The last year-and-a-half has brought unusual mass movements of people leaving and entering the workplace. Trends have included record-breaking resignations, quiet quitting, and most recently, layoffs across industries including tech, financial services, food and beverage, and media. These shifts have led anxious employees to the latest trend of “career cushioning”—enhancing their skills, pulsing networks, and updating resumes.
According to a Challenger, Gray, & Christmas Inc. report, U.S.-based employers announced that cuts in November 2022 were 417% higher than in November 2021, and financial analysts have predicted additional layoffs as we head into the new year.
This instability across industries has created a ripe environment for increased insider risk—leaving companies more vulnerable than ever. Internal threats are quickly becoming a serious concern for companies and sharing space on security radars along with external cyberthreats. Additionally, companies are beginning to come to the realization that insider threats can frequently cause more damage than external cyberthreats given employees’ authorized access to critical assets.
Continuing economic uncertainty and shifts in the workplace introduce insider risks to companies’ people, facilities, and particularly their sensitive data to malicious and unintentional insiders. One of the greatest concerns during layoffs is employees taking sensitive company data with them, including trade secrets, customer lists, financial data, business strategies and acquisition plans, and marketing data. According to a Biscom survey, 87% of employees take data with them when leaving a job.
Sensitive data is often taken:
- To secure or gain advantage in a new job
- For personal financial gain by selling it or starting a business
- To compete with a former employer
- To maliciously destroy it
This can harm companies by putting them at risk of regulatory violations and fines, eroding customer trust, negatively impacting finances and revenue, engaging in litigation, or creating headline risk and reputational damage.
On average, employees take sensitive company data within the 90-day period prior to leaving. Many employees see nothing wrong with taking sensitive data and may feel entitled to it, rationalizing that they created or worked on it. While companies are focused on the outbound risk of sensitive data, they should also be concerned about the inbound risk associated with new employees bringing in previous employers’ sensitive data, which can expose companies to legal liability.
Additionally, layoffs can also create disgruntlement, leading to various malicious activities. Some employees may sabotage systems, products, and services or cause workplace violence incidents directed against people and facilities. Being faced with financial uncertainty, others may commit fraud or theft for their personal benefit.
Then there are implications for those who remain in the organization that is now understaffed and whose future seems uncertain. If restructuring occurs after layoffs, employees may get repositioned elsewhere in the organization, causing frustration and disgruntlement that can lead to malicious acts. Moreover, remaining employees take on additional workloads, becoming overworked, overwhelmed, and overstressed, thereby increasing the probability of making mistakes or circumventing security processes which can compromise critical assets.
Insider Threat Indicators
While insider threats might seem impossible to monitor for and prevent, there are indicators that employers should pay attention to that may signal insider threat activity, including:
- A change in behavior from the norm, generally exhibiting disgruntlement, hostility, anger, resentment, or revenge
- Disagreements with coworkers, management, or disregarding company policies
- Frequent or unexplained tardiness, absence from work, or missed deadlines
- Working odd hours; accessing corporate systems and facilities at unusual times and different from the normal pattern of activity
- Trying to access data on systems or restricted areas that is not in the purview of one’s job responsibilities
- Attempting to transfer sensitive company data to personal email accounts and devices, USB drives, or a file hosting service or deleting large amounts of data
- Frequent or repeated security violations
- Attempting to manipulate and compromise individuals who have access to critical assets
- Email or telephonic communications with competitors
- Unusual logins
- Unexplained or sudden affluence and travel
- Substance misuse or dependence
Protecting Your Company and Mitigating Risk
As a best practice, insider risk prevention should be holistic and incorporate an enterprise-wide approach that spans the entire employee lifecycle from pre-hire to separation, overseen and directed by a collaborative, cross-functional body. Assuming that robust insider risk prevention measures are not already in place, here are a few tips to minimize your insider risk:
- If critical assets haven’t already been mapped across the organization, inventory those that separating employees have access to. Once completed, prioritize monitoring based on the most sensitive and important critical assets and use the inventory to ensure that all files and materials are returned by the employee prior to separation.
- Ensure that there is cross-collaboration among HR, Security, IT/cyber, legal, and supervisors to coordinate a plan of action with timelines, function-specific action items pre- and post-layoff, and communications.
- Monitor employees for out-of-pattern activities, attempts to access unauthorized critical assets, data exfiltration, and attempts to gain physical access to restricted areas. Continue post-employment monitoring of data sources used by employees.
- Monitor employees’ behaviors for any changes or deviations from usual patterns of behavior.
- Have employees sign confidentiality and non-compete agreements.
- Retrieve all company-supplied devices, equipment, and property issued to employees such as laptops, hard drives, USB drives, mobile phones, company credit cards, badges, access cards, and parking passes. Have employees sign a document acknowledging that they have returned all corporate data assets.
- Conduct an exit interview, and have a security or risk officer present in conjunction with the HR representative to address outbound risks to the organization and remind employees of their obligation to protect company critical assets and of their noncompete agreements. In cases of mass layoffs where individual exit interviews cannot be performed, address these key points in corporate communications sent to employees.
- Arrange for additional security at facilities where departing employees will be onsite on the day of separation, and escort employees out of the building to prevent harm to people, data, or facilities.
- Disable access to accounts, mailboxes, applications, cloud, company network, and other sources of data as well as company-owned mobile devices.
- Delete corporate data on employee-owned electronic devices.
- Remove employees from all distribution lists and reoccurring calendar meeting invites. Delete voicemails and change passwords.
- Communicate the company’s strategic plans to remaining employees and how they will be a part of it to distill fear and uncertainty and prevent good employees from leaving.
- Consider how layoffs will impact your trusted third parties (e.g., contractors, suppliers, vendors) and if there is a cascading effect. ensure that they are putting proper measures in place to protect your critical assets.
While layoffs create various stressors for leadership, laid-off and remaining employees, as well as increase insider threat vulnerabilities, companies can manage their risk through appropriate planning and processes and cross-functional collaboration. Mitigating insider risks during layoffs is a team sport, requiring the cooperation and collaboration of multiple business functions to protect a company’s critical assets.
Catherine Marinis-Yaqub is a principal in Control Risks’ Crisis and Security Consulting practice based in New York, where she oversees key client relationships in the risk and business resilience arena. Catherine previously spent 11 years in U.S. federal service conducting global national security operations as an Operations Officer for the CIA and DIA, and as an Intelligence Analyst at the FBI’s Joint Terrorism Task Force.