Different Types of Risk Exposure and Best Practices for Protecting Your Data
By Adam Gavish, CEO & Cofounder, DoControl
There has been a spike in layoffs over the last few months at numerous technology organizations, including Twitch, Unity, Dataminr, and more. Emotions aside, these redundancies and layoffs pose several data security concerns for organizations having to navigate through this process. When employees are offboarded, they often still retain access to a company’s digital assets, such as email accounts and communication apps (i.e. Google Drive and Slack), cloud storage, proprietary software, and more. If access entitlements and permissions are not dealt with accordingly and in accordance with employment status change (i.e. terminations or layoffs), the risk of sensitive data theft or misuse runs high. During this time of increased layoffs, business leaders would be wise to ensure they are in the safest position possible when employees are laid off.
Different Types of Risk Exposure
There is an undeniable lack of oversight and control over who has access to sensitive data within the IT estate during the layoff process. Bad actors are increasingly targeting SaaS applications because they store precious data. Because of this, there are many different types of risk exposure that organizations face when employees are laid off.
The widespread enterprise adoption of cloud-first business strategies has significantly increased the amount of SaaS applications created and used by organizations. Businesses frequently use multiple cloud-based applications such as Google Drive or Slack to collaborate, store data, and share files with colleagues or clients. Although these applications are beneficial in some ways, the collaborative nature can pose serious security risks to organizations because sensitive data is frequently stored within these applications. File owners can easily share access with their personal emails or external parties with just one click. In a recent report by DoControl, it was revealed that 61% of employees have previously shared company-owned assets with their own email. Once this file is shared publicly, there’s no telling who else might gain access to the data within.
Complications also arise as business users continue to use messaging SaaS applications such as Slack or Microsoft Teams to communicate and exchange information. Private data such as PII, passwords, and financial information are often shared between coworkers on these platforms. This leaves sensitive data exposed for internal and external parties to take advantage of. Moreover, once employees are laid off, they become prime targets for cybercriminals to target for social engineering attacks. Bad actors or competitors might offer former employees money to share private, company-owned data. If business leaders conduct layoffs abruptly without offering a reason or severance, laid off employees might also be frustrated and have incentive to leak data for their own personal gain.
Best Practices for Protecting Your Data
Especially during this season of mass layoffs, businesses must take a proactive approach to protect confidential or proprietary information and avoid leakage of sensitive company data. As more organizations adopt cloud-first SaaS operations, IT leaders will need to reevaluate their security posture and implement strict access permissions. Security teams should frequently monitor for suspicious activity and file sharing, and ensure that only necessary personnel have access to sensitive data. It is also imperative for businesses to revoke access to shared files as soon as employment status is changed.
Most threats can be prevented with modern SaaS security tools for specific use cases, such as Data Loss Prevention (DLP), Cloud Access Security Broker (CASB), and Insider Risk Management (IRM) solutions. Additionally, training employees on best practices for data security will go a long way. IT security teams should emphasize company policies during layoffs and remind employees that data security is a shared responsibility. The cybersecurity threat of data leakage will likely continue to rise in line with layoffs. Organizations should look to navigate this process with better empathy, and be more proactive in their approach.
About the Author
Adam Gavish is the Co-Founder and Chief Executive Officer of DoControl. Adam brings 15 years of experience in product management, software engineering, and network security. Prior to founding DoControl, Adam was a Product Manager at Google Cloud, where he led ideation, execution, and strategy of Security & Privacy products serving Fortune 500 customers. Before Google, Adam was a Senior Technical Product Manager at Amazon, where he launched customer-obsessed products improving the payment experience for 300M customers globally. Before Amazon, Adam was a Software Engineer in two successfully acquired startups, eXelate for $200M and Skyfence for $60M. For more information on DoContorl, visit https://www.docontrol.io/