Why Disgruntled Employees Are CyberSecurity’s Worst Nightmare

It’s easy to think that cybersecurity is all about keeping the data in and keeping the bad guys out. But what about your staff? That body of people already inside your firewall, and allowed to connect to your network. What if one of them turns rogue?

The Disgruntled Employee

The idea of an employee mounting a cyberattack against their own employer is a real concern. It needs to be considered, planned for, and strategies put in place in case it becomes a reality. Insider cyberattacks are such a clear and present danger that there is a generic name for the employee who turns against the company. They’re known as the disgruntled employee.

The triggers that drive employees to commit insider attacks are as varied as people. It might be a single significant event or it might be a long string of smaller issues. Personal perspective comes into play here. Something one person might shrug off and forget within a day or so can be a huge deal for someone else.

Of course, circumstances outside of work can lower a person’s ability to cope with issues in the workplace. If an individual is burdened with pressures and problems in their home life they are going to cope less well with additional workplace strife, whether the root cause is real or imagined. The character and mental toughness of an individual inevitably play their part.

A recurring theme with disgruntled employees is they say they were driven to do what they did because of resentment about an event or action that they feel is unfair. The term unfair crops up frequently in transcripts of these cases.

These are common threads that appear and reappear in disgruntled employee scenarios:

• They have been passed over for promotion too many times.
• They don’t get raises they feel are justified.
• They don’t feel valued by their employer—or even visible and noticed.
• They feel they’re being taken advantage of.
• They object to the career progress of a colleague they deem unworthy to receive rewards and new positions.
• Their immediate manager or team leader takes the credit for their hard work.
• They are facing redundancy when—in their view—poorly performing employees are being retained.
• A grievance they raise doesn’t produce the desired outcome.

Employees who are moving to another job can be a risk, too. They may try to impress their new employer by arriving with some of your company’s confidential data. Are they leaving because of the attraction of the new job, or are they leaving because of disillusionment with their current role or company? If it’s the latter, they may plan a damaging parting shot of some form.

In some rare cases, a disgruntled employee is identified and approached by a  third party such as a cybercriminal gang, a competitor, or even a hostile nation-state sponsored hacking team. They turn the employee into their man on the inside. The employee may receive financial rewards from the third party or they may be content just to have a chance for vengeance.

No Cyber Skills Required

The damage delivered by an insider attack can be devastating. The insider has at least some knowledge of the systems, applications, and infrastructure of your organization. And system administrators become disgruntled, too, and they have intimate knowledge of your systems. Disgruntled employees usually have plenty of time to work out a plan of attack. Even if redundancy is on the horizon, the employee will have plenty of notice.

City of San Francisco

In 2008, Terry Childs was one of the network administrators for the infrastructure supporting the fiber-optic backbone that carried most of the traffic for the City of San Francisco. The City payroll, e-mail, law enforcement, and jail documentation depended on this fiber connection.

Childs changed all the administrator passwords effectively locking every other administrator out of the system. In his skewed judgement, he thought the other administrators would make administrative errors with the new network.

He refused repeatedly to reveal the passwords—even after he was arrested. Because of his behavior, the fiber network was left operational but without administrative support for 12 days during the Summer of 2008. Childs eventually handed over the passwords when Mayor Gavin Newsom visited Childs in the jailhouse. He was sentenced to four years.

RANLife Home Loans

Alcohol can certainly skew your judgement. It skewed 23-year-old Joshua Lee Campbell’s judgement sufficiently that after an evening drinking with a colleague he returned to the office of RANLife Home Loans, a Salt Lake City mortgage company, and shot a USD 100,000 server seven times with his .45 pistol.

He was charged with criminal mischief (a second-degree felony), carrying a dangerous weapon while under the influence of alcohol, and providing false information to the police (both Class B misdemeanors), and public intoxication (a Class C misdemeanor).

Morrisons Supermarket

Andrew Skelton, a senior auditor at Morrisons supermarket, was dragged over the coals in a disciplinary hearing in 2014. He was dispatching private mail—eBay sales—using the company’s mailroom and letting the company foot the shipping charges. Somehow, he retained his job.

One month later, he was given the task of collating 100,000 sets of employee’s personal data and sending it to Morrisons’ external auditor. He kept a copy for himself, uploaded it to a file-sharing site and then tipped off the press. This is a huge data privacy issue and, because Morrisons is a U.K.-based supermarket, a breach of the Data Protection Act 1998, which was the legislation at the time of the offense.

It has taken Morrisons seven years and a long battle in the U.K. Courts, the Court of Appeal, and finally the Supreme Court to prove that they were not vicariously liable for the unauthorized actions of a rogue employee. They needed that decision to forestall a class action that was brought against them by 9,000 of the affected data subjects.

Even so, the data breach has cost Morrisons over GBP 2 million in legal fees, PR, damage limitation, and providing information and assistance to affected employees. Andrew Skelton was sentenced to eight years of imprisonment.

Note that none of these cases involved hacking. All that was required was an employee with a grudge.

