CISO’S GUIDE TO SECURELY HANDLING LAYOFFS

To limit the potential for a security incident as layoffs occur, follow these 10 best practices:

Be part of the decision-making team

CISOs should be included as soon as discussions about possible layoffs start, experienced security leaders say. That allows CISOs and their teams to put in place as early as possible their plans to limit risks, something that’s usually needed ASAP as employees often learn about possible job cuts even before they’re formally announced.

Communication between human resources and the security staff needs to be timely and coordinated, so that when an individual has to part ways with the company, the CIO can be sure they’re safeguarding the organization.

Without that kind of early and ongoing communication and coordination with CISOs, he says, the organization faces a heightened chance that one or more employees could take away sensitive data or make malicious moves that might seem innocuous in regular times but raise red flags on an employee’s last days.

Revisit who can access what

Experts advise CISOs to review their access, authorization and authentication programs well in advance of any terminations and ensure they have adequate controls in place to monitor activity as well as detect anomalies that could indicate data leaks, breaches or threats related to layoffs.

Such work is a bedrock of a solid security program, and as such security teams generally have such policies and controls already in place. And while CISOs should be periodically reviewing them as a matter of routine, they’d be well advised to revisit them now and adjust as needed for these particularly turbulent times and limit access wherever it makes business sense.

Even if you’re not contemplating cuts, it’s a good thing to do and it should be done frequently.

Document and audit the environment

Similarly, potential layoffs should prompt CISOs to document and audit the environment, reviewing and updating such information if it’s already in place and confirming that they have the appropriate security technologies in place to flag, report and even address suspicious actions.

CISOs need good documentation so they’re confident that as soon as layoffs happen they can eliminate those employees’ access to all systems, whether they’re accessing those systems through a single sign-on or even outside that single sign-on function. This documentation is particularly important when layoffs involve technologists or senior team members, who often have access to IT infrastructure and the most sensitive organizational information, respectively, as well as for employees in departments that have their own budget to buy and run software. CISOs want to make sure a dismissed employee cannot still access a rogue system holding company data.

At the same time, CISOs should revisit their data loss prevention (DLP) program as well as their DLP software and the rules that govern it along with other controls to be sure that they’re able to monitor and prevent unauthorized access, use, disclosure or leakage of data.

Monitor and detect

The next step is to make those security technologies work overtime, by using the tools to monitor activity to detect unusual attempts to view, copy or move data as well as to flag any attempts to access or modify systems. CISOs should be monitoring for such signs of inappropriate access in the time leading up to layoffs as workers often learn about job cuts in advance.

As workers may be accessing information as part of their regular job duties, CISOs and their teams may have to tease out fine distinctions in access that could alert them to potential data loss. Workers, for example, might access data to complete a task in the office but try to download or email that information thinking it could help them in their next place of employment.

Organizations need the capacity both to observe normal actions and to identify abnormal ones as well as the capability to complete a forensics investigation in the event that officials discover a data loss after the fact.
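The "tease out fine distinctions" point above is what a detection rule has to encode: viewing a record is ordinary work, moving it out is the signal, and the right comparison is the worker's own recent history rather than a company-wide number. The following is an added example, not code from the article or from any product it mentions. It runs two checks over a constructed audit log: a per-user volume baseline for data-movement actions (download, external email, USB copy, external share) with an absolute floor so a near-zero baseline does not flag a trivial download, and a size-independent check for any movement of objects under sensitive path prefixes. The log records, user names, action names and the `hr/` and `finance/` prefixes are all assumptions made up for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample audit log (not from the article). Each record is
# (timestamp, user, action, object, bytes). "view" is ordinary work;
# the actions in MOVEMENT_ACTIONS take data out of the system.
SAMPLE_LOG = [
    ("2024-03-01T09:12:00", "alice", "view", "crm/accounts.xlsx", 0),
    ("2024-03-01T10:30:00", "alice", "download", "crm/accounts.xlsx", 2_000_000),
    ("2024-03-03T14:05:00", "alice", "download", "crm/pipeline.pptx", 1_000_000),
    ("2024-03-02T11:00:00", "bob", "view", "eng/runbook.md", 0),
    ("2024-03-04T16:20:00", "carol", "view", "hr/severance_list.xlsx", 0),
    # Watch day: alice bulk-downloads, bob downloads a little,
    # carol emails a small but sensitive file outside the company.
    ("2024-03-06T08:01:00", "alice", "download", "crm/accounts.xlsx", 400_000_000),
    ("2024-03-06T08:40:00", "bob", "download", "eng/runbook.md", 100_000),
    ("2024-03-06T09:15:00", "carol", "email_external", "hr/severance_list.xlsx", 30_000),
]

MOVEMENT_ACTIONS = {"download", "email_external", "usb_copy", "share_external"}
SENSITIVE_PREFIXES = ("hr/", "finance/")          # assumed classification scheme
BASELINE_DAYS = ["2024-03-01", "2024-03-02", "2024-03-03", "2024-03-04", "2024-03-05"]
WATCH_DAYS = ["2024-03-06"]


def daily_movement(log):
    """Bytes moved out per user per day, counting only data-movement actions."""
    totals = defaultdict(lambda: defaultdict(int))
    for ts, user, action, _obj, size in log:
        if action in MOVEMENT_ACTIONS:
            totals[user][ts[:10]] += size
    return totals


def flag_volume_anomalies(log, baseline_days, watch_days, factor=3.0, min_bytes=1_000_000):
    """Flag user-days whose outbound volume exceeds the user's own baseline
    (mean + factor * population std dev over baseline_days, zero-filled for
    quiet days) and an absolute floor. The floor keeps a user with a near-zero
    baseline from being flagged for a single small download."""
    totals = daily_movement(log)
    findings = []
    for user, per_day in totals.items():
        history = [per_day.get(d, 0) for d in baseline_days]
        mu, sigma = mean(history), pstdev(history)
        threshold = max(mu + factor * sigma, min_bytes)
        for day in watch_days:
            moved = per_day.get(day, 0)
            if moved > threshold:
                findings.append({"user": user, "day": day, "bytes": moved,
                                 "baseline_mean": mu, "threshold": threshold})
    return findings


def flag_sensitive_movement(log, sensitive_prefixes, watch_days):
    """Any data-movement action on a sensitive object during the watch window,
    regardless of size: a 30 KB spreadsheet can matter more than a 400 MB archive."""
    return [
        {"user": user, "day": ts[:10], "action": action, "object": obj}
        for ts, user, action, obj, _size in log
        if ts[:10] in watch_days
        and action in MOVEMENT_ACTIONS
        and obj.startswith(sensitive_prefixes)
    ]


if __name__ == "__main__":
    for f in flag_volume_anomalies(SAMPLE_LOG, BASELINE_DAYS, WATCH_DAYS):
        print("VOLUME   ", f)
    for f in flag_sensitive_movement(SAMPLE_LOG, SENSITIVE_PREFIXES, WATCH_DAYS):
        print("SENSITIVE", f)
```

On the sample data only alice trips the volume rule (her baseline works out to a 3 MB threshold against a 400 MB day), bob's 100 KB stays under the floor, and carol is caught only by the sensitive-object rule. The two rules are deliberately independent: volume catches the "take everything before I go" pattern, the prefix rule catches the small file that no volume threshold would notice. Both outputs carry the user, day and object so a forensics reviewer can go back to the raw records after the fact.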

Coordinate the timing

Timing is critical when it comes to employee departures, as the security team needs to be ready and able to terminate someone’s access to every and all systems and devices as soon as the layoff happens. That means shutting off log-in access as well as disabling key cards and the like in a move that’s well-orchestrated with the human resources team, supervisors and business leaders. “You want to synchronize the cutting of access all at the same time. That includes the obvious things around network log-ins or access to various enterprise services, but [security teams] often forget about cloud services or service accounts.”
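The documentation step under "Document and audit the environment" and the synchronized cutoff described here are two halves of the same control: the inventory of where a person holds access is what the cutoff plan is generated from, and what the post-cutoff verification is checked against. The following is an added example, not code from the article or from any vendor it describes. It models a constructed inventory in which some systems are federated through the identity provider and others (a department-bought cloud tool, a legacy file server, the badge system) keep local accounts, plus a service account whose credential a departing engineer holds. `disable_via_idp` shows what a "just disable them in the IdP" cutoff actually achieves, `verify_cutoff` lists the residual access that approach leaves behind, and `execute_plan` performs the full synchronized cutoff. System names, user names and the `security-oncall` reassignment owner are all assumptions made up for the example.

```python
from dataclasses import dataclass, field


@dataclass
class System:
    """One place accounts live. 'sso' means log-in is federated through the IdP."""
    name: str
    sso: bool
    owner: str                                   # department that bought and runs it
    accounts: dict                               # username -> enabled?
    service_accounts: dict = field(default_factory=dict)   # service account -> human owner


def fresh_inventory():
    """Constructed inventory (not from the article); a new copy on every call so
    the mutating functions below can be exercised independently."""
    return [
        System("idp", sso=True, owner="it",
               accounts={"alice": True, "bob": True, "carol": True}),
        System("crm-saas", sso=True, owner="sales",
               accounts={"alice": True, "bob": True}),
        # Bought on the marketing budget, never federated: local logins only.
        System("analytics-cloud", sso=False, owner="marketing",
               accounts={"alice": True, "dave": True},
               service_accounts={"etl-runner": "alice"}),
        System("legacy-fileserver", sso=False, owner="it",
               accounts={"bob": True, "carol": True}),
        System("badge-system", sso=False, owner="facilities",
               accounts={"alice": True, "bob": True, "carol": True}),
    ]


def build_cutoff_plan(inventory, departing):
    """Every action needed so that the departing users hold no access anywhere,
    derived from the inventory rather than from memory."""
    plan = []
    for user in departing:
        for s in inventory:
            if user in s.accounts:
                channel = "disable-via-idp" if s.sso else "disable-local-account"
                plan.append((user, s.name, channel))
            for sa, owner in s.service_accounts.items():
                if owner == user:
                    # A departing owner knows the credential: rotate it and reassign.
                    plan.append((user, s.name, f"rotate-credential:{sa}"))
    return plan


def disable_via_idp(inventory, user):
    """The incomplete cutoff: disables the IdP identity and everything federated
    through it, and nothing else."""
    for s in inventory:
        if s.sso and user in s.accounts:
            s.accounts[user] = False


def execute_plan(inventory, plan, new_owner="security-oncall"):
    """Apply the full plan in one batch (simulated; real systems would be driven
    through their own admin APIs)."""
    by_name = {s.name: s for s in inventory}
    for user, system, action in plan:
        s = by_name[system]
        if action in ("disable-via-idp", "disable-local-account"):
            s.accounts[user] = False
        elif action.startswith("rotate-credential:"):
            s.service_accounts[action.split(":", 1)[1]] = new_owner


def verify_cutoff(inventory, departing):
    """Post-cutoff check: any enabled account or service-account ownership still
    held by a departing user is residual access that must be closed."""
    residual = []
    for s in inventory:
        for user in departing:
            if s.accounts.get(user):
                residual.append((user, s.name, "account-still-enabled"))
            for sa, owner in s.service_accounts.items():
                if owner == user:
                    residual.append((user, s.name, f"service-account-owner:{sa}"))
    return residual


if __name__ == "__main__":
    inv = fresh_inventory()
    disable_via_idp(inv, "alice")
    print("Residual after IdP-only cutoff:", verify_cutoff(inv, ["alice"]))
    inv = fresh_inventory()
    execute_plan(inv, build_cutoff_plan(inv, ["alice"]))
    print("Residual after full plan:", verify_cutoff(inv, ["alice"]))
```

With the sample inventory, disabling alice only in the IdP leaves her local account on the marketing team's analytics tool, her badge, and the `etl-runner` credential all live, which is exactly the "cloud services or service accounts" gap the quote warns about. The plan built from the inventory closes all of them in the same batch, and `verify_cutoff` is the check to run immediately afterwards and again a day later, since a system that was missing from the inventory will not appear in the plan either.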

Plan for off-site devices and workers as well as today’s unique circumstances

The pandemic has complicated the already difficult job of executing layoffs for all involved in the process, experts say. That means CISOs have some extra items to consider. For example, many CISOs today have to consider how the rapid shift to remote work opened up risks that must be sealed off if and when those employees are terminated. That may include having to physically retrieve company devices that went off site in an unprecedented volume as the pandemic quickly forced employees to work from home.

CISOs should work with functional managers and HR to develop a strategy to ensure any off-site devices come back to the organization; they might, for instance, decide to withhold severance pay until those devices are returned.

CISOs may also want to consider whether they should pause, rather than completely cut, access to systems if workers are just furloughed – something that could smooth their return to work when times get better.

The circumstances of today significantly complicate the job for CISOs, which again points to the need for the CISO to be in on all these major management decisions.

Leverage legal resources

In advance of layoffs, experts say CISOs and their legal department counterparts must work together to reinforce messaging that can be shared with departing workers. Such messages may include, if applicable, a reminder about the rules that the workers agreed to follow when they first joined the company and also could include new information about workers’ expected roles in safeguarding the company’s security even as they part ways.

Workers should be reminded that there are legal implications to some actions. It might do no good, but you have to cover all the bases.

Readjust your team and your security agenda

Another challenging and particularly painful part of layoffs during these times is the likelihood that people on the CISO's own team will be let go. Experts emphasize the need for CISOs to treat their own team as they would others, terminating access to all data and systems immediately. Moreover, they have to be particularly mindful to shut down any backdoors that their security people may have created as part of their duties.

Additionally, CISOs, like their business-side counterparts, need to have a plan ready to run their security operations with fewer people. CISOs might invest, if possible, in more automation to help the department do more with fewer people, but he says many CISOs will need to be realistic about the probability that less work will get done with a reduced staff. In that case, CISOs need to re-evaluate business priorities and then re-align their security resources to those priorities, working with the business so all are clear on the new risk levels that exist as a result of layoffs.

Be mindful of those still left at work

Technical considerations are only part of the task at hand for CISOs. They need to consider the personal impact that layoffs take on people, including the remaining staff who will likely be stressed and possibly angered by the situation.

Having been through this in the past I can tell you it takes its toll on everyone, so don’t forget to think about what it’s doing to the people that are spending hour after hour turning off the access for friends and colleagues. It’s important to have empathy and think of the human impact on those left behind. Monitoring is critical after such an event as it inevitably changes the perception of some of the people that were not let go. This is the time when insider retaliation can be at its peak.

Still, keep the company’s safety front and center

Even as experts advise CISOs to acknowledge the stress and anxiety that come with layoffs, security rules are sacrosanct.

At no point after an involuntary termination should the employee be allowed to touch any system owned by the company. This is for everyone’s protection. If they are emotionally distraught it is not a far leap to hitting the ‘delete’ key on something and ending up in a world of hurt. People do strange things under pressure and removing the possibilities ensures the safety of both sides.

More articles by Sean O'Connor