I hadn’t thought of this, but it makes sense. Do layoffs increase cybersecurity risks? This article from Corporate Counsel discusses why they might.
Corporate Counsel (Layoffs Likely to Increase Tech Industry’s Cybersecurity Risks on Two Fronts, written by Isha Marathe) reports something we’re already well aware of – a stream of staff cuts has plagued the tech industry over the past few months. But in a world increasingly vulnerable to security threats, when economic fears push organizations to make large layoffs in short periods of time, are there repercussions to a company’s cybersecurity infrastructure?
Industry insiders and cybersecurity experts told Law.com that the concerns are likely twofold—the possibility of cutting too many roles that work to secure and strengthen IT departments and employees leaving in quick succession resulting in the failure to safeguard company credentials.
Mark Sangster, vice president and chief of strategy at Adlumin, noted that the cybersecurity repercussions of layoffs should not be taken lightly.
“When you go through any kind of transition as an organization, it creates both operational, and emotional upheaval,” Sangster said. “So you obviously have the human element of layoffs, [and then] the reassignment of duties,” meaning, if someone is performing a role and is laid off, “that role either goes away or is delegated to another individual.”
The time it may take to train a new person for the same role could result in delayed critical services, many of which could be IT related. Or, budget restrictions could lead to an individual having to take on too many duties resulting in security vulnerabilities.
Sangster pointed to the Capital One data breach announcement in 2019 that was the result of a misconfiguration of an Amazon firewall as an example of what could happen if an untrained individual took over the cybersecurity duties of a cut role.
There is also the risk of offboarding mistakes when many employees are let go at once, or “employees leaving and taking information with them,” which can result in significant data loss, Sangster said. As businesses rely on cloud-based solutions, the need to meticulously seal off credentials becomes even more vital.
My friend and colleague, Brett Burney, principal at Burney Consultants and e-law evangelist at Nextpoint, told Law.com that he believes most layoffs are a “stabilizing move” or a “righting of the ship.”
What’s more, from a technical and logistical perspective, he thinks many of the significant security holes could be closed up by administrators accessing security dashboards post-cutbacks.
However, Burney sees what he refers to as the “people problem … where disgruntled or upset employees would surreptitiously take off with sensitive information, or somehow circumvent security protocols to take emails or other documents they believe could potentially help them land a new job.”
It isn’t too easy to avoid this problem. Not only is it difficult to track all the information each employee might leave with during a big layoff, it’s hard to gauge their mindset during exit meetings, he noted.
Do layoffs increase cybersecurity risks? Here are four stats from a Beyond Identity survey from last year, when the Great Resignation, not layoffs, was the biggest reason for employee departures:
- 83% of former employees continued accessing accounts from their previous employer after leaving the company.
- 56% of former employees said they had used their continued digital access to harm their former employer.
- 71% of IT decision makers in the US and UK said the Great Resignation has increased security risks at their companies.
- 40% of American employees say they had taken data with them when they left their old jobs.
Do layoffs increase cybersecurity risks? If voluntary departures increase cybersecurity risks, I would think layoffs do so even more.
So, what do you think? Do you think layoffs increase cybersecurity risk? Please share any comments you might have, or let me know if you’d like to know more about a particular topic.
Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.