Five ways to mitigate insider risks during layoffs

There have been more than 185,000 job losses from 633 companies in the tech sector alone so far in 2023, according to Layoffs are impacting all areas of business, including roles that are typically more immune to reduction such as IT, security, software engineers, and finance, all people who are often aware of and have access to sensitive inside information.

Cyber adversaries take advantage of every possible situation, making massive layoffs a huge opportunity. KPMG’s 2022 white paper, “Incentive Based Insider Threats,” said that over the past two years, attackers have shifted tactics and are offering incentives to insiders: payment in exchange for access.

Although the majority of laid-off employees may not pose a threat, there’s always a small possibility. One report on insider risk found that data exfiltration increases when employees leave and 69% of employees are more likely to take data right before they resign. It also found a 23% increase in unauthorized data transfers the day before employees were fired, and a 109% increase on the day their employment was terminated.

Organizations have spent most of their resources on protecting themselves from external cyber threats. But what happens when the adversary has a set of keys and can stroll right in?

The real risk of insider threats

As cybersecurity innovates, so do cybercriminals, and they are supplementing their normal ransomware extortion tactics with outright bribery through social media and the dark web. Adversaries always look for the easiest way in. If they can simply pay someone for access or data, they will.

They just need to find someone with insider knowledge who knows where the "bodies are buried," that vulnerability that was never patched, or that workaround remote access that was never removed.

Many years ago, as part of a red team engagement, we used social media to identify a disgruntled admin of the client we were hired to attempt to access data from. We ended up paying the admin $200 to get two hard drives with all the data we needed—so we’ve seen this work firsthand.

Maintaining security resilience during staff exits

Our own threat intel team has verified that during these recent months of layoffs, adversaries have actively used publicly-available employee data from websites such as and that host layoff lists to target and contact ex-employees in hopes of finding someone disgruntled or desperate enough to make a deal with.

It's crucial that organizations take necessary precautions to mitigate potential risks and safeguard the organization's sensitive information from insider threats—whether they’ve laid off employees or not. Organizations concerned with insider risk should consider the following:

Revoke user access. Single sign-on environments make this process relatively straightforward. In other systems it’s often more challenging, especially when dealing with both on-premises and cloud-based systems. It’s easy to miss something, and breaches are often caused by human error. Verify that all access actually gets turned off across all platforms.

Test for shadow IT systems and audit admin rights. Admins can create accounts and have ultimate privileges. Audit all systems to see if any non-approved accounts have been created and shut them down. Test to detect shadow IT systems that may have been deployed outside of the corporate IT function and could be used for unmonitored access.

Pen test for weak points. Technical personnel know security vulnerabilities and defense weaknesses that cannot be detected by common vulnerability management tools. Perform expert penetration testing to look for hidden security exposures, including assessment of the core business assets to determine if they are at risk.

Secure all software. Audit high-risk, in-house development software for potential rogue access or malicious code. Backdoors in code can take many forms, including:

Hardcoded credentials: Default login information in the code, such as a default username and password.

Remote access capabilities: Functionality in the code that allows remote access to the system, such as a remote shell or remote desktop.

Hidden functionality: Functionality not intended for end-users, such as a hidden admin interface.

Logic bombs: Malicious code triggered when certain actions or conditions are met.

Initiate a threat hunting program. A competent inside adversary will circumvent defenses and bypass security controls. Active defensive measures like threat hunting can monitor for malicious behavior, data theft, and suspicious and abnormal network activity to detect advanced attacks which have flown under the radar.
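One hunt that fits the departure-related transfer spikes described earlier, shown as an added example rather than code from the article or OccamSec: compare each departing user's transfer volume in the days before exit with that user's own earlier baseline. The user names, volumes, window and thresholds are constructed assumptions.

```python
from datetime import date, timedelta
from statistics import median

# Constructed sample data (not from the article): HR exit dates and each
# user's daily outbound transfer volume in MB.
EXIT_DATES = {"alice": date(2023, 3, 10), "bob": date(2023, 3, 10)}
TRANSFERS = [
    ("alice", date(2023, 2, 20), 40), ("alice", date(2023, 2, 21), 55),
    ("alice", date(2023, 2, 22), 35), ("alice", date(2023, 2, 27), 50),
    ("alice", date(2023, 3, 9), 900), ("alice", date(2023, 3, 10), 2100),
    ("bob", date(2023, 2, 20), 60), ("bob", date(2023, 2, 23), 70),
    ("bob", date(2023, 2, 28), 65), ("bob", date(2023, 3, 9), 80),
]

def hunt_exit_spikes(transfers, exit_dates, window_days=7, factor=5.0, floor_mb=100):
    """Flag days inside the pre-exit window whose volume exceeds
    factor x the user's own baseline (median of days before the window)."""
    findings = []
    for user, exit_day in exit_dates.items():
        window_start = exit_day - timedelta(days=window_days)
        rows = sorted((d, mb) for u, d, mb in transfers if u == user)
        history = [mb for d, mb in rows if d < window_start]
        # With no history the baseline is 0, so only the absolute floor applies.
        baseline = median(history) if history else 0
        threshold = max(factor * baseline, floor_mb)
        for d, mb in rows:
            if window_start <= d <= exit_day and mb > threshold:
                findings.append({
                    "user": user, "day": d, "mb": mb,
                    "baseline_mb": baseline,
                    "days_before_exit": (exit_day - d).days,
                })
    return findings

if __name__ == "__main__":
    for finding in hunt_exit_spikes(TRANSFERS, EXIT_DATES):
        print(finding)
```

The floor keeps low-volume users from alerting on trivial increases; tune the factor and floor against your own transfer telemetry.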

Given how easily organized crime groups can target disgruntled ex-insiders and considering the current economic climate, security teams need to assess the potential for this kind of malicious activity. Security teams should always make testing and validation along with active threat hunting part of the process when staff exit a business.
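A sketch of the validation step for revoked access and non-approved accounts, added here as an example and not taken from the article: reconcile account exports from every platform against the HR roster and the approved admin list. The system names, logins, export layout and finding labels are constructed assumptions.

```python
# Constructed sample inputs (not from the article): HR roster, approved
# admin list, and account exports pulled from each platform.
ACTIVE_STAFF = {"carol", "dave"}
TERMINATED = {"erin", "frank"}
APPROVED_ADMINS = {("cloud", "carol")}
ACCOUNTS = [  # (system, login, enabled, is_admin)
    ("sso", "erin@example.com", False, False),   # disabled through SSO
    ("onprem-ad", "CORP\\Erin", True, False),    # same person, missed on-prem
    ("vpn", "frank", True, False),
    ("cloud", "carol@example.com", True, True),
    ("cloud", "svc-backup2", True, True),        # matches nobody on the roster
    ("sso", "dave@example.com", True, False),
]

def normalize(login):
    """Reduce DOMAIN\\user and user@domain forms to a lowercase HR id,
    so one person is matched across on-prem and cloud exports."""
    return login.split("\\")[-1].split("@")[0].lower()

def audit_offboarding(accounts, active, terminated, approved_admins):
    """Return (system, login, issue) for every enabled account that
    should have been revoked or was never approved."""
    findings = []
    for system, login, enabled, is_admin in accounts:
        if not enabled:
            continue  # already revoked on this platform
        person = normalize(login)
        if person in terminated:
            findings.append((system, login, "enabled-after-termination"))
        elif person not in active:
            findings.append((system, login, "unknown-owner"))
        if is_admin and (system, person) not in approved_admins:
            findings.append((system, login, "unapproved-admin"))
    return findings

if __name__ == "__main__":
    for finding in audit_offboarding(ACCOUNTS, ACTIVE_STAFF, TERMINATED, APPROVED_ADMINS):
        print(finding)
```

Matching on a normalized login is a simplification; where platforms expose an employee ID attribute, join on that instead.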

Mark Stamford, founder and CEO, OccamSec
