Solution Atlas
SpecialisedUser storyConsultative playbook

Departing employees are a known leak risk and we can't see it happening

After a high-profile case where a departing executive took customer data to a competitor, the CISO needs visibility into the warning signs in the weeks before someone leaves. Microsoft Purview's insider risk capability would catch the signals, but the team has never deployed it; HR and Security don't currently share information about who is joining, moving, or leaving.

Trigger
Recent leak; board attention; HR and Security don't talk.
Good outcome
When HR flags that someone is leaving, the insider risk tools quietly watch for the warning signs — unusual downloads, copying to personal drives, sharing with outside addresses. HR, Security, and Legal review the signals together each week.
Discovery — signals and questions

Signals validating this story

  • ·Recent leak incident involving a departing executive or sensitive role
  • ·HR-to-Security signal not currently shared in real time
  • ·Insider-risk discussions never operationalised
  • ·Audit interest in pre-departure behaviour
  • ·Board attention on insider threat

Discovery questions

  1. 1.How does HR signal a departure to Security today?

    WhyThe HR-Security handoff is the load-bearing process. Often manual or absent.

    Listen for: “email when finalised” · “weekly batch” · “we don't formally”

  2. 2.What pre-departure behaviour have you investigated retrospectively after a known incident?

    WhyAnchors the discussion in concrete patterns.

  3. 3.What is your DLP posture on outbound channels — email, USB, cloud upload, personal email?

    WhyDLP coverage is the prerequisite. Without it, signal is invisible.

  4. 4.Who would own an insider-risk programme — Security, HR, Legal, or shared?

    WhyCross-functional ownership is the maturity threshold.

  5. 5.Have you mapped the most-sensitive content types — IP, customer lists, M&A material, pricing?

    WhyClassification is the foundation. Without it, Insider Risk has nothing to anchor on.

  6. 6.What does your offboarding process look like for privileged users specifically?

    WhySurfaces the gap between policy and practice for the highest-risk leavers.

Baseline architectureTarget architecture
Baseline architecture

HR departures do not trigger heightened Security scrutiny. DLP partial; no insider-risk policy. No pre-departure monitoring. Offboarding manual and reactive. No cross-functional review cadence. Past leak incidents investigated retrospectively without a continuous detection capability.

Typical concerns

  • ·Pre-departure behaviour invisible to Security
  • ·DLP coverage uneven; some outbound channels unmonitored
  • ·HR signal not integrated with Security tooling
  • ·Offboarding leakage — accounts and devices not removed promptly
  • ·No defensible answer for "how would we know?" if asked by the board

Capability gaps

  • ·Purview Insider Risk Management with HR-driven triggers
  • ·Sensitivity labels providing content classification baseline
  • ·Sentinel receiving Insider Risk signals into the SOC queue
  • ·Cross-functional cadence with HR + Legal + Security
  • ·Offboarding playbook integrated with identity
Target architecture

Purview Insider Risk Management policies live with HR-driven triggers (departing employees, internal moves into sensitive roles). Sensitivity labels classify content tenant-wide so Insider Risk can anchor on what is actually sensitive. Signals route into Sentinel for the SOC queue with correlation against identity and endpoint signals. Weekly cross-functional cadence with HR, Legal, and Security reviews flagged cases. Offboarding playbook automates access removal in identity.

Key capabilities

  • Insider Risk policies with HR-driven triggers
  • Content classification baseline
  • Signals into Sentinel SOC queue
  • Cross-functional review cadence
  • Identity-integrated offboarding playbook
Architecture decisions
  1. 1.Scope — privileged-users-only vs broader workforce

    Privileged users only

    Fits whenCost-sensitive; highest-risk slice; lighter privacy footprint.

    Trade-offsMisses non-privileged exfiltration (sales reps with customer lists, engineers with code).

    Broader workforce

    Fits whenDemonstrated insider-threat risk; willingness to navigate the privacy conversation.

    Trade-offsBroader privacy and employee-relations impact.

    Default recommendationStart with privileged users + sales (customer lists) + engineering (code/IP). Expand as the programme matures.

  2. 2.Trigger model — HR-driven vs anomaly-driven

    HR-driven (resignation triggers monitoring)

    Fits whenMature HR-Security integration; clear "departure" definition.

    Trade-offsMisses unannounced exfiltration ahead of resignation.

    Anomaly-driven (behavioural baseline triggers monitoring)

    Fits whenMature SOC; appetite for continuous behavioural signal.

    Trade-offsHigher false-positive load; privacy footprint broader.

    Default recommendationHR-driven for the first 12 months; layer anomaly-driven once HR-driven baseline is operational.

  3. 3.Disclosure model — transparent (employees informed) vs confidential

    Transparent

    Fits whenStrong employer-employee trust; legal jurisdiction requires it (some EU member states).

    Trade-offsMay reduce detection efficacy for the highest-intent actors.

    Confidential

    Fits whenLegal counsel advises; investigation-led model.

    Trade-offsTrust risk if disclosed without management.

    Default recommendationTransparent in EU jurisdictions; confidential elsewhere — always with legal counsel signed off.

Low-risk trial — proof of value

60-day Insider Risk pilot for HR-flagged departures

~8 weeks

Purview Insider Risk policies live for the HR-flagged departure trigger. Sensitivity labels classify the most-sensitive content types (M&A, IP, customer lists). Signals route into Sentinel. Weekly cross-functional cadence with HR, Legal, and Security stood up. Offboarding playbook validated against one real departure during the trial window.

Success criteria

  • Insider Risk policies live with HR-driven triggers
  • Sensitivity labels applied to top-priority content types
  • Signals visible in Sentinel SOC queue
  • Cross-functional cadence running weekly with named participants
  • At least one offboarding-validated departure end-to-end

InvestmentPurview Insider Risk in M365 E5 or as add-on. Sentinel consumption for the signal ingest. Estimated ~€3–5k/month for the trial scope at the privileged-user tier.

Proof metrics

  • ·Time-to-detect anomalous pre-departure behaviour measurable
  • ·Cross-functional cadence operating weekly
  • ·Offboarding access-removal SLA below 1 hour
  • ·Audit-defensible posture demonstrated to board or regulator

Recommended cards

The SKUs and capabilities most likely to be part of the solution, with the editorial rationale for each in the context of this story. Add the ones that fit your situation.

Why for this story

Insider Risk Management sits in Purview; sensitivity labels provide the content classification baseline that Insider Risk policies anchor on. Without labels, the signal has no context.

Why for this story

Routes Insider Risk signals into the SOC queue with correlation against identity, endpoint, and email signals. The cross-domain investigation graph is where the pattern becomes visible.

Back to Insider risk