The greatest threat to your company and network is not the hackers and crackers on the outside trying to get in but your own employees who want to cause mischief or who inadvertently cause damage from within.
A determined “rogue employee” can severely harm an employer and inflict substantial damage by:
• Vandalising company property
• Destroying computer files
• Embezzling money
• Starting a social media campaign to defame the company
• Ruining your reputation
• Shredding important records and documents
• Reporting you to the authorities/regulators
• Calling emergency services to report suspicious package to disrupt business.
• Stealing trade secrets (i.e. client information, codes etc.) and sharing with rivals
• Causing the company to incur expenses or liability
A rogue employee is someone who has stopped complying with the company policies and is behaving in an unscrupulous manner. This often happens when an employee is faced with professional or personal struggles. The employee might start abandoning their tasks and responsibilities and commit fraudulent activities for monetary gains or to wreak revenge on their employer.
There are five basic types of “rogue employees”
1. Ambitious, resourceful and independent individuals
These rogue employees stay up all night to find a way around the rules and procedures. They are intelligent, cunning, driven and motivated and are especially dangerous to an organisation because they are so capable and resourceful.
2. Disgruntled employees/revenge-seekers
They hold a grudge and wish to harm the organisation. When they quit or are fired they may steal proprietary information and leak it or cause damage to the organisation by contacting suppliers, shareholders, authorities, regulators etc.
Often exemplary employees can very quickly turn into hostile disgruntled employees as a result of a change in manager, passing over for a promotion or changes to working conditions.
3. Negligent employees
These employees disobey rules and protocols because they are incapable of understanding and following them or are lazy or reckless. These are the employees who leave their login IDs and passwords on sticky notes posted to their computer monitor, share sensitive information in emails, leave client lists or confidential presentations on whiteboards in meeting rooms or forget company laptops, phones or documents on public transport without thinking or realising they are doing it. They are not trying to maliciously harm the business they just have no idea how dangerous their behaviour can be.
Not all “rogue” activities have malicious intents. In fact the unintentional rogue activities are a greater risk to an organisation and represent an even more common problem than the intentional ones. Unintentional rogue behaviour is random and therefore very difficult to plan for. Steven in accounting who does not have the necessary training can cause much more damage than his neighbour Stephanie who has been scheming against the company for years. Lack of training can lead to inadvertent rogue behaviour because users feel overwhelmed.
An insurance industry report suggests that as much as 80% of cyber liability claims come from employee negligence, including acts by rogue employees.
According to the US Bureau of Labor Statistics, on average 900,000 people in “Professional and Business Services” separate from their job each month. From a sample of these people Osterman Research concluded that 89% retained access (login and password) to at least one corporate software application from a former employer. The apps included:
• File sharing tools (DropBox and Google Drive)
• Finance (such as Paypal)
• Customer Relationship Management (i.e. Salesforce)
• Website and IT Services (Google apps, MS office)
Particularly alarming was the fact that 45% of these past employees could access “confidential” or “highly confidential” data. Almost half had accessed ex-employer accounts after leaving the company. 68 % admitted to storing work-related materials in their personal cloud storage services and 60% were not asked for their cloud credentials when they left the company.
Some companies have instituted “bring your own device” and “bring your own software” policies before fully appreciating the growing risk. Many small and medium sized business in particular also lack stringent IT policies.
4. Employees with secret political affiliations and loyalties
This is the realm of espionage which is well documented, especially in the domains of military projects and industrial/IT developments. Male rogue employees are stereotypically high-flying men (Kim Philby) or so-called grey mice (Rudolf Abel). Female rogue employees are stereotypically glamorous women (Mata Hari, Anna Chapman). However, in reality anybody can be a rogue employee, ranging from a sophisticated art expert employed by the British royal family (Anthony Blunt) to the nice 87-year old lady next door (Melitta Norwood – inspiration for the new film “Red Joan”).
5. Employees with mental health issues
These employees can cause harm to themselves, their colleagues and the organisation.
Let’s look at some examples of rogue employees at work and how they can impact your business…
Papering over the cracks …
A sacked system administrator in the US was jailed in 2017 for hacking the control systems of his ex-employer and causing over US$1 million in damage.
Brian Johnson of Baton Rouge Louisiana had worked for years at Georgia-Pacific paper mill, a company with 200 facilities across the US and 35,000 employees. On Valentine’s Day in 2014 he was let go and spent the next two weeks riffling through the company’s systems and causing havoc from his home. He still had access to the company’s servers via VPN and was able to install his own software. In two weeks’ he caused an estimated US$1.1 million in lost or spoiled production. The timing of the attack aroused suspicion. Thirteen days after he was fired the FBI raided his home and found a VPN connection into the company’s servers on his laptop. A subsequent forensic investigation of his hard drive and broadband router revealed sufficient evidence for a conviction. The Louisiana District Court sentenced him to 34 months in prison and ordered him to repay the damage caused.
