Key Takeaways
- Data exfiltration spikes 720% in the 24 hours before a layoff — but suspicious activity often starts up to six months earlier.
- 59% of departing employees take confidential data with them, with personal cloud storage now the #1 exfiltration channel.
- Traditional DLP tools cannot protect files after they leave the corporate network — once a document reaches a personal device, DLP has no visibility.
- Persistent document-level encryption renders exfiltrated files useless — access can be revoked even after a file is downloaded to a personal device.
- Offboarding must be treated as a security event, not just an HR process. Only 44% of companies revoke all access within 24 hours of departure.
Your employee already knows they are leaving. You do not know yet.
That gap — between when an employee decides to leave and when HR processes the departure — is one of the most dangerous windows in enterprise security. According to the 2026 Ponemon Cost of Insider Risks Report, organizations see a 720% surge in data exfiltration activity in the 24 hours before a layoff, compared to baseline. However, the risk starts far earlier: suspicious activities often begin up to six months before a formal departure.
This post breaks down why pre-termination exfiltration is so hard to stop, which exfiltration channels are most common, and how organizations can close the gap.
Why Is Pre-Termination the Highest-Risk Window?
Most insider threat programs focus on the wrong moment. They trigger alerts after an employee is terminated — when access has already been revoked. By that point, however, the damage is frequently done.
The reality is that 59% of departing employees take confidential data with them, including customer lists, pricing information, product roadmaps, source code, or HR records. Furthermore, 70% of insider intellectual property theft occurs within 30 days of a resignation announcement, according to Carnegie Mellon’s CERT program.
The window is wide because employees in this period still have full, legitimate access. Therefore, their activity blends into normal behavior and evades traditional security monitoring.
What Does Pre-Termination Exfiltration Actually Look Like?
Exfiltration rarely looks dramatic. Instead, it looks like a busy employee doing normal work — just with unusual volume or destination.
The Rippling vs. Deel case from March 2025 is a striking example. An alleged insider, hired as a Global Payroll Compliance Manager, had legitimate access to Slack, Salesforce, and Google Drive. As a result, the activity — which included exfiltrating customer lists, pricing details, and competitive intelligence — went undetected for four months.
Common pre-termination exfiltration patterns include:
- Bulk downloading of files from shared drives or CRM systems in the final weeks of employment
- Emailing documents to personal addresses, often framed as “keeping safe copies” of personal work
- Uploading files to personal cloud storage such as Google Drive, Dropbox, or iCloud
- Printing sensitive documents under the guise of working remotely or from home
- Copying files to USB drives, which remain difficult to monitor without endpoint controls
Which Channels Do Departing Employees Use Most?
According to 2026 insider threat statistics, the most common exfiltration channels break down as follows:
- Personal cloud storage (22.7%) — Google Drive, iCloud, and Dropbox are the fastest-growing exfiltration path, precisely because they are also used legitimately by employees every day
- Removable media (15.6%) — USB drives remain a persistent risk, especially in manufacturing, engineering, or research roles with access to technical files
- Generative AI tools (13.1%) — Employees increasingly paste sensitive content into external AI tools, inadvertently or deliberately exposing proprietary information
- Email (declining but persistent) — Forwarding files or internal knowledge to a personal address before the last day remains one of the most common pre-departure moves
Notably, personal cloud storage is growing faster than any other channel. Moreover, most DLP solutions struggle to differentiate between a legitimate cloud sync and a deliberate exfiltration event.
Why Don’t Traditional DLP Tools Stop This?
Data Loss Prevention tools work at the perimeter. They inspect traffic leaving the corporate network and flag suspicious patterns. However, they have three significant blind spots in the pre-termination scenario.
First, legitimate access defeats rule-based detection. An employee downloading their own project files raises no alert. Only statistical anomalies — volume spikes or unusual access times — trigger flags, and those require carefully tuned baselines.
Second, DLP cannot protect files after they leave. Once a document lands in a personal cloud account or on a USB drive, DLP has no visibility. The file exists entirely outside the corporate control boundary.
Third, access revocation is often too slow. Only 44% of companies revoke all access within 24 hours of departure. Consequently, former employees often retain access to cloud platforms and SaaS tools for days or weeks after their last day.
How Can Organizations Reduce Pre-Termination Risk?
No single control eliminates this risk. Instead, a layered approach combining people, process, and technology closes the most dangerous gaps.
Apply document-level encryption before the offboarding process begins. A file protected with persistent DRM remains encrypted regardless of where it travels. Even if an employee moves it to personal cloud storage or a USB drive, the document cannot be opened without authorization. Crucially, that authorization can be revoked the moment employment ends — rendering any previously exfiltrated files useless.
Enable audit trails that capture file-level activity. Knowing a file was opened is useful. Knowing it was opened 47 times in a single day, printed multiple times, and accessed outside the company network at 11 PM is actionable. Detailed audit logs make anomalous behavior visible before the departure date arrives.
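An added example (not from the original post or any vendor product) of the check this paragraph and the earlier point about tuned baselines describe: it scores one day of file-level audit events against each user's own history. The event tuple layout, user names, thresholds, and working-hours range are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

def build_sample_events():
    """Constructed audit events: (user, ISO timestamp, action, on_corporate_network)."""
    events = []
    for day in range(1, 11):  # ten ordinary days, a handful of opens each
        for user, opens in (("alice", 5), ("bob", 6)):
            for i in range(opens + day % 2):
                events.append((user, f"2026-03-{day:02d}T10:{i:02d}:00", "open", True))
    for i in range(5):        # review day: alice works as usual
        events.append(("alice", f"2026-03-11T10:{i:02d}:00", "open", True))
    for i in range(47):       # review day: bob opens 47 files off-network at 11 PM
        events.append(("bob", f"2026-03-11T23:{i:02d}:00", "open", False))
    for i in range(3):        # ...and prints three times
        events.append(("bob", f"2026-03-11T23:5{i}:00", "print", False))
    return events

def flag_anomalies(events, review_day, spike_factor=3.0, work_hours=range(7, 20)):
    """Return {user: [reasons]} for review_day, judged against each user's own history."""
    opens = defaultdict(lambda: defaultdict(int))  # user -> day -> files opened
    prints, remote_late = defaultdict(int), defaultdict(int)
    for user, ts, action, on_network in events:
        when = datetime.fromisoformat(ts)
        day = when.date().isoformat()
        per_day = opens[user]                      # registers every user seen
        if action == "open":
            per_day[day] += 1
        if day == review_day:
            if action == "print":
                prints[user] += 1
            if not on_network and when.hour not in work_hours:
                remote_late[user] += 1
    findings = {}
    for user, per_day in opens.items():
        history = [n for d, n in per_day.items() if d < review_day]
        today = per_day.get(review_day, 0)
        reasons = []
        # Volume spike relative to the user's own median day, not a global rule.
        if history and today > spike_factor * median(history):
            reasons.append(f"opens={today} vs median {median(history)}")
        if prints[user] > 1:
            reasons.append(f"prints={prints[user]}")
        if remote_late[user]:
            reasons.append(f"off-network off-hours events={remote_late[user]}")
        if reasons:
            findings[user] = reasons
    return findings
```

Calling `flag_anomalies(build_sample_events(), "2026-03-11")` flags only the user whose day combines a volume spike, repeated printing, and late off-network access; a user with no prior history is never flagged on volume alone, which is a limitation to cover with a peer-group baseline.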
Revoke access immediately and completely. Build an offboarding checklist that revokes cloud platform access, DRM permissions, and SaaS tokens simultaneously — not over days or weeks. In addition, verify each revocation rather than assuming it succeeded.
Treat printing as an exfiltration channel. Watermarked documents — visible or invisible — allow organizations to trace the source of a physical leak long after departure. Moreover, print audit trails provide legal evidence if a case proceeds to litigation.
Offboarding Is a Security Event — Treat It That Way
HR and security teams rarely operate in sync. As a result, the window between a departure decision and a revocation action is longer than most CISOs realize. That gap is exactly what departing employees exploit.
Closing it requires treating offboarding as a security event with the same urgency as an external breach. Document-level controls, audit trails, and immediate access revocation together shrink that window to near zero.
Fasoo’s data security platform provides persistent file-level encryption, granular access controls, and audit trails throughout the full document lifecycle. Access can be revoked in real time — including for files already downloaded to personal devices. For organizations managing workforce reductions in 2026, these controls directly address the highest-risk moment in the insider threat lifecycle.