When employees leave the company, does the organisation’s data leave with them? CoSoSys, vendor of Endpoint Protector data loss prevention (DLP) software, believes that many organisations aren’t paying enough attention to this point.
In a blog post written for CoSoSys by Tim Deluca-Smith, the vendor outlined the legal risks that such leaks can pose, pointing to lawsuits such as that filed by car parts firm Valeo against IT giant Nvidia.
“Leavers can represent an immediate insider threat. It might not be coaching data, as it was in the case of the [US sports teams] Knicks and Raptors, but customer contacts, Salesforce reports, presentations, source code, process documents, and more,” he wrote.
According to CoSoSys, this data can be “fair game” for people exiting an organisation.
In the Valeo v Nvidia suit in the US State of California, the allegation is that an ex-employee took Valeo source code with him to Nvidia, his new employer, he added.
Deluca-Smith pointed out that this can be less about malice than simply a desire to retain data that might help in a new position, such as a list of sales contacts or some examples of their work.
“This is exactly why Endpoint Protector by CoSoSys focuses attention on the endpoint. Unfortunately, many of today’s DLP solutions are built only to protect where your data lives, not where it’s used and where it can leak from,” Deluca-Smith said.
The ex-Valeo worker was reported as having taken 6GB of source code relating to parking and driver assistance technologies, as well as presentations and spreadsheets relating to the technology. According to Valeo, this gives Nvidia the potential to gain financially from what Valeo believes are its own trade secrets.
The ex-Valeo staffer had shared his Teams screen during a joint project meeting, accidentally revealing documents containing the source code, according to CoSoSys.
“This story puts into perspective the very real danger and financial impact that intellectual property theft can have on both the exited company, and also a new employer – who may very well be completely unaware that stolen IP has been introduced to their organisation,” Deluca-Smith wrote.
“Interestingly, the lawsuit outlines Valeo’s technologies and process to protect IP, although this seems to have not been enough to mitigate the risk. The information points to the use of access controls within Google Drive that the employee managed to circumvent.”
He added that tools like Endpoint Protector by CoSoSys are designed to combat data loss through unauthorised content sharing. Policies can be built to protect common sensitive information types and company-specific intellectual property such as computer code.
Deluca-Smith said that Endpoint Protector was built to “continuously protect” data exit points including email clients, enterprise messaging apps, browser uploads to the cloud, removable media, printers, and more, even when the endpoint is offline.