Employee tries to de-rail his company
Christian Grupe worked as an IT administrator at the Canadian Pacific Railway (CPR). In December 2015 he was suspended for 12 days of insubordination and not making the grade as a systems admin. When he returned to the office he was told he was being let go. Rather than being fired he persuaded his employer to let him resign and he left after signing a resignation letter. He agreed to return his laptop, remote access authentication and access badges. However, two days later he decided to use his company notebook to log into CPR’s computer network and remove administrator level accounts, delete certain key files and change the password for other accounts on the networking hardware. He then wiped the laptop, destroyed all logs to cover his tracks and handed back the computer.
In January 2016, IT staff tried to log into the switches but found they were locked out. According to court documents, part of the system went down, staff were forced to re-boot and factory reset all the switches to regain access to the equipment. Forensic experts found evidence of Grupe’s meddling in the switches’ memory storage. Grupe was charged with intentional damage to a protected computer and the Court found him guilty and in 2018 he was sentenced to a year in prison.
Sticking the boot in
A former IT administrator working at a cowboy boot manufacturer in Texas pleaded guilty to hacking the servers and cloud accounts of his employer after being fired and removed from the building. Joe Venzor was let go in September 2016. He became “volatile” and it took staff an hour to remove him from the building after his meeting with the IT Director.
As a precaution, Venzor’s access rights were revoked as he left the building. However, an hour later an “elphaser” administrator account logged into the company’s network and shut down the corporate email server, followed by its application server, which ran, the main production line. The attacker deleted files on the server to block any attempts of a reboot and then shut down or changed the passwords to the company’s cloud accounts. Very soon the entire company’s IT infrastructure was under attack. The IT director investigated Venzor’s work email account and discovered he had sent a document containing a list of network access codes and passwords for various IT subsystems, listed in the same order as the company’s accounts were hacked to his private email address.
Using the list the director got ahead of the hacker and began changing passwords himself to mitigate some of the damage. This was only partially successful and after 3 hours of trying to get the servers back online, manufacturing and administrative staff were told to go home.
The attack was so effective that the company had to purchase a new server and reinstall all the software on it. Outside IT staff needed to be brought in to sort out the mess and the company claimed it lost $100,000 in new orders in addition to the extra IT costs.
During the cleanup, investigators discovered that Venzor has set up the elphaser account from his work computer, which no-one else had access to. The account was designed to look like an innocuous service account but had full admin privileges where none were needed. He was arrested by the FBI shortly after the attack and was charged with unauthorised intrusion upon protected computers. He faces up to 10 years in prison and a US$250,000 fine plus reimbursing the costs of his previous employer.
Tick tock
In 2009 a computer engineer who worked for US mortgage giant Fanny Mae planted a logic bomb – a malicious code set to damage the company’s network on a certain date – after he was fired. The logic bomb which would have shut down the company for a week was discovered before it could go off. The engineer, Rajendrasinh Babubha Makwana was sentenced to three years in prison.
Intellectual property
According to SANS Institute, a non-profit cybersecurity research organisation disgruntled employees or ex-employees are responsible for two-thirds of all intellectual property theft. This problem is especially pronounced during economic downturns when companies fire employees but fail to cut off their access to corporate networks. Rogue employees can be more dangerous than hackers because they have more time to wreak havoc. Research by Carnegie Mellon University suggests that it takes companies on average nearly three years to notice an employee is stealing secrets – can you imagine how much damage has been caused in this time? Malicious insiders are already able to access sensitive information as part of their jobs, so no alarm bells go off. In many cases the very person who is responsible for monitoring the company’s computer network for suspicious activity is the rogue employee himself. According to a survey of IT Professionals by Security firm AlgoSec although hackers and other external threats receive a great deal of attention it is the internal threat which is the greatest risk. A report by Krall confirms that “moles, opportunists, contractors, disgruntled employees and ex-IT personnel all currently pose a greater risk to corporate intellectual property than state-sponsored hacking.”
Outfoxing fox
The famous case of Mathew Keys, the disgruntled editor, who was behind the hacking of the Los Angeles Times website highlights the fact that the disgruntled employee is not necessarily the hacker himself. Often he facilitates others. Keys used his access as a former employee of the company to help a hacker deface the website in 2010. Keys who was in charge of social media for Fox 40 in Sacramento wrote on his personal blog after he was fired that Tribune Co was a “bankrupt news organization that didn’t value its employees on the assembly line.” Keys later entered an online chatroom with members of Anonymous and specifically asked if anyone was interested in defacing Fox or the LA Times and then passed on the username and password.
Data protection
Vicarious liability for rogue employees
The recent UK case of WM Morrison Supermarkets Plc v Various Claimants highlights how companies may be held vicariously liable for the actions of their rogue employees.
The action brought by a large number of data subjects against their employer, Morrison Supermarkets (Morrisons), as a result of the criminal actions of a former disgruntled employee, Andrew Skelton.
