Seemingly every day, we receive news of another company retrenching and laying off several hundred people. These actions can leave a sense of anger for the people who are cut and uneasiness for the people who remain and are fearful they might be next. In both instances, it is not uncommon for employees to feel disillusioned and engage in risky workplace behavior. This might be malicious or accidental in nature and might manifest as IP exfiltration or system sabotage.
Regardless of whether a person’s actions are misinformed or malicious, companies should take proactive steps to prevent or deter data loss when preparing for layoffs. I would like to share some data loss prevention best practices for employee layoffs.
Have a Plan, Then Act
Before moving to announce layoffs, make sure you have a solid plan in place that includes understanding who’s responsible for data loss prevention (DLP) duties. Make sure that all the information about layoffs is limited to a need-to-know group of people. This cohort will usually include senior executives, HR, SOC teams and your insider risk team.
Ahead of the Announcement, Lock Things Up
People who have just been let go have a strong desire to take any assets they can to their next position, which includes content that they’ve worked on and, for 12% of employees, content from projects that they never touched. Employees who have been laid off might be mad and may act maliciously out of frustration. To prevent data loss or sabotage from occurring, companies should enact DLP controls at user endpoints ahead of layoff announcements. An example of these could be disabling Bluetooth and AirDrop at endpoints, blocking USB tools, and deploying file upload (network) blocking tools. If an employee needs special access until their termination date, HR and the insider risk teams should pay special attention to abnormal activity.
Timing User Lockouts
Sometimes, organizations are tempted to stagger when they announce layoffs, calling people into the office on an individual basis. This tends to have the negative effect of making everyone within the organization jumpy, prompting even people who are not on the layoff list to exfiltrate information for fear of not being able to do it down the road. To avoid this potential risk, the organization should simultaneously lock down the machines of everyone affected by the impending reorganization.
Employees who have been laid off sometimes try to gain access to the network, looking for assets they want to use in their current position. Companies should continue to monitor the accounts and devices of laid-off employees for unusual activities to prevent unauthorized account access.
The DTEX i3 Team works with customers to understand trends like these on a regular basis and enable organizations to align their business processes with the best strategy for insider risk mitigation. The team has recently released its 2023 Insider Risk Investigations Report, which includes a number of takeaways and recommendations for mitigating data loss associated with employee layoffs. Be sure to download your copy to learn how you can keep your data safe and prevent exfiltration.