The CERT Insider Threat Center, part of Carnegie Mellon University’s Software Engineering Institute, maintains a database of more than 600 insider threat cases.
Organizations must carefully consider employee communications during the time frame immediately preceding termination. Many insiders have stolen information within the 30 days prior to departure. Many of these thefts occurred via corporate email servers. A well-constructed rule set could be placed on a centralized logging application to identify suspicious mail traffic originating from soon-to-be-departing employees.
Read the full report here – http://resources.sei.cmu.edu/asset_files/TechnicalNote/2011_004_001_15368.pdf