Proactive Insider Threat Strategy for Anticipated Layoffs

According to Crunchbase, more than 90,000 workers were laid off in 2022 in the US tech sector alone.^[1] With continued economic uncertainty in 2023, many organizations are continuing to consider the potential need to lay off employees and downsize their operations. This is causing employees to have anxiety concerning their employment status. 

Such anxiety will inevitably lead those with access to the organization’s valued intellectual property (IP) to consider exfiltrating it from the organization’s network to somewhere they can maintain access, if and when their employment status changes.  Most of these incidents will not be made with the intent to steal the IP, or damage the organization, but to preserve their access to the material for later referral. 

However, there will be other employees who recognize the value of the IP and will feel they are justified in maintaining access because they participated in the creation and therefore feel they deserve to reap the associated perpetual rewards. These same individuals may offer their related IP expertise to competitors during their efforts to find their next employment and want to be able to have an example of their work to share.  All of these cases represent a challenge to any organization’s Insider Team and their ability to respond to the changing conditions.

Following are the four measures that insider threat teams can proactively take to secure the organization’s IP in these challenging times. 

#1 As soon as identified, conduct enhanced monitoring of the employees who are mostly likely to be affected by layoffs. 

Studies show that half of departing employees leave with confidential company information — either deliberately or unintentionally. By determining the work units who will be laid off in advance of their notice, the insider threat teams can set up a monitoring system that will capture the affected employee's efforts to exfiltrate data as a response to the notice. 

For this monitoring to be effective, however, the insider threat teams need to know what information is most critical to the organization, and they need to have the capacity to respond quickly to recover this material when exfiltration is detected.  

Additionally, insider threat teams need the ability to prioritize their investigative response so that they are focused on the greatest long-term risks to the organization.  While conducting enhanced monitoring of every employee exiting the organization may be possible, responding to every incident in which a departing employee has exfiltrated data will be a challenge.  

Prioritizing the response, so the insider threat teams are focused on the greatest risk, is essential to mitigating damage.

#2 Offer departing employees the opportunity to submit materials they want to take with them for a review. 

This opportunity allows the employee to consciously think of the material they want to remove from their computer hard drives, recognize that they are not allowed to make this decision independently, and give them the opportunity to obtain approval to remove non-sensitive material. 

The vast majority of departing employees will have personal items, such as family photos, tax returns, and personal correspondence that they would like to keep access to - even if the organization had prohibited the storing of personal material on their equipment all along. And while employees conduct large volume data transfers from their work computers to their home computers, it is highly likely that the organization’s valued IP will be mixed in with those personal material. By having the review process, such mix-up can be prevented. 

It is also critical when reviewing the items to determine the intent and the damage of the exfiltration, the insider threat teams look for materials that contain the organization’s Crown Jewels and for materials which are desired by competitors, including nation-state actors, as they represent the greatest potential to harm the organization.   

#3 Raise employee awareness about the organization’s governance regarding the exfiltration of data prior to announcing layoffs.

This applies to both the employees who are about to be terminated and those employees with long-term future with the organization.  The most common answer provided when an employee is questioned about unauthorized exfiltration is, “I did not know I was violating an organization policy.”  Raising the awareness for supervisors and employees is a proactive step to prevent the loss of IP and reduce the amount of unauthorized IP exfiltration. It can also be a positive message shared with employees to collectively work together to protect the organization’s future.  If this training is shared after announcing layoffs, it will be interpreted as a threat and could lead to unintended consequence of further damaging company morale and culture.

#4. Maintain awareness of which external entities could benefit from the organization’s layoffs.

Organizations can’t dictate where their laid-off employees find their next employment.  However, maintaining an awareness of which entities could benefit from the organization’s former employees is extremely valuable. 

After layoff announcements are made, the departing talent is likely to draw the attention of nation-state actors, competitors, or startup companies, looking to reap the benefits. Limiting the ability of these actors to contact and communicate with the departing employee could reduce their success.  Nation-state actors are known to guess the employee’s email addresses by utilizing a person’s name and their company’s email domain in order to establish a channel to communicate.  If successful, nation-state actors will use this method to determine the employee’s interest in future employment with one of their favored enterprises.

Conclusion

Company layoffs, real or perceived, represent a real threat to organizations’ ability to safeguard their most valued IP. Insider threat teams must implement proactive measures and processes to effectively minimize such threat.

^[1] Vedantam, K. (2022, December 16). Tech Layoffs In 2022: The U.S. Companies That Have Cut Jobs. Crunchbase News. https://news.crunchbase.com/startups/tech-layoffs-2022/