place, Gupta says. “That’s all the more reason for cloud security automation. If you have a monitoring framework doing this 24/7 in an automated fashion, then the enterprise has someone to watch their back.”


Stories by Stacy Collett