More Mundane Examples

Less extreme examples involve job leavers stealing sales prospect lists, or deleting their email, files, or other data before they leave. They may post malicious lies and rumors on social media about the company, their boss, or a colleague. They may send a “warts-and-all ‘this is why I’m leaving’” email to all the contacts in their email address book.

Programmers often take chunks of code they’ve written for your company to use as supporting evidence in job interviews. Disgruntled employees may intentionally introduce a virus. They may create an account they can use to remotely access your systems when they have left.

The Warning Signs

Managers and team leaders need to look for changes in productivity, attitude, and interactions with others in the staff they are responsible for. Special attention should be paid to staff members who have undergone a significant event at work or at home. Has someone in your department been through a disciplinary, made a failed bid for promotion, or received a poor appraisal?

You won’t know everything about a colleagues’ private life, but you ought to know if someone has suffered a bereavement or other major life change like divorce or losing a custody battle.

In a caring way, not a whistle-blowing way, your staff ought to feel they can bring concerns about their colleagues to their management. It’s too late after the event for staff to comment that they had a feeling something wasn’t right with a colleague. They need to speak up when they start to have concerns. That won’t happen unless they are comfortable in doing so, and secure in the knowledge that they’re operating according to company policy.

As a point in case, the COVID-19 pandemic has brought about a sudden and widespread switch to working from home. The isolation of home working doesn’t suit anyone. With the current focus on safeguarding your own mental health, looking out for your colleagues is just a natural extension of that. The attention being paid to remote colleagues’ welfare needs to be promoted and continued in normal operational conditions.

Behavioral changes that might indicate a colleague is drifting towards disgruntlement include:

Disengagement

A disinterested remoteness and disconnectedness from work tasks, responsibilities, and colleagues is a warning sign that the affected individual could be in a downward spiral. Efforts should be made to try to identify the causes and the severity of the situation.

Lifelessness

Extended periods of emotional, mental, and physical exhaustion can quickly become serious. The affected individual may seem distant and one step removed. They may appear forgetful, lacking in focus, and completely drained from the moment they arrive at work. This can be accompanied by constant muscle aches, perpetual headaches, and shortness of breath. Their complexion may suffer, and there may be a sudden weight change. They may neglect their appearance.

Frequent Sick Days

Employees who are on the brink of burnout or are suffering from stress tend to use a lot of sick days, and make frequent mistakes or have accidents at work. When an employee is becoming disgruntled, they tend to be focussed on their issues or their adversary, real or imagined. This leaves little concentration for their actual work.

They’re In the Wrong Role

If someone’s role has changed or they’ve been promoted into a position with more responsibility and they never seem to find their feet, perhaps the role is too much for them. New recruits may be overwhelmed, too. This can lead to impostor syndrome and feelings of uselessness and a sense of constant, draining, struggle.

They Become Withdrawn

This is easier to notice in a friendly gregarious employee because their new behavior is markedly different. With an introvert, it can be harder to notice this type of change. If someone is constantly radiating a desire to be left alone, there’s something wrong.

They’re Unusually Sensitive

If someone who usually handles constructive criticism productively begins to bristle and argue back, they may be feeling too frazzled to cope with even the gentlest guidance. Everyone can have an off day, but if they seem always to be in a heightened state of alert and looking for a fight, you need to investigate.

Steps You Can Take

Depending on your circumstances, some or all these steps might help you minimize risks of disgruntled employees attacking your networks and data.

• Make compliance a part of everyday working practices. Require staff to sign a non-disclosure agreement (NDA) and introduce data protection and compliance as part of new recruits’ induction processes.
• Policies and procedures that facilitate the resolution of employee grievances need to be created, implemented, and introduced carefully to the workforce.
• Implement a policy so staff members can raise concerns about the welfare of a colleague.
• Employees who exhibit any of the warning signs should be considered high risk. Employees who have had a negative experience at work, such as a refusal of leave, poor appraisal, disciplinary procedure, or unsuccessful bid for promotion, should also be considered a risk. Where possible assistance to identify and deal with the underlying issues should be offered.
• in some circumstances, tasks that involve sensitive data may justify a shadowed execution where two people effectively live audit one another as the task is performed. Perhaps shadowing is only warranted for high-risk employees.
• A staff monitoring system will allow you to track, log, and record user activity, and to create alerts to when suspicious activity is detected. Alerts are raised for such things as large data movements, copying data to external devices, emailing sensitive material, and trying to access restricted network resources.
• Use the principle of least privilege to limit each employee’s access to only the information that they need to perform their job, and that they are cleared for according to their risk status. Review who has what privileges regularly.
• Perform regular inventories and audits for computers, mobile devices, and removable media, such as external drives and USB memory sticks.
• Have a job leaver and role change procedure that adjusts access and privileges as required. For job leavers—and especially for high-risk individuals—consider making a forensic disk image of the hard drive in their computer before it is wiped and reissued to other staff. If you later suspect they have performed a malicious action, the hard drive image can be used to determine if it was done using their computer, from their account. The disk image might be admissible as legal evidence.