Skelton, stole personal data (including name, address, gender, date of birth, phone number, national insurance number, bank details and salary information) of almost 100,000 Morrisons employees and deliberately downloaded the information on to a file-sharing website. Skelton had obtained the data through his position as a senior internal IT auditor at Morrisons. He had become aggrieved with the company following disciplinary proceedings relating to his misuse of the company's postal service, and sought to damage the company's reputation through the data breach and by alleging that Morrisons had failed to comply with their obligations under the Data Protection Act (DPA) 1998.
As well as illegally posting the information online, he sent copies of the data to three newspapers, one of which alerted Morrisons, who in turn contacted the police. Skelton was later arrested and sentenced to eight years' imprisonment.
The affected data subject claimants argued that Morrisons should be held vicariously liable for Skelton's misuse of personal information, breach of confidence and breach of its statutory duties under the DPA. At first instance, the High Court held that Morrisons had not breached its primary duties under the DPA, but found it vicariously liable for Skelton's actions. The Court of Appeal agreed with the High Court, and held that:
• The legislative regime imposed by the DPA did not exclude claims for vicarious liability.
• Although Skelton had the intention of harming his employer, there was both an unbroken thread that connected his employment to the unlawful disclosure, and a seamless and continuous sequence of events that lead to the data being leaked. Skelton's actions were, therefore, carried out during the course of his employment by Morrisons, which was deemed vicariously liable.
Implications of Morrison Supermarkets
Morrisons is appealing to the Supreme Court, which will have the final say on its potential liability. For now, the decision will be of concern to employers whose staff handle personal data. Despite the fact that the data breach arose solely from the acts of a rogue employee, Morrisons was still held to be vicariously liable. The courts considered only liability and did not determine the quantum of loss. There were around 100,000 Morrisons employees who could potentially have a claim for damages for the distress of having their personal data released (there was no suggestion that any of employees suffered financial losses). Even with a nominal damages award of £100 for each claimant, this results in an aggregate exposure to Morrisons of around £10 million. But a more realistic award is likely to be in region of £1,000+ per claimant, which results in a potential of exposure for Morrisons of more than £100 million.
In addition to the liability exposure to third parties, the potential penalties under the EU General Data Protection Regulation (GDPR) for data breaches (€20 million or 4% of global turnover, whichever is the higher) are significantly higher (previously the maximum fine was £500,000).
The decision highlights the growing importance of cyber insurance to reduce exposure from third parties as a result of a data breach. The availability of insurance was raised by the Court of Appeal in Morrison Supermarkets, where the employer argued that it was unjust for it to be held liable for excessive sums when the breach was not its fault. The Court of Appeal's response to that submission was that "the solution is to insure against such catastrophes; and employers can likewise insure against losses caused by dishonest and malicious employees." Insureds should, therefore, consider whether they are adequately protected by their existing insurance programmes for risks arising from data breaches, including those that arise from employees
What can employers do to prevent or mitigate potential damage from rogue employees?
1. Establish clear written expectations relating to employee departures. Draft policies and incorporate specific terms into employment contracts about the obligations of departing employees, such as confidentiality, fidelity, mutual trust and return of company property (office keys, hardware, passwords etc.) and non-solicitation of employees/customers.
2. Have a clear exit strategy which reflects the employee’s role in the business, the information/systems they have access to and whether that access has been permanently severed. It may be appropriate to restrict or change the employee’s duties when they are leaving i.e. allocate them more administrative tasks with limited access to useful confidential information which they might use at their next employer. In some situations it may be appropriate to place the employee on paid “garden leave” so they do not have to work their notice period. This may be appropriate where the disgruntled employee could be disruptive in the workplace or jeopardise customer relationships. If the business has any concerns about the potential actions of a departing employee during their notice period invoking Payment in Lieu of Notice clause (PILON) would be the preferred option to terminate the relationship immediately and protect the business. Prevention is better than cure – it is easier and more cost effective for employers to prevent damage or loss by ensuring their employment contracts contain the provisions they can rely on to manage the exit effectively.
When employee exits are not managed carefully and professionally employers can encounter many operational difficulties when departing staff decide to behave spitefully. Holding exit interviews can be one way to manage risks and minimise damage pre or post termination. The appropriate steps to take will vary depending on each employee and the scenario. Heavy handling a dedicated departing employee can quickly turn him into an angry, spiteful one.
3. Examining company computers, mobile phones and e-mail accounts to find evidence of improper conduct where the employee has departed under dubious circumstances and working with IT providers to secure data and prevent data theft or sabotage. Employers should ensure they have policies in place giving them the right to monitor and examine the use of the company’s electronic equipment.
4. Lawsuits involving employees gone rogue frequently lack evidence. Prior to engaging in expensive and protracted lawsuits, employers should gather evidence proving the unlawful conduct and the harm caused to the business.
5. Time is of the essence – employers should act swiftly when they discover a departed employee has retained confidential information or company property to ensure they do not waive their legal rights and to limit the potential damage.
Dr. Dexter Morse LL.M, M.Sc is director, Industry Risk Management & Insurance International Air Transport Association (IATA)
