Threads, a rival social media platform to Elon Musk’s Twitter launched last week prompting millions of downloads and widespread praise across its userbase.

The arrival of Threads hasn’t gone unchallenged by Musk, who has issued a letter to Mark Zuckerberg Co-founder of Meta, the organisation that developed the Threads platform.

In the letter, Elon Musk’s team claims that ‘employees had and continue to have access to Twitter’s trade secrets and other highly confidential information; that these employees owe ongoing obligations to Twitter; and that many of these employees have improperly retained Twitter documents and electronic devices.’

Figure 1 - Extract from letter Re Threads

There’s a lot to unpick in the above extract, for the purposes of this blog I want to explore the following issues.

1. Why mass layoffs pose an issue for effective employee offboarding?

2. Why ex Twitter employees may have easily retained access to electronic devices and documents?

3. What steps should an organisation take to reduce information leakage through offboarding?

4. Do employees need to flag that they are in possession of company assets and information once they’ve left employment?

Why mass layoffs pose an issue for effective employee offboarding?

Elon Musk famously disposed of 80% of his staff since the beginning of his Twitter premiership. Mass layoffs happen and I’m not going to get into the rights and wrongs of Elon’s decisions, however when you layoff a significant number of staff, infosec challenges present themselves.

Asset recovery

Recovering laptops, phones, equipment, and other information storing devices can be difficult, even in routine employee exits. When an organisation conducts mass layoffs, often with individuals exiting the organisation immediately (or at a rapidly expedited timescale) recovering assets becomes a race against time and even left to the goodwill of an employee who has just lost their job!

If the organisation hasn’t got sufficient processes, contractual and technological mechanisms in place to facilitate a mass redundancy, assets will fall through the cracks and recovering these important devices once an employee has left the organisation is incredibly challenging.

Organisational disarray

Mass layoffs can impact multiple departments, including departments such as Infosec and IT who are critical to ensuring correct offboarding procedures are followed. If layoffs are not executed correctly and impact the operational effectiveness of these departments, errors in the offboarding process are likely to occur. It could also take the organisation time to recover from a mass layoff event which may mean issues with assets and access of offboarded employees are not detected.

Employee apathy

Employees that feel their jobs are under threat during a mass layoff situation are often distracted identifying new opportunities with other organisations or reassuring remaining staff. The result of this activity is that processes and diligence is often neglected or shortcutted, which can result in information leakage as employees exit.

Figure 2 - Twitter hit the news for mass layoffs

Why ex Twitter employees may have easily retained access to electronic devices and documents?

Shadow IT

Shadow IT is any IT equipment used by employees without the oversight of the firm’s IT department. Twitter employees may be empowered to use their personal devices for work, perhaps because their personal devices offered an advantage over their company issued equipment or as a necessity due to the COVID19 pandemic. Due to the nature of shadow IT, it is possible that ex twitter employees retained access to some company information saved locally on the device.

Local Access

As explored above, if IT assets haven’t been collected it may be possible for ex-employees to access files that they have saved locally. Storing files locally (directly onto the device’s hard drive) or on a removeable memory device may allow ex-employees access to files even after their employee accounts have been deactivated centrally.

Physical files

Believe it or not, people still print out emails and documents. People do this for various reasons, but mainly for convenience and arse covering…

Unless employees that practice the art of holding physical files in their own home are good enough to destroy these files it is entirely possible that IP and other information held in this manner could be used inappropriately.

Twitter Offboarding

There’s a lot of things to consider when executing a successful employee offboarding, If the process is rushed or compromised for any reason (in Twitter case due to mass layoffs) it’s likely some ex-employees will still have access to company information when they shouldn’t.

What steps should an organisation take to reduce information leakage through offboarding?

A few things you need to conduct a successful offboarding.

1. A full record of the assets issued to the employee, this needs to be up to date!

2. A clear offboarding process that is documented and identifies the roles responsible for offboarding the employee.

3. An offboarding process that details how issued assets will be recovered and when.

4. An offboarding process that details how accounts are locked and then deactivated with other technical controls to control information detailed.

5. Issuing data protection obligations to the employee and obtaining employee signature (sometimes this is covered off in employment contracts.)

6. Ensuring the employee is aware of their infosec obligations once they depart the company.

Figure 3 - Credit SelectHub

Do employees need to flag that they are in possession of company assets and information once they’ve left employment?

This isn’t straightforward and depends on the agreements signed during the employee’s time in the organisation but also during the offboarding process.

Information security professionals shouldn’t rely on the diligence or integrity of ex-employees to self-report or simply destroy or return IT assets or information. In all cases, prevention is better than cure, a comprehensive offboarding process that ensures all asset recovery and account / system lockouts is critical to stop information leakage.

If organisations want to protect against information leakage, employee offboarding is a key area to invest effort, an area that Twitter seemingly neglected leaving the organisation vulnerable when a mass offboarding event necessitated by Elon’s layoffs occurred. Twitter clearly identify that employees have improperly retained Twitter documents and electronic devices, but attempting to hold ex-employees to account may prove fruitless. Instead, Twitter should have focused on ensuring this scenario did not occur in the first place.