The significant wave of layoffs in 2024 has introduced a cybersecurity threat that many business owners are overlooking—offboarding employees. Even renowned brands, which you would expect to have top-notch cybersecurity systems, processes, and procedures, often fail to protect themselves adequately from insider threats. This August marks a year since two disgruntled Tesla employees, after being let go, went rogue and exposed the personal information—names, addresses, phone numbers, and Social Security numbers—of over 75,000 people, including employees.
The situation is only expected to worsen. According to NerdWallet, as of May 24, 2024, 298 US-based tech companies have laid off 84,600 workers, with numbers still rising. This includes major layoffs at large companies like Amazon, Google, and Microsoft, as well as smaller tech start-ups. In total, around 257,254 jobs were eliminated in the first quarter of 2024 alone.
Regardless of whether you need to downsize your team this year, having a proper offboarding process is crucial for every business, big or small. It's more than a routine administrative task—it's a critical security precaution. Failing to revoke access for former employees can lead to serious business and legal implications later.
Some of these issues include:
- Theft Of Intellectual Property: Employees can abscond with your company's files, client data, and confidential information stored on personal devices. They may also retain access to cloud-based applications, such as social media sites and file-sharing platforms (e.g., Dropbox or OneDrive), whose passwords your IT department might overlook or forget to change. A study by Osterman Research revealed that 69% of businesses experience data loss due to employee turnover, and 87% of departing employees take data with them. Often, this information is sold to competitors, used by the former employee after being hired by a competitor, or used by the former employee to become a competitor. Any way you look at it, it harms your business.
- Compliance Violations: Failing to revoke access privileges and remove employees from authorized user lists can render you noncompliant in heavily regulated industries. This simple oversight can result in large fines, hefty penalties, and, in some cases, legal consequences.
- Data Deletion: If an employee feels unfairly laid off and retains access to their accounts, they could easily delete all their emails and any critical files they can access. If that data isn't backed up, you will lose it all.
  For those thinking, "I'll sue them!"—while that might be a rightful course of action, the reality is that the legal costs, time wasted on the lawsuit and data recovery, plus the aggravation and distraction of dealing with it all, often outweigh the damages you might be awarded if you win the lawsuit.
- Data Breach: This could be the most terrifying of all. Unhappy employees who feel wronged can make you the subject of the next devastating data breach headline, accompanied by a costly lawsuit. It could be as simple as making one click to download, expose, or modify your clients' or employees' private information, financial records, or even trade secrets.
Do you have an airtight offboarding process to mitigate these risks? Chances are you don't. A 2024 study by Wing revealed that one out of five organizations has indications that some of their former users were not properly offboarded, and those are just the organizations astute enough to detect it.