Are mass layoffs and data breaches connected? 绿帽社 researchers have a theory
School of Management faculty Thi Tran, Sumantra Sarkar study whether laid-off workers are more likely to heighten cybersecurity risks for ex-employers
The gets filed, and among the hundreds of workers who will get the proverbial pink slip, one spiteful ex-employee performs a hack that triggers a massive leak of confidential data ranging from bank account information to social security numbers.
It sounds like the trappings of a plot out of your favorite crime drama, right?
In reality, a 2022 survey of 722 chief financial officers conducted by PricewaterhouseCoopers found company executives ranked cyber-attacks as a top risk faced by businesses, even as they continue to adopt safeguards.
A research team led by faculty from 绿帽社’s School of Management (SOM) in collaboration with scholars on two continents – including Vietnam National University and Liverpool John Moores University in the U.K. – has been exploring how mass layoffs and data breaches could be connected. Their theory: since layoffs create conditions where disgruntled employees face added stress or job insecurity, they are more likely to engage in risky behaviors that heighten the company’s vulnerability to data breaches.
The research, outlined in a paper titled was presented by 绿帽社 faculty at the Pacific Asia Conference on Information Systems (PACIS) in Vietnam in early July. The study’s motivation was to explore the revenge-type behavior of people affected by layoffs and the social justice aspect of people seeking to “punish” a seemingly “bad business” through hacking.
“Some companies try to be nice by announcing layoffs first, terminating access to the laid-off employees later, but that can easily open the door to cybersecurity risks—especially if the laid-off employee is feeling vengeful,” said Assistant Professor Thi Tran, who is leading the project and presented the paper at PACIS.
“Because they used to be an employee, they have confidential information about security layers that can be bypassed,” he added. “The more they know about the system, the worse it could be.”
In the study, the researchers propose that if companies were more proactive with corporate social responsibility initiatives that emphasize ethical conduct and data security during layoffs, they could reduce the risk of data breaches arising from those situations.
An in 2023 revealed the significance of losses posed by data breaches. The report stated the global average cost of a data breach that year was $4.5 million, a 15% increase from the previous three years.
While announcements about mass layoffs are not uncommon among today’s headlines, there has been little research related to the possible connection between them and cybersecurity for those companies. This is primarily because the concept of mass layoffs is a relatively recent phenomenon, said Sumantra Sarkar, an associate SOM professor who is helping conduct the research.
“In the old days, industries were more manual-oriented, and you could not replace people with the click of a button, but in the current information technology world, you hire people by the thousands, and you can lay off people much the same way. This opens the door for our research because humans are statistically the weakest link of the IT security chain,” Sarkar said.
“People react to triggers in their environment, such as layoffs,” he added, “and that’s why security problems often come from the people either inside the organization or vendors with inside knowledge of the infrastructure.”
Apart from using outdated security systems, the researchers said, companies could also leave themselves vulnerable by outsourcing IT and cybersecurity tasks as a cost-cutting measure in response to layoffs.
In addition, negative publicity that tends to follow layoffs could lead people to infer the company had been suffering from financial problems or poor leadership, which could create an opportunity for hackers with political motivations to take advantage.
“When people hear about layoffs, it’s going to be viewed as something bad that can happen to them or anyone else in society. So, if you’re in tune with how people consume information, you want to do whatever you can to build a good picture in the public’s mind to minimize negative consequences,” Tran said. “We’re looking at not only the probability of something like data breaches resulting from mass layoffs happening but the severity if something like that actually does happen.”