
How to Navigate Security Through Organizational Change

In our modern business world, organizational change is inevitable. Such change can take many forms. A few of the most common:

  • Merger or acquisition
  • Divestiture
  • Consolidation of two or more divisions or departments
  • Cost-cutting initiatives including layoffs
  • Transition to a new CEO or other top executives
  • Shifts in territories and markets

Regardless of the reason for it, organizational change can create significant cyber security challenges. Enterprises need to take steps to ensure they are protecting valuable data before, during and after any organizational change.


Organizational change risks

Challenges often arise out of organizational change. Mergers and acquisitions, as well as layoffs, create security risks. The overall number of M&A deals in the 12 months ending September 30, 2019 was 12,713, according to Statista, a provider of market and consumer data.


Here are examples of employees who might be high risks for taking valuable information with them, or even damaging IT resources:


  • Double Duty: People who lose their jobs because of a merger that results in duplicate job roles. Since 2000, more than 790,000 transactions have been announced worldwide with a known value of more than $57 trillion, according to the Institute of Mergers, Acquisitions, and Alliances (IMAA).
  • Overworked Survivors: Employees who are kept on after a layoff and become overworked, leading them to seek employment with another company.
  • Cost Cuts: Workers who are laid off because of cost-cutting efforts by their companies. Employers announced plans to cut 592,556 jobs from their payrolls in 2019, 10% higher than the 538,695 cuts announced in 2018 and the highest annual total since 2015, according to global outplacement and business and executive coaching firm Challenger, Gray & Christmas.
  • Promotion Passes: Individuals who are passed over for promotions they feel they deserve. This could lead them to take data owned by the company. According to Verizon’s 2019 Insider Threat Report, 57% of database breaches involved insider threats within an organization.


The security solutions

What can companies do to address the security challenges of organizational change, particularly when employees leave the company? Here are some best practices:


  • Early Start: Plan ahead with data security strategies as early as possible, prior to an organizational change such as a merger. Employees often take data weeks before the “compelling event” such as a job ending.
  • Set Alerts: When monitoring employee activity, it’s generally wise to focus efforts across the board in the event of an incident. With mergers and acquisitions, set alerts for users who are involved in a layoff, have access to confidential files related to the deal, or who you know are at a higher risk of turnover following the merger.
  • Retain Files: When employees leave the company, retain or restore their files by using an application installed on the employee’s device to download files. Once the restoration is complete, deactivate the users in all applications they had access to and sign them out of all devices and online sessions.
  • New Passwords: In addition, change passwords on any accounts shared by departing employees, and update their email and phone accounts.
  • Gather Devices: Collect all company-issued devices such as desktop and laptop computers, smartphones, tablets, external hard drives, USB sticks, and access badges.
  • Minimize Damage: If any data loss or other security incidents occur, be prepared to immediately take the appropriate steps to minimize damage.
  • Emphasize Collaboration: Encourage strong collaboration among security/IT, human resources and legal representatives to address which actions need to be taken.


A key point to remember is that organizational change is also a people issue: it puts employees in an uneasy position. Any time someone is placed in this position, whether they leave the company or not, they are at risk of taking data in an unauthorized manner. Make sure your organization has evaluated this security risk before the next big organizational change.


About the Author

Tommy is the Security Product Evangelist at Code42. With over 20 years working in cybersecurity, Tommy is CISSP certified, a data privacy rights public speaker and a thought leader in the encryption space. Before joining Code42, Tommy spent 8 years with Symantec focused on data protection and data privacy customer strategies.

Profile Photo of Tommy Todd