The Great Resignation and Remote Work: A Potential Cybersecurity Disaster

As companies across most industries deal with historically high turnover, their threat landscape has also increased. With employers embracing remote work arrangements, former employees’ ability to intentionally—or accidentally—take sensitive corporate data, and the need for information governance controls, has never been greater, lawyers said.

“It’s not like in the old days, where you had to take boxes [to steal corporate files],” noted Jeffer Mangels Butler & Mitchell partner and cybersecurity and privacy group co-chair Robert Braun. “Now you just take your phone with you, and you have all sorts of data.”

To be sure, not all former employees intentionally or maliciously steal company data when they quit, Braun noted. Nevertheless, such unauthorized access to corporate data could adversely impact a company, he said.

“High employee turnover is a source of data insecurity for a lot of reasons. One of them is [that] it takes more work to offboard an employee than one would think. The IT, information security teams have to review identity and access privileges and they have to make sure they’re all terminated in an appropriate time frame. … It’s even harder since we’re doing so much work remotely, because it’s not as easy to collect a badge, collect or [erase data from] a mobile device,“ Braun said.

Similar to how the transition to remote working expanded companies’ potential cybersecurity threats, remote employee turnover also can exacerbate an organization’s data security, Braun added.

However, despite the growing threat, not all companies are concerned or proactively addressing the risk, noted Reed Smith counsel Catherine Castaldo.

“I have been advocating for it, but we haven’t always seen it. Especially in the beginning of the pandemic when companies were worried about cash flow, [I] saw a pullback from compliance-related spending,” Castaldo said.

What’s more, Castaldo also noted some companies have little experience grappling with data incidents or don’t understand the true value of their data. “They may not be able to do [a] risk-balance” assessment, she added.

But more may soon realize the need for information governance. While Moses & Singer privacy and cybersecurity partner Jason Johnson hasn’t seen an uptick in regulatory actions or trade secret lawsuits regarding data incidents stemming from former employees, he said it’s only a matter of time. Highly publicized or highly critical incidents are likely the only way to spur all companies to prioritize information governance, he said.

“What I think it will take is someone taking a treasure trove of this data and putting it out there,” Johnson said. “Privacy has typically been, people aren’t proactive about it, they are reactive. We are in this reactive stage. There hasn’t been an issue yet, but if you think about all the information that is being downloaded and is confidential, there hasn’t been a situation where it’s meant something yet. But at some point there will be.”

From: Legaltech News