The Great Resignation. The Great Reshuffle. Increased use of contractors. Layoffs. Lack of confidence in job security. Let’s call it what it is: workforce volatility. And there are no signs of it slowing down.
So, what does that mean for the protection and security of your valuable data? Honestly? It’s probably not great!
First – the Great Resignation and the Great Reshuffle
Roll the calendar back two years to our 2020 Data Exposure Report release in February of that year. Even then – pre-pandemic, pre-massive cloud tech adoption and pre-Great Resignation – we knew then that 2 out of 3 people admitted to taking data with them when they left their jobs. (We suspect that figure was actually much higher.) That’s before collaboration tools became the de-facto sharing mechanism for legitimate work.
It’s also before job market confidence took a nosedive (more to come on that later).
In April 2021, a record 4 million people quit their jobs, starting what is called the “Great Resignation” period. Based on our 2021 Data Exposure Report, security professionals report the following as top concerns related to this mass job departure:
- Lack of visibility over what sensitive data departing employees take to other companies (48%)
- Sensitive data saved on local machines or personal hard drives (47%) (where security teams may struggle to have visibility)
- Lack of visibility over how much sensitive data departing employees take to other companies (45%)
Then – the layoffs
Of course, we hit a record scratch moment. In 2022, more than 32,000 people in tech were laid off in the US, according to Crunchbase data. And unfortunately, the ripple effect of these recent layoffs is far and wide – in fact, it seems that just 9% of tech workers are confident in their job security.
Based on research from Harvard Business Review, during the last recession, companies experienced a 31% increase in turnover following a layoff. Meaning not only do security teams need to protect their organizations from data theft as a result of a layoff, they also need to take into account the nearly one-in-three chance that others within their organizations might be headed for the doors, too.
And with that, it’s likely your remaining team is taking action to protect themselves – aka make themselves valuable to someone else by gaining a competitive edge. The edge? Your IP, customer lists, sales strategy and roadmap. In fact, employees are 85% more likely to take data now than they were pre-pandemic. And 37% of organizations lose their valuable IP when employees leave and take those trade secrets with them.
For everyone else out there – the companies not yet unlucky enough to face a layoff – the impact is the same. A lack of general confidence in job security, so significant it accounts for 91% of the tech workforce and means your employees are likely taking copies of anything they think will be beneficial in the future.
5 steps to get ahead of workforce volatility in your organization
There are some straightforward ways to reduce risk from insiders right now. Here are five ways to get started:
- Make sure your employees know what data belongs to the business and what’s theirs. When departing employees take data, it’s often because they feel ownership over the ideas and are proud of what they’ve created. As of late 2020, more than three-quarters (80%) of business decision makers believed they were entitled to or should own their work product. And that trend has been on the rise: in 2019, that figure was 71%, up slightly over 2018 when it was 65%.
- Let them know you’re monitoring where data is being sent. If you want employees to treat data cautiously, then remind them that there are acceptable – and unacceptable – ways to use that data. And be transparent with how you’re watching that data and what you do with it. Most people behave better when they know the store is being watched. Take a look at our template for an acceptable use policy and banner notifications for some ideas on how to flag this to your users.
- Start building a culture of empathy and trust between your employees and the security team. Moving data to untrusted locations is often unintentional or misguided–the goal with these employees shouldn’t be to “catch” them doing bad things; but instead, to get them to do the right things more often. You can’t persuade a hacker or a piece of malware to change behavior. But when it comes to your colleagues, simple education, delivered at the right time, can go a long way toward steering behaviors and building a security-aware culture — to getting end users working with you to mitigate harmful insider behaviors.
- Make sure your data protection technology can tell the difference between trusted and untrusted cloud domains. As we drive toward efficiency and empower our workforces, security and IT teams are increasingly provisioning corporate versions of consumer cloud applications for their employees to use for creating and sharing data. Clearly seeing the difference between an approved corporate OneDrive or Google account and a consumer account is critical to determining risk and filtering out noise.
- Establish a clear baseline for what behavior in your environment is truly risky and what’s just noise. Only a sliver of data movement is actually a serious risk, but employees can create hundreds of thousands of events in a day. Without relying on outdated policies that define what “bad” looks like, security teams can cut through the noise by looking at all data for indicators of true risk and use that to automatically mitigate and control potential loss or theft.
Want to learn more about how Code42 can help protect your business from data loss? Watch a demo here.