The Security Risk No One Talks About During Layoffs: Offboarding

In our current unpredictable economic environment, announcements of workforce reductions have become a frequent occurrence, not only in the private sector but also across federal agencies such as the Department of Health and Human Services, the Department of the Treasury, and the Cybersecurity and Infrastructure Security Agency. While much attention rightly focuses on the human and operational impacts of layoffs, an important risk often remains unaddressed: security.
Organizations often devote considerable effort and coordination to onboarding new employees, provisioning appropriate access, delivering training on acceptable use, and implementing identity verification protocols. Yet, when those same employees depart, particularly during layoffs involving numerous people and tight timeframes, offboarding procedures are often inconsistent and haphazard. Processes may be manual and fragmented, communication between departments can falter, and overwhelmed IT teams are left scrambling to keep up.
This gap in process and priority creates a significant insider threat that is often overlooked but deserves much more scrutiny in the era of frequent workforce transitions.
Addressing the Insider Threat
Insider threats account for a notable portion of security incidents, whether those threats are the result of malicious intent or simple negligence. Nearly 90% of former employees maintain access to sensitive corporate systems and data after their departure. These lapses, such as former employees retaining access to sensitive systems, put organizations at significant risk. The failure to promptly revoke access across any system or platform can lead to data breaches, regulatory non-compliance, and significant financial losses. This is usually not due to ill will, but rather because identity and access management systems have not adapted to meet the urgency and complexity that modern offboarding demands.
In situations of mass layoffs, IT teams may receive lists of hundreds of employees to offboard with very limited notice. They are often required to deactivate accounts and revoke credentials within hours or even minutes. Without automated workflows and robust coordination across HR, IT, and security teams, the process of disabling access across all relevant platforms is a race against time. Human error in such circumstances is almost unavoidable, heightening the risk of insider threats.
Today’s hybrid work environment and cloud-based collaboration tools mean access is no longer confined to physical offices or corporate devices. It encompasses cloud applications, shared drives, software-as-a-service platforms, remote servers, and even third-party integrations. This broad attack surface demands timely and thorough access revocation to prevent insider threat vulnerabilities.
Why Offboarding Remains a Persistent Challenge
The complexity of offboarding lies in the accumulation of employee privileges over time. Staff members often acquire access to a wide range of resources, including financial data, customer records, proprietary code repositories, and executive communications. These privileges tend to be distributed across multiple systems and organizational silos. Without a centralized and current identity and access management framework, it is a daunting task to ensure access is comprehensively revoked in a timely manner.
This challenge has grown more complicated in recent years due to the rise of remote work and Bring Your Own Device (BYOD) policies. Simply reclaiming physical assets such as badges or laptops no longer guarantees the removal of all sensitive data access. Former employees may retain synchronized files on personal devices, stored passwords in browsers, or access to unmanaged applications.
Adding further complexity to this offboarding challenge is the issue of shadow IT. The use of unauthorized software, applications, and cloud services by employees without formal approval or oversight is constantly growing. Shadow IT proliferates outside the control of IT departments and often bypasses established security protocols and monitoring. When employees leave, their access to these unmonitored tools can persist, posing serious risks to data security and compliance. You can’t remove access if you didn’t know it existed.
Effective Strategies to Address Offboarding Risks
To mitigate the risk of insider threats, especially during or in preparation for mass offboarding, organizations must elevate offboarding to the same level of priority and rigor as onboarding. The following strategic practices are critical to securing the offboarding process:
- Automation of Offboarding Procedures: Utilize identity and access management tools that integrate with your IT ecosystem to automatically revoke access and deactivate accounts as soon as an employee departs. Manual processes cannot keep pace with the velocity of modern workforce changes.
- Regular Access Reviews and Audits: Establish periodic reviews of user access privileges, with a particular focus on privileged accounts. This practice helps identify and remove outdated permissions for former employees and prevents unnecessary privilege accumulation among current staff.
- Cross-Department Collaboration: Ensure that human resources, IT, and security teams maintain clear and timely communication. A formalized offboarding workflow triggered immediately by employment status changes can reduce delays and avoid confusion during the deprovisioning process.
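The access review described in the list above, as an added example that is not part of the original article: it reconciles an HR termination feed against per-system account exports and flags accounts that were used after the termination time, are still enabled, or have no HR owner. All systems, logins and timestamps are constructed sample data, and the plus-tag alias rule in `normalize` is an assumption about how logins map to HR identities.

```python
from datetime import datetime

# Constructed sample data: HR feed is the source of truth for employment status.
HR_TERMINATED = {  # identity -> termination time (ISO 8601, UTC)
    "adavis@example.com": "2025-03-01T17:00:00+00:00",
    "bchen@example.com": "2025-03-01T17:00:00+00:00",
}
HR_ACTIVE = {"cgomez@example.com"}

# Constructed per-system exports: (system, login, enabled, last_login or None).
ACCOUNTS = [
    ("idp", "ADavis@example.com", False, "2025-02-28T09:12:00+00:00"),
    ("crm", "adavis@example.com", True, "2025-03-03T22:41:00+00:00"),
    ("git", "bchen@example.com", True, "2025-02-20T11:00:00+00:00"),
    ("fileshare", "bchen+sync@example.com", True, None),
    ("crm", "cgomez@example.com", True, "2025-03-04T08:00:00+00:00"),
    ("git", "dlee@example.com", True, "2025-03-02T10:00:00+00:00"),
]

def normalize(login):
    """Lowercase and drop a +tag so aliases map to one HR identity (assumed rule)."""
    local, _, domain = login.strip().lower().partition("@")
    return f"{local.split('+', 1)[0]}@{domain}"

def review_access(terminated, active, accounts):
    """Return (system, login, finding) for every account that needs action."""
    findings = []
    for system, login, enabled, last_login in accounts:
        owner = normalize(login)
        if owner in terminated:
            left = datetime.fromisoformat(terminated[owner])
            used = last_login and datetime.fromisoformat(last_login) > left
            if used:
                # Highest priority: access was exercised after departure.
                findings.append((system, login, "login-after-termination"))
            elif enabled:
                findings.append((system, login, "enabled-after-termination"))
        elif owner not in active and enabled:
            # No HR record at all: possible shadow IT or unmanaged account.
            findings.append((system, login, "no-hr-owner"))
    return findings

if __name__ == "__main__":
    for system, login, finding in review_access(HR_TERMINATED, HR_ACTIVE, ACCOUNTS):
        print(f"{finding:28} {system:10} {login}")
```

Run per system export after each termination batch; an empty result is the condition for closing the offboarding ticket.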
Leadership’s Role in Securing Workforce Transitions
Workforce changes are an unavoidable part of doing business, but organizations cannot afford to allow their security controls to lag behind these transitions. Incomplete or delayed offboarding is not merely a technical failure; it reflects broader leadership and governance shortcomings. Executive teams must promote a security-first culture that treats employee departures with the same level of discipline and care applied to onboarding.
As cyber threat actors become increasingly opportunistic and regulatory requirements surrounding data protection intensify, organizations must recognize that effective offboarding is foundational to a resilient security posture. It demonstrates an organization’s commitment to protecting its data, reputation, and long-term viability.