Mass layoffs and data breaches could be connected, according to researchers

A research team led by faculty from Binghamton University, State University of New York has been exploring how mass layoffs and data breaches could be connected. Their theory: since layoffs create conditions where disgruntled employees face added stress or job insecurity, they are more likely to engage in risky behaviors that heighten the company's vulnerability to data breaches.

The research, outlined in a paper titled "The Impacts of Layoffs Announcement on Cybersecurity Breaches," was presented by Binghamton faculty at the Pacific Asia Conference on Information Systems (PACIS) in Vietnam in early July.

The study's motivation was to explore the revenge-type behavior of people affected by layoffs and the social justice aspect of people seeking to "punish" a seemingly "bad business" through hacking. The research was done in collaboration with scholars on two continents—including Vietnam National University and Liverpool John Moores University in the U.K.

"Some companies try to be nice by announcing layoffs first, terminating access to the laid-off employees later, but that can easily open the door to cybersecurity risks—especially if the laid-off employee is feeling vengeful," said Assistant Professor Thi Tran, who is leading the project and presented the paper at PACIS.

"Because they used to be an employee, they have confidential information about security layers that can be bypassed," he added. "The more they know about the system, the worse it could be."

In the study, researchers propose if companies were more proactive with corporate social responsibility initiatives that emphasize ethical conduct and data security during layoffs, they could reduce the risk of data breaches arising from those situations.

An IBM Cost of Data Breach report in 2023 revealed the significance of losses posed by data breaches. The report stated the global average cost of a data breach that year was $4.5 million, a 15% increase from the previous three years.

While announcements about mass layoffs are not uncommon among today's headlines, there has been little research related to the possible connection between them and cybersecurity for those companies. This is primarily because the concept of mass layoffs is a relatively recent phenomenon, said Sumantra Sarkar, an associate SOM professor who is helping conduct the research.

"In the old days, industries were more manual-oriented, and you could not replace people with the click of a button, but in the current information technology world, you hire people by the thousands, and you can lay off people much the same way. This opens the door for our research because humans are statistically the weakest link of the IT security chain," Sarkar said.

"People react to triggers in their environment, such as layoffs," he added, "and that's why security problems often come from the people either inside the organization or vendors with inside knowledge of the infrastructure."

The researchers said companies could also leave themselves vulnerable, apart from using outdated security systems, by outsourcing IT and cybersecurity tasks as a cost-cutting measure in response to layoffs.

In addition, negative publicity that tends to follow layoffs could lead people to infer the company had been suffering from financial problems or poor leadership, which could create an opportunity for hackers with political motivations to take advantage.

"When people hear about layoffs, it's going to be viewed as something bad that can happen to them or anyone else in society. So, if you're in tune with how people consume information, you want to do whatever you can to build a good picture in the public's mind to minimize negative consequences," Tran said.

"We're looking at not only the probability of something like data breaches resulting from mass layoffs happening but the severity if something like that actually does happen."