It’s a bumpy ride in the technology sector these days.
Tech firms of all kinds are aggressively resizing, responding to the realities of high interest rates, slowing overall economic growth, and smaller ad budgets. The cuts to workers’ ranks are deep: Layoffs.fyi, a website that tracks tech-sector terminations, estimates that in 2022 nearly 800 technology companies have sent home more than 120,000 workers.
The human toll of these layoffs is devastating, even if the cuts are necessary. Real families are suffering. The trauma of a layoff can lead a terminated worker to despair.
But these mass tech sector terminations seriously increase another risk that needs our urgent attention: corporate chaos brought on by this downsizing opens the door to major cybersecurity attacks that can wreak havoc on the target companies, their remaining employees, their clients, their supply chains, and our society and economy as a whole.
And when the companies in chaos hold the highly sensitive personal information of billions of users, the risks are that much more serious.
As anyone who has lived through a corporate downsizing can tell you, layoffs of a significant number of workers cause negative impacts that go far beyond the employees who are actually terminated. Remaining employees are often left to abruptly navigate new lines of reporting to unfamiliar managers, changed operational processes, including financial approvals, and disruptions to job mandates and responsibilities. Rattled survivors of corporate layoffs are often demoralized and distracted. Productivity drops as workers wonder who will be next.
Cyber criminals thrive in these conditions. It is an established fact in cybersecurity that disruptions to established corporate processes increase cyber risk. Changes in lines of personnel reporting, or financial approvals, for example, open opportunities for hackers to use socially-engineered phishing attacks to penetrate company defenses and steal data or money or both.
Distracted employees quickly forget what they learned in their corporate cyber awareness training, and click on links that they shouldn’t. New lines of reporting mean that employees are less likely to check in with managers to ensure that the funds transfer request that they just received is legitimate.
The link between corporate disruption and cyber attacks is well-established, and we saw it happen most recently in the COVID-19 pandemic. The pandemic brought disruptions to corporate processes and practices that directly increased cyber vulnerabilities. Phishing attacks spiked as workers adjusted to working from home, away from easy check-ins with colleagues and managers. Cyber criminals exploited the general fear and anxiety created by COVID-19 to steal money from vulnerable segments of the population. Hackers found new vulnerabilities when workers started using insecure home technologies for work.
Where a virus once caused upheaval and created cyber risk, now an economic shake-up is at fault. But the outcome is the same: opportunities for cyber criminals are up, and defenses are down.
With the COVID-19 pandemic, however, at least privacy and security personnel were still in their roles. Not so with the current tech-sector resizing. Given the levels of cutting at many technology firms, it is difficult to imagine that privacy and information security groups are not being cut along with everything else. This is a serious problem: corporate investment in cyber security is already lower than it should be, and many cybersecurity roles remain unfilled due to a global labour market shortage in the sector. To further diminish the resources available to defend firms from cyberattacks is to court disaster.
An effective cybersecurity culture requires aware and diligent personnel who are trained to recognize risks, established processes to ensure that breaches are effectively managed when they happen, and up-to-date and well-implemented technology solutions. All of that is threatened when a company downsizes.
So how can we mitigate this challenging risk environment?
First, senior corporate leaders need to pay attention to the cybersecurity and privacy impacts of their resizing efforts. Boards of directors need to ensure that CEOs and CTOs are watching impacts carefully and working hard to ensure minimal disruptions to processes, especially within groups that work with money and sensitive data.
Second, no company should cut resources to privacy and security groups without a serious second thought. This is especially true for companies that handle sensitive user data. The current international threat environment is very serious, and attacks are growing. It is not the time to curtail resources for these essential functions.
Finally, regulators and government leaders need to articulate clearly that security and privacy expectations for technology companies remain high. The current economic climate, as tough as it is, cannot be used by firms as an excuse for irresponsible corporate cuts that expose user data to risk of disclosure, and our economy and society to potentially devastating cyberattacks.
The technology sector is being tested right now. But when it comes to cybersecurity, failure is not an option.
This op-ed first appeared in Newsweek.