
How to manage Slack and email for laid-off and furloughed workers

Mass layoffs carry a cybersecurity risk, experts warn.


As more people are laid off and furloughed due to the economic impacts of the coronavirus pandemic, businesses are left with the difficult task of removing employees from company systems securely and protecting data and IP.

Cybersecurity professionals have long recognized that data breaches can come from disgruntled or fired employees. These insider threat incidents might be more destructive and costly now than they have been in the past, such as during the mass layoffs of the 2008 financial crisis, because many employees have access to huge amounts of data through tools including Slack, Box and OneDrive that can be transferred with ease to a personal email or thumb drive, said Joe Payne, chief executive of cybersecurity firm Code42.

"The collaboration tools that are helping us survive this crisis … make it easy for employees to take critical company data — customer lists, product plans, source code — when they leave the organization. They are especially likely to do this when laid off," Payne said in an email.

It's likely necessary to lock down access to email and other data quickly in cases of both layoffs and furloughs. But Shawn Henry, chief security officer at CrowdStrike, said communicating this empathetically can go a long way toward quelling employee resentment, particularly in situations where it's possible the employee will be rehired in the future. For example, a manager might say, "We're looking to minimize the risk to our company, and in doing that we're minimizing who has access to that data."

In his advice on managing layoffs, Andreessen Horowitz's David Ulevitch recommended that companies revoke access to resources like email on the day an employee is notified of termination. He also wrote that it might be appropriate to let employees use their laptops after their last day, especially in current situations when people are working remotely and you can't retrieve the device immediately. Still, he cautioned companies to evaluate the security and intellectual property implications before letting employees keep devices indefinitely.

Staying ahead of insider threats

Cybersecurity experts said there are a number of tools and procedures that organizations should have in place to detect and prevent insider threats from laid-off employees. The first step is identifying the company's "crown jewels," or the data and systems that are the most valuable and vulnerable, said Jon Ford, a director at the cybersecurity and incident response firm FireEye. Companies should limit who has access to these systems and data in the first place, and should cut off access quickly when employees leave the company, said Shuman Ghosemajumder, global head of AI at F5 Networks, a maker of application security technology.

Security teams can deploy technology that monitors employee behavior and actions to identify early signs of an insider threat, said McAfee Chief Technology Officer Steve Grobman. "If all of a sudden you see an employee who has never accessed the customer database download the whole thing, you need to look for those types of events," he said. Other tools can block attempts to exfiltrate that data by preventing screenshots, print jobs or transferring it to another device, depending on how sensitive the data is, Ford said.
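
The kind of event Grobman describes can be sketched as detection logic over an access log. This is an added example, not code from the article or from any vendor named in it; the log format, user names, record counts and the 80% bulk threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample events: (day, user, resource, records_read). Not real logs.
EVENTS = [
    (date(2020, 3, 2), "alice", "customer_db", 40),
    (date(2020, 3, 9), "alice", "customer_db", 55),
    (date(2020, 3, 10), "bob", "build_server", 3),
    (date(2020, 3, 16), "carol", "source_repo", 120),
    (date(2020, 4, 6), "alice", "customer_db", 60),    # routine for alice
    (date(2020, 4, 6), "bob", "customer_db", 9800),    # never touched before, near-full export
    (date(2020, 4, 7), "carol", "customer_db", 12),    # never touched before, small lookup
    (date(2020, 4, 7), "alice", "customer_db", 9900),  # familiar resource, unusual volume
]
# Assumed total record count per resource, used to judge "the whole thing".
RESOURCE_SIZE = {"customer_db": 10000, "source_repo": 5000, "build_server": 200}


def find_unusual_downloads(events, cutoff, sizes=RESOURCE_SIZE, bulk_fraction=0.8):
    """Return alerts for bulk downloads on or after `cutoff`.

    Events before `cutoff` define which resources each user normally touches.
    A bulk read is "high" if the user has no baseline access to that resource,
    "medium" if the resource is familiar but the volume is not.
    """
    baseline = defaultdict(set)
    for day, user, resource, _ in events:
        if day < cutoff:
            baseline[user].add(resource)

    alerts = []
    for day, user, resource, records in sorted(events):
        if day < cutoff:
            continue
        if records < bulk_fraction * sizes[resource]:
            continue  # small reads are not flagged, even on a new resource
        first_time = resource not in baseline[user]
        alerts.append(("high" if first_time else "medium", day, user, resource, records))
    return alerts


if __name__ == "__main__":
    for alert in find_unusual_downloads(EVENTS, cutoff=date(2020, 4, 1)):
        print(alert)
```

The baseline is frozen at the cutoff on purpose: a small first read inside the review window does not make a later bulk export from the same resource look routine.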

Security teams should also involve HR and business leaders in their insider threat detection plans to better understand who has rich access to company systems and data, and who is likely to take out their frustration on the organization if they're fired.

"Insider threats are going to become much more prevalent as we look ahead," Ford said. "Our practices have evolved around external hackers … but insider threats can have a much more detrimental impact, and remediation can be much more exorbitant for an internal attacker versus an external one."

Furloughs make things more complicated

Companies might want to consider allowing furloughed employees or other workers who they hope to rehire to retain temporary access to their corporate devices and some applications, said Sandra Sucher, a professor of management practice at Harvard Business School who has written extensively on layoffs and workforce changes.

"You need to ask what the application is being used for; if Slack is being used to communicate in detail about confidential work information, that's a different story, but if it's being used the way I see it being used in a lot of organizations, it's more of a social network," she said. "Allowing them to keep access will maintain a connection, and the company will be rewarded when they need to reconstitute their workforce." Companies in highly regulated industries, such as finance or health care, might be required to cut off access completely, she added.

Some good news for companies is that there are technologies they can deploy to help closely manage who can access what corporate data. Okta, an identity and access management firm, has tools that allow businesses to immediately deprovision an employee's access to sensitive applications following a layoff, but maintain access to other services, such as a general Slack channel. The tools can also retain all the data, so if an employee rejoins the company, they will still have access to documents or other information that was temporarily made inaccessible, said Okta co-founder and Chief Operating Officer Frederic Kerrest.

"There are a lot of humane reasons to do things like allowing people to keep access to specific Slack channels and video conferencing apps," he said. "You definitely want to ensure that [if they rejoin the organization] you get them with a high morale and get reintegrated as fast as possible."

The danger is very real

One challenge to managing technology access of employees who are being let go is that the results can be devastating. F5 Networks' Ghosemajumder said that while most laid-off workers will behave professionally and ethically, a small percentage will try to harm their former employers. These types of incidents can be particularly damaging and difficult to detect because the employee might have legitimate access to the data and systems that they are targeting and likely know the organization better than an external hacker would. The average cost of an insider threat incident was $8.7 million in 2018, according to a report by the Ponemon Institute. This can include the cost of an investigation, remediation, legal fees, reputational damage, and the value of lost or destroyed IP.

One example that shows how much damage an employee can do to a corporate computer network happened at the Canadian Pacific Railway and resulted in a felony. In 2018, the U.S. Department of Justice announced that Christopher Grupe, a former IT employee of the CPR, was sentenced to a year in prison for intentionally damaging the company's computer network. Upon being informed that he was going to be fired, Grupe "strategically deleted files, removed administrative-level accounts, and changed passwords on the remaining administrative-level accounts, thereby locking CPR out of" its core computer network that handled critical data, according to the announcement. "Grupe then attempted to conceal his activity by wiping the laptop's hard drive before returning it to CPR."




Cybersecurity experts say a more common scenario involves employees who take sensitive corporate data or valuable intellectual property when they leave an organization. Last month, for example, former Google engineer Anthony Levandowski admitted to downloading thousands of documents about the company's self-driving program in 2015 and transferring them to his personal laptop.

This type of behavior is surprisingly common, studies show. According to a 2019 report from Code42, 65% of security professionals admit to taking company information to their next job.

FireEye has also noticed a new trend where employees don't just take data on their way out the door and use it in their new job — they try to extort the company for money, Ford said. "Last year we saw several cases where an insider extorted a company with data they had stolen. In several cases, they stated they were an external actor, but forensic evidence pointed towards them, and law enforcement either arrested or interviewed them," he said.
