The Power of Forensic Imaging in Secure Employee Offboarding

It’s not always obvious that forensic imaging belongs in your employee offboarding processes. However, imagine these scenarios: Something is missing – you thought the file was right there on your computer. It is a vital client document that you have spent hours looking for. You remember that a former coworker also worked on the project, but their laptop was wiped and reissued after their departure. Oops! Or maybe the CEO is retiring after many years with the company. There is a wealth of institutional knowledge in the CEO’s head, but also a wealth of data on their laptop, email, text messages, external storage drives and cloud storage.

Employees no longer expect to stay with one company for their entire careers. According to the U.S. Department of Labor, the average number of years an employee spent with an employer was 4.1 years. With relatively high turnover, what happens to the digital devices assigned to them? In the realm of cybersecurity, the process of securely offboarding employees is a critical facet that demands immediate attention. The departure of an employee, whether voluntary or involuntary, presents a potential security vulnerability that must be managed correctly. Here are four reasons why it’s essential to securely offboard employees.

4 Reasons to Securely Offboard Employees

  1. Data Protection: Secure offboarding ensures that access to sensitive data and systems is promptly revoked, minimizing the risk of data breaches or unauthorized access.
  2. Regulatory Compliance: Adhering to industry regulations and compliance standards is imperative. A thorough offboarding process helps organizations comply with data protection laws and industry-specific regulations.
  3. Asset Retrieval: Ensuring the return of company assets, such as laptops, mobile devices and access cards, is essential to prevent unauthorized use or potential data exposure.
  4. Knowledge Transfer: Facilitating a smooth transition of responsibilities and knowledge transfer during offboarding helps maintain operational continuity, preventing disruptions in workflow.

Additional Scenarios

An external audit of the company’s finances determined that money was missing. Or, it has been discovered that your proprietary data is being used in a competitor company’s new advertising campaign. In each case, you are pretty sure it was someone who left the company a few months ago; but unfortunately, the assigned computer was wiped, the cloud account was deleted, and the issued cell phone was given to a new employee. Potentially valuable evidence – gone. A Tessian survey determined that 45% of employees who left voluntarily or were dismissed reported they took work-related data before leaving.

According to Verizon’s 2023 Data Breach Investigations Report, 19% of the threat actors involved in breaches were employees of the victim company. Tessian reported that “there was a 47% increase in the frequency of insider incidents between 2018 and 2020.” You may not know until months or years after the employee departs that there is a situation that will require a search of their digital devices.

In all the above scenarios, could you just hold on to the departing employee’s digital devices and access them when needed? Sure, but this puts company resources out of service, possibly indefinitely. Do you have the storage capacity to maintain the digital devices, presumably a laptop and a cell phone, for every employee who leaves? Probably not.

In light of the potential risks outlined in these scenarios, it becomes evident that relying solely on traditional methods of retaining departing employees’ digital devices may not suffice. Not only does this approach strain company resources and storage capacities, but it also leaves organizations vulnerable to data breaches, regulatory violations, and legal complications.

What Is the Solution?

Recognizing the imperative of safeguarding sensitive data and ensuring operational continuity, it’s essential for companies to proactively develop comprehensive offboarding protocols. By incorporating forensic imaging and extraction into the offboarding process, organizations can effectively mitigate these risks. Not only does this approach streamline data management and storage, but it also provides valuable evidence in the event of litigation or regulatory scrutiny.

Withum’s Cyber and Information Security Services Team is ready to help you integrate this essential step into your offboarding process. Our experts can make those forensic images and extractions for you. We can also keep them for you, with a proper chain of custody, and if you ever need them to be analyzed, we can do that too.
