Data loss due to the human factor – HR offboarding / exit

Employees who leave a company – whether voluntarily or involuntarily – often cause major data loss that can wreak havoc. A company’s data disclosure can cause immense reputational damage, depending on the type of data. Data loss is often due to human error. It is not uncommon for employees to take sensitive data with them, whether on a USB stick or exporting confidential information via email. The graph below speaks a clear language.

Laptops, hard drives, smartphones and other server systems are often not set up with adequate access locks that could prevent sabotage or intentional destruction of data. Apart from the fact that there are employees who deliberately steal trade secrets and confidential company data, a significant reason for data leaks is probably also the fact that employees are not properly trained in handling data. A global study by Kaspersky Lab in collaboration with B2B International asked companies what they thought was the most common cause of data leaks. The result is that when data leaks out of companies, it is often due to incorrect employee behavior. Another cause of data leaks in enterprises are due to thefts from mobile devices. The 2016 study by Osterman Research also confirms Kaspersky Lab’s finding: […] because a large and growing proportion of employees work at least some of the time from home, if only after normal work hours, they often maintain a rich source of corporate data on their personal desktop and laptop computers, USB sticks, personally managed file sync and share tools like Dropbox, and other locations […]”.

The study contains many practical examples with the consequences (e.g. loss of intellectual property or reputation) [1]. and recommends both organizational and technical measures to minimize data loss due to an employee leaving the company. The exit process is clearly regulated by a checklist. The reclaiming of all computers and mobile devices borrowed from the company, as well as external hard drives, USB sticks, backup CDs, etc. should be mentioned by name. In addition, an inventory of all work documents (hand files) and projects on which the employee has worked should be requested. During the exit interview, the employee’s future plans should be discussed in order to identify and determine any potential risks.

Technical measures to minimize data loss can be ensured by providing ECM systems. The above-mentioned study describes the following recommendation: “It is essential that organizations maintain complete, ongoing visibility of sensitive corporate data across all of their endpoints, cloud applications and any other repositories where data might be stored. An important best practice to accomplish this is he deployment of a content archiving system that will enable the capture, indexing and immutability of content based on corporate policy […]. This policy must include access control, encryption and backup policy. The authentication of sensitive data must also be part of this policy; access to less trustworthy data is protected only by user name and password, whereas confidential or secret information is protected by assigning two-factor authentication.

Conclusion: companies, especially HR departments, are advised to pay special attention to both organizational measures (clearly regulated exit procedure regarding business information) and technical measures to prevent data loss by departing employees.

Ariane Wyss


[1] Osterman Research White Paper: Best Practices for Protecting Your Data When Employees Leave Your Company( )


Submit a Comment

Your email address will not be published. Required fields are marked *

Related articles

On 16.3. is Digital Cleanup Day

On 16.3. is Digital Cleanup Day

Tidying up is clearly not everyone's cup of tea, but we all know the good feeling that a tidy room, a tidy desk or ... a tidy drive! You can feel proud with a clear conscience, because deleting data also has an important effect on energy consumption. I have calculated...

read more
Dealing with data risks: Data breach notification

Dealing with data risks: Data breach notification

A data breach notification or "data breach notification" refers to the process by which an organization or company is required to notify the relevant data protection authorities and, if applicable, data subjects of a data breach that is likely to result in a high risk...

read more