In the Wake of Mass Layoffs, Insider Threats Multiply

The numbers have been staggering—18,000 roles at Amazon, 10,000 people from Microsoft, 26,000 people from Meta, 6,650 people from Dell, more than 70 percent of the headcount at Twitter. The past six months have brought massive layoffs across the technology sector worldwide, particularly hitting companies in Silicon Valley and other tech hubs in the United States. But when such seismic personnel shifts occur, they inevitably spur ill will, bad publicity, and significant stress both among people who were laid off and the staff that remains. 

Layoffs and terminations are often a trigger for negative actions—employees on the way out the door might feel entitled to keep their laptop, their work, or other materials for which they feel a sense of ownership, says Chuck Randolph, chief security officer at protective intelligence firm Ontic. Even if they do not take tangible assets away from the company, they might be targeted by competitors or foreign firms to share some of their institutional knowledge about the inner workings of the company or a key product or process.

Chinese firms have been particularly focused on hyper-accelerating their growth by leveraging laid-off tech employees, he says, offering them well-compensated consulting gigs to share information on specific concepts. Many former employees are feeling the strain of unemployment and would not question the opportunity. The queries the company asks might seem benign, but a skilled interviewer will be able to pull out detailed, confidential information that could help the firm connect the dots or open a backdoor that they would not otherwise have access to, Randolph adds.

Beyond intellectual property theft, employees’ tech-savvy backgrounds could further open companies up to risk.

“The newsworthiness of these mass layoffs compounds the issue, ensuring that everyone—including ransomware gangs—are aware of what’s happening,” says Val LeTellier, founder of 4thGen, where he focuses on insider risk vulnerability assessments and countermeasures. “These gangs have been known to subtly publicize incentives to get the cooperation of existing employees.”

“Obviously, any employee who believes themselves unfairly laid-off may seek revenge, and that revenge could be taking funds, valuable data, or materials or harming the company’s reputation,” LeTellier says.

A single incident can have wide-reaching consequences. In 2022, sensitive information for more than 8 million users of Cash App Investing—a stock trading app run by Block—was exposed by a disgruntled former employee who downloaded corporate reports before leaving the company. Some of the data stolen included customers’ names and brokerage account numbers, and in some cases it included customers’ portfolio value, holdings, and trading activity, according to a filing with the U.S. Securities and Exchange Commission. A subsequent class action suit filed in August 2022 alleged that the mobile payments company had inadequate security measures that allowed the employee to steal the data.

“The growing availability of ransomware-as-a-service (RaaS) and even ChatGPT empowers disgruntled employees in new ways,” LeTellier says. “But the threat of departing and departed employees is greatly compounded when they’re connected to ransomware gangs who seek their assistance in accessing protected networks, craft convincing phishing campaigns or attacking infrastructure. The combination of a willing ‘agent’ and professional ‘handlers’ is a lethal combination.

“But more generally, the sheer scale of mass layoffs is dangerous enough as normal employee offboarding processes are overwhelmed,” he continues. “Employee credentials fail to be quickly deactivated, corporate devices aren’t returned, and monitoring oversight drops off.”

Remote work has complicated this even further because employees who work from home are using an array of networks and devices that can undercut data security policies and procedures while diminishing corporate oversight.

“And when working without oversight, employees often cut corners and neglect policies and procedures to save time and effort,” LeTellier says. “A good example is forwarding sensitive data to a personal device or account so that it can more easily be edited or printed. That information then rests unprotected on a personal device and outside the control of the organization—maybe even the employee.”

Remote work has also changed what layoffs look like. In early April 2023, McDonald’s asked its corporate employees to plan to work remotely instead of hybrid that week—instead of this being a shake-up for routines, the directive enabled the restaurant company to deliver the news virtually that it planned to lay off hundreds of employees, The New York Times reported. Google laid off thousands of people via email. Meta announced plans for a year of big personnel cuts in a 2,000-word memo. This change of procedure has pros and cons, but the sudden shift often lacks input and structure, leaving both employees and some department leaders in the dark.

The path to a mass layoff is often a long one, with many factors and discussions among HR, finance, legal, and executive functions—but security is often missing from that equation, Randolph says. Security can be brought in to perform a critical thinking role, poking holes in plans and stress-testing different concepts to find weaknesses and solutions.

“That sort of critical thinking helps us see around corners and deal with blind spots,” Randolph says. Non-security leaders might neglect to build out a plan for how to collect laptops that are returned and how to scrub them, or where to marshal laid-off employees so they can learn about and use post-layoff resources provided by the company.

Security teams could also lead efforts to identify which employees need to be reminded of their responsibility to maintain confidentiality of intellectual property as they leave the company, he adds.

But oftentimes mass layoffs are kept close to the vest until the last minute, and security might not be looped in for fear of layoff warnings leaking out. “The best thing a company can do at this late stage is to show empathy, compassion, professionalism, and generosity in the execution of the layoff,” LeTellier says. “Particularly when done as a cost-cutting measure due to external factors, layoffs can be very dramatic for individuals. Humane treatment is therefore critical. Generous severances and continued health insurance reduces employee trauma, which in turn reduces insider events.”

