IT teams handle layoffs with a structured approach to ensure security and compliance while minimizing disruptions. Here’s a general overview of the process after HR communicates the list of impacted employees and the timeline:

1. Access Revocation – IT teams immediately disable the impacted employee’s accounts across all systems, networks, email, cloud services, and internal applications.
2. Device Management – Company-owned devices are retrieved, and remote access is disabled. For personal devices used for work, IT may revoke access to corporate apps and data through mobile device management (MDM) tools.
3. Data Protection – transferring ownership of files and resources to other team members or managers. Emails and documents maybe archived for governance or compliance purposes.
4. Audit and Monitoring – Logs and access records are reviewed to ensure no unauthorized after the layoff.
5. Legal and Compliance Considerations – IT teams work with legal departments to ensure compliance with data protection laws and company policies.

IT places a priority on access revocation and device management as these must be planned and executed on short notice. The remaining steps are often deemed optional and delayed until a later time when resources are available. Deleting users from Active Directory is often the quick fix for controlling access/ownership. This results in files with orphan system identifiers (SIDS), which are permissions in Windows environments. This creates a security audit nightmare as IT no longer, without substantial manual effort prove who owns the data. Storage administrators set access and ownership inheritance policies when the storage/share was deployed and these may require an arduous effort to transfer ownership. Secondarily, bad actors can hijack Orphan SIDs and escalate ownership to advance their attack. Contact us to learn more about automating the process of identifying and fixing orphan SIDs.