Maintaining Control During Layoffs
BackBy Carmi Levy — January 2009
Hardly a day goes by without headlines announcing another round of layoffs. As painful as the numbers are — these are people’s lives, after all — the pain can be infinitely worse if the firms doing the cutting don’t also actively control security both before and after employees head out the door.
Recent examples of the scary behaviors of disgruntled employees should give IT and security managers pause. In one high-profile case from last summer, a discontented systems administrator changed the access codes for the city of San Francisco’s network and refused to share the information. The city’s administration was essentially shut down for days while lawyers and prosecutors tried to work things out with the rogue employee.
As the layoffs continue, expect more soon-to-be-ex-employees to take matters into their own hands as they empty their cubicles. Once upon a time, the company’s biggest worry was stolen office supplies. But today the stakes are much higher. Whether they’re dumping confidential data onto flash drives (sometimes called podslurping), stealing it via Bluetooth (bluesnarfing) or simply e-mailing it home, laid-off staff members with nothing to lose are placing vulnerable organizations in ever greater peril.
In many cases, the firms have no one to blame but themselves. Layoffs often are executed haphazardly, with little advance notice to supporting departments and no adherence to repeatable processes. IT is rarely involved in the initial planning. As a result, system accesses remain in place, often indefinitely, which means there’s nothing stopping an ex-employee from connecting to the VPN from home weeks after being terminated.
While open doors such as this make it easy for anyone with a little knowledge to wreak havoc on organizational systems, criminally focused ex-staffers with major malice on their minds aren’t the only ones who can cause permanent damage. Some employees, worried about their tanking 401(k)s and frightening future career prospects, may use their access to steal confidential information and sell it on the black market. Like parents stealing bread to feed their starving families, these people normally would not cross that line, but they do so because they see no other alternative — and there’s no oversight.
Whatever the intent, the bottom-line impact is severe and potentially irreversible. Loss of productivity, identity theft and exposure of company secrets to competitors are only the beginning. Some sectors, such as health care and financial services, are particularly sensitive to regulatory breaches. In all cases, prevention is a lot less expensive than the cure.
Thankfully, prevention doesn’t have to be complex or expensive. Regardless of whether they’re planning layoffs, all companies should consider tightening their internal security processes — at least as a first step. Here are three good places to start:
- Control USB port access. Implement policies and monitoring tools to control what can and cannot be connected to a PC.
- Implement device-specific policies. Allow only approved USB devices to be connected to corporate equipment. Third-party solutions can grant access to specific devices — validated by serial number or vendor ID number — and prevent employees from connecting their own.
- Get serious about reporting. Forensic analysis of attempted breaches allows future policies and tools to be further refined.
Once the inside has been cleaned up, take some time to assess how employees are actually shown the door. The so-called exit process needs to be just that: a process. Define every milestone that must be met — including removal of systems access, identifying who is accountable for their removal, when each one must occur, what resources are required and what metrics must be tracked. Ensure nothing is left to chance.
Partnerships are important here, too. IT must work closely with the business side to guarantee early involvement in planning and execution. If IT hears about layoffs after the fact, it’s too late. The only way to mitigate risk is to have the tech folks at the table as soon as any staffing changes are considered.
Airline pilots religiously follow checklists to ensure they deliver their passengers to the gate and don’t bend the metal in the process. It’s unimaginable that they’d get up in the sky and wing it to the next airport. Yet, companies of all sizes and in all sectors are doing just that every time they send employees home for the last time. The resulting security risks may ensure the company’s final layoff notice, as well.
Carmi Levy is a technology journalist and analyst with experience launching help desks and managing projects for major financial services institutions. He offers consulting advice on enterprise infrastructure, mobility and emerging social media. He can be reached at email@example.com.