As Employees Move, Keeping Data in All the Right Places Is Crucial

October 12, 2022



Daniel Black
Daniel Black

As the corporate workplace continues to evolve—encompassing hybrid work environments, bring your own device policies, and cloud-based storage—companies are well-advised to consider areas of increased vulnerability and whether their policies, procedures, and forensic tools are keeping pace with reality. A hybrid or remote workforce and a more collaborative data infrastructure only exacerbate data risks that were easier to manage when employees were comfortably situated at their desks. Adding even more complexity to these risks are broader labor trends, including “the Great Resignation and Reshuffle” and an aging work force, which are changing staffing and recruiting strategies and impacting knowledge transfer and IP creation.

Employee intake and departure: crucial points of data security  

Two areas likely needing renewed attention are the moments of employee onboarding and offboarding, when a company’s most prized assets—people and data—are on the move. Departing employees present a particular risk as the potential for data exfiltration of IP and other sensitive information, whether intentional or not, is high. Often, employees take corporate IP with them inadvertently, a situation bound to get worse as turnover rates grow (Gartner anticipates a 20% jump in turnover from the pre-pandemic national average).

Since people usually take jobs similar to the ones they leave (and often with competitors), taking company data along with their coffee mug and potted plant may seem justified (I wrote this stuff, so it’s mine)—or simply inconsequential. Cloud storage services such as Dropbox, Box, or Google Drive, and collaborative apps such as Microsoft Teams or Slack make it all the easier to appropriate files, lending credence to a feeling of personal data ownership.  

No matter how it happens, the escape into the wild of proprietary items such as source code, strategy documents, contact lists, and financial information exposes the company to untold risk, including the danger of running afoul of any number of privacy regulations if personal data is exfiltrated from its protected environment—an additional headache for the company if things go south.  

Are current entry and exit protocols enough? 

Although most companies have entrance and exit protocols usually siloed as HR and IT functions, the recent surge in employee turnover has put those very teams under pressure as they face their own personnel and budget deficits. Further, responsibilities have become less defined at a time when offboarding tasks—many now carried out at a distance—should be fortified to include proactive data monitoring and oversight, activities such teams may not be equipped to handle.       

The challenge, of course, is the growing complexity of the data landscape. Knowing what information is where, who accesses it, and for what purpose becomes more difficult to track as software and storage options grow, yet this is key to keeping important data protected.  

Data security: start training early and reinforce often   

Onboarding procedures can play a key role in keeping data where it belongs and helping employees navigate through and understand their responsibilities in this increasingly intricate data terrain. First, a sound onboarding protocol can ensure that new employees aren’t bringing troublesome data into the environment. No company wants to deal with the fallout of being in possession of some other company’s IP or sensitive information. 

More importantly, onboarding offers the most opportune time to clearly communicate expectations regarding data management and safety—information that should be reinforced with frequent (and up to date) training that emphasizes data protection and ownership. It's easy to forget as time goes on what data may be confidential or sensitive, and even easier to forget that data belongs to the business, not the employee. In short, data awareness should be instilled as part of the company culture right from the start.     

Seize the moment: identify and monitor offboarding risks

The recent and ongoing workplace disruption calls for a hard look at offboarding data risks and an evaluation of potential vulnerabilities to protect data before an employee leaves the company, bolster the exit protocols to have in place when they do, and have the proper forensic and analytic tools to handle data monitoring and address potential wrongdoing.  

Most companies do have standard offboarding checklists that address employee assets, data access, and preservation obligations as they leave the company. But there’s more to data protection at this crucial moment than ticking off boxes. 

Expand and optimize the offboarding checklist

Savvy companies implement a more proactive, programmatic approach that begins earlier, with monitoring procedures that include defensible and repeatable processes to guard against the exfiltration of company data while helping to fortify the company’s position in case of a breach.  

A few important things to consider as part of the offboarding process:

  • Know which employees warrant departure attention. Develop risk profiles with business stakeholders to identify which classes of employees, whether based on role, circumstance of departure, seniority, or access to sensitive information could present an exfiltration risk.
  • Understand the company’s data landscape. Make sure there are mechanisms in place for tracking where sensitive data and IP may reside and when such data has been accessed.
  • Explore activity and assets with the employee prior to their departure. An expert, friendly review of a departing employee’s recent computer activity with the employee, including an audit of their recent network activities, use of peripherals, cloud uploads, and email sends, can reveal and help mitigate potential trouble.
  • Preserve employee devices and data as warranted with state-of-the-art forensic tools. Forensic preservation is critical to ensuring valid evidence down the line, especially since investigations today regularly involve new and novel devices, data sources, and artifacts that must be diagnosed and understood.
  • Document all offboarding information. A paper trail of findings during the exit procedure is important if further analysis is recommended or necessary and will be crucial for subsequent investigation, if it comes to that. 
  • Have a plan if there is evidence of wrongdoing. Part of any data security effort is having an action plan to execute if there are signs of a breach. Preservation, collection, and a forensic analysis may be required should legal action ensue. 


The recent upheaval in employee turnover along with more collaboration tools and storage options present increasing risk for today’s enterprise. Companies that acknowledge new vulnerabilities and leverage opportunities to revamp outdated policies and protocols are better positioned to stop data exfiltration before it becomes a problem. The best solution: Implement robust onboarding and offboarding solutions that include data monitoring, reporting, and forensic analysis to enable a quick pivot to actionable remediation steps if trouble is brewing.   

About the Author

Daniel Black

As Executive Director of Digital Forensics, Daniel leads Lighthouse’s global digital forensics practice. The world-class team is responsible for data collection, investigation, and analysis using transparent, documented, and defensible workflows and methodologies. The team is comprised of more than 20 talented individuals with decades of combined experience across the collection, investigation, and analysis continuum, and hails from careers in security technology, software development, eDiscovery, law enforcement, and the military. This diversity in background and technical acumen, combined with a vast tech toolkit, enables Lighthouse to provide enterprise-grade remote and on-site data collection, forensic analysis, deposition prep and expert testimony, as well as support special use cases like risk management for employee onboarding and offboarding. 

Daniel brings more than 25 years of experience in the legal industry to Lighthouse and was most recently at Cisco where he led their eDiscovery and forensic investigations team for almost eleven years. The program he built saves Cisco over $50M a year. Prior to Cisco, Daniel was a freelance eDiscovery consultant, led Stratify’s global eDiscovery services team, and was a Litigation Support Manager at Heller Ehrman. 

Daniel has been a guest lecturer at Stanford Law School and was also featured in Inside Counsel magazine.