Security considerations during layoffs: Advice from an MSSP

Navigating layoffs is complex and difficult for many reasons. Not only do human resources and direct managers bear the onus of responsibility when conducting exit conversations, but security teams should also make the necessary preparations for monitoring anomalies in employee behavior and organizational risk – before, during, and after layoffs.

As a managed security services provider and incident response professional, I’ve witnessed first-hand how a well-prepared organization handles layoffs versus an unprepared one, and the repercussions of these events on the latter’s cybersecurity posture. More than half of our incident response engagements this year were due to concerns of intellectual property theft that in some cases involved disgruntled ex-employees who mishandled company data.

As a result of the work-from-home migration, followed by the “great resignation” and mass layoffs we continue to witness, security teams are struggling to re-acquire security visibility. Of particular concern is the gap in intellectual property visibility that occurred during the migration, followed by departed employees who may have committed theft through unintentional actions or deliberate measures.

Determining what access needs to be revoked and outlining how to revoke that access should be planned well before layoffs commence. Security teams must be part of the conversation because terminated employees – whether through unintentional actions or deliberate measures – have the potential to inflict harm on the company.

Transparency during layoffs

One of the first decisions an organization should make before any downsizing efforts is to decide how transparent they will be about the layoff process with the affected employees. Will it be a protracted one, where employees receive advance notice or a sudden one that catches them by surprise? In either case, the primary concern is protecting their intellectual property before, during, and after transitioning the employee out of the environment.

When employees have advanced notice, they may start downloading their work and past projects. This situation can be a security and intellectual property risk. If an employee knows they’ll be let go in a few months but still has access to all company data, it’s important to prepare in advance for potential data exfiltration attempts. In sudden layoffs, the same security principles apply, but there’s no luxury of time for ongoing preparations.

Establish a well-documented termination process

If you don’t have a well-documented termination and off-boarding process, start there, so that in the event of mass layoffs, you are confident that you can quickly and efficiently eliminate those employees’ access to all systems. This process should also be readily accessible to HR and relevant personnel.

Utilizing single sign-on (SSO) and password reset mechanisms can simplify access revocation since making one change propagates throughout the entire system. Access revocation can be role-based, and it should be documented in advance.

Managing equipment returns is also crucial to safeguarding your data and IP. Ensure that employees return laptops and equipment as required and have a plan for handling situations where they don’t. If it’s not returned, do you have a process in place to wipe said device?

Keep data obligations in mind when developing your process. Depending on the employee’s role or where they live, the business may have obligations to either protect or destroy the employee’s data.

Ways to prevent a security breach in the wake of layoffs

Managing and mitigating risk during layoffs presents numerous challenges. Consider implementing and incorporating these security measures into your organization and include them in your termination process to enhance efficiency:

1. Enforce strong password policies: Encourage strong password practices. Organizations should enable multi-factor authentication whenever possible. Passwords should also be more than 14 characters and complex, meaning they shouldn’t be the same across all accounts.
2. Protect data at rest: The standard deployment of your workstations should already have whole-disk encryption, such as Bitlocker or FileVault deployed. Utilize these settings to protect your data as remote employee assets are being returned.
3. Deploy remote wipe capabilities: This should be done through mobile device management solutions like Microsoft Intune or standalone alternatives. If you don’t have MDM deployed, remember that both Google Workspace (formerly G Suite) and Microsoft 365 have native remote wipe capabilities if the device is still joined to the corporate communication solution.
4. Implement single sign-on (SSO): SSO helps facilitate quicker password changes and ensures all devices have been disconnected from services like Microsoft 365 and Google Workspace.
5. Protect your data: Decide whether to require a data shift-back to retain the employee’s data or perform a force wipe, based on your organization’s policies and corporate responsibility.
6. Continuously monitor your environment: Ensure you are investing in 24/7 network monitoring capabilities, so you won’t miss a thing, and have an incident response playbook ready to deploy in the event of a breach.
7. Don’t overlook physical security: Monitor previous employee access to the building and manage keys and access control. Make sure to account for all keys and copies and collect them.