SA companies should be on guard for data leaks in January and February, as employees who are looking for new jobs in 2026 start exporting information to help them secure new positions or excel at their new companies once they start.
According to Mimecast, 85% of cybersecurity leaders expect these losses to spike. Heino Gevers, Senior Director of Technical Support at Mimecast SA, explains how businesses need to protect sensitive info to mitigate damage.
Many South Africans will be switching jobs come January and February after year-end bonuses and some post-holiday reflection. And while HR departments are geared up to handle expected personnel changes, too many IT security teams are underprepared and under-resourced, with more than 8 out of 10 cybersecurity leaders admitting they expect data loss from insider events, such as employee departures, to increase in the next 12 months.
An insider threat is a security risk that comes from within a company, where employees, partners, suppliers or other known entities can access the organisation’s internal network and may accidentally leak or purposely steal sensitive information.
Employees leaving the company (voluntarily or involuntarily) are among the most common insider threats. They will often take materials they believe are theirs, or documents and information, to help secure a new job. Or, more insidiously, they could deliberately look to steal and expose sensitive data out of revenge.
Whatever the reason, insider threats are much more common than many realise, making up 22% of all data breaches.
Worryingly, the 2024 Annual Data Exposure Report from Code42, now a Mimecast company, shows that 85% of cybersecurity leaders expect data loss from insider events to increase in the next 12 months.
According to the report, data exfiltration can occur in many ways, with personal cloud accounts (42%), CRM systems (40%), and files sent to personal email addresses (39%) ranking as the top three methods posing the greatest risk.
While the methods of exfiltrating data tend towards the tried and tested, employees are getting more creative and tools more sophisticated.
Data loss from insiders continues to pose a growing threat to security, with emerging technologies like AI and generative AI adding further layers of complexity. Cybersecurity teams are not given the appropriate technology or training to address the threat or to ensure compliance with data security laws and regulations. Urgent action must be taken if organisations hope to avoid damage to the company’s reputation or financial stability.
Planning for the worst is the pragmatic approach
Insider threats are notoriously difficult to detect and, considering some infamous industry examples, employers must absolutely plan for the worst.
For instance, in 2016, a former Google employee leaving for Uber downloaded thousands of company files onto his personal laptop. The files related to Google’s early self-driving car program, now known as Waymo. Google sued, and the ex-employee admitted that Google may have lost up to $1,500,000 due to his actions.
Companies in highly competitive industries are known for poaching competitor employees, especially as the skills crisis grows.
In 2022, Apple filed a lawsuit against a competing startup, claiming the company had undertaken a coordinated campaign to poach Apple employees who had worked on proprietary system-on-chip (SoC) technology.
The rival company, Rivos, had hired 40 ex-Apple employees, and in its filing, Apple alleges a multi-billion-dollar data theft, saying it had spent billions of dollars and more than a decade of research on its proprietary SoC technology.
Stealing IP, while not as immediately lucrative as theft of credit card details or individual personal records, still has significant value and, even if not sold, can do untold damage to a business’s competitive edge and brand reputation.
Strong policies and forward planning
Organisations need to begin their interventions at the outset of an employee’s tenure with strong onboarding policies and rigorous information oversight. Clear communication and training help build a culture of accountability, allowing organisations to tackle insider risk without eroding hard-earned trust.
Similarly, monitoring of data movement can’t begin only when an employee announces their intention to leave. While employees are more likely to exhibit riskier behaviour with company data as their departure nears, exfiltration activity may begin as early as three months before they formally resign.
Security teams should continuously monitor for anomalies, but need visibility into employee file activity at least 90 days before departure to identify changes. These can include sudden increases in downloads, especially to personal cloud storage, or exfiltration of data through collaboration tools such as Slack or Teams. Likewise, unusual transfers and greater use of ZIP files or AirDrop, as well as access to information that is not specific to the employee’s job function, are red flags. It’s at this point that access should be dynamically adapted to employ evasive measures such as revoking access, quarantining devices or blocking any risky file movements as they happen.
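The 90-day lookback described above can be sketched as a comparison between a departing employee's recent file movement and their own earlier baseline. This is an added example, not code from Mimecast or Code42; the event tuples, destination labels, thresholds and user names are all constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample events: (user, day, destination, filename, megabytes).
# Destination labels are assumptions; map them from your own endpoint/proxy/DLP logs.
EVENTS = [
    ("thandi", date(2025, 8, 4), "corp_share", "q3_plan.docx", 2),
    ("thandi", date(2025, 8, 18), "personal_cloud", "photo.jpg", 3),
    ("thandi", date(2025, 10, 20), "personal_cloud", "notes.txt", 1),
    ("thandi", date(2025, 11, 24), "personal_cloud", "crm_export.zip", 480),
    ("thandi", date(2025, 12, 8), "personal_email", "pricing.xlsx", 12),
    ("thandi", date(2025, 12, 19), "airdrop", "designs.zip", 950),
    ("sipho", date(2025, 11, 3), "corp_share", "minutes.docx", 1),
    ("sipho", date(2025, 12, 1), "personal_cloud", "payslip.pdf", 1),
]
RISKY = {"personal_cloud", "personal_email", "airdrop", "external_chat"}
ARCHIVE_EXT = (".zip", ".7z", ".rar")

def review_departure(events, user, notice_day, lookback=90, baseline=90,
                     spike_factor=5, floor_mb_per_day=1.0):
    """Compare risky-destination volume in the lookback window before HR's
    notice with the same user's preceding baseline period."""
    start = notice_day - timedelta(days=lookback)
    base_start = start - timedelta(days=baseline)
    window_mb = baseline_mb = 0
    archives = []
    for who, day, dest, name, mb in events:
        if who != user or dest not in RISKY:
            continue
        if start <= day <= notice_day:
            window_mb += mb
            if name.lower().endswith(ARCHIVE_EXT):
                archives.append(name)
        elif base_start <= day < start:
            baseline_mb += mb
    window_rate = window_mb / lookback
    # The floor stops a near-zero baseline from turning one small file into a "spike".
    base_rate = max(baseline_mb / baseline, floor_mb_per_day)
    flags = []
    if window_rate > spike_factor * base_rate:
        flags.append("volume_spike")
    if archives:
        flags.append("archives_to_risky_destination")
    return {"window_mb": window_mb, "baseline_mb": baseline_mb,
            "archives": archives, "flags": flags}

if __name__ == "__main__":
    for person in ("thandi", "sipho"):
        print(person, review_departure(EVENTS, person, date(2026, 1, 5)))
```

The second user shows the quiet case: a single small upload to personal cloud storage raises no flag, which keeps the review queue focused on real changes in behaviour.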
Coordinated approach with the right technical support
Offboarding is generally seen as the purview of the HR department. However, preventing insider threats and data leaks or IP theft requires a coordinated approach across HR, IT and information governance teams.
Clear workflows for resignations, redundancies, and terminations mean everyone knows their role and can act timeously. As soon as HR triggers an alert that someone is leaving, security teams can activate the right tools to monitor current and past behaviour, detect anomalies, and flag potential misuse. Legal may also need to step in if IP theft or compliance breaches are suspected. In a larger organisation, people coming and going can number in the hundreds every month, and employing appropriate human risk management platforms can give security teams the insight they need to tackle this rapidly growing insider risk, at scale and in real time.