How can organizations minimize risk of data loss due to employee turnover?

Chief Risk Officer, 10 months ago

Employee turnover feels like a slow-motion data heist. We combat this with a centralized knowledge repository, exit interviews focused on knowledge transfer, and ‘stay interviews’ to identify flight risks early and address concerns proactively.

Director of Information Security in IT Services, 10 months ago

Here the data loss has 2 aspects – company assets and the less tangible “tribal knowledge”. Company assets (key data) can be protected through various data protection measures currently in force, and certain processes get triggered when employees are on notice period. Preventative, detective and corrective mechanisms are in place to limit risk of data loss through company-provided assets and identities spread across hardened endpoints, on-prem, network, cloud and through third-party SaaS-based applications. Not to forget the humble PIN-based security printing. Exiting employees are also made aware of the need to maintain confidentiality of the information they have been privy to long after they have left the organization. Consequences of non-compliance are understood and acknowledged through mandatory sign-offs. Audit trails of activities need to be retained for some time as permitted in case of any issues. Co-workers and supervisors are anyway trained to notice and report any suspicious activities.

Tribal knowledge - While companies have robust processes in place that mandate proper and updated documentation, exiting employees, especially tenured ones and those playing key roles, do carry valuable ingrained institutional knowledge that needs to be passed on to existing teams as part of knowledge transition (KT) and handover formalities. Role rotations, periodic KT and regular connects at the office facilitate this, as certain things cannot be taught but they can be learnt.

Regularly fine-tuning internal processes and procedures that smoothen the separation process can create lasting goodwill that helps in this situation.

CISO, 10 months ago

Minimizing the risk of data loss due to employee turnover is a classic insider risk issue. This became particularly evident during the "Great Resignation" when many employees were changing jobs post-pandemic. One effective strategy is to monitor employee behavior closely. For example, when employees start visiting job search websites like LinkedIn or Indeed and simultaneously begin downloading and uploading files to personal storage solutions like OneDrive, it can be a red flag.

Using behavior analysis tools can help identify these patterns and intervene before any intellectual property is moved. The role of the employee also matters. For instance, programmers might take code they've written to new jobs, thinking they're saving time rather than stealing intellectual property. This issue is compounded with gig economy workers who might be working for multiple companies simultaneously and using your resources across different projects. Monitoring their activities can be challenging since they might not always use your systems.

Sr. Director of Enterprise Security in Software, 10 months ago

While there are many excellent tools available to help track where your data is going, there's also a cultural aspect that often gets overlooked. In Silicon Valley, for example, many companies value transparency and make all data available to everyone in the company. This can be a double-edged sword.

The challenge lies in classifying data and determining who really needs access to it. A transparent culture can increase the risk of data exfiltration when employees leave. Reducing the amount of accessible data and retaining only what is necessary can mitigate this risk.

I've implemented solutions like Netskope to monitor data activities within my platforms, but it's also crucial to question why there is so much data in the platform in the first place. A multi-pronged approach is essential to effectively minimize data loss risks during employee turnover.
