Layoffs Could Hatch a New Generation of Data Thieves and Hackers

As corporate layoffs keep coming, cybersecurity experts predict an uptick in insider risks. How you fire—and hire—can make all the difference.


Insider data breaches grew considerably worse during the pandemic with almost everyone working less securely from home. Now, with a stumbling economy triggering massive layoffs, organizations could face an even larger threat: ex-employees holding onto sensitive passwords and data or—worse—launching cyberattacks against their former employers.

Recent layoffs, especially in high tech, are staggering: Alphabet, parent of Google, slashed 12,000 jobs; Amazon eliminated 18,000; Dell let go of 6,650; IBM shed 3,900; Microsoft axed 10,000; and SAP handed pink slips to 2,800 people.

“We haven’t seen significant layoffs like this since the Great Recession ended around 2009,” says John Dooney, a knowledge adviser with the Society for Human Resource Management (SHRM). “It’s going to be interesting to see how employers handle the threats or problems that arise from these layoffs.”

It’s not that every laid-off worker will be angry enough to hang onto passwords or company data as part of some malicious scheme to exact revenge at a later date. In fact, most laid-off employees quickly and quietly move on to landing other jobs. And in the case of high tech, nearly four in 10 have succeeded in securing new employment within a month of beginning their searches, according to a recent ZipRecruiter survey.

That said, companies can suffer serious consequences when laying off workers if they haven’t put cybersecurity at the center of their onboarding and offboarding plans and practices.

“One of the biggest HR [human resources] mistakes many companies make is failing to consider the cybersecurity implications of hiring and firing people until it’s too late,” argues Kyle Dewar, director of technical account management for Tanium. “Most often, employees just take inconsequential documents, like templates or presentations, that they’d like to use on their next jobs. But it only takes one thief selling intellectual property [IP] or one disgruntled ex-worker to hack a corporate network to hurt a company. Sadly, with the mass layoffs we’ve seen lately, that is happening more frequently.”

Indeed, about a third of employers with ineffective offboarding plans say they have had former workers take confidential data (29%), breach their networks (28%), or hack the back ends of their websites (32%) in the past year, a Beyond Identity survey found. A quarter of those firms experienced reputational damage as a result.

To avoid such difficulties, experts recommend defining what access people will have to network data and resources while employed, how that will be monitored and enforced, and what happens upon termination.

Safe firing starts with smart hiring

The first step is for HR and IT leaders to establish acceptable use policies (AUPs) as part of all those onboarding documents new hires sign before beginning work, advises Rajan Koo, chief customer officer and i3 lead at DTEX Systems, an insider threat management company. By legally agreeing to AUPs, employees are bound to follow rules for securely using company computers and network resources. They also acknowledge they know their employer could be anonymously monitoring their online activity while at work as part of efforts to identify suspicious or malicious digital behavior.

Koo says none of this should be communicated coldly or with heavy hands. Rather, leaders should genuinely explain that while the company trusts its employees, it must still do its utmost to protect confidential financial and customer records for legal and regulatory reasons. If delivered well, this message can promote compliance while deterring improper behavior, even after a layoff, Koo adds.

Companies shouldn’t claim they are monitoring activity if they are not. Employees aren’t stupid; they’ll eventually figure out nobody is watching and may then feel free to exfiltrate company data without authorization, especially if they plan to quit or sniff out impending layoffs.

Indeed, a Cyberhaven survey found employees are 68.7% more likely to divert data or passwords before resigning. Similarly, the survey showed fired workers are 23.1% more likely to exfiltrate data the day before they are let go and 109.3% more likely to take data on the day of their firing.

Sniffing out insider risks

Experts say organizations should be wary of such activities because they could indicate an employee is stealing trade secrets.

Case in point: convicted (and pardoned) autonomous vehicle engineer Anthony Levandowski, who left Google several years ago to start his own company, Otto (later acquired by Uber), and was accused of taking secret self-driving-car files with him. Unusual digital behavior could also point to employees downloading customer contact information to fuel their own businesses. Or it could suggest disillusioned workers are hoarding passwords to eavesdrop on internal communications, destroy company information, or launch cyberattacks down the road.

Plenty of real-time visibility, control, and remediation tools exist to help companies monitor and combat such digital activity. For example, some endpoint security solutions can protect companies from insider (or soon to be outsider) threats and zero-day attacks. They can also identify and close security gaps that may have been otherwise overlooked. In addition, some of these products create audit trails for tracking where stolen data, especially intellectual property, might have gone.

“This is important because a lot of organizations don’t realize they’ve lost IP until many years later when it makes its way into a competitor’s product as a commercial offering,” says Koo. “An audit trail allows you to go back and see what data was moved, where it came from, who touched it, and where it went.”

Getting ready for “D-Day”

Ideally, experts say, well-thought-through onboarding and offboarding processes should already be helping companies limit data loss or hacking activity by the time employees quit or receive pink slips. But several steps still need to be taken on departure day, or D-Day, to minimize long-term risk.

One of the most important—and most neglected—considerations is this: Compassion counts. Make sure employees hear about their layoffs from empathetic human beings first, rather than learning through an electronic communication, having their network access shut off without explanation, or reading about their fates in the news. Such callous conduct could motivate some offended ex-employees to steal digital assets or launch future cyberattacks.

In a recent blog, Catherine Marinis-Yaqub, a principal with Control Risks Crisis and Security Consulting, recommends companies take a few other precautions as well, including:

  • Shutting down all access to corporate digital assets, including mailboxes, applications, cloud, company network, and other sources of data, as well as company-owned mobile devices. Again, this should coincide with or follow the moment employees are told about their layoff.
  • Retrieving all company-supplied devices, equipment, and property issued to employees such as laptops, hard drives, USB drives, mobile phones, company credit cards, badges, access cards, and parking passes.
  • Deleting corporate data on employee-owned electronic devices.

  • Conducting an exit interview with a security or risk officer present to “address outbound risks to the organization and remind employees of their obligation to protect company critical assets and of their noncompete agreements,” Marinis-Yaqub suggests. If this can’t be done live, she says, companies should address these key points in written communications sent to employees.
  • Arranging additional security at physical locations when departing employees are expected to be onsite for their final days and possibly escorting them offsite to prevent harm to people, data, or facilities.

To this latter point, the SHRM’s Dooney says HR teams should soften the psychological trauma of being escorted off property.

“Employers can be helpful and reassuring by telling employees they’ll have time to come back to gather personal belongings and documents the company is OK with them having,” he says. “Obviously, it won’t be customer contact information or anything like that. But letting employees have some things they worked on can provide some relief and consolation to employees as they depart.”

David Rand

David Rand is a business and technology reporter whose work has appeared in major publications around the world. He specializes in spotting and digging into what’s coming next – and helping executives in organizations of all sizes know what to do about it.
