Our age of seemingly limitless technological advancements are rapidly transforming every aspect of our lives, particularly what it means to go to work in the 21st century. But this has also led to the likelihood that employees are using tools outside the scope of what their employers allow (think: cloud-based computing, storage and file-sharing tools), unintentionally jeopardizing the security of their organization.
Companies often overlook these rogue employees, despite the fact that they pose just as serious a threat as employees with malicious intent -- and even more for many organizations. There are three types of rogue employees: The Innovative, The Bad and The Lazy. Here’s how you can identify and stop them in their tracks:
They are creative, curious, ambitious, resourceful and efficient. They have a relentless drive to get the job done and even a healthy dose of rebelliousness. Unfortunately, their effectiveness and independence can prove to be seriously deleterious to organizational security.
These ambitious employees will seek out workarounds to improve their performance, even if that means bending the rules. Curious workers and early-adopter types might be fascinated by the latest and greatest technology advancements and enjoy trying them out. Others might feel constrained by onerous rules -- rules that they resent for slowing them down, and rules they view as intended for those less capable and less trustworthy than themselves.
The rise of BYOD working environments, mobile apps and cloud-storage solutions further enables such behavior, adding convenience with each advance in capability.
The reason The Innovative rogues can present such a danger is precisely because they are great at their jobs. But the danger their ruthless efficiency presents to the security of an organization should not be underestimated.
It’s easy to picture this variety of rogue employee: hackers, thieves and spies. But it’s not always so Hollywood. Disgruntled employees with access to highly secure information and enough of a grudge to exploit it, slighted workers who dramatically quit and steal proprietary information and terminated employees determined to exact revenge are The Bad employees to look out for.
The most prevalent example of The Bad might be the Access Hoarder, who demands to be involved in as many processes and systems as possible, even ones far removed from his or her role. But as they accrue access to more and more systems, the risks they pose also add