As Meta faces backlash from its employees over its handling of mass layoffs, security experts warn that such actions could pose new threats to corporate data and systems.
Facebook’s parent company Meta announced last week that it would cut 21,000 jobs, or about 10% of its global workforce, as part of a restructuring plan. The move sparked outrage among some employees, who accused senior executives of being out of touch and insensitive to their plight.
But Meta isn’t alone in resorting to layoffs amid economic uncertainty. A recent KPMG report found that 85% of organizations believe layoffs will be necessary as the economy slows.
Such drastic measures can also expose companies to heightened cybersecurity risks from disgruntled former employees, who may seek revenge or compensation by stealing or sabotaging sensitive data or systems.
“Mass layoffs can lead to unintentional threats from within,” says Kyle Kappel, chief of the US Cyber Division at KPMG, in an interview with VentureBeat. “Risks from internal threats include theft of sensitive data, embezzlement, sabotage of critical systems, creating backdoors in corporate environments or even causing reputational damage.”
According to the Palo Alto Networks Unit 42 team, 75% of internal threat cases concerned dissatisfied former employees. Internal threat incidents include transferring protected data to personal accounts, transferring property to a competitor, or exploiting employee internal knowledge to gain access to privileged information.
Dealing with malicious insiders
Controlling access to data assets is difficult when defending against external threat actors, but becomes much more challenging when dealing with an employee who not only has physical access to key data assets and resources, but also has first-hand knowledge of the internal processes of an organisation.
The moment an employee becomes dissatisfied or, in the Meta example, fired, any app or service they had access to needs to be re-secured in case the individual tries to retaliate against the organization.
“Removing access to systems and applications is critical during a mass layoff, and there are several unique challenges during these types of events,” said Kappel. “A common area that gets overlooked is removing access to third-party applications.”
Kappel notes that access to third-party applications can be misused not only to access critical data, but also to steal money.
The challenges and difficulties of offboarding
Unfortunately for security teams, it’s not always easy to determine which services an employee had access to, especially when they are trying to offboard a large number of employees at once.
“If you lay off huge numbers of employees at once, things get very complicated,” says Frank Price, CTO of third-party cyber risk management provider CyberGRX.
“Given how interconnected we are these days, there is a lot of access and active sessions to inventory and manage well at these times. That one disgruntled engineer or salesperson who realizes they’re still logged into GitHub or Salesforce on their personal device can cause a lot of trouble,” said Price.
The disparate nature of these applications can prevent security teams from revoking access to important applications from potentially disgruntled employees.
As a result, organizations need to be proactive in understanding employee access rights. One way to do this is by using an identity provider (IDP), a type of identity and access management (IAM) platform, that can centralize the management of user identity and authentication.
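The reconciliation described above can be sketched as a short script. This is an added example, not something from the article or from any vendor it names; the record fields (`sso`, `active`, `last_session`) and all sample data are constructed for illustration and would come from HR and per-application account exports in practice.

```python
from datetime import datetime, timezone

# Constructed sample data: HR termination feed (user -> termination time, UTC).
TERMINATED = {
    "alice@example.com": datetime(2023, 3, 14, 17, 0, tzinfo=timezone.utc),
    "bob@example.com": datetime(2023, 3, 14, 17, 0, tzinfo=timezone.utc),
}

# Constructed sample data: account exports from each third-party app.
# "sso" is True when the app authenticates through the identity provider.
ACCOUNTS = [
    {"app": "GitHub", "user": "alice@example.com", "sso": False, "active": True,
     "last_session": "2023-03-15T02:10:00+00:00"},
    {"app": "Salesforce", "user": "alice@example.com", "sso": True, "active": True,
     "last_session": "2023-03-14T09:00:00+00:00"},
    {"app": "Salesforce", "user": "bob@example.com", "sso": True, "active": False,
     "last_session": "2023-03-10T12:00:00+00:00"},
    {"app": "GitHub", "user": "carol@example.com", "sso": False, "active": True,
     "last_session": "2023-03-15T08:00:00+00:00"},
]

def offboarding_gaps(terminated, accounts):
    """Return (app, user, reasons) findings for terminated users, worst first."""
    findings = []
    for acct in accounts:
        cutoff = terminated.get(acct["user"])
        if cutoff is None:
            continue  # still employed; out of scope
        reasons = []
        if acct["active"]:
            reasons.append("account still active")
            if not acct["sso"]:
                reasons.append("local login: IdP disable does not cover it")
        if datetime.fromisoformat(acct["last_session"]) > cutoff:
            reasons.append("session seen after termination")
        if reasons:
            findings.append((acct["app"], acct["user"], reasons))
    return sorted(findings, key=lambda f: -len(f[2]))

if __name__ == "__main__":
    for app, user, reasons in offboarding_gaps(TERMINATED, ACCOUNTS):
        print(f"{app:<11}{user:<20}{'; '.join(reasons)}")
```

Accounts flagged as local logins are the ones a centralized identity provider cannot shut off, so they need revocation inside the application itself.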
Introduction of ‘phygital’ attacks
At the same time, security leaders can’t afford to overlook the risks associated with an employee’s physical access to resources and equipment, which Will Plummer, former U.S. military security expert and CSO at mail screening technology provider RaySecur, refers to as “phygital” attacks: “the convergence of physical and cyber.”
“These attacks exploit weaknesses in physical security to gain access to digital infrastructure. They represent a type of modern trojan horse strategy known as ‘war shipping,’” Plummer said.
Plummer explained that a typical war shipping attack occurs when a user is asked to return work equipment by mail and takes the opportunity to tamper with the equipment, such as installing a battery-operated microcomputer that searches for data or for a network vulnerability.
Implementing endpoint or mobile device management and monitoring equipment when it is returned can help minimize the risks of these types of attacks.
Other ways to mitigate internal risks
While mitigating breaches caused by malicious insiders and ex-employees is easier said than done, organizations can mitigate data exposure risk by better monitoring and controlling access to data as part of what Kappel calls an “established insider threat program.”
In practice, this means monitoring user activity and access to resources in real-time and post-event to ensure privileged users are not performing malicious activities, such as exfiltrating data or installing malware.
In addition, perhaps the most valuable defense organizations have against threats from disgruntled ex-employees is empathy.
Approaching layoffs with compassion, clearly communicating reasons for cuts, and providing employees with support in the form of severance pay can reduce the likelihood of employees feeling betrayed and seeking revenge against the organization. Ultimately, if you want to avoid a morale crisis, invest in building morale.