| Key Takeaways
• Data exfiltration spikes 720% in the 24 hours before a layoff — but suspicious activity often starts up to six months earlier. • 59% of departing employees take confidential data with them, with personal cloud storage now the #1 exfiltration channel. • Traditional DLP tools cannot protect files after they leave the corporate network — once a document reaches a personal device, DLP has no visibility. • Persistent document-level encryption renders exfiltrated files useless — access can be revoked even after a file is downloaded to a personal device. • Offboarding must be treated as a security event, not just an HR process. Only 44% of companies revoke all access within 24 hours of departure. |
Your employee already knows they are leaving. You do not know yet.
That gap — between when an employee decides to leave and when HR processes the departure — is one of the most dangerous windows in enterprise security. According to the 2026 Ponemon Cost of Insider Risks Report, organizations see a 720% surge in data exfiltration activity in the 24 hours before a layoff, compared to baseline. However, the risk starts far earlier: suspicious activities often begin up to six months before a formal departure.
This post breaks down why pre-termination exfiltration is so hard to stop, which exfiltration channels are most common, and how organizations can close the gap.