Let’s talk about layoffs for a moment. More specifically, let’s talk about the process by which a company fires its people. How does it work to terminate someone’s digital access? It is tricky.
I have been laid off a few times over my career. The one that I wanted to tell you about was when I worked for the IT department for a large insurance company. My office was in a downtown LA high rise, and coincidentally, my wife also worked in the same building, for a different subsidiary of the company. Indeed, she worked on the same floor. I had just given my two weeks’ notice that I was quitting to go work for PC Week (now called eWeek). As was the custom of the times (this was in the 1980s), I was immediately terminated. My access to the mainframe was turned off, and I was accompanied by a security guard to clean out my desk, hand in my badge, and take me down the elevator and escort me out the door to the street.
There was just one problem: I had to tell my wife that I was fired, and this being the era before cell phones, I had to come back up to our floor. Also, our building didn’t have controlled access, so there really was no way to keep me out of the place.
Now let’s talk about today. How do you announce a layoff to everyone, including the folks that are still gainfully employed? Well, via email and Slack of course. But the timing is critical: if you terminate an employee’s accounts, they won’t get the memo. Some businesses wait a day. This recent survey shows that only 51% of organizations said they typically remove a user’s access to corporate systems the day (35%) or the day after (16%) the employee leaves. A day after is too late: there is a lot of damage a vengeful now ex-employee can do in that day.
Of course, it matters how many people are laid off at once, and where in the corporate hierarchy they are. If it is just a few people, you might get the security escort as I did. But what if dozens are terminated? This is what happened at Coinbase recently. They took a somewhat different approach. First, they cut off the terminated staff’s access to emails and other corporate accounts. Then the CEO sent out this note to their personal emails:
“If you are affected, you will receive this notification in your personal email, because we made the decision to cut access to Coinbase systems for affected employees. I realize that removal of access will feel sudden and unexpected, and this is not the experience I wanted for you. Given the number of employees who have access to sensitive customer information, it was unfortunately the only practical choice, to ensure not even a single person made a rash decision that harmed the business or themselves.”
I think this was the right sequence for Coinbase, but as I said timing is everything. If you are faced with a group layoff, here are a few suggestions.
First, make sure your HR department has the most accurate information about your staff. This means having both personal and work contacts, including private emails and cell phone numbers. You should have done this for all sorts of reasons outside of potential layoffs, such as being able to reach someone’s family in case of emergencies for example. And part of this census is ensuring that you don’t have active accounts for long-ago terminated staff.
Second, you should create a policy on who and how you will communicate company-wide news, both good and bad. How will this information be shared with the news media, and do you have the right media contacts too?
Next, how do you track all your corporate digital resources, and who has what kind of access to these resources? Does someone on your dev team use a private GitHub account? Are people creating Google shared workspaces with their Gmail accounts? Given how easy it is to setup a private cloud repository, you need to be aware of this as best as you can. Having all this information and accounting for the various communications channels correctly will take some effort.
Finally, you need to pay special attention to staff that have elevated access rights to various resources. Can you track if one of these privileged users have made copies of business or personal data? (This is the role of data loss prevention products, by the way.) Do you have too many administrators? That is usually a common problem.
Terminating people safely is a process, both from the affected individuals’ and the company’s perspectives. While the process chosen by Coinbase may not work for everyone, it is a useful template that can provide some important guidance.
There is a lot more to be said about termination policies and practice, and I would urge you to read this blog by Erica Marom and Uri Ar on how to build an employer brand.At the end of that post, they talk about how to craft a positive message and how to communicate it.
![Tomorrow, and Tomorrow, and Tomorrow: A novel by [Gabrielle Zevin]](https://m.media-amazon.com/images/I/51jz2YXICBL.jpg)
Normally when I finish a book I have some strong opinions either pro or con. I am of two minds with 
What does the Greek king Ptolemy I, the way you type in your sentence endings, a WWII weather report, and the word “northeast” have in common? They are all clues to solving some of the grandest puzzles of all time, and what con men and magicians often call “tells” or personal habits that give away the game.
So here is one suggestion: Use red patch cords in the networking closet and other critical locations to indicate the actual cables needed to be yanked in case of cyber emergency. Better yet, document their locations in your incident playbooks and other places where you have your network documentation. (That assumes your 
Paul and I spoke to 