Governance and procedures also matter—these inform security’s response to upheavals and the department’s continual monitoring efforts for red flags.

“Governance is the defensive building block upon which all security measures rest,” LeTellier says. “Without proper governance, there is no defensive bedrock for countering attacks. Ideally, companies have robust insider risk awareness training, and independent insider risk assessments executed by outside with any/all vulnerabilities addressed and mitigated. And to maintain their safety and security, they should have an automated whole person/whole threat continuous evaluation mechanism in place that creates efficiency and effectiveness for their trained insider risk analysts.”

Technology plays a significant role here. “Visibility and integration across cloud, email, endpoints, and Web are table-stakes in this game. Nothing says, ‘I’m leaving’ like a .zip file full of sensitive information sent to a personal email address,” he adds.

“Getting ahead of problems is key,” LeTellier explains. “New employee background checks and thorough pre-hire interviews can go far in creating a responsible, resilient, and rationale workforce. Confidentiality and non-compete agreements are necessary, and managers should be trained in best practices for identifying and addressing employee grievances in a constructive manner that reduces negative feelings and actions. The goal is a positive security culture in which employees feel valued, heard, and are fairly treated.

“Of course, scale plays a critical role here again,” he continues. “Many of the firms executing mass layoffs hired large numbers of employees quickly in the last few years, seeking to grab available unique technical talent before their competitors. The need to be aggressive meant cutting corners on traditional due diligence processes. The result is therefore predictable—people were hired that normally may not have, and some of those employees are responding to their layoff maliciously.”

The pathway to insider threats is similar to the pathway to violence, says Randolph. “At some point it goes down a very dark and terrible road that’s traumatic, or it might lead to information leakage or a backdoor being held open—more of what you might think of a traditional insider threat,” he notes. This necessitates an all-hazards approach to security, considering threat management, information security, identity management, physical security, and the organizational culture all together.

Having a holistic approach with many stakeholders around the table helps the organization anticipate issues it needs to have protocols around. “One thing we know about human behavior is: we don’t know about human behaviors,” Randolph says. “Why did somebody suddenly decide to take a very tragic ending to an event? We can make guesses, we can forensically and psychologically examine it, but at the end of the day, we don’t know in that moment why somebody decided to do what they were going to do. The only way to anticipate that is to bring everybody to the table, have those odd conversations, and get the protocols out so we can talk them through.”

And this process—including relationship-building—should begin long before a mass layoff or other potential trigger. “You never want to have a cold start when there’s an issue,” he adds.

Laid-off employees are not the only insider risk, however—organizations also need to focus on the employees who remain. Mass layoffs can result in both insider threat risks and morale crises, as currently seen at Meta, The New York Times reported in April. Additionally, significantly smaller staffs who try to manage the same workload can be more susceptible to mistakes, such as one engineer’s change to Twitter that caused a three-hour outage—part of a trend of outages exacerbated by a dwindling technical staff, according to Ars Technica.

Consider a young intelligence analyst in a global security operations center (GSOC) who monitors all hazards in a given area—everything from weather to employee travel to active assailants, Randolph posits. The analyst works in a small team, and although the team members are busy and under pressure, they have managed to handle the workload adequately. But an unexpected round of layoffs hits the organization, including the GSOC, and suddenly the young analyst has lost his work buddy Jane and has to handle all of her additional work. That analyst is now at heightened risk for burnout or other mental wellness issues.

“I think the human equity that leaders have to consider here is important,” Randolph says. “I think as leaders in a time like this, it’s important for us to remind folks who remain that they are important. Their work is important. Please take a break, take a breather, get up from the screen, walk away, and check in. Because culture has a say. It can take years to get the culture you want, and in a New York minute, it can change. It will take years to get it back. I think leaders have a responsibility to manage that culture, manage those people, and make sure that they’re taken care of.”

Without that focus on culture and remaining employees’ wellbeing, people who watch their colleagues lose their jobs can become threats themselves.

In some cases, a round of mass layoffs can cause remaining employees to mentally check out, quiet quit, or “thoughtfully plan the theft of trade secrets, customer lists, financial data, business strategies, acquisition plans, and marketing data to get a new job, start a business, or simply to take revenge,” LeTellier says. “With more time to plan and execute their actions, they may not trigger traditional countermeasures. Finally, remaining employees are particularly attractive to ransomware gangs who have brazenly shown no hesitation to directly offer to share bounties.”

While technological solutions can help connect the dots between different behaviors that together add up to an insider threat red flag, LeTellier adds, “there is no substitute for knowing your employees. Understanding your employees and applying that knowledge is even more important in the remote workplace. I recently learned a new term: ‘Problem in chair, not in computer’ (PICNIC), meaning that security events are often the result of employee action, whether malicious or not. Most organizations already collect the necessary data, and other enriching datasets are easily and affordably obtained. The key is using the right software to continuously examine your workforce for indicators of insider risk behavior.”

Claire Meyer is managing editor for Security Management. Connect with her on LinkedIn or reach out directly at [email protected].