Insider threats in cybersecurity: When employees sabotage
Employees are the lifeblood of every organisation. They run the company and deliver results according to their role or designation. To do their work, they are given access to company resources such as a pool of personal data, with the level of access depending on their job description.
Employees come and go; this is normal in any workplace. However, not all of them have a simple exit in mind, and some may try to sabotage the company when it is least expected. This makes them an insider threat that no one sees coming, which is why it is important to acknowledge the risk before hiring the workforce.
We have seven ways to help you prevent employee sabotage in your company, but before we dwell on them, let’s first define insider threats and look at some examples of how disgruntled employees carried out sabotage.
Insider threats, defined.
Insider threats pose a complex and dynamic risk to the public and private domains of all critical infrastructure sectors. An insider threat is the possibility that an insider (usually a disgruntled, terminated employee) will use their authorised access to, or understanding of, an organisation to harm that organisation.
This harm can include purposeful, complacent, or inadvertent behaviours that jeopardise the integrity, confidentiality, and availability of the organisation’s data, staff, or facilities. External stakeholders and DHS customers may find this generic definition more appropriate and adaptable for their organisation’s purpose.
Here is an example of sabotage by an employee who had been laid off. Still having access to the company’s credentials, the former employee disrupted the organisation’s usual operations.
A fired administrator compromises his former employer’s network by utilising outdated credentials.
After being laid off, an I.T. system administrator disrupted the operations of his previous employer, a prominent financial firm in Hawaii, in the hopes of regaining his job. Casey K. Umetsu, 40, worked as a network administrator for the company between 2017 and 2019, when his contract was terminated.
According to a news release from the U.S. Department of Justice, the defendant pled guilty yesterday to accessing his former employer’s website and making configuration changes to reroute web and email traffic to external machines.
“After accessing the company’s configuration settings on that website using his former employer’s credentials, Umetsu made numerous changes, including purposefully misdirecting web and email traffic to computers unaffiliated with the company, thereby incapacitating the company’s web presence and email,” according to the U.S. Department of Justice.
Umetsu took additional steps that effectively locked the firm’s I.T. personnel out of the website administrative panel, extending the business disruption for several more days. Umetsu acknowledged that his motivation for generating such havoc was to persuade his former employer to rehire him at a higher salary.
“Umetsu criminally misused his employer’s privileged access credentials to disrupt its network operations for personal gain,” said U.S. Attorney Clare E. Connors. “Those who jeopardise the security of a computer network, whether government, company, or personal, will be investigated and penalised,” Connors added.
After reporting the cybersecurity incident to the FBI, the victimised organisation eventually learned who was responsible for the sabotage. While Umetsu’s acts are reprehensible, the company’s security measures must be scrutinised because Umetsu utilised credentials that should have been invalidated the moment he was fired.
Employees that are dissatisfied have a strong incentive to seek vengeance. They could sell access credentials on the dark web in addition to utilising them themselves.
In a recently decided case, the PDPC imposed an SGD 12,000 penalty on an organisation for a data breach caused by an employee’s sabotage.
Singapore: The PDPC reaffirms Terra Systems’ SGD 12,000 penalty for data security failure.
On July 27, 2020, the Singapore Police Force informed the PDPC that a customer relationship management portal created by Terra Systems had been accessed and modified.
The discovery of this unauthorised access was alarming because the portal contains the personal data of persons served with “Stay-Home Notices” (SHN). Crude remarks were found to have been inserted in the remarks field of cases in the Portal.
It turns out that the perpetrator is an unhappy ex-employee of the company. This ex-employee is believed to have obtained the daily common password by attending the morning Zoom briefing.
The perpetrator is believed to have directly obtained the daily common password from another employee who was unaware that his employment had been terminated. With this incident, the personal data of 125 individuals were exposed to the risk of unauthorised access.
For breaching the Protection Obligation under the PDPA, the Commission ordered Audio House to pay a financial penalty of S$10,000.
Tips for preventing employee sabotage in your firm
1. Begin with your initial recruitment.
A thorough recruitment process can assist you in ensuring that you are hiring individuals that are a suitable fit for your company. Comprehensive reference checks, a dependable interview process, and personnel screening can all help to identify potential issues early on.
2. Responsibility for actions.
Each employee must be aware of their own responsibility. Breaking down corporate objectives and showing how they relate on a team or employee level can help get everyone on the same page and working toward the same goal.
3. On a need-to-know basis.
When it comes to information sharing, it’s important to assess who needs to know what and how much. Keeping managers and employees updated is beneficial, but you must also protect yourself when dealing with sensitive material.
4. Policies for protection.
Policies are an excellent approach to communicate your expectations to staff and can assist you in managing challenging personnel. Policies on social media use, behavior, and data protection can all aid in the prevention of employee sabotage.
5. A feedback time and place.
Regular evaluations provide an opportunity to identify potential issues. You might utilise this time to solicit feedback and seek a resolution. If you need to refer back to past meetings, proper documentation is crucial.
6. Don’t cut corners on security.
Change passcodes and revoke access when staff leave, or sooner if necessary. You should also safeguard your online brand reputation. Monitor social media for brand mentions and answer any online complaints.
7. Corporate culture.
An open and varied culture that encourages employee voice can keep you in touch with your workforce’s general well-being. If trouble is brewing, it may be time to get feedback or plan a team-building retreat.
Contact your local H.R. Department today for guidance if you suspect employee sabotage or want to know how to best safeguard your business in the future.
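Tip 6 and the two cases above come down to access that outlived employment: personal accounts that were never disabled and shared passwords that still reached a former employee. The following is an added example, not part of the original article, that audits for both conditions; every user name, system name and date in it is constructed sample data.

```python
from datetime import datetime

# Constructed sample data (not from the article).
TERMINATED = {"alice": datetime(2024, 3, 1, 17, 0), "bob": datetime(2024, 3, 5, 9, 0)}
ACCOUNTS = [  # (system, user, enabled, last_login)
    ("vpn", "alice", False, datetime(2024, 2, 28, 8, 0)),
    ("dns-registrar", "alice", True, datetime(2024, 3, 9, 23, 14)),
    ("crm-portal", "bob", True, None),
    ("vpn", "carol", True, datetime(2024, 3, 10, 8, 0)),
]
SHARED_SECRETS = [  # (name, last_rotated, users given the current value)
    ("crm-daily-password", datetime(2024, 3, 6, 8, 30), {"bob", "carol"}),
    ("backup-admin", datetime(2024, 1, 10, 0, 0), {"alice", "carol"}),
    ("wifi-guest", datetime(2024, 3, 6, 8, 0), {"carol"}),
]

def audit_offboarding(terminated, accounts, shared_secrets):
    """Return sorted (severity, subject, detail) findings for access that outlived employment."""
    findings = []
    for system, user, enabled, last_login in accounts:
        left = terminated.get(user)
        if left is None:
            continue  # still employed
        if last_login and last_login > left:
            findings.append(("critical", f"{system}/{user}", "login after termination"))
        elif enabled:
            findings.append(("high", f"{system}/{user}", "account still enabled"))
    for name, rotated, holders in shared_secrets:
        for user in sorted(holders & set(terminated)):
            if rotated > terminated[user]:
                # Rotated since they left, yet the new value still reached them.
                detail = f"issued to {user} after termination"
            else:
                detail = f"not rotated since {user} left"
            findings.append(("high", name, detail))
    rank = {"critical": 0, "high": 1}
    return sorted(findings, key=lambda f: (rank[f[0]], f[1]))

if __name__ == "__main__":
    for severity, subject, detail in audit_offboarding(TERMINATED, ACCOUNTS, SHARED_SECRETS):
        print(f"[{severity}] {subject}: {detail}")
```

In practice the three inputs would come from the HR system, each system's account export (including externally hosted ones such as a website or DNS administration panel), and the record of who receives each shared password.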
Conclusion
Disgruntled employees seeking revenge after being fired are bad for your business. They are an insider threat that can be hard to contain if there is no protocol in place and followed, especially for employees who have greater access to the personal data that the company handles and manages.
To help you minimise the possibility of such employee sabotage and protect your business, you can hire a Data Protection Officer if you don’t have one yet. Aside from the fact that it is required under the PDPA to have DPOs, such an officer helps organisations with their policies to ensure that they comply with data protection obligations. DPOs can also help set the standard operating procedures for departing employees to prevent any possibility of employee sabotage, like in the case of Terra Systems.