Given that mode of thinking, I would assume you would check the image of returning employees laptop hard drive for malicious changes installed by professionals.
That is the funniest thing I've read in a long time. Thanks for the laugh.
Even if you trust your employee completely, the laptop has been in the hands of customs and other unknown people while in the world. It can't be assumed safe until re-imaged. Finding any attackers code would be a bonus of the 'standard' harddrive swap by IT on return.
Very true here. However, most IT departments have more important things to worry about, like making sure the new security patch isn't going to interfere with the CEO's favorite gambling website. Looking for malicious code isn't going to be on any priority lists when a wipe will "solve the problem".
And no it wouldn't be that bad. Employee has only had laptop for a few days. Tech pulls old drive, installs standard image replacement, checks for nonstandard flash, updates crypto, puts back on shelf. Tech installs old drive in USB enclosure, enters crypto key, scans then copies data folders to employees user folder, then runs paranoia process on OS and drive. If nothing found drive re-imaged and put back on shelf.
To the employee it looks like he turned in his machine and his data showed up in his folder 30 minutes later. To the tech it looks like he has a job doing paranoid shit, until one day he finds the next Stuxnet.
An anti-virus scan will only catch malware that is widespread and has been in the wild for several days. Look how old Stuxnet was before it was detected by A/V. Their are other custom jobs that have gone years without detection as well. The 'paranoia process' would require a forensic examination. A decent forensic triage takes at least 4 hours on a smallish drive. A full examination can take days just to determine if something unusual is present. Than you have to take apart that unusual piece of software just to find out you are chasing down the wrong rabbit hole. This is the kind of work it takes to find the next Stuxnet.
Unless you are in the security industry then some VP is going to look at a poorly done risk assessment, look at the pricetag as overhead, and slash the budget, thinking "that won't happen here" and put down on his next review how many millions he just saved the company. Even in the security industry this isn't done nearly as often as it should.