Tom Olzak

“Layoff security” is simply baseline protection

In Business Continuity, Data Security, Employee Vetting, Insider risk, Risk Management on April 8, 2009 at 12:35

What to do to protect your organization during layoffs is a hot topic, with articles or posts in almost all technology-related online publications or blogs.  Bulleted lists lay out the steps to take when informing employees their services are no longer needed.  This is all good information, but most of the recommended controls should already be in place.

For example, one recommendation which seems to find its way to the top of most lists is de-provisioning, the process of removing a departing employee’s access to information assets.  Yes, this is very important.  But this was important before layoffs began.  It will be important when the economy recovers.  It is not a ‘layoff’ issue.

Terminated employees, whether self-terminated or encouraged to leave by management, should never have access to your organization’s systems after they walk out the door for the last time.  Processes should be in place to identify terminated employee accounts daily, with supporting processes that result in disabling all resource access.  The best way to accomplish this is to use an employee status extract from your HR database as the authoritative source: accounts belonging to employees marked as terminated are identified and disabled.  Regardless of whether the process is manual or automated, make sure it exists and is strictly followed.
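The daily reconciliation described above, written out as an added example (this is not code from the original post). It assumes two constructed CSV inputs: an HR status extract with columns `employee_id,name,status,termination_date`, and a directory export with columns `account,employee_id,enabled,privileged`. Both layouts, the `TERMINATED` status value and the `disable_fn` hook are assumptions for illustration; the point is that the HR extract, not the directory, decides who should still have access, and that accounts the HR data cannot vouch for are surfaced rather than silently passed.

```python
"""Daily de-provisioning check: HR status extract vs. account directory.

Added example, not from the original post. Column names, the TERMINATED
status value and the disable hook are assumptions for illustration.
"""
import csv
import io

# Constructed sample HR extract (assumed format).
HR_EXTRACT = """employee_id,name,status,termination_date
1001,Alice Example,ACTIVE,
1002,Bob Example,TERMINATED,2009-04-07
1003,Carol Example,TERMINATED,2009-04-08
1004,Dan Example,ACTIVE,
"""

# Constructed sample directory export (assumed format).
ACCOUNTS = """account,employee_id,enabled,privileged
alice,1001,true,false
bob,1002,true,false
carol,1003,true,true
dan,1004,false,false
svc_backup,,true,true
eve,1005,true,false
"""


def load_hr(text):
    """Return {employee_id: STATUS} from the HR extract."""
    return {row["employee_id"].strip(): row["status"].strip().upper()
            for row in csv.DictReader(io.StringIO(text))}


def load_accounts(text):
    """Return a list of account dicts with the boolean columns parsed."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "account": row["account"].strip(),
            "employee_id": row["employee_id"].strip() or None,
            "enabled": row["enabled"].strip().lower() == "true",
            "privileged": row["privileged"].strip().lower() == "true",
        })
    return rows


def reconcile(hr_text, accounts_text):
    """Build the day's de-provisioning plan.

    disable: enabled accounts whose owner HR marks TERMINATED, privileged first
    orphans: enabled accounts whose employee_id has no HR record at all
    unowned: enabled accounts with no employee_id (service/shared accounts)
    """
    hr = load_hr(hr_text)
    to_disable, orphans, unowned = [], [], []
    for acct in load_accounts(accounts_text):
        if not acct["enabled"]:
            continue  # already disabled; nothing to do
        emp = acct["employee_id"]
        if emp is None:
            unowned.append(acct["account"])  # needs an owner review of its own
            continue
        status = hr.get(emp)
        if status is None:
            orphans.append(acct["account"])  # HR cannot vouch for this account
        elif status == "TERMINATED":
            to_disable.append((acct["account"], acct["privileged"]))
    # Privileged accounts go first so admins lose access before anyone else.
    to_disable.sort(key=lambda t: (not t[1], t[0]))
    return {
        "disable": [name for name, _ in to_disable],
        "orphans": sorted(orphans),
        "unowned": sorted(unowned),
    }


def apply_plan(plan, disable_fn):
    """Disable each account in plan order through disable_fn.

    disable_fn is the hook to your directory (an LDAP/AD modify, or a ticket
    for the manual process). Returns the accounts actually disabled.
    """
    done = []
    for account in plan["disable"]:
        disable_fn(account)
        done.append(account)
    return done


if __name__ == "__main__":
    plan = reconcile(HR_EXTRACT, ACCOUNTS)
    disabled = apply_plan(plan, lambda a: print("disable", a))
    print("disabled:", disabled)
    print("orphans (no HR record):", plan["orphans"])
    print("unowned (no employee_id):", plan["unowned"])
```

Run against the constructed data, the plan disables `carol` (privileged) before `bob`, and reports `eve` as an orphan and `svc_backup` as unowned. The orphan and unowned lists are the part most real programs skip: an enabled account that no current HR record explains is exactly the kind of access a departing employee can leave behind.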

Another recommendation is to ensure system administrators and other users with privileged access are prevented from returning to their desks after termination.  This is not a new idea.  Under no circumstances have we allowed someone with privileged access to walk back to their desks unattended after a layoff or other management-driven termination.  In fact, their accounts are disabled as they walk into their manager’s office to receive the news.  And there are always other staff members who can step up to manage systems upon the terminated employee’s departure.

These are just two items on lay-off protection lists, but you get the idea.  Most recommendations are things you should already be doing as part of an effective security program.  There are other recommendations, however, which rely on company good will to prevent data theft.

In a CSO article, Michael Fitzgerald provided a list of what he calls “Measures that can help departing employees and also lower the temptation to abscond with company property or data” (6 Steps to Reduce Corporate Risk After Layoffs, 2009).  They include,

  • Offer staff an hour a day to search for jobs while still employed.
  • Give them a used computer with Internet access that they can take with them to help in their job search.
  • Offer to print business cards for the employee that include their home phone number.
  • Pay for access to a job site.
  • Pay for Cobra insurance for three or four months.
  • Have your corporate recruiters, HR or an outplacement firm assist in looking for work for laid-off employees.

I don’t disagree that these actions might compel many employees to think twice before causing harm to their former employer.  However, employees who were problems before termination/layoff are not going to be swayed much.

In addition to ensuring all baseline security controls are in place, it is a good idea to identify potential employee threats.  Again, this is a process which should be in place at all times, not just when layoffs are expected.  Understanding which employees represent a higher probability of misconduct helps management respond quickly, mitigating business impact.  (For more information on problem employee identification, see “Prevent your employees from going rogue.”)

Organizations prepared with basic security controls don’t have to worry about layoffs.  Those not prepared have a lot more to worry about than layoff frustration.
