We are a little over halfway into 2023 and have already seen more than 100,000 tech employees laid off from their jobs due to budget cuts, corporate consolidations and general economic uncertainty. From the largest enterprises to the smallest firms and startups, substantial cuts to an organization's workforce require careful handling to ensure proper consideration for the well-being of outgoing and remaining employees.
The digital age has seen the emergence of countless software-as-a-service (SaaS) applications that most workers use to accomplish business-critical tasks each day. This has created a new and serious risk for organizations—former employees exfiltrating or compromising the SaaS data of the organizations they worked for and the vendors they worked with. Whether nefarious or innocent in nature, companies need to consider these security concerns as they would any other aspect of the layoffs process to reduce risk and ensure smooth operations.
The Over Accessibility of Digital Assets
When employees are off-boarded, they often retain access to SaaS data that lives in the company’s collaboration apps like Microsoft Teams and Slack, cloud storage apps like Google Drive and AWS, code repositories like GitHub, and more. According to DoControl's Q1 2023 SaaS Security Threat Landscape Report, 61% of companies have employees who have shared company-owned assets with their personal email. This can result in shadow accounts gaining access to company assets even after the employee's work email has been disabled.
There is often a lack of oversight and control over who has access to sensitive data during a turbulent process like mass workforce reductions. If access entitlements and permissions are not dealt with in parallel with the employment status change (i.e., terminations or layoffs), the risk of sensitive data theft or misuse rises significantly.
From a data perspective, these former employees may still have access to financial information, intellectual property, trade secrets and customer data. Significant data leaks and breaches are often accompanied by negative outcomes such as financial losses, legal penalties and reputational damage for the company. To mitigate this risk, it is important for organizations to have robust access management policies and procedures in place.
The level of risk and the types of data that can be accessed vary greatly based on the former role of the employee. It is not uncommon for employees, especially those who work in sales or business development, to take their book of business or customer list with them during their departure. A customer list is in essence a privileged document that should never depart the business and demands appropriate controls be wrapped around it. Another example would be a developer leaving with key portions of code, which should also raise red flags.
Another consideration is that laid-off employees may be more susceptible to social engineering attacks. Malicious actors can leverage social manipulation like phishing, spear phishing and impersonation to gain access to sensitive data or systems. For example, they might pose as a company representative and play on fear to request that a former employee provide login credentials from their previous employer. This played out in 2019, when the CEO at a U.K. energy provider received a phone call that sounded exactly like the chief executive at the company's German parent company. The U.K.-based CEO proceeded to send close to half a million dollars to fraudsters who had used AI to mimic the executive’s voice.
The most concerning data security risk that is amplified during mass layoffs is the possibility of malicious intent. In certain instances, affected employees become highly incentivized to steal or leak sensitive data as a form of retaliation or revenge. This can be particularly damaging if the employee continues to have access to confidential or proprietary information. For example, in January 2021, four lawyers at the Elliott Greenleaf law firm stole the organization’s files and deleted its emails as a ploy for personal gain. The attorneys had been planning their attack for four months, copying the firm’s files and client databases and downloading large numbers of files to their personal Google Docs, Gmail accounts and iCloud.
DoControl’s report found that large companies had roughly 5.5 million assets on average stored in SaaS applications. This provides an opportunity for a former employee with lingering access to steal substantial amounts of data if they decided to act with nefarious intent. Compound this with third-order effects like bad actors gaining access to that data once it is on the internet, and it becomes clear why this risk vector needs to be closed as quickly as possible following employment termination.
Putting Data (and Risk) to Rest
The threat of data loss and insider risk will likely continue to rise with corresponding layoffs. To mitigate this possibility, there are a few steps that all organizations should take. These include revoking access to sensitive data as soon as employment status changes are triggered, maintaining close oversight into suspicious sharing and permission activities, and implementing stricter data security measures to flag and prevent any unapproved exfiltration of corporate data.
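The shadow-account problem described earlier (shares to personal email that survive disabling the work account) and the revocation and oversight steps just listed can be reconciled from two feeds: the HR status feed and the SaaS sharing audit export. The following is an added example, not code from the article or from DoControl; all records are constructed, and the field names, corporate domain and 30-day look-back window are assumptions.

```python
"""Offboarding reconciliation over SaaS sharing records (added example; constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta

CORP_DOMAIN = "example.com"           # assumed corporate mail domain
PRE_EXIT_WINDOW = timedelta(days=30)  # assumed look-back for pre-departure sharing

@dataclass(frozen=True)
class Share:
    asset_id: str
    owner: str        # corporate account that granted the share
    shared_with: str  # recipient; may be a personal or external account
    role: str         # "viewer" or "editor"
    created: date     # day the share was granted

# Constructed HR feed: corporate account -> exit date (None = still active).
HR_EXIT = {
    "alice@example.com": date(2023, 6, 30),
    "bob@example.com": None,
    "carol@example.com": date(2023, 3, 15),
}

# Constructed audit export. Disabling alice's work account does not remove the
# editor grant she gave her personal Gmail address on doc-101.
SHARES = [
    Share("doc-101", "alice@example.com", "alice.p@gmail.com", "editor", date(2023, 6, 28)),
    Share("doc-102", "alice@example.com", "bob@example.com", "viewer", date(2023, 6, 1)),
    Share("doc-103", "bob@example.com", "partner@vendor.example", "viewer", date(2023, 5, 2)),
    Share("doc-104", "carol@example.com", "carol.h@outlook.com", "viewer", date(2022, 11, 9)),
]

def is_external(address: str) -> bool:
    return not address.lower().endswith("@" + CORP_DOMAIN)

def residual_external_shares(shares, hr_exit):
    """Shares a departed owner granted to external accounts: access that outlives the disabled work account."""
    return [s for s in shares
            if hr_exit.get(s.owner) is not None and is_external(s.shared_with)]

def pre_exit_sharing(shares, hr_exit, window=PRE_EXIT_WINDOW):
    """Residual shares granted within `window` before the exit date: a review signal, not proof of exfiltration."""
    return [s for s in residual_external_shares(shares, hr_exit)
            if hr_exit[s.owner] - window <= s.created <= hr_exit[s.owner]]

def revocation_plan(shares, hr_exit):
    """Group residual shares by external recipient so each shadow account's grants are revoked in one pass."""
    plan = {}
    for s in residual_external_shares(shares, hr_exit):
        plan.setdefault(s.shared_with, []).append((s.asset_id, s.role))
    return plan
```

Owners missing from the HR feed are treated as active by `hr_exit.get`, so the two feeds should be reconciled for coverage before the revocation plan is trusted.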
All of these steps can be accomplished swiftly through the implementation of SaaS security tools and platforms. These tools have many forms and focuses that can address individual use cases. However, more powerful platforms are also emerging to address this problem at scale through automated remediation workflows.
The ability for companies of all sizes to protect their SaaS platforms and tools with security controls gets easier by the day, and organizations should take a more proactive and aggressive approach when navigating this process. It is crucial that employers be aware of the risks associated with layoffs and have processes already in place to mitigate them.