How mass layoffs can create new risks for corporate security

As Meta faces backlash from its employees over its handling of mass layoffs, security experts warn that such actions can create new threats to corporate data and systems.

Facebook’s parent company Meta announced last week that it would cut 21,000 jobs, or about 10% of its global workforce, as part of a restructuring plan. The move sparked outrage among some workers, who accused senior executives of being out of touch and insensitive to their plight.

>>Don’t miss our newest special issue: Data centers in 2023: How to do more with less.<<

But Meta is not alone in resorting to layoffs amid economic uncertainty. A recent KPMG report found that 85% of organizations believe that layoffs will be necessary as the economy slows down.

Such drastic measures can also expose companies to increased cybersecurity risks from disgruntled former employees, who may seek revenge or compensation by stealing or sabotaging sensitive data or systems.

“Mass layoffs can result in the unintentional creation of insider threats,” said Kyle Kappel, U.S. leader for cyber at KPMG in an interview with VentureBeat. “Insider threat risk includes theft of sensitive data, embezzlement, sabotage of critical systems, creation of backdoors into corporate environments or even causing reputational harm.” 

According to the Palo Alto Networks Unit 42 team, 75% of insider threat cases involved disgruntled ex-employees. Insider threat incidents include transferring protected data to personal accounts, transporting property to a competitor, or exploiting inside knowledge of employees to access privileged information. 

Getting to grips with malicious insiders 

Controlling access to data assets is difficult when defending against external threat actors, but becomes much more challenging when dealing with an employee who not only has physical access to key data assets and resources, but firsthand knowledge of an organization’s internal processes. 

The moment an employee becomes dissatisfied or, in the Meta example, laid off, every app or service they had access to needs to be resecured in the event that the individual attempts to take revenge on the organization. 

“Removal of access to systems and applications is critical during a mass layoff, and there are several unique challenges during these types of events,” Kappel said. “A common area that is overlooked is the removal of access to third-party applications.”

Kappel notes that access to third-party applications can be exploited not just to access critical data assets, but also to steal money. 

The challenges and difficulties of offboarding 

Unfortunately for security teams, it’s not always easy to identify what services an employee had access to, particularly when trying to offboard a high volume of staff at once. 

“When you’re letting go of massive numbers of employees at once, things get very complicated,” said Frank Price, CTO of third-party cyber-risk management vendor CyberGRX. 

“Given how interconnected we are these days, there are a lot of access and active sessions to inventory and properly manage in these moments. That one disgruntled engineer or salesperson who realizes they are still logged into GitHub or Salesforce on their personal device can cause a lot of trouble,” Price said. 

The disparate nature of these applications can lead to security teams failing to revoke access to key applications from potentially disgruntled employees.  

As a result, organizations need to be proactive about understanding employee access privileges. One way to do this is by using an identity provider (IDP), a type of identity and access management (IAM) platform, which can centralize the management of user identity and authentication. 

Introducing ‘phygital’ attacks 

At the same time, security leaders can’t afford to overlook the risks presented by an employee’s physical access to resources and equipment — what Will Plummer, former U.S. Army security expert and CSO at mail-screening technology provider RaySecur, refers to as “phygital” attacks — “the convergence of physical and cyber.” 

“These attacks exploit weaknesses in physical security to gain access to digital infrastructure. They represent a sort of modern day trojan horse strategy known as ‘warshipping,’” Plummer said. 

Plummer explained that a typical warshipping attack occurs when a user is asked to return work equipment by mail, and uses the opportunity to tamper with the equipment, such as installing a battery-powered microcomputer that either mines for data or searches for a network vulnerability. 

Implementing endpoint or mobile device management and auditing equipment as its returned can help to minimize the risks of these types of attacks. 

Other ways to mitigate insider risk 

While mitigating breaches caused by malicious insiders and ex-employees is easier said than done, organizations can mitigate the risk of data exposure by better monitoring and controlling data access as part of what Kappel calls an “established insider threat program.”  

In practice, that means monitoring user activity and access to resources in real time and post event to ensure that privileged users aren’t engaging in any harmful activity, such as exfiltrating data or installing malware. 

In addition, perhaps the most valuable defense that organizations have against threats from disgruntled ex-employees is empathy. 

Approaching layoffs with compassion, clearly communicating the reasons for cutbacks, and offering employees support in the form of a severance package can help reduce the chance of employees feeling betrayed and attempting to take revenge on the organization. Ultimately, if you want to avoid a morale crisis, invest in building morale.