Consider Sandra – a hypothetical marketing executive who has worked for the same company for over a decade. When Sandra joined the firm, she brought hundreds of documents --business cards, phone numbers and notes – that she added to her new employer’s customer relationship management software. When she decided to leave, she believed she was entitled to take the entire database with her. Not true. 

According to David A. Smith, a CISSP, in a recent whitepaper, How UEBA mitigates IP Theft By Departing Employees, while employees like Sandra may believe that they have a legitimate claim to customer information they brought in and personally worked cultivating, "all the information in the CRM actually belongs to the employer" and the transfer of an employer’s "valuable and confidential digital assets is theft."

While this particular incident is hypothetical, similar situations – whether inadvertent as Sandra’s situation was or deliberate – happen far too often. For example, a recent security survey showed that 87% of departing employees take data they worked on, including confidential customer information, price lists, marketing plans, sales data, and competitive intelligence; 28 percent take data created by others. The loss of this intellectual property (IP) can be devastating.

So, what steps can you take now to prevent this type of theft when employees decide they’re ready to move on?  

Establish – and Enforce - Corporate Policies: While some employees who share proprietary data with outside sources or take it with them to their next place of business might do so maliciously, others might simply be unaware that it doesn’t belong to them. Having a strong, plainly written Confidentiality and Intellectual Property Agreement in place can help to alleviate the gray areas that exist when employees involved in the creation of IP perceive they have an ownership stake in it; reviewing that Agreement with an employee when they are departing acts as something of a deterrent against IP leaving with them. (See the white paper, 3 Steps to Protect Your Data During The High Risk Exit Period)

Ensure that the confidentiality and IP agreements outline what data employees can take with them when they leave and what needs to stay behind, as well as any consequences for its removal. And ensure that the document is written in terms that people who do not work with legal contracts as part of their everyday role will readily understand. 

Monitor Behavior:  While it’s possible for humans to get an idea of when changes in an employee’s behavior might indicate an increasing probability of IP theft, it would be "impractical, if not outright impossible, for an organization’s cybersecurity staff to observe and monitor each employee," Smith wrote. Instead, companies should implement technology such as user and entity behavior analytics (UEBA) – with advanced machine learning algorithms –  to help define what is normal behavior for each user so any anomalies will be easier to detect and investigate.

UEBA compares each user’s real-time activities against their recorded behavior baseline, and alerts the designated response team (likely cybersecurity) so it can investigate more closely. When coupled with user activity monitoring (UAM) software, security can see if the employee is emailing or otherwise transferring data he doesn’t normally transfer, is downloading lists onto external devices,or is logged into the IT server at 2 a.m.

To help with this process, the insider risk team should quantify employee risks, giving employees a score of 1 to 10. For example, some employees may have a low score, meaning they do not need to be monitored as closely because they do not have access to as much proprietary information, and higher level executives (even security itself) a high score, meaning they should be monitored more closely. When employees tell their managers or HR that they’re planning to leave, the risk score should be set to 10, triggering a review of 30 days worth of online and communications activity. The 30 days leading up to notice of resignation is the high-risk exit period during which IP is most at risk.

Limit Data Access: Only give employees access to data they need to do their jobs. This will keep them from accessing other corporate information, and, according to Smith, "in most cases it will also prohibit the installation of any hardware or software that can be used for the exfiltration of data (i.e., being able to transfer files to cloud storage, or to copy data to a thumb drive).” To prevent users from transferring data they shouldn’t, the organization should also consider configuring firewalls that block malicious websites or those which can be used to transfer data, encrypting all data at all stages of storage and transport, and requiring user authentication to utilize encrypted data.

Fortunately, having strict policies in place, and communicating these policies (and any consequences for breaking them) will deter many departing employees from taking data that doesn’t belong to them. However, being able to analyze employee actions and behavior, detect whether any anomalous behavior poses an actual threat, prioritize which behaviors might be most damaging to a company, and then respond appropriately, could be even more critical to preventing valuable IP from leaving when your employees do.