How to protect company data when you’re preparing for a layoff
Data theft by workers looms over 2023 layoffs. Now is the time to protect your business and employees by implementing proper exit protocols.
The great downsizing has commenced
In 2022, we saw record levels of employee layoffs from some of the world’s most prominent companies, including Amazon, Meta, and Twitter. In 2023, companies like Goldman Sachs and Salesforce have conducted layoffs affecting tens of thousands of employees. Today’s uncertain macroeconomic conditions and turbulence in capital markets make it likely that more layoffs will happen this year.
If your management team is planning a reduction in force (RIF), it’s imperative that you protect company data while doing so, because there’s been a surge of employees taking customer records, source code, product designs, and more around their departures. There’s a strong incentive for disgruntled employees to try to take this information to your competitors to land a new job or leak it to the media.
New data also shows that employees take sensitive company information well in advance of a layoff, which calls for a two-pronged strategy to protect data.
Top questions to ask if you’re planning layoffs
If you’re planning a reduction in force, there are several important questions to address from a security perspective:
- At a foundational level, what are your sensitive data repositories? Which assets are processing sensitive data?
- How do you stop an employee from taking sensitive company data with them on their way out the door?
- What corporate data has an employee already transferred out of a company’s walls, whether maliciously or out of convenience to work in other apps or devices?
- How do you ensure data privacy compliance to prevent penalty fines, or loss of reputation with customers over mishandled data?
- How do you defend against external attackers looking to take advantage of stale SaaS app accounts of departed employees?
- How do you stop employees who remain after a layoff from proactively taking copies of data, having seen their colleagues dismissed and lose access to data?
Why a secure offboarding process is important
Developing a robust procedure for secure offboarding is important in order to defend the company against security risks, while maintaining productivity of the team. Enterprises need a process in order to:
- Revoke access – companies should revoke access to accounts and SaaS applications in a timely manner and rotate API/SSH keys.
- Physically collect devices – retrieve laptops, phones, tablets, etc. as soon as possible.
- Ensure continuity of operations – develop a plan to delegate projects and hand off accounts and data.
Additionally, careful coordination between various teams is required to prevent insider data leaks. An optimal approach involves collaboration between the human resources, legal, IT, IT security, and physical security departments. Each team plays a key role in enabling a secure offboarding:
- Human resources team finalizes departures and notifies employees
- IT team deprovisions and revokes access to applications and ensures company devices are locked and wiped in a timely manner. Ideally, the HR system can serve as an authoritative source for identity, wherein offboarding in the HR system would also remove access to downstream systems via platform integrations.
- Physical security team disables access to company facilities and in some cases escorts departing employees from facilities
- Security team monitors for unusual behavior, network log-ins, and data exfiltration attempts.
- In a remote world, the HR team organizes a recovery of corporate laptops/phones, and in cases where devices can’t be retrieved, data is wiped remotely.
The timing of these tasks should be coordinated amongst teams. According to Sounil Yu, CISO at JupiterOne, “timing is critical when it comes to employee departures, as the security team needs to be ready and able to terminate someone’s access to every and all systems and devices as soon as the layoff happens. You want to synchronize the cutting of access all at the same time. That includes the obvious things around network log-ins or access to various enterprise services, but [security teams] often forget about cloud services or service accounts.”
Be proactive, not reactive
In addition to navigating RIFs with a secure offboarding process, it’s important to take sufficient preventative measures *prior* to layoffs. In our Insider Risk Report, we observed that when people are laid off or fired, they are more likely to take data.
There is an increase in data exfiltration attempts the day before an employee’s termination: employees who are fired are 23.1% more likely to exfiltrate data the day before they are fired and 109.3% more likely to exfiltrate data the day they are fired. But data taken on these two days is dwarfed by the data taken every day.
So the question boils down to – what data have insiders already taken before they lost access to company accounts? And what data did insiders take weeks, or months ago? How do you get that data back, or delete copies of it? What data do employees still have access to, post-termination?
The key to answering these questions is the ability to track the movement of your company’s data in a way that doesn’t require physical custody of a device in order to image a laptop. This is critical, because in a remote organization, you may not be able to get an employee’s laptop back in a timely manner, or back at all!
Forensics tools used on a laptop in physical custody can be effective for one-off investigative purposes, as seen in the Apple Car case. However, for a larger reduction in force consisting of thousands of employees, forensics tools simply don’t scale efficiently to track data misuse in a timely manner. When it comes to preparing for layoffs, a more preventative and programmatic solution trumps forensics tools.
Another risk to watch for is employees that regain access to accounts after they’re let go. Employee accounts should be monitored for unauthorized access. For example, recently a former Cash App employee downloaded reports containing customer information without permission, after their employment ended.
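One way to run the post-termination access check described above, including the service accounts that are easy to overlook, is to join the HR termination list against authentication logs. This is an added example, not code from the original article; the log layout, system names, users and the service-account ownership map are constructed assumptions.

```python
from datetime import datetime

# Constructed sample data: names, systems and field layout are assumptions.
# HR system as the authoritative source: user -> termination time.
TERMINATIONS = {
    "alice": datetime(2023, 3, 1, 17, 0),
    "bob": datetime(2023, 3, 1, 17, 0),
}
# Service accounts and API keys mapped to the person who owns them.
OWNERS = {"svc-report-export": "alice", "ci-deploy-key": "carol"}

EVENTS = [  # (timestamp, system, principal, action)
    ("2023-03-01T16:40:00", "sso", "alice", "login"),
    ("2023-03-01T17:05:00", "sso", "bob", "login_denied"),
    ("2023-03-02T09:12:00", "cloud-console", "bob", "login"),
    ("2023-03-03T02:30:00", "reporting-api", "svc-report-export", "download_report"),
    ("2023-03-03T08:00:00", "git", "ci-deploy-key", "push"),
]

def post_termination_activity(events, terminations, owners):
    """Return successful events by a departed user or by a credential they own."""
    findings = []
    for ts, system, principal, action in events:
        person = owners.get(principal, principal)  # resolve service account to owner
        cutoff = terminations.get(person)
        if cutoff is None or action.endswith("_denied"):
            continue  # still employed, or the access was correctly refused
        when = datetime.fromisoformat(ts)
        if when > cutoff:
            hours = round((when - cutoff).total_seconds() / 3600, 1)
            findings.append({"time": ts, "system": system, "principal": principal,
                             "person": person, "hours_after": hours})
    return findings

if __name__ == "__main__":
    for finding in post_termination_activity(EVENTS, TERMINATIONS, OWNERS):
        print(finding)
```

In the sample data, SSO was cut off correctly, but a direct cloud console login and a service account owned by a departed user still worked, which is the gap that synchronized revocation is meant to close.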
How to leverage security tools before and during a layoff
Several security tools are useful for secure offboarding, including:
- Single sign-on (SSO) software (like Okta) – to immediately turn off access to all work applications as soon as an employee is terminated
- Mobile device management (MDM) software (like JAMF) – to remotely lock and wipe a laptop, without physical custody of corporate devices.
- Password management tools (like 1Password) – to automatically change passwords of team and shared accounts, and revoke access.
In addition to SSO, MDM, and password management tools, enterprises can also use data loss prevention (DLP) and insider risk management (IRM) products to protect data every day and in the days leading up to a layoff, when data theft surges.
- DLP – Data loss prevention tools include offerings that provide visibility into data usage and movement across an organization. If you have a DLP product, you must turn on blocking capabilities – you can’t just operate in monitoring mode.
- IRM – Insider threat/risk management tools measure, detect and contain undesirable behavior of trusted accounts. While many are designed to send alerts but not to stop or block data from leaving, they can provide early warning of data exfiltration so that security teams can take steps to prevent future data loss.
From an offboarding perspective, security products play a critical role in helping enterprises ensure that employees and contractors don’t have access to or copies of confidential company information after they depart the company.
Two security approaches companies can take:
We see companies take two tactical approaches to prevent data loss:
- Block employees from transferring ANY sensitive data out
This is a tougher stance against exfiltration, and requires a data loss prevention tool that’s capable of blocking data exfiltration via cloud storage, email, USB, and modern sharing technologies like AirDrop. While taking a hard stance on data exfiltration offers increased prevention from insider-driven data leaks, the tradeoff is that employees may be blocked from performing their jobs efficiently. There are legitimate reasons for employees to egress data as a part of their job functions as well – for example, when sharing a file to collaborate with a contractor or customer. Given these scenarios, taking a strict data-blocking stance can be seen as prioritizing security at all costs – even if it means constraining employee productivity.
- The “claw it back” approach
The “claw it back” approach allows more freedom for employees to collaborate and maintain productivity, while still being vigilant of data movements and possible misuse of data. Leveraging a data loss prevention tool’s monitoring features is key here, in order to reveal the confidential data an employee may have exfiltrated. In cases where unwanted data exfiltration is discovered, companies can design legal contracts to minimize their business risk. For example, offboarding contracts can include a clause that reminds employees of their legal confidentiality responsibilities, ensuring they are not taking any sensitive company information on their way out. In addition, severance agreements can be made contingent on employees returning copies of confidential files, and/or deleting sensitive data.
Data tracing is key to secure offboarding
Data lineage solutions that can trace or track data from creation through modification to its ultimate exfiltration are key for data protection. An automatic data tracing solution that’s able to combine the functionality of both aforementioned security approaches is ideal.
Knowing where data originated (e.g. the customer data warehouse in Snowflake), how it was handled (e.g. the Board Meeting prep folder on Google Drive), and when employees attempt to remove it (e.g. Apple AirDrop) is now mission critical intelligence for the coming era of sophisticated risks and threats.
This context also allows for smart policies: logic that evaluates different user actions to determine their riskiness. For example, an employee downloading open-source code from GitHub could be ignored, but an attempt at downloading the company’s source code could trigger an alert and investigation.
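The lineage-based policy described above can be sketched as follows: each egress event is walked back through its copy chain to the original source, and only data that started in a sensitive repository raises an alert. This is an added example, not the article's or any product's code; the event fields, paths and repository names are constructed assumptions, and it tracks lineage by artifact name only, which is a simplification.

```python
# Constructed event stream; field names, paths and repository names are assumptions.
EVENTS = [
    {"action": "export", "src": "snowflake://customers", "dst": "file:customers.csv", "user": "dana"},
    {"action": "copy", "src": "file:customers.csv", "dst": "gdrive:/Board Meeting prep/q1.xlsx", "user": "dana"},
    {"action": "copy", "src": "gdrive:/Board Meeting prep/q1.xlsx", "dst": "file:notes.xlsx", "user": "dana"},
    {"action": "egress", "src": "file:notes.xlsx", "dst": "airdrop:personal-phone", "user": "dana"},
    {"action": "download", "src": "github.com/example-oss/lib", "dst": "file:lib.zip", "user": "erin"},
    {"action": "egress", "src": "file:lib.zip", "dst": "usb:disk1", "user": "erin"},
    {"action": "download", "src": "github.com/example-corp/product", "dst": "file:product.zip", "user": "erin"},
    {"action": "egress", "src": "file:product.zip", "dst": "personal-cloud:backup", "user": "erin"},
]
# Origins treated as sensitive (assumed policy): the customer warehouse and the company's own repositories.
SENSITIVE_ORIGINS = ("snowflake://customers", "github.com/example-corp/")

def evaluate(events, sensitive=SENSITIVE_ORIGINS):
    """Return one alert per egress whose lineage starts at a sensitive origin."""
    parent = {}  # artifact -> artifact it was derived from
    alerts = []
    for e in events:
        if e["action"] != "egress":
            parent[e["dst"]] = e["src"]  # record how this artifact was created
            continue
        chain = [e["src"]]
        # Walk back to the origin; the membership check guards against copy cycles.
        while chain[-1] in parent and parent[chain[-1]] not in chain:
            chain.append(parent[chain[-1]])
        origin = chain[-1]
        if origin.startswith(sensitive):
            alerts.append({"user": e["user"], "origin": origin,
                           "destination": e["dst"], "path": chain[::-1]})
    return alerts

if __name__ == "__main__":
    for alert in evaluate(EVENTS):
        print(alert)
```

The renamed spreadsheet sent over AirDrop is still attributed to the customer warehouse, while the open-source download copied to USB produces no alert.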
It’s important to leverage data tracing as a preventative measure, not just a post-breach forensics last resort. For context, data tracing solutions need to be deployed well in advance of a reduction in force (RIF). Once a RIF has occurred, it’s not possible to retroactively track what occurred before, so companies should pursue and implement solutions proactively *before* conducting a RIF.
The modern way to manage offboarding and RIFs
If you’re planning a reduction in force, it’s important to gain visibility around malicious and negligent misuse of data before, not after.
To recap, some important steps to take as part of your RIF security strategy include complete visibility, contextual intelligence, gentle remediation, and instant blocking. Thorough, automatic visibility into data activity across all data silos, similar to a “flight recorder”, is important to keep pace with the ever-expanding number of new SaaS apps used by employees nowadays. Context around each data action (source, destination, people, action, content) is crucial to understand access, exposure, and intent of data usage. A gentle mode of remediation is helpful to educate employees and drive better user behavior in real time, without sacrificing productivity or security. Instantaneous blocking is critical to prevent the loss or risky spread of data – regardless of whether the intent is malicious or negligent.
As departures at companies increase, whether voluntary or not, we anticipate the surface area for business risk will grow. Now is the time to proactively leverage modern solutions to tackle these modern security problems in 2023 and beyond.