Power

How to manage Slack and email for laid-off and furloughed workers

Mass layoffs carry a cybersecurity risk, experts warn.

A disgruntled worker sitting at her computer in the dark

Cybersecurity professionals have long recognized that data breaches can come from disgruntled or fired employees.

Photo: FG Trade via Getty Images

As more people are laid-off and furloughed due to the economic impacts of the coronavirus pandemic, businesses are left with the difficult task of removing employees from company systems securely and protecting data and IP.

Cybersecurity professionals have long recognized that data breaches can come from disgruntled or fired employees. These insider threat incidents might be more destructive and costly now than they have been in the past, such as during the mass layoffs of the 2008 financial crisis, because many employees have access to huge amounts of data through tools including Slack, Box and OneDrive that can be transferred with ease to a personal email or thumb drive, said Joe Payne, chief executive of cybersecurity firm Code42.

"The collaboration tools that are helping us survive this crisis … make it easy for employees to take critical company data — customer lists, product plans, source code — when they leave the organization. They are especially likely to do this when laid off," Payne said in an email.

It's likely necessary to lock down access to email and other data quickly in both cases of layoffs and furloughs. But Shawn Henry, chief security officer at CrowdStrike. said communicating this empathetically can go a long way toward quelling employee resentment, particularly in situations where it's possible the employee will be rehired in the future. For example a manager might say, "We're looking to minimize the risk to our company, and in doing that we're minimizing who has access to that data."

In his advice on managing layoffs, Andreessen Horowitz's David Ulevitch recommended that companies revoke access to resources like email on the day an employee is notified of termination. He also wrote that it might be appropriate to let employees use their laptops after their last day, especially in current situations when people are working remotely, and you can't retrieve the device immediately. Still, he cautions to evaluate the security and intellectual property implications before letting employees keep devices indefinitely.

Staying ahead of insider threats

Cybersecurity experts said there are a number of tools and procedures that organizations should have in place to detect and prevent insider threats from laid-off employees. The first step is identifying the company's "crown jewels," or the data and systems that are the most valuable and vulnerable, said Jon Ford, a director at the cybersecurity and incident response firm FireEye. Companies should limit who has access to these systems and data in the first place, and should cut off access quickly when employees leave the company, said Shuman Ghosemajumder, global head of AI at F5 Networks, a maker of application security technology.

Security teams can deploy technology that monitors employee behavior and actions to identify early signs of an insider threat, said McAfee Chief Technology Officer Steve Grobman. "If all of a sudden you see an employee who has never accessed the customer database download the whole thing, you need to look for those types of events," he said. Other tools can block attempts to exfiltrate that data by preventing screenshots, print jobs or transferring it to another device, depending on how sensitive the data is, Ford said.

Security teams should also involve HR and business leaders in their insider threat detection plans to better understand who has rich access to company systems and data, and who is likely to take out their frustration on the organization if they're fired.

"Insider threats are going to become much more prevalent as we look ahead," Ford said. "Our practices have evolved around external hackers … but insider threats can have a much more detrimental impact, and remediation can be much more exorbitant for an internal attacker versus an external one."

Furloughs make things more complicated

Companies might want to consider allowing furloughed employees or other workers who they hope to rehire to retain temporary access to their corporate devices and some applications, said Sandra Sucher, a professor of management practice at Harvard Business School who has written extensively on layoffs and workforce changes.

"You need to ask what the application is being used for; if Slack is being used to communicate in detail about confidential work information, that's a different story, but if it's being used the way I see it being used in a lot of organizations, it's more of a social network," she said. "Allowing them to keep access will maintain a connection, and the company will be rewarded when they need to reconstitute their workforce." Companies in highly regulated industries, such as finance or health care, might be required to cut off access completely, she added.

Some good news for companies is that there are technologies they can deploy to help closely manage who can access what corporate data. Okta, an identity and access management firm, has tools that allow businesses to immediately deprovision an employee's access to sensitive applications following a layoff, but maintain access to other services, such as a general Slack channel. The tools can also retain all the data, so if an employee rejoins the company, they will still have access to documents or other information that was temporarily made inaccessible, said Okta co-founder and Chief Operating Officer Frederic Kerrest.

"There are a lot of humane reasons to do things like allowing people to keep access to specific Slack channels and video conferencing apps," he said. "You definitely want to ensure that [if they rejoin the organization] you get them with a high morale and get reintegrated as fast as possible."

The danger is very real

One challenge to managing technology access of employees who are being let go is that the results can be devastating. F5 Networks' Ghosemajumder said that while most laid-off workers will behave professionally and ethically, a small percentage will try to harm their former employers. These types of incidents can be particularly damaging and difficult to detect because the employee might have legitimate access to the data and systems that they are targeting and likely know the organization better than an external hacker would. The average cost of an insider threat incident was $8.7 million in 2018, according to a report by the Ponemon Institute. This can include the cost of an investigation, remediation, legal fees, reputational damage, and the value of lost or destroyed IP.

One example that shows how much damage an employee can do to a corporate computer network happened at the Canadian Pacific Railway and resulted in a felony. In 2018, the U.S. Department of Justice announced that Christopher Grupe, a former IT employee of the CPR, was sentenced to a year in prison for intentionally damaging the company's computer network. Upon being informed that he was going to be fired, Grupe "strategically deleted files, removed administrative-level accounts, and changed passwords on the remaining administrative-level accounts, thereby locking CPR out of" its core computer network that handled critical data, according to the announcement. "Grupe then attempted to conceal his activity by wiping the laptop's hard drive before returning it to CPR."


Get in touch with us: Share information securely with Protocol via encrypted Signal or WhatsApp message, at 415-214-4715 or through our anonymous SecureDrop.


Cybersecurity experts say a more common scenario involves employees who take sensitive corporate data or valuable intellectual property when they leave an organization. Last month, for example, former Google engineer Anthony Levandowski admitted to downloading thousands of documents about the company's self-driving program in 2015 and transferring them to his personal laptop.

This type of behavior is surprisingly common, studies show. According to a 2019 report from Code42, 65% of security professionals admit to taking company information to their next job.

FireEye has also noticed a new trend where employees don't just take data on their way out the door and use it in their new job — they try to extort the company for money, Ford said. "Last year we saw several cases where an insider extorted a company with data they had stolen. In several cases, they stated they were an external actor, but forensic evidence pointed towards them, and law enforcement either arrested or interviewed them," he said.

Workplace

It's OK to cry at work

Our comfort with crying at work has changed drastically over the past couple years. But experts said the hard part is helping workers get through the underlying mental health challenges.

Tech workers and workplace mental health experts said discussing emotions at work has become less taboo over the past couple years, but we’re still a ways away from completely normalizing the conversation — and adjusting policies accordingly.

Photo: Teerasak Ainkeaw / EyeEm via Getty Images

Everyone seems to be ugly crying on the internet these days. A new Snapchat filter makes people look like they’re breaking down on television, crying at celebratory occasions or crying when it sounds like they’re laughing. But one of the ways it's been used is weirdly cathartic: the workplace.

In one video, a creator posted a video of their co-worker merely sitting at a desk, presumably giggling or smiling, but the Snapchat tool gave them a pained look on their face. The video was captioned: “When you still have two hours left of your working day.” Another video showed someone asking their co-workers if they enjoy their job. Everyone said yes, but the filter indicated otherwise.

Keep Reading Show less
Sarah Roach

Sarah Roach is a news writer at Protocol (@sarahroach_) and contributes to Source Code. She is a recent graduate of George Washington University, where she studied journalism and mass communication and criminal justice. She previously worked for two years as editor in chief of her school's independent newspaper, The GW Hatchet.

Sponsored Content

Foursquare data story: leveraging location data for site selection

We take a closer look at points of interest and foot traffic patterns to demonstrate how location data can be leveraged to inform better site selecti­on strategies.

Imagine: You’re the leader of a real estate team at a restaurant brand looking to open a new location in Manhattan. You have two options you’re evaluating: one site in SoHo, and another site in the Flatiron neighborhood. Which do you choose?

Keep Reading Show less
Enterprise

Arm’s new CEO is planning the IPO it sought to avoid last year

Arm CEO Rene Haas told Protocol that Arm will be fine as a standalone company, as it focuses on efficient computing and giving customers a more finished product than a basic chip core design.

Rene Haas is taking Arm on a fresh trajectory.

Photo: Arm

The new path for Arm is beginning to come into focus.

Weeks after Nvidia’s $40 bid to acquire Arm from SoftBank collapsed, the appointment of Rene Haas to replace longtime chief executive Simon Segars has set the business on a fresh trajectory. Haas appears determined to shake up the company, with plans to lay off as much as 15% of the staff ahead of plans to take the company public once again by the end of March next year.

Keep Reading Show less
Max A. Cherney

Max A. Cherney is a senior reporter at Protocol covering the semiconductor industry. He has worked for Barron's magazine as a Technology Reporter, and its sister site MarketWatch. He is based in San Francisco.

Policy

The great onshoring: Inside the transcontinental chip race

The second annual Trade and Technology Council emphasized the centrality of semiconductor onshoring to U.S.-EU military objectives.

For chip manufacturers, free-flowing subsidies for now might come at the cost of a potential overcapacity problem in the longer term.

Illustration: Christopher T. Fong/Protocol

The prospect of global conflict permeated the room at this year’s Trade and Technology Council, which concluded in France earlier this week. The second annual gathering of U.S. and EU officials yielded a joint statement that mentioned some form of “Russia” or “Ukraine” more frequently than “technology,” “regulation,” “investment,” “security” or “competition.”

The conflict in Ukraine, having already escalated into a U.S. proxy war, seemingly convinced the EU to fall in line with the American tech policy agenda.

Keep Reading Show less
Hirsh Chitkara

Hirsh Chitkara ( @HirshChitkara) is a reporter at Protocol focused on the intersection of politics, technology and society. Before joining Protocol, he helped write a daily newsletter at Insider that covered all things Big Tech. He's based in New York and can be reached at hchitkara@protocol.com.

Climate

2- and 3-wheelers dominate oil displacement by EVs

Increasingly widespread EV adoption is starting to displace the use of oil, but there's still a lot of work to do.

More electric mopeds on the road could be an oil demand game-changer.

Photo: Humphrey Muleba/Unsplash

Electric vehicles are starting to make a serious dent in oil use.

Last year, EVs displaced roughly 1.5 million barrels per day, according to a new analysis from BloombergNEF. That is more than double the share EVs displaced in 2015. The majority of the displacement is coming from an unlikely source.

Keep Reading Show less
Lisa Martine Jenkins

Lisa Martine Jenkins is a senior reporter at Protocol covering climate. Lisa previously wrote for Morning Consult, Chemical Watch and the Associated Press. Lisa is currently based in Brooklyn, and is originally from the Bay Area. Find her on Twitter ( @l_m_j_) or reach out via email (ljenkins@protocol.com).

Latest Stories
Bulletins