The ubiquity of advanced technology has opened the door to efficiencies and innovation, but it has also introduced a new frontier of potential cybersecurity issues, including ones relating to current and former employees.
In particular, companies conducting layoffs or downsizing may face a variety of cybersecurity risks as employees exit the organization. Understanding possible cybersecurity threats is a key step as organizations prepare for employee reductions. From there, organizations can plan for how to mitigate these risks, preparing in advance for any threats.
Identifying Cybersecurity Risks
Layoffs and downsizing efforts may expose companies to myriad cybersecurity risks, including those introduced by company insiders and those that arise from resource constraints. Below are some possible risks companies may face.
Insider Threats. Given how enmeshed technology is in many employees’ everyday jobs, insider threats—whether intentional or accidental—are a major consideration when preparing for cyber risks during layoffs and downsizing. Employees may attempt to take company data and information, such as customer lists, trade secrets, templates, models, product information and more, to leverage at a competitor. Such actions could expose competitive intelligence and also raise confidentiality concerns.
Employees’ retention of firm data may be an even larger concern if employees have been permitted to use their own devices and save files and information without any restrictions in place. Another potential risk is that employees may delete important company documents and records, whether intentionally or accidentally, as they exit the organization.
In some instances, companies may also encounter cybersecurity risks stemming from disgruntled employees after layoffs. For example, employees may leak sensitive or nonpublic information, including to reporters, to embarrass the company or reveal company secrets.
Resource-Based Threats. Downsizing or conducting layoffs may also place significant resource constraints on an organization, opening it up to outside cybersecurity threats and internal risks. Without proper planning, shedding certain positions may result in fewer checks and balances in core areas across the company’s IT, management, and human resources functions. A lower headcount in IT and other tech-related departments could create gaps in supervision and coverage, and potentially make a company more vulnerable to cyber threats. And across the company, terminating employees with oversight responsibilities could affect proper management of access to repositories of information, databases, and confidential materials, possibly creating vulnerabilities.
Mitigating Potential Risks
When preparing for layoffs or downsizing—or when proactively planning for possible future staffing changes as part of a larger business plan—companies may implement certain measures to mitigate potential cybersecurity risks. The following is a non-exhaustive list of some approaches that companies may consider.
Conduct a robust exit interview process. Establishing a thorough exit interview process is a valuable tool for risk management. Through this process, organizations can confirm on the record that an employee has not inappropriately retained any company information and isn’t aware of any other breaches or cyber incidents that haven’t been disclosed or handled. The exit interview is also an opportunity to understand each employee’s duties and oversight responsibilities, as well as where all of the employee’s work product has been stored.
Focus on continuity. In the aftermath of layoffs or downsizing, emphasizing continuity can be invaluable for upholding security. As a first step, collecting information on the employee’s duties and work product during the exit interview, as described above, can yield a continuous chain of responsibility and oversight. Companies may evaluate how responsibilities of current employees should shift to account for any potential gaps, especially in tech-related departments. Simple steps like auto-forwarding a departing employee’s emails, communicating about where their documents are stored and notifying current employees about role changes can ensure that important information is not overlooked.
Establish clear policies. Creating policies in advance to govern data security, ownership of data, and acceptable uses and limitations for devices may prevent internal threats by fully informing employees of what is and isn’t permissible. Organizations can draft a written policy for employees to review and sign so that they are aware of the parameters of device use, corporate ownership of data, and limitations on privacy.
Keep track of devices. As part of this policy, it is important that companies create an inventory of all devices used by employees for work purposes—both company issued and “bring your own device”—and an established procedure for collecting and wiping devices once an employee leaves the organization. For BYOD equipment, companies may consider using containerization technology to separate and encrypt company apps and data so that IT can manage the security and remotely wipe this data when employment ends. Whatever method organizations use, it’s critical that they ensure all devices are accounted for and that company data has been returned or deleted at the conclusion of employment.
Disable access. In addition to collecting or wiping all devices, it’s also vital to restrict former employees’ credentials and passwords so that they no longer have access to company data and platforms.
Monitor data. Companies may also consider implementing data loss prevention tools that identify attempts to transfer data outside of the organization or unusual patterns of interacting with corporate data.
Destroy or return hard copies. While a lot of information is stored digitally, employees may also have hard copies of sensitive company data and passwords. Ensuring that all of this material is either turned in or destroyed—if appropriate—and not retained at an employee’s remote work location is a vital step in the offboarding process and can prevent possible vulnerabilities to an organization’s cybersecurity.
In today’s digital age, companies undergoing layoffs or downsizing may face a variety of cybersecurity risks, whether from insider threats, constraints on resources or other sources. Understanding the cyber threat landscape and crafting a plan to mitigate potential issues can help companies prevent risk and focus on moving their businesses forward.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Author Information
John P. Carlin is a partner at Paul, Weiss, Rifkind, Wharton & Garrison and co-chair of the firm’s cybersecurity and data protection and digital technology practices.
Jeannie S. Rhee is the deputy managing partner of the Washington office at Paul, Weiss, Rifkind, Wharton & Garrison and co-chair of the firm’s cybersecurity and data protection practice.
Peter Carey is counsel in the litigation department and a member of the cybersecurity and data protection practice at Paul, Weiss, Rifkind, Wharton & Garrison.