Proofpoint lawsuits underscore risk of employee offboarding

Nearly every employee leaving a company takes data or intellectual property, but few companies adequately screen and monitor for it. Recent court cases underscore the risk.

Feodora Chiosea / Getty Images

Our professional journey takes us through many doors as we enter and exit engagements. The hiring entity often spends an inordinate amount of time on process and acclimation onboarding new employees. The C-suite focus is rarely on who departed, yet the offboarding of employees, contractors, advisors, etc. is fraught with risk and requires as much (if not more) attention than who is coming in the door.

For many it’s, “Nice working with you, good luck on your next gig, and don’t let the door hit you in the butt on the way out.” The wise will eschew the discomfort of a colleague’s departure and have in place a structured process and procedure. The unprepared are rolling the dice.

Why do we care about offboarding?

An individual’s departure, be it for cause or new opportunity, exposes the current employer to risk. That is very real and entity after entity face the repercussions every day of not paying attention to exiting colleagues and what they are taking with them as they head out the door.

Cybersecurity company Code42 recently coined the situation the “Great Resignation.” “Offboarding is where every company needs to invest,” says Code42 CEO Joe Payne. A recent survey by CODE42 and the Ponemon Institute showed almost 100% of employees depart with some type of data.

The current imbroglio between Proofpoint and Abnormal Security provides an example of what Payne refers to. Court documents show that Proofpoint is piqued that seven of its employees moved on to Abnormal Security and accuses Abnormal of targeting Proofpoint’s employees “to gain access to Proofpoint’s confidential and proprietary information.” The company’s perspective is buttressed by the actions of former Proofpoint channel sales director Samuel Boone, who admits to having exited with a “USB drive containing some of his work-related documents from Proofpoint” and having “sent two emails with Proofpoint material to an Abnormal colleague,” according to court documents.

Staying with Proofpoint for the moment, the company was recently awarded a $13.5 million judgement in a separate intellectual property (IP) theft case which involved a former vice president of Gateway Technology at Cloudmark, Olivier Lemarié, who took Proofpoint’s technology in 2017 when he departed and moved on to Vade Security. Two years later, Proofpoint filed suit. Two years after that, the verdict arrived.  

Vade was found to have incorporated Proofpoint’s IP into its product suite. Proofpoint is doing what every company should do: It is protecting its IP, even if the journey took four years. But they are doing it in the courts.

If you are in court, your IP has already bolted, and chasing your property is tantamount to chasing the cow down the hill after it’s bolted from the barn. It could be a long day.

Invest in preventing the departure of information

CISOs normally have in place a “big red button” that terminates access to users, literally at the push of that button. The question is, does it kill access to all services or just services that IT directly supports?

Adam Nichols, principal of software security at GRIMM, says many companies are good at turning off the access to in-house services but come up lacking when it comes to third-party services like Trello or Clickup where “shared resources such as API keys to which the employee had access may be long-lived, and if not rotated out, it means they retain privileged access,” after their departure.

Securonix’s VP of customer success Shareth Ben agrees. The deprovisioning of cloud-based platforms and applications “lag the in-house applications.”   

How do employees exfiltrate employer’s information?

When looking at which exfiltration vectors are most commonly used, we only need revert to Boone and his use of the USB. Code42 noted between April and June 2021, over 42% of exposure events involved the ubiquitous USB. Cloud sync agents closely followed with 37% of unauthorized upload of company data prior to departure.

Do most employees take information with them? Yes, they do. While Payne’s claim that almost 100% of employees are filching information may startle some, he isn’t alone in that thinking.

“Most employees take documents and artifacts such as PowerPoint presentations, Excel sheets containing specific data tied to their line work as they feel entitled to do so given that they worked on it,” says Ben. “The motive is mostly to re-use these documents in their next job as it allows them to demonstrate performance. In some cases, the data exfiltrated is of high value such as intellectual property or customer data like account details (in the case of a banking/financial institution).”

How can organizations stop IP exfiltration?

Be transparent. Hiring is a display of trust. This trust must be in place from day one to the last day. But as the Russian proverb goes, “trust but verify.”

Monitoring is a primary ingredient of dissuading individuals from moving data in an unauthorized manner, be it during the day-to-day activities or as they prepare for their exit. Payne notes while they had a very low incidence of data moving to and fro in an unapproved manner in his company, such incidents were reduced to an infinitesimal number when they implemented monitoring and showed the workforce how the monitoring worked.

Then we have the offboarding process. “Entities must focus on offboarding as a process that just doesn’t happen on the last day,” says Arman Mahood, director security and business intelligence at DTEX. He notes how the process must include HR, IT, security, and line-of-business operations to be effective. “Data theft occurs 30 to 60 days prior to contract end date. Monitoring for tell-tale signs of file movement, searching, aggregation, and obfuscation are good indicators.”

Ben of Securonix notes, “When employees are aware of the monitoring procedures during departures, they recruit other colleagues to collude with them. A friend on the same team might copy the sensitive data for them instead so the departing employee can evade monitoring controls.”

The need for the exit interview

At departure, HR should be conducting an exit interview. The components of that interview should include:

  • Reason for leaving (unless being discharged)
  • Review of privileged company access and termination of same including discussion and amelioration of anomalies revealed in pre-departure monitoring
  • Collection of all devices including storage, phones, and laptops
  • Attestation from employee that they are not retaining intellectual property, trade secrets or other property of the company
  • Review of the non-disclosure agreement, if applicable
  • Provision of contact information in the event the departing employee wishes to impart information post-employment “omitted” during the exit interview

As important as processing the employee out the door, says Rajan Koo, chief customer officer at DTEX Systems, companies are equally at risk of a new employee infiltrating another company’s intellectual property into their new company. This puts both the old and new employer at risk (see above re: Proofpoint and Abnormal Security). “It’s just as important that the same level of diligence is placed on new starters, where data loss detection methods are focused on large volumes of data or intellectual property being introduced by a new employee,” he says.

Trust but verify your departing employees’ intentions vis-à-vis company information and wish them well, but don’t let them out the door until you’ve covered all your bases and have level-set expectations on protecting both the employee and employer.