Research by the security firm AlgoSec, the SANS Institute and Krall all confirms that the biggest threat to your company and network comes not from the hackers on the outside trying to get in but from your own employees, who want to cause mischief or who inadvertently cause damage from within. This has been highlighted by several recent cases.
At Morrison Supermarkets in the UK, a disgruntled employee who was a senior internal IT auditor posted the personal data of almost 100,000 employees online and sent the information to three newspapers, exposing the company to substantial penalties and claims from the employees for the data breach. In June 2019 the Canadian group Desjardins announced that an ill-intentioned employee, a long-time, trusted manager in the IT department, had shared the information of 2.7 million individuals and 173,000 businesses. The leaked information included names, addresses, birth dates, social insurance numbers, email addresses and information about transaction habits. It took several months for Desjardins to learn the scope of the data-gathering scheme after it referred suspicious transactions to Laval police as part of routine monitoring in December 2018. In May, police informed the company that the personal information of some of its members had been leaked. An internal investigation was conducted with the help of police; the employee was identified and suspended, his access to information systems was frozen and the transfer of information ceased.
In late July 2019 Capital One, the US’s third-largest credit-card lender, announced it had been hacked. The hacker began tapping into the large amount of information held on Amazon.com Inc. servers which the bank was using. Authorities arrested and charged Paige A. Thompson, a 33-year-old former Amazon Web Services employee, with computer fraud and abuse. In a complaint filed in Seattle, prosecutors said that Thompson exploited an improperly configured firewall and accessed the data at various times between March 12 and July 17, 2019. The bank said it fixed the problem immediately when it was discovered. Capital One estimates the cost of the incident at $100–150 million, mostly expenses related to providing credit monitoring and legal support.
A determined “rogue employee” can severely harm an employer and inflict substantial damage by:
- Vandalising company property
- Destroying computer files
- Starting a social media campaign to defame the company
- Ruining your reputation
- Shredding important records and documents
- Reporting you to the authorities/regulators
- Calling emergency services to report a suspicious package in order to disrupt business
- Stealing trade secrets (i.e. client information, codes etc.) and sharing them with rivals
- Causing the company to incur expenses, liability or fines
There are five basic types of “rogue employees”:
1. Ambitious, resourceful and independent individuals
These rogue employees stay up all night to find ways around the rules and procedures. They are intelligent, cunning and motivated and are especially dangerous to an organisation because they are so capable and resourceful.
2. Disgruntled employees / Revenge seekers
They hold a grudge and wish to harm the organisation. When they quit or are fired they may steal proprietary information and leak it or cause damage to the organisation by contacting suppliers, shareholders, authorities, regulators etc.
3. Negligent employees
These employees disobey rules and protocols. They leave their login IDs and passwords on sticky notes posted to their computer monitor, share sensitive information in emails, leave client lists or confidential presentations on whiteboards in meeting rooms, or forget company laptops, phones or documents on public transport.
Unintentional rogue activities are random, difficult to plan for and therefore a greater risk and more common than intentional ones. Particularly alarming is the fact that many ex-employees often still have access to “confidential” or “highly confidential” data at their previous employer.
4. Employees with secret political affiliations and loyalties
Any employee can have a rogue political affiliation, ranging from a sophisticated art expert employed by the British royal family (Anthony Blunt) to the nice 87-year old lady next door (Melitta Norwood – inspiration for the new film “Red Joan”) or women used as honeytraps (Anna Chapman).
5. Employees with mental health issues
These employees can cause harm to themselves, their colleagues and the organisation.
Research by Business in the Community (UK) found that 66% of employees in the financial service industry experienced a mental health condition as a result of work in the past year. One in four of us will be affected by mental health issues of some kind during our lifetime.
What Can Employers Do to Prevent or Mitigate Potential Damage from Rogue Employees?
- Establish clear written expectations relating to employee departures. Draft policies and incorporate specific terms into employment contracts about the obligations of departing employees (confidentiality, fidelity, mutual trust and the return of company property such as office keys, hardware and passwords) and non-solicitation.
- Have a clear exit strategy which reflects the employee’s role in the business, the information/systems they have access to and whether that access has been permanently severed. It may be appropriate to restrict or change the employee’s duties when they are leaving, e.g. allocate them more administrative tasks with limited access to useful confidential information which they might use at their next employer. It may be appropriate to place the employee on paid “garden leave”, especially where a disgruntled employee could be disruptive in the workplace or jeopardise customer relationships. If the business has any concerns about the potential actions of a departing employee during their notice period, invoking a Payment in Lieu of Notice (PILON) clause would be the preferred option to terminate the relationship immediately and protect the business. Prevention is better than cure: it is easier and more cost-effective for employers to prevent damage or loss by ensuring their employment contracts contain the provisions they can rely on to manage the exit effectively.
The appropriate steps to take will vary depending on each employee and the scenario.
- Examine company computers, mobile phones and e-mail accounts to find evidence of improper conduct where the employee has departed under dubious circumstances and work with IT providers to secure data and prevent data theft or sabotage. Employers should ensure they have policies in place giving them the right to monitor and examine the use of the company’s electronic equipment.
- Lawsuits involving employees gone rogue frequently lack evidence. Prior to engaging in expensive and protracted lawsuits, employers should gather evidence proving the unlawful conduct and the harm caused to the business.
- Time is of the essence: employers should act swiftly when they discover that a departed employee has retained confidential information or company property, to ensure they do not waive their legal rights and to limit the potential damage.
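Two points above deserve a concrete check: that many ex-employees still have access at their previous employer, and that an exit strategy should confirm access has been permanently severed. The following is an added example, not code from the article or any of the firms it cites, that reconciles a constructed HR leaver list against a constructed export of system accounts and flags any leaver account that is still enabled or was used after the leaving date. All names, fields and records are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple, List

@dataclass(frozen=True)
class Leaver:            # one row of the HR leaver list (constructed format)
    employee_id: str
    name: str
    left_on: date

@dataclass(frozen=True)
class Account:           # one row of an IAM/directory export (constructed format)
    employee_id: str
    system: str
    enabled: bool
    last_login: Optional[date]
    groups: Tuple[str, ...]

# Constructed sample data, not taken from the article.
LEAVERS = [
    Leaver("E100", "A. Auditor", date(2019, 1, 31)),
    Leaver("E200", "B. Manager", date(2019, 3, 15)),
]
ACCOUNTS = [
    Account("E100", "payroll-db", True, date(2019, 2, 20), ("hr-readonly",)),  # enabled and used after leaving
    Account("E100", "vpn", False, date(2019, 1, 30), ()),                      # correctly disabled
    Account("E200", "aws-console", True, None, ("admin",)),                    # still enabled, never used
    Account("E300", "vpn", True, date(2019, 4, 1), ()),                        # current employee, not a leaver
]

def stale_access(leavers: List[Leaver], accounts: List[Account], grace_days: int = 0):
    """Return (employee_id, system, reason, groups) for every leaver account that is
    still enabled or shows a login after the leaving date plus an optional grace period."""
    cutoff = {l.employee_id: l.left_on + timedelta(days=grace_days) for l in leavers}
    findings = []
    for a in accounts:
        if a.employee_id not in cutoff:      # active staff are out of scope here
            continue
        reasons = []
        if a.enabled:
            reasons.append("account still enabled")
        if a.last_login is not None and a.last_login > cutoff[a.employee_id]:
            reasons.append(f"login on {a.last_login.isoformat()} after departure")
        if reasons:
            findings.append((a.employee_id, a.system, "; ".join(reasons), a.groups))
    return findings

if __name__ == "__main__":
    for f in stale_access(LEAVERS, ACCOUNTS):
        print(f)
```

Run it periodically against the real leaver list and account exports; a post-departure login is the finding that most warrants the evidence-gathering steps described above.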