The pandemic has caused so many people to reconsider their career choices and change jobs that some experts are calling it the ‘Great Resignation’.

But Canadian cybersecurity expert Krishna Raja has warned that exiting employees may be taking more than their coffee cup when they leave.

The managing director of cyber-risk at Kroll in Toronto said some employees take with them vital corporate data and leave behind a damaging calling card.

“We are seeing a big rise in insider threat,” Mr Raja said during a panel on cybersecurity trends and threats, held during the NetDiligence Cyber Risk Summit 2022 at the Hamilton Princess & Beach Club.

“A lot of people are shifting companies,” Mr Raja said. “When they do so, they can often try to take some data with them. This might be for the person to leverage the intel they have gathered to be successful at their new organisation.”

He said reviewing the forensics from different incidents, cybersecurity experts have found a lot of activity on people’s machines, where they are grabbing data off different corporate systems before they leave.

“They could also be disgruntled employees,” he said. “People are being laid off, and people might want to do something against their previous employer.”

He said the proliferation of remote access in the workplace is also creating more cybersecurity headaches.

In a USB drop attack, cyber miscreants leave malware-laced USB drives around an office environment. An unsuspecting employee, looking to transfer data from one device to another, grabs the USB, plugs it into the system and inadvertently introduces malware.

“That has been around for a while, but it is starting to come back as people are starting to go back into the office,” Mr Raja said.

He said many inside threat actors are trying to use valid credentials to leverage information in an unauthorised manner.

Phishing attacks are a common way for people to try to harvest valid credentials to authenticate a system. This can be countered with multi-factor authentication — where a user is asked to confirm their identity in multiple ways — but cyber attackers are now finding ways to bypass this.

For example, in SIM swapping, cyber attackers use social engineering to gain some personal information about you, then call the phone company to try and get them to activate a new SIM card. With that, they can get the codes they need to authenticate something and circumvent the SMS defence.

Mr Raja said a well-defined off-boarding process, when an employee leaves the company, is just as important as the onboarding process when they enter.

“Often, in very large, sophisticated organisations, people’s user accounts will still be hanging around even weeks after they departed,” he said. “IT teams need to be diligent in defining when someone leaves an organisation.”

He said there has to be a way to quickly disable a departing employee’s access to any office applications.

“It is important to make sure that process is locked down,” he said. “There also needs to be continuous monitoring.”

The panel was moderated by Gregory Bautista, a Mullen Coughlin partner. Other panellists included Stephen Boyce, of Magnet Forensics; Marko Polunic, of CrowdStrike; and Brendan Rooney, of Tracepoint.