A Human-centric Approach to Operational Awareness and Risk Management.

Data Loss Planning for Layoffs

As the economy heads towards a predicted recession, companies across multiple sectors are making staff cuts.  Actions like these, no matter how well executed and done, with employee well-being, both mentally and financially, in mind, can create bitterness. During layoffs, employees often feel personally attacked and, in response, can behave irrationally and retaliate.

Retaliatory behavior could include data theft, system/business sabotage, or even physical harm. During these times as well, not all data loss will occur with intentional harm to the business. Employees could simply be trying to take files that they believe they have ownership over, even though they are intellectual property of the business. I wanted to share some tips that insider threat teams can exercise as their business might be having to execute layoffs. These tips are in no way an all-inclusive list but could become helpful reminders.

Plan, Then Announce
A solid plan in place before making a companywide layoff announcement will have individuals tasked with DLP duties prepared to handle the influx in data loss incidents. Keep news about layoffs confidential and only share the news with parties that need to know. This usually includes executives, HR, SOC teams, and Insider Threat teams.

Enable Lock Down Controls
When layoffs occur, users are more than likely to try and take files with them as they exit the business. To counter the issue of having to exhaust analysts reviewing data loss incidents and have things slip through the cracks, it is recommended prior to layoff announcements that DLP controls be applied to user endpoints. This could be USB blocking tools, file upload (network) blocking tools, and disabling things such as Bluetooth and AirDrop on endpoints. Some exceptions might be needed as some employees could still need file transferring access for job roles until their termination date. Employees who fall under that group would need specialized attention to catch any abuse of the transferring privileges.

Timing User Lockouts
Some businesses announce layoffs on an employee-to-employee basis. This means that one employee at a time is told about their layoff and then IT will usually lock out their device. The issue with this approach is that employees who have already had their devices locked out usually spread the message to those who have not had lockouts yet. The employees who still have access sometimes use their remaining time to carry out unwanted behaviors before they get the layoff message. To counter this problem, employees who are in a layoff group should all simultaneously receive device lockouts ensuring that no rogue employee is given a chance to cause unwanted behavior.

Post Layoff Monitoring
Employees who have been laid off sometimes might want to regain access to their companies’ networks for reasons of their own. Employee accounts and devices that were once associated with laid-off employees should continue to be monitored for any unusual activity to detect any unauthorized system or user account access.    

The DTEX i3 Team works with customers to understand trends like these on a regular basis, to help improve our products, as well as enable customers to align their business processes with the best strategy for risk mitigation. Contact us today to learn more.