min read
Sep 17, 2021

How HR and Security Teams Can Work Together to Stop Insider Threats

The work environment is a place of comings and goings -- new employees join while others depart, either on their own or at the company’s request. Decades ago, companies didn’t worry much about the harm the fired worker could cause on the way out the door: a torrent of ill-chosen words, a stolen stapler or two, a carton of pilfered Post-Its.

Now the damage can be much greater. SaaS applications can be goldmines of valuable data that the employee downloads before, during or even after the firing. Timing around the separation is critical: A motivated employee being let go can copy, download, share or even delete many files in the course of just a few minutes. But just as technology can create a problem, technology can help solve it.

In this case, a tight, automated connection between HR platforms and SaaS apps can safeguard companies against a disgruntled employee who tries to steal company secrets, run away with financial or customer information, unleash those ill-chosen words publicly, or act on any number of other threats.


The value of a coordinated, automated technical defense against fired employees


Just as HR platforms can greenlight access to corporate information systems for a new employee, they have mechanisms for managing the offboarding process when an employee leaves the company. The HR systems can be used for such fundamental activities as determining where to forward any post-termination documents, shutting off email systems and phone lines, and recording information needed for accounting purposes. But to protect the company from insider threats arising from a dismissal, HR platforms and IT/InfoSec platforms need to be integrated in order to more closely monitor the employee’s behavior and shut down access to SaaS assets and applications when the employee’s tenure with the company ends (or even sooner if anomalous SaaS activity is detected).  

In companies where such integration does not exist, a different scenario often plays out. What may happen when an employee has been notified of the termination is that the employee’s direct manager relays the fact to the HR department – in an email, a phone call or maybe a Zoom chat. If busy with other matters, the HR representative might not take immediate action. In the meantime, an employee who has a week or two to wrap up the work and pass it along to someone else on the team may be taking revenge without anyone noticing. Even worse, a terminated employee may find that even after leaving the company he or she still has access to company assets via the SaaS apps that house them. Think that scenario doesn’t happen?  Check out this case of a fired employee taking revenge

A smart technical solution would be to have a linkage between the HR platform and the SaaS applications so that either side – the business manager or HR – can click a button that initiates policies previously designed to terminate data access for outgoing employees. The date of departure is entered in the HR platform, and in the meantime, other automated measures kick in to manage data access – essentially relegating the employee to a “high-risk” classification. The SaaS asset management could be configured to shut off the employee’s access to third parties or corporate information not needed in the wrap-up stage and shut down all access as soon as the employee departs.

 This automated process – involving HR managers and the lines of business managers – is a form of “shifting left” when it comes to security measures. Here, the shift is in time: The company needs to identify potential threats before the employee resigns or is fired. It’s only through intelligent automation such as insider risk management solutions that the shift left can identify and head off potential security issues much sooner than any manual data access control process could manage.


Protecting the company against other unhappy employees


Of course, there are other employees who may be taking actions that undermine the company but are not designated for termination. Consider employees who are unhappy and planning to leave but haven’t made their intentions known to anyone.

In these cases, the SaaS applications should be – repeat, SHOULD BE – capable of detecting anomalous behavior, such as an employee suddenly downloading all the contacts in the company’s Salesforce app and important documents stored on Google Drive. The apps ideally would not only notify the right people of these activities, but also suspend the employee’s access before too much material has been grabbed. 

Unlike the employee who’s classified as a high risk, the company doesn’t want to curtail their activity because they have no reason to suspect malevolent intent. There’s business to be conducted, and it may be a mistake to be too suspicious of employees and stop them from doing their jobs. However, a temporary suspension of employee access to SaaS apps automatically triggered by anomalous SaaS activity may be a necessary and worthwhile tradeoff for preventing malicious data exfiltration.

Unfortunately, no SaaS application has the capability to monitor employees’ SaaS behaviors and automatically shut down access to all apps and assets in response to a triggering event or notify the appropriate people of the transgression … except ours.


The DoControl method for protecting companies against employee threats


As we have described previously, DoControl provides the granular level of access control that is missing from most native SaaS applications. Our platform integrates with all the major SaaS apps, so companies can effectively head off dangerous activities quickly and systematically rather than on an application-by-application basis. And DoControl works with HR platforms to provide a coordinated response to an employee’s change of status before any significant damage can be done. Integrating DoControl with HR platforms allows IT and security teams to identify employees who are either high risk or soon to leave the company, monitor their SaaS activity across all SaaS apps, identify anomalous activity as it's happening, intervene automatically, and notify the right people. 

(Sorry – we can’t help you with the missing staplers or Post-It Notes.)


To learn more, ask for a demonstration. We’ll be happy to show you how DoControl puts not only your InfoSec team, but your HR team and your managers fully in control of your SaaS data access.

Adam Gavish is the Co-Founder and Chief Executive Officer of DoControl. Adam brings 15  years of experience in product management, software engineering, and network security. Prior to founding DoControl, Adam was a Product Manager at Google Cloud, where he led ideation, execution, and strategy of Security & Privacy products serving Fortune 500 customers. Before Google, Adam was a Senior Technical Product Manager at Amazon, where he launched customer-obsessed products improving the payment experience for 300M customers globally. Before Amazon, Adam was a Software Engineer in two successfully acquired startups, eXelate for $200M and Skyfence for $60M.

Adam is a lifetime information geek, breaking down business and technical problems into components to generate long-term learning. He loves running outdoors, playing with LEGOs with his son, and watching a good movie with his wife.

Adam holds a B.S. in Computer Science from the Academic College of Tel-Aviv Yafo and an MBA from the Johnson Graduate School of Management at Cornell University.

Get updates to your inbox

Our latest tips, insights, and news