In the shadowy corners of the tech world, there are plenty of stories of admins locking organisations out of their own IT environment, greedy employees selling data, or security engineers backdooring the network.
The motivations for these acts can touch on anything from financial gain to revenge, and the consequences are generally disastrous for everyone involved.
The recent tech layoffs that have swept across various industries have only heightened the phenomenon.
“Very large organisations only need one poorly vetted and treated [employee] to inflict a lot of harm,” says Frank Price, CTO of CyberGRX, a company that helps organisations manage, monitor, and mitigate risk in their partner ecosystems.
Internal sabotage can start even before workers are laid off. The mere rumor that a company will downsize can create a sense of panic and confusion, which may cause people to react in harmful ways.
“Three things determine whether or not an employee leaving the organisation might turn sour if not managed properly: access, motive, and opportunity,” says Tom Van de Wiele, principal threats and technology researcher at WithSecure.
Data show that employee termination can lead to brand damage, reputational damage, or financial loss. According to DTEX Systems' 2023 Insider Risk Investigations Report, 12% of employees remove sensitive intellectual property upon departing an organisation.
This frequently includes customer data, health records, sales agreements, and other vital documents. The people most likely to cross the line are those with side gigs or searching for new career opportunities, perhaps at a competitor.
These are all serious concerns for organisations, but luckily, such situations can be prevented. Here are some steps that can be taken to mitigate negative outcomes during the layoff process.
Show empathy and respect
Layoffs are almost always emotional experiences for employees. “Businesses need to realise that every human deserves respect and care,” says Armaan Mahbod, director of security and business intelligence for counter-insider threat at DTEX Systems. “Whether the outcome is positive or negative, empathy can go a long way.”
To ensure fairness during such difficult times, organisations should prioritise transparency, directness, and integrity in their leadership. According to Price, “the pain can be managed far easier when a high-integrity process is run, offering impacted employees respect and general reasoning as to why an organisation is making the hard call to reduce its staff.”
Providing real support, such as counseling or career coaching services, can also help to minimise the impact of layoffs and reduce the likelihood of careless or intentional security breaches, says Bob Burke, VP of security and infrastructure at Beyond Identity.
Moreover, empathy and respect should extend to all employees, not just those being let go. As Van de Wiele puts it, “Keeping your employees happy by listening and acting is key in making the difference between someone working for your organisation and doing their job versus someone looking out for your company with their best intentions.”
By prioritising the well-being of all employees and fostering a culture of empathy and respect, organisations can promote a positive and supportive work environment, even during challenging times.
Collaboration across departments can prevent insider threats
The offboarding process goes much more smoothly if HR departments, finance experts, internal IT, CISOs and other stakeholders work together. CISOs are particularly crucial to the equation, as they play a critical role in the organisation's overall security.
“Ensure… key security staff members are in the inner circle of large layoffs and have a plan for all actions,” is the advice Price gives to companies.
Including CISOs in the conversation can help prevent situations in which disgruntled engineers or salespersons realise they are still logged into GitHub or Salesforce and can do damage.
These situations are particularly common, as many laid off employees have insider knowledge as well as access to passwords, software, and systems that can be leveraged.
“Without the proper access controls, malicious privilege escalations will be incredibly hard to notice,” Price says. “This can be handled well if ample time, resources, and protocols are all implemented and followed, but in the instance of massive layoffs, this process is often more chaotic.”
It helps if organisations prepare and strategise everything ahead of time, as Mahbod suggests: “Designate a specific committee that is notified of upcoming layoffs as far in advance as possible to prepare for the potential fallout.”
Prevent data and code loss
When an employee leaves a business, abruptly or not, the potential for data or code loss can significantly impact the organisation's security posture.
While most employees don't think of themselves as a cybersecurity risk, a study done by DTEX Systems shows that “roughly 50% of people in any organisation” save confidential intellectual property from projects to which they’ve contributed.
They do it just in case they leave the company, Mahbod says. What’s even more concerning is that 12% of these employees take data from projects they haven't even worked on.
Enterprises should realise that “the real risk is coming from within their own corporate firewall,” Mahbod adds. “The future of data loss prevention and protection is human-centric, not data-centric.”
Businesses should monitor data loss activities and implement policies to limit unnecessary data movement within and outside of the organisation. This could include enforcing device lockdowns on file uploads to personal webmail, file-sharing sites, or USB ports to prevent successful exfiltration events, especially those that occur from layoffs.
This approach could also help address the “request via colleagues” risk. “Disgruntled, malicious employees may look to lean on colleagues that may not be aware of their termination for additional access to data,” says Amit Tailor, director of system engineering for UK Enterprise, Palo Alto Networks.
This applies to both digital and physical access, he adds. “Ex-employees will be familiar with office layouts and access methods to physical facilities. In some cases, they will be a familiar face and known to reception and security staff.”
Pay attention to dormant accounts
Hackers often attack companies that have suffered downsizing. “They may try to compromise dormant accounts that have not yet been suspended or intercept hardware that is in-transit back to company headquarters,” Price says.
“This is why it is critical to be diligent in inventorying all devices, monitoring and properly archiving old accounts and verifying that all access, equipment, and other attack surface areas are fully addressed.”
The risk of account and device hijacking can be reduced if organisations can easily revoke access to company assets immediately. Having a single identity system will allow a consistent single revoking or disabling of an account and all corporate resources, Tailor says.
Fully adopting single sign-on (SSO) across all services should be “the top priority,” adds Dimitri Stiliadis, CTO and co-founder at Endor Labs. “Static credentials and privileged access that cannot be revoked by using single sign-on mechanisms is probably the highest risk.”
Stiliadis also emphasises that when it comes to software supply chain security, “SSO and proper integration with development services, such as supply chain management (SCM) tools and CI/CD pipelines are essential safeguards.”
Be mindful of existing security gaps
In times of stress, everyone, not just employees who have been laid off, can make mistakes. “Uncertainty and stress can distract individuals from going about their work as diligently as normal, introducing security gaps caused by unintentional negligence,” says Mahbod.
It always helps to know what the organisation's weakest security points are and address them proactively, thinking about potential ways in which they could turn into threats. Awareness, education, and policy change might help address those risks.
Make business continuity a priority
Security leaders should be involved in every conversation about business continuity. Even better, they should spearhead the conversation. “Those business continuity plans should include the identification of single points of failure and other pertinent info to be reviewed prior to layoffs occurring,” Price says.
If a person leaves unexpectedly a lack of decent processes for business continuity could translate to loss of data or system availability, among others.
Consider gradual offboarding
Sometimes, adopting a phased approach for offboarding can be beneficial for both laid-off employees and the organisation.
HR teams might have more time to help people deal with the situation, and, at the same time, business continuity might be better preserved. Laid-off employees can wrap up work, hand over tasks, and pass on key information.
“This also allows the security team more time to review all access and revoke when possible,” says Burke.
But regardless of how smoothly the phased offboarding process goes, critical knowledge or expertise is always lost.
According to Burke, this can be mitigated by cross-training employees where possible as a general practice to create redundancy and reduce siloing and by asking teams to provide updated documentation and runbooks on processes, to ensure that critical knowledge is easily accessible to everyone who needs it.
Identify and delegate access to information where possible
Relying on a single person for any system or business function is not a good idea. “When an employee leaves an organisation, there should be a designated person who remains part of the business and has access to all information, systems, and data,” Tailor says.
“In some cases, this could be more than one person, and access could be split by sensitivity or function.”
Of course, granting access to sensitive information to the wrong level of employees could heighten potential risks.