When cybersecurity is discussed, people often picture nation-state attackers, malicious insiders, or zero-day vulnerabilities. But sometimes, the biggest risk walks right out the front door.
Amid economic uncertainty and waves of corporate restructuring, layoffs have become a recurring headline across industries. Yet what’s rarely examined is the security risk embedded in these workforce transitions—unreturned devices, retained access credentials, cloud-stored data, and, at times, even unresolved resentment.
And while cybersecurity teams tend to be laser-focused on external threats, the real exposure often lies in how companies handle their goodbyes.
According to the 2025 Verizon Data Breach Investigations Report (DBIR), 60% of data breaches involved a human element, where credential misuse and orphaned access were factors.
So, where do you begin? With a blind spot that’s become too risky to ignore: deprovisioning.
The forgotten layer of identity management
Much of the enterprise focus on identity and access management revolves around provisioning: getting the right people the right access at the right time. But access removal—the other half of the equation—is often treated as an afterthought.
Too often, when layoffs occur at scale, IT and security teams are looped in late, or not at all. HR might process severance, legal might review NDAs, but identity revocation becomes a checklist item rather than a real-time security action.
Research reveals that over 30% of organizations can take more than three days to revoke all system access after departure. In that time, former employees may still have access to email, cloud apps, VPNs, or customer data.
In hybrid environments, the risk is amplified. Devices aren’t always returned promptly, remote employees may retain sensitive local files, and SaaS tools—often outside the view of IT—can stay live for months. Each of these is an open door.
Not only is the risk technical, it is also personal. Because when layoffs happen, emotions follow. And that’s where the next layer of exposure begins.
Data, devices, and digital resentment
Not all departures are amicable. Especially in layoff scenarios, the emotional fallout can include feelings of betrayal, injustice, or disempowerment—conditions that make post-employment data misuse more likely.
Consider this: in a 2025 Cyberhaven study, laid-off employees admitted to taking company data before leaving, with the majority citing it as “assets they helped create” or “resources they might need in future roles.”
Stolen assets include client lists, source code, pricing models, and sales scripts. These materials often end up in the hands of competitors, sometimes through the employee’s next job.
But even without malicious intent, data exposure can occur. Many employees back up work to personal drives “just in case,” especially when worried about abrupt terminations. Without robust data loss prevention controls, these copies go unnoticed and uncontained.
And this is exactly where good intentions falter—because of broken processes.
Why security often misses the exit moment
The breakdown is rarely about intention. Most organizations care about secure offboarding. But the process is fragmented:
HR owns the employee file;
Legal owns the compliance layer;
IT owns device collection and system access;
Security owns risk and monitoring.
Without tight coordination, gaps appear. A departure email might go out before permissions are revoked. A laptop might be mailed in days after the employee’s last login. A shared folder might stay active because it’s unclear who else uses it.
The lack of a unified playbook—especially during mass layoffs—means that even mature security teams can be caught off-guard.
So what’s the fix? Your organization needs orchestration, and that starts with automation.
The role of automation and identity lifecycle management
Modern identity and access management platforms can dramatically reduce these risks, but only if they’re configured and connected well.
Systems like Okta, JumpCloud, or Azure AD can automate deprovisioning workflows: removing access across integrated apps, revoking tokens, triggering alerts, and syncing logs to security information and event management platforms. But automation is only as good as its orchestration.
The most resilient organizations build dynamic workflows that:
Trigger immediate revocation of high-risk access (e.g., admin accounts, financial tools) once an HR status changes;
Notify security teams in real time for further review;
Initiate device wipe protocols on laptops or mobile phones if not returned within a threshold window;
Log all exit actions in audit trails for compliance and investigation.
But workflows alone won’t close the gap. Because at the heart of offboarding is something even automation can’t replicate: the human experience.
Bridging the human layer: Communication and empathy in offboarding
Security doesn’t exist in a vacuum. How layoffs are communicated and executed matters deeply to post-exit behavior.
Transparent communication, dignified processes, and emotional support can reduce the likelihood of retaliatory behavior. Some companies now offer exit interviews and offboarding briefings from the IT or security team: clear instructions on device returns, NDA reminders, and guidance on how data handling policies extend post-employment.
This isn’t just kindness—it’s also control. Employees who feel respected are less likely to act out.
Still, not every organization learns this lesson in time. And the cost of getting it wrong? Sometimes, it is painfully public.
A costly oversight
In one public case, a former Cisco engineer who had not been fully offboarded in AWS after leaving used lingering credentials to delete 456 EC2 instances related to the WebEx Teams application. Cisco publicly reported that the incident cost the company approximately $2.4 million.
The breach stemmed from poor coordination. IT believed HR had already processed the revocation. HR assumed it was automatic. Legal discovered the gap weeks later during a client audit.
This raises the question: What are you actually tracking when someone leaves your organization, and is it enough?
What to track in secure offboarding
To treat offboarding as a security function, leaders must measure its execution with the following:
Mean time to revoke: Time between HR termination entry and full system access revocation.
Unreturned asset rate: Percentage of devices not received within 7 days of exit.
Post-exit activity flags: Instances of access or data movement after departure.
Shadow IT retention: Number of SaaS tools where accounts remain active 30 days post-exit.
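The four metrics above, computed from exported HR, asset, access-log and SaaS records. This is an added example, not part of the original article; the field names, sample records and `as_of` report date are constructed assumptions. Accounts that are still unrevoked are listed separately so they cannot make the mean look better than it is.

```python
from datetime import datetime as dt, timedelta

def offboarding_metrics(exits, access_events, saas_accounts, as_of):
    """Compute the four offboarding metrics from HR, asset, log and SaaS exports."""
    exit_at = {e["user"]: e["exit"] for e in exits}
    # Mean time to revoke: HR termination entry -> full access revocation.
    # Users not yet revoked are reported separately instead of being dropped.
    done = [e for e in exits if e["revoked_at"]]
    hours = [(e["revoked_at"] - e["hr_entry"]).total_seconds() / 3600 for e in done]
    # Unreturned asset rate: device not received within 7 days of exit.
    # A device that is still out is measured against the report date.
    late = [e for e in exits
            if (e["device_returned_at"] or as_of) > e["exit"] + timedelta(days=7)]
    # Post-exit activity flags: any logged access after the exit timestamp.
    flags = [a for a in access_events
             if a["user"] in exit_at and a["ts"] > exit_at[a["user"]]]
    # Shadow IT retention: SaaS accounts still active 30 days post-exit.
    shadow = [s for s in saas_accounts
              if s["active"] and s["user"] in exit_at
              and as_of >= exit_at[s["user"]] + timedelta(days=30)]
    return {
        "mean_time_to_revoke_h": sum(hours) / len(hours) if hours else None,
        "revocation_still_open": [e["user"] for e in exits if not e["revoked_at"]],
        "unreturned_asset_rate_pct": round(100 * len(late) / len(exits), 1) if exits else None,
        "post_exit_activity_flags": len(flags),
        "shadow_it_retention": len(shadow),
    }

# Constructed sample data (not from the article).
EXITS = [
    {"user": "alice", "hr_entry": dt(2025, 3, 3, 9), "exit": dt(2025, 3, 3, 17),
     "revoked_at": dt(2025, 3, 3, 11), "device_returned_at": dt(2025, 3, 5)},
    {"user": "bob", "hr_entry": dt(2025, 3, 3, 9), "exit": dt(2025, 3, 3, 17),
     "revoked_at": dt(2025, 3, 7, 9), "device_returned_at": dt(2025, 3, 14)},
    {"user": "carol", "hr_entry": dt(2025, 3, 10, 9), "exit": dt(2025, 3, 10, 17),
     "revoked_at": None, "device_returned_at": None},
]
ACCESS = [
    {"user": "alice", "ts": dt(2025, 3, 3, 10), "system": "email"},
    {"user": "bob", "ts": dt(2025, 3, 5, 22), "system": "vpn"},
    {"user": "carol", "ts": dt(2025, 4, 1, 8), "system": "crm"},
]
SAAS = [
    {"user": "alice", "tool": "notes-app", "active": False},
    {"user": "bob", "tool": "design-app", "active": True},
    {"user": "carol", "tool": "board-app", "active": True},
]
REPORT = offboarding_metrics(EXITS, ACCESS, SAAS, as_of=dt(2025, 4, 5))
```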
Tracking these metrics enables accountability and continuous improvement. In periods of mass restructuring, security teams must scale their offboarding protocols.
That means using exit playbooks with pre-defined workflows by role, region, and risk level, and flagging high-risk departments (finance, DevOps, sales ops) for manual review, because security must start at departure.
Security starts at goodbye
Most cybersecurity narratives begin with a breach. But in reality, many threats begin with a goodbye.
Layoffs, transitions, and terminations are predictable moments of vulnerability. Yet many companies still treat offboarding as a logistical chore.
Secure offboarding is both a cultural and technical necessity. The tools exist—from identity and access management automation to respectful communication and cross-departmental playbooks. But the will—and the coordination—must follow.
Because the moment an employee walks out with a laptop and lingering access, the perimeter isn’t just digital anymore. It’s human.
And in security, forgetting the human layer is costly.