Mass layoffs and data breaches have seemed to dominate the news headlines in recent months. Now, a surprising new study suggests that these two trends may be more closely linked than we ever imagined. Researchers at Binghamton University, working with international partners, have uncovered a potential cybersecurity time bomb lurking in companies’ decisions to downsize. Their findings paint a grim reality: companies that announce layoffs may be unwittingly increasing their risk of falling victim to a devastating cyberattack.
The study, presented at the Asia-Pacific Conference on Information Systems in Vietnam, comes at a critical time: in the first quarter of 2023 alone, more than 136,000 employees were let go in a wave of layoffs in the United States. Tech giants such as Amazon, Google and IBM were no exception, with thousands of skilled workers suddenly out of work. But as companies cut costs, they may be loosening the locks on their digital safes.
Why layoffs are linked to weak cybersecurity
So how exactly do layoffs make companies more vulnerable to cyber threats? Researchers identify several key factors.
First, there’s the human element: Layoffs create a torrent of negative emotions for both departing and remaining employees. Anxiety, stress, and resentment can cloud judgment, making people more likely to neglect cybersecurity protocols or fall victim to phishing scams. In extreme cases, disgruntled ex-employees may try to fight back by exploiting insider information about company systems.
“Some companies try to be nice by first announcing layoffs and then cutting off access to laid-off employees, but that can easily open the door to cybersecurity risks, especially if the laid-off employees are vindictive,” lead researcher Thi Tran, assistant professor of management information systems at Binghamton University, said in a statement. “Because they were once employees, they have sensitive information about security layers that they can bypass. The more they know about the system, the worse the situation can become.”
Then there’s the brain drain effect: when companies downsize, they often lose valuable cybersecurity expertise, which leaves them less prepared to defend against increasingly sophisticated attacks. Imagine a fortress suddenly without its most experienced guards. The walls may still be up, but they’ll be much easier to breach.
Budget cuts due to layoffs can also lead to cybersecurity shortfalls. Companies may delay critical software updates or drop plans for new security measures. It’s like deciding not to fix a leak to save money: You might be OK for a while, but when the big storm hits, you’ll wish you had made the investment.
Finally, negative publicity surrounding layoffs can make a company an attractive target for hackers. Driven by a warped sense of justice, some cybercriminals believe that a company that is downsizing deserves to be attacked. This is like kicking someone who is down: morally wrong, but unfortunately common in the digital underworld.
How businesses can prevent data breaches
The study not only sounds the alarm, but also offers a potential defense. Researchers found that companies with strong corporate social responsibility (CSR) practices may be better protected from cyber vulnerabilities caused by these layoffs. CSR involves a company’s efforts to operate ethically and sustainably, contributing to society rather than just making a profit. Think of companies that prioritize environmental protection, fair labor practices, or community involvement.
But how can being a “good corporate citizen” help prevent cyberattacks? Researchers suggest several possibilities. First, companies that focus on CSR tend to have better relationships with their employees, which may reduce the risk of insider threats. They may also be more likely to provide support and resources to laid-off employees, which may reduce feelings of resentment. Additionally, the positive public image cultivated through CSR efforts may make companies a less attractive target for hacktivists and other politically motivated attackers.
“The weakest link in the IT security chain is the human”
The study serves as a wake-up call for business leaders trying to navigate tough economic times. While layoffs may seem like a quick fix to financial difficulties, they could open the door to a more costly cyber disaster. According to IBM’s 2023 Cost of a Data Breach Report, the average data breach costs companies a staggering $4.5 million, a 15% increase over the previous three years. This cost can easily wipe out any short-term savings from reducing staff.
Associate Professor Sumantra Sarkar, who is helping to conduct the research, explains it this way: “Earlier, industries were more manual in nature and you couldn’t replace people with the click of a button. But in today’s world of information technology, you can hire thousands of people and fire them the same way. Statistically, humans are the weakest link in the IT security chain, and this opens the door for our research.”
The message is clear: cybersecurity cannot be put on the back burner, even (and especially) during times of corporate austerity. Companies considering layoffs should consider potential cybersecurity risks and take proactive steps to mitigate them. This could include strengthening security protocols, providing additional support and training to remaining employees, and maintaining robust CSR initiatives even in the face of budget pressures.
As the world becomes increasingly digital, the line between HR decisions and cybersecurity is blurring. This research reveals how our actions in the real world often have complex and unanticipated effects that ripple out into cyberspace. It’s a reminder for business leaders, policymakers and ordinary citizens that in our interconnected modern age, compassion and cybersecurity may be more closely intertwined than we’ve ever realized.
Paper Summary
Methodology
The researchers took a multi-pronged approach to collecting data for the study. They combed through various databases, including the Privacy Rights Clearinghouse website and the SEC EDGAR database, to gather information on cybersecurity breaches. To track layoff announcements, they used Nexis Uni to manually search news sources, focusing on S&P 500 companies from 2021 onward. They also obtained data on corporate social responsibility levels from the MSCI ESG database and used statistical models to analyze how layoff announcements correlated with subsequent cybersecurity breaches, while also considering the potential moderating effect of CSR practices.
Results
While full results are not yet available, the researchers have developed a model to test several key hypotheses. They expect that companies that announce layoffs are indeed more likely to suffer a cybersecurity breach. Furthermore, they expect that the severity of the layoffs (i.e., the number of employees fired) will be correlated with the severity of subsequent breaches. Taking a more positive view, they hypothesize that companies with strong CSR practices may be somewhat protected from this effect, resulting in less frequent or less severe breaches following layoff announcements.
Limitations
It is important to note that while this study is groundbreaking, it has several limitations. The study focused primarily on large, publicly traded companies in the United States, so the findings may not be equally applicable to smaller companies or companies in other countries. Additionally, there are many causes of cybersecurity breaches, and layoffs are only one potential contributing factor. While this study can show correlations, it is difficult to definitively prove causation. Finally, the effectiveness of CSR in mitigating cyber risks may vary depending on how it is implemented and the perceptions of stakeholders.
Discussion and Summary
This study opens new avenues for understanding the complex interplay between corporate decision-making, employee well-being, and cybersecurity. The study encourages companies to think more holistically about the ripple effects of decisions about employees. The potential protective effect of CSR activities is particularly interesting, suggesting that ethical business activities may have tangible benefits for cybersecurity. For business leaders, the key takeaway is the need for integrated thinking, i.e. considering cybersecurity implications in all major decisions, not just those directly related to IT. Policymakers could use these findings to develop more comprehensive guidelines for companies that are restructuring. For cybersecurity professionals, the study highlights the importance of the human factor in security planning.
Funding and Disclosure
The study was conducted by researchers from multiple institutions, including Binghamton University, the State University of New York, Vietnam National University, and Liverpool John Moores University in the UK. The information provided did not state specific funding sources, but this type of research is typically supported by university grants and sometimes industry partnerships. The authors declare that they have no conflicts of interest, indicating that the results of the study were not influenced by financial connections.