There is a middle ground, but it requires conscious effort to prop up, support, and maintain over the long haul: off-boarding centers.

I worked for a Big Tech company that actually did this, and it made the transition a lot easier. You could still access corporate resources necessary for the transition (HR, benefits, internal job postings, training offerings, expense reporting, etc), check in with colleagues 1:1 (who would be warned this person was no longer part of the org, attachments could be blocked to prevent exfil, etc), and still send/receive email internally (though external was blocked by default and required justification).

You can safeguard your corporate infrastructure without actually cutting everything off entirely and sending someone home to stew angrily about it. In fact, there might be (as yet undocumented) advantages to letting folks exist in that transition period on that segmented infrastructure, so as to identify potentially bad actors before they can do harm and see about mending bridges.

Of course all of that requires conscious investment in projects with no clear quarterly/yearly KPIs to measure cost or success against, so most employers will never remotely consider it.

reply
Your last sentence sums it up. I was blown away by the system you described that would allow for such a humane transition through such a difficult time. At least process wise it seems like a good place to work.
reply
It really was. I’d gladly go back, too, but they’re not hiring IT folks with my skills atm.
reply
You left out the people who enjoy the suffering and pain of the person it is being done to, while they supervise (and film it, in some cases).
reply
> When you are talking about access like they had "make firings as abrupt as possible including terminating all access immediately" not doing this is incompetence.

You're proving my point—employers take the most extreme lesson and it's considered expected practice. They absolutely should have immediately terminated the credentials that granted unilateral access to sensitive databases. (Ideally those would never exist in the first place—there are two-person schemes. A pair of bad actors...well apparently happens according to this article...but is far more unusual.) But employers regularly (but shouldn't) terminate all access including credentials that allow last email to colleagues exchanging personal contact info or something.

reply
For most of my career (over 30 years now) where I've had sufficient access privileges to matter, I've fairly diligently maintained an "Important credentials and access" list, which I've sent to my employer when leaving, strongly advising them of the need for them to disable or rotate those credentials.

This especially includes creds like root or admin level access to AWS/GCP/whatever-cloud-or-hosting-service, and other critical creds like user/password management, domain name registrations, AppleStore and GooglePlay accounts, source code repos, documentation and internal tooling, external services like observability/analytics/crash-tracking. It also keeps a current(ish) list of all clients/projects where I've had any access at all, listing things like API keys, ssh keys and bastion hosts, project or platform admin creds, as well as systems like databases (SQL and KV caches), firewall rules specific to me.

I also try to list anything else I could, if I were a malicious disgruntled ex employee, use to cause grief to the employer or their clients.

I point out in this email that if I were to be rogue, I'd most likely have intentionally left something out or left behind backdoors or timebombs, and while I am not that kind of person and I have not done those things, they owe it to themselves and their clients to have someone else senior and experienced enough to carefully audit everything to ensure I cannot access anything.

I send this from a personal email account, so I still have timestamped records of having sent it. If an ex employer ever gets hacked shortly after I leave, I want evidence I did everything I reasonably could to remind them to lock me out.

(Writing this down reminds me it's been a while since I updated this - I guess that's something I'll need to get on to soon.)

reply
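
Added example, not part of any comment in this thread: a sketch of the audit the comment above asks the employer to run, checking a departing employee's self-reported credential inventory against actual revocation times. The tiers, deadlines, credential names and dates are all constructed assumptions; the tier split reflects the thread's point that high-risk credentials should be cut immediately while low-risk access can sit on a separate switch.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed tiers and deadlines (illustrative, not a standard): how long each
# class of access may stay live after the departure time.
DEADLINES = {
    "critical": timedelta(0),          # cloud root, prod DB admin, registrar
    "elevated": timedelta(hours=24),   # API keys, SSH keys, bastion access
    "transition": timedelta(days=30),  # segmented mail/HR access
}
TIER_RANK = {"critical": 0, "elevated": 1, "transition": 2}


@dataclass
class Credential:
    name: str
    tier: str
    revoked_at: Optional[datetime]  # None means the credential is still live


def _order(finding):
    # Most sensitive tier first, then longest lag, then name for stability.
    name, tier, lag = finding
    return (TIER_RANK[tier], -lag.total_seconds(), name)


def audit(creds, departed_at, now):
    """Return (overdue, late): lists of (name, effective_tier, lag).

    overdue: still live past its deadline; late: revoked, but after it.
    Unknown tiers fail closed and are treated as critical.
    """
    overdue, late = [], []
    for c in creds:
        tier = c.tier if c.tier in DEADLINES else "critical"
        deadline = departed_at + DEADLINES[tier]
        if c.revoked_at is None:
            if now > deadline:
                overdue.append((c.name, tier, now - deadline))
        elif c.revoked_at > deadline:
            late.append((c.name, tier, c.revoked_at - deadline))
    return sorted(overdue, key=_order), sorted(late, key=_order)


# Constructed sample data: a departing engineer's self-reported inventory,
# joined with revocation times an auditor pulled from each system.
DEPARTED = datetime(2024, 3, 1, 10, 0)
NOW = datetime(2024, 3, 15, 10, 0)
INVENTORY = [
    Credential("cloud-root-console", "critical", datetime(2024, 3, 1, 9, 55)),
    Credential("prod-db-admin", "critical", None),
    Credential("old-cloud-account", "critical", datetime(2024, 3, 10, 10, 0)),
    Credential("bastion-ssh-key", "elevated", datetime(2024, 3, 1, 18, 0)),
    Credential("analytics-api-key", "elevated", None),
    Credential("internal-mail", "transition", None),
    Credential("personal-firewall-rule", "unclassified", None),
]

if __name__ == "__main__":
    overdue, late = audit(INVENTORY, DEPARTED, NOW)
    for name, tier, lag in overdue:
        print(f"OVERDUE  {tier:<10} {name:<24} live {lag} past deadline")
    for name, tier, lag in late:
        print(f"LATE     {tier:<10} {name:<24} revoked {lag} after deadline")
```

The "late" list matters as much as the "overdue" one: a credential revoked days after departure was a live exposure for that whole window, so its access logs for the gap are worth reviewing.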
The first option is flipping one switch. The second option is flipping some switches now, and flipping the rest later. Of course the safest (first) option is the correct option from a liability standpoint, which is all a company should operate on since its first responsibility is to protect the company for those that are still there. There's plenty of ways to communicate with ex-colleagues that don't involve company resources or opening the company up to liability.
reply
Let’s not forget the third option: proper security practices and principle of least privilege. No one should have been able to do this in the first place. Why were they able to get plaintext passwords with a simple query? Why did they have delete permissions on production db tables? Why were they able to modify system logs and delete backups?
reply
> Of course the safest (first) option is the correct option from a liability standpoint, which is all a company should operate on since its first responsibility is to protect the company for those that are still there.

Isn't this an unrealistically black-and-white mode of thinking? Humans are complicated and have many values and perceived responsibilities. It's not healthy for them to throw them all out and act as if they only have one responsibility that needs to be maximally upheld at all costs. They should balance their actions thoughtfully.

reply
System security is not a human value. Access key rotation effective immediately is a compliance requirement, and completely orthogonal to human decency, which is delivered through garden leave or severance, not extended system access.
reply
So, never lived in corp land? Healthy isn’t on most corporations' radars except where it causes liability to them.
reply
I haven't, but the parent said that this is what a company "should" do, not just what they do do.
reply
I'd argue that failing to segregate things so that there's a switch for the sensitive stuff and a separate switch for the not-sensitive stuff is an operational failure. A rank and file employee having access to his email account should never pose a serious liability to the business.
reply
Yeah I don't see why that's necessary. I'm sure you can always reach out to HR and ask (I have facilitated this in the past, pulling contact lists and phone numbers) but that also gives them ways to exfiltrate data. It's company data. Just think of all the info you have in your inbox. Unless you've managed offboarding for high level IT positions it seems harsh, but the risk is just too high to allow the user to do that stuff themselves.
reply
High level IT positions are not risky. This is the db admin who can do most of the damage.
reply
> Just think of all the info you have in your inbox.

Meh? Sure, stuff that would help assemble a credible phishing attack, but not customer SPII or huge amounts of intellectual property or anything. If the assumption is that employees' inboxes are full of dangerous things, I would focus on fixing that.

reply
No you don't get it, we have to take a harsh approach to firing people because we keep pallets of high explosive in the break room and management doesn't want to change that. /s
reply
If you don't trust your people so much, why hire them in the first place?

Looking at it from Europe - it is such a weird inhumane practice.

Someone decided your position is redundant. Okay, shit happens, economic downturn, etc. Then you have extra 3-6 months of work to pass your knowledge, train replacement and document everything.

reply
Sometimes you fire because you trusted them, then they gave reasons to stop. At the company I work at it happened, but the more common way is just getting info a few weeks later, then working normally till the end date.
reply
> Looking at it from Europe - it is such a weird inhumane practice.

Pretty standard practice in many technology (not just IT) and finance companies in Europe as well.

> If you don't trust your people so much, why hire them in the first place?

It's not about trust, it's about risk, and most companies operate on liability and risk mitigation. If society ran on trust alone, we wouldn't need contracts, door locks, passwords, IDs, judges, security cameras, jails, police, etc.

You can verify someone's performance at the job interview, you can't verify their trustworthiness, especially once they've learned they lost their job, even trustworthy people react irrationally once emotions hit, making snap decisions they'll later regret without thinking of the consequences on the spot, and you see innocent people suddenly turn vengeful or violent and break the law (just look at relationship breakups and domestic violence).

You can't predict such reactions, so best to prevent them instead of chasing damages from them later through the court system.

Put yourself in a business owner's position for a minute. Nobody wants to be the "this former employee set my building on fire after I gave his notice, by leaving him in the flammable material warehouse unsupervised, because I wanted to show him that despite the layoff I still trust him".

For some businesses and jobs the trust alone is enough, for other jobs that involve access to sensitive data or money, it's straight to paid garden leave because nobody wants to risk it.

> Then you have extra 3-6 months of work to pass your knowledge, train replacement and document everything.

Yeah, that happens sometimes like for CxO's, managers, execs who get generous golden parachutes/severance packages, but for rank and file workers in the trenches, having to show up to a workplace you know you'll soon lose, for several more months of work till it's finally over, feels like torture unless you're getting a crazy severance package. That's like your wife telling you "honey, I'm divorcing you, but I still want you to live with me for 3-6 more months, and perform your regular duties".

reply
No this is labour law in the UK, I just had this last year. It's 3 months where you get paid and you can search for a job etc. Made our new American CEO livid that he could not just fire people.
reply
More specifically in the UK there are a few ways employees can be dismissed.

You can be dismissed when you have done something wrong, in which case there's no notice period but the employer has to be able to show they've followed certain rules.

You can be dismissed when you haven't done anything wrong, in which case you either get several months notice or several months pay ('in lieu of notice') or a 'voluntary settlement agreement' (more pay, negotiable terms) all subject to slightly different rules.

So a US employer can cut a UK employee's computer system access the same day, it just costs a bit.

reply
How does that go against anything I said?
reply
All the couples I know who are divorced did continue living together after one of them said it was over, I think the longest time actually was about 6 months.
reply
Yeah but did they still keep banging and cuddling like before the divorce announcement? They probably weren't doing much of that anyway if they got divorced but you get my point.
reply
Looking at it from Europe, this definitely also happens. It depends on the situation. I know of ppl who were kept bcs the parting was in good faith (which was less a firing and more an agreement that parting is in everyone's interest), but I also know of ppl who had their access revoked before firing bcs it wasn't. The latter had unilateral system access as well, which added to it. It's not about humane or inhumane, it's about risk. The 3-6 months being nice is also a fairytale that I have only ever heard in a positive light from employees who are not particularly ambitious or awake or in any way satisfied with their jobs or the prospect of a future job. On the other hand from the perspective of employers it's consistently hard to effectively restructure, it's expensive and awkward to have to pretend to want to keep someone around that you or they don't want around.

It's just one of these rules that unfortunately in Europe allow people to view life purely as the time between jobs. I'd never tell that to someone's face but it's simply a fact that the world stops if people don't work and no matter what the ideal world looks like in your dreams, working is the only real way forward for anything. It's part of the reason why Europe is falling behind on everything.

reply
Europe is not falling behind on anything that is not reasonable.

The increased growth in USA the last decade has largely been created by means that one day will be quite costly for you (debt).

The USA under MAGA is falling apart. EU and others are actively minimizing risk by selecting non-US IT providers. EU and others are actively selecting non-US defence systems.

I say that it is very positive to protect your citizens. Russia (sending their citizens en masse to a certain death on the front lines) and USA have more in common politically than USA and EU.

reply
I agree with everything you said, it's great that they're trying to detach from US IT providers & alternative, and I do think Europe is doing a lot of things better than the US.

But there's nothing like AWS, Google Cloud, facebook, Azure, ChatGPT, Tesla, etc etc the list goes on and is very long, in Europe. They're switching way too late. Why did it not happen before? Why do we have very limited IT providers, for example? Due to the culture and regulation that doesn't incentivize it sufficiently.

I'm European too btw and live in the EU and I'm happy about a lot of things we have that the US doesn't, I'm just personally worried that we're setting priorities wrong. Having a chill life in the park is good in the ideal, it's just detached from what's needed to make a state run; and it will end in the EU having even less power than it has now, resulting in fewer moral values being carried into the world.

reply
> It's part of the reason why Europe is falling behind on everything.

I read a news article that Orange Telecom in France was being sued by a woman they had on payroll for the last 20 years doing nothing, because due to a medical condition she suffered, she became unable to do her job, and since they couldn't fire her due to France unions and labor laws, nor did they have any available job that could fit her current condition, they just kept paying her for 20 years to do nothing at work, and now she's suing them for the depression she got to get paid for no work.

It felt like reading a Monty Python skit.

But Europe is failing due to a myriad of compounding issues and structural deficits, not just because firing workers can be a Kafkaesque nightmare in some countries. European workers' unions and labor protections were even stronger 20-25 years ago and in 2004 the Euro stock market was worth more than the US stock market, while now it's worth half the US one. But that's a whole different discussion where pages have to be written to encompass the whole context and cover all aspects of European economic decline. Boiling it down to crazy labor protections would be reductionist and incorrect.

reply
That lawsuit sounds legitimate enough to me.

They couldn't find anything for her to do? Hard to believe, but if there's a reason not to fire her then pay her the money she's owed and stop demanding she show up. Making someone come in with no tasks assigned is fun for a week and quickly turns into punishment detail. Putting someone on punishment detail because you're not allowed to fire them is Bad.

Unless she was allowed to stay home, in which case I take most of that back and it falls on her to go outside and find something to do. I can't find any articles with enough detail. But I'm still skeptical they actually couldn't find a job for her to do. It was 'just' paralysis on one side.

reply
> They couldn't find anything for her to do? Hard to believe,

If a person's now disabled, what can a company give them to do profitably, that isn't already optimized, automated or offshored?

There's plenty of civil servants whose jobs are just moving one paper from one room to the next, just to keep more useless people employed that nobody would hire in the private sector. But this doesn't really exist as much in the private sector.

reply
I don't think they offshored the entire office, but if they did they'd probably be able to fire her at that point.

If I found the right article, the disability is epilepsy and paralysis on one side.

Which means she can do pretty much any office job fine. She already was doing office work, so the disability should not have changed things all that much. I'm sure she typed slower, but that can be worked around and mitigated.

reply
> Which means she can do pretty much any office job fine.

Honestly, I doubt it. If you show up to an interview of "any office job" with "epilepsy and paralysis on one side" nobody will hire you simply because you won't be as productive as those without such disabilities.

Also, "epilepsy and paralysis on one side" is the legal medical diagnosis, but in practice the impact can be much greater, especially with age, which is why ageism is a thing even among people who are legally in full health because in practice your body isn't the same as when you were 19-25.

reply
But given that they already hired her, if she's going at 30-90% speed depending on task then it should be very easy to keep giving her tasks. And she can practice things like one-handed typing to improve the average.

She doesn't need the equivalent of "moving paper from one room to the next". She lost some number of dollars per hour worth of productivity, but it sounds like she was still capable of being reasonably productive.

reply
She had 20 years to resign if it was such a terrible ordeal.
reply
They were trying to force her to resign, so she would lose any unemployment benefits.
reply
> they just kept paying her for 20 years to do nothing at work, and now she's suing them for the depression she got to get paid for no work.

It's called "mise au placard" and it's illegal. It's a technique to get people to quit by themselves, so companies don't have to deal with the hassle of firing them. The lawsuit is 100% justified.

It's also very common in Japan.

reply
Why can't they be sent on government disability instead? Forcing companies by law to keep people unfit for the job is bad for both parties.
reply
If curious, the person is Laurence Van Wassenhove. That should suffice to find out more on the story. Interesting tale.
reply
The anomaly there is that France Télécom was a public company at the time of the hiring, and through privatisation public servant benefits were upheld for existing employees, which blocked most unpythonesque solutions.

If she had been hired after, it would have taken time but she would have been found unfit for work (she had epilepsy and hemiplegia), her contract terminated, and she would have most likely received a handicap pension instead.

reply
Yeah but if your defense against somebody erasing a database is "we remove their access when they're fired" then your defense is garbage.

Like there's so many other attack vectors besides an upset ex-employee.. Like all those articles about NK employees who presumably are trying very hard not to be fired. Or employees using company provided insecure email software leaving them vulnerable to ransomware et al.

reply
I'm talking about off-boarding not general day to day security.
reply
But I'm talking about general day-to-day security as well as off-boarding. What stops a single disgruntled employee from doing this before being fired? And if you have a good story there, why do you need the most extreme approach to "off-boarding"?

It makes sense to terminate someone's high-risk credentials immediately when they're fired. But it's extremely worrying if every credential held by every employee is considered high-risk. It suggests a bigger failure. "Unilateral access to a database filled with plain-text passwords" shouldn't ever exist. "Email account filled with dangerous stuff" should at least be unusual.

reply
I suppose that's a very powerful way of preventing "accidents" on termination. But isn't that just theatre? I mean - as though termination is the one and only case where an employee with the power to destroy the company gets angry and might do something really stupid?!
reply
It's not theater, it's defense against aggrievement. Termination is a traumatic event that threatens your ability to exist or provide for dependents. People [rightfully] don't handle exile well.

Someone with an interest in scuttling your company could just as easily maintain a low profile and do it at any time. Termination forces execution into a more-predictable timeframe. Once notified, the malevolent only have opportunity to exfiltrate or sabotage whatever they can reach in the time it takes to walk them out the door.

European laws require us to give people something like two months' notice. Even then we don't trust them; we pay them their salary and tell them to stay home.

reply
Ok but with the European laws the incentive to do something at the last minute doesn't really exist.

This seems like a self inflicted problem where the solution to the problem also made the problem worse when it happens.

If you know that you have X months of pay if you behave, then why misbehave? You'll lose out on money and get a criminal record. Meanwhile if the employer wants you gone it's free money. Everyone is happy.

You've been given enough time to find a new job. It's enough time to sit back and relax at work since you're getting paid either way.

The primary reason why people want to get revenge is because of how inhumane the entire process is.

The mass layoffs are random and impersonal, so you inherently think it is unfair and you will never agree with the reason of the layoff.

The immediate access block and security escort is a reaction and extension of the inhumane treatment.

reply
> with the European laws the incentive to do something at the last minute doesn't really exist.

Sibling comment correctly points out that misbehavior would follow a different termination path, but I don't actually know what it is since I've never seen a European employee successfully fired. We normally just lay off problem employees and follow the same offboarding procedure for everyone. This does present its own retroactive abuses of the PIP process.

> If you know that you have X months of pay if you behave, then why misbehave?

Ageism is real. For those expecting to retire from a company in Y years, seeing expected future income reduced to X months is catastrophic since there's no guarantee they will ever continue their career in any capacity yet expect to live beyond X months. The inhumanity comes from realizing how insignificant you were to the grand scheme of things, and how easily you are discarded and forgotten.

Only the younger crowd thinks the way you do, where there's always more time to find another job. They can afford to be rational. For the rest this will be the last job they ever have; it is an undignified and humiliating end to a career they spent decades building. Revenge is easily rationalized.

Employment is modern slavery. Few earn enough to have meaningful agency over their lives.

reply
> European laws require us to give people something like two months' notice. Even then we don't trust them; we pay them their salary and tell them to stay home.

Escorting them to the door, and revoking access for the remainder of contract yet paying wages for that period seems very decent. Of course, you don't do that when the termination was triggered by employee's misbehaviour.

But, yeah - the point I was trying to make is that there is only so much you can do as an employer to protect the company while there's an infinite number of reasons for anyone to be traumatized or otherwise act erratically. Admins are always entrusted with huge power and while wariness is probably warranted, distrustfulness is IMO counterproductive and often harmful.

reply
Having people with that level of access without some form of two-person-control is already a sign of incompetence.
reply
Twins can defeat two-person control (okay I know one of them was locked out).
reply
You always have to be careful about overfitting to a specific scenario like "this but if they had also forgotten to lock out the other evil twin". I'd prefer a system that is robust to a malicious employee (more likely: compromise of an employee's credentials) but has a slight gap in the "evil twins" scenario over one that prevents all post-firing malicious access from twins but doesn't consider at all what happens if a current employee's credentials are compromised.
reply
TFA: Twins Fucking Authenticate!
reply
Maybe they did, but since they were twins...
reply
This takes the whole "you must mean my evil twin" to an actual example. Maybe this is more "you must mean my other evil twin". Part of me really wishes their names were Daryl.
reply
Last time I was laid off they let me keep my laptop for the rest of the day. I gave it to them immediately to avoid any accusations of sabotage.

Eventually I tried to log into one of my old cloud accounts, to find it was only disabled since 9 days after my layoff. Pretty sloppy.

reply
Last time I resigned, I got to keep the laptop and got to promise I had deleted everything work-related.
reply
I work in government. If you think that is incompetence, then I have stories that could make your skin crawl.
reply
There is another thread elsewhere on the first page about low-trust USA.

Sadly, behaviors and expectations converge toward one another.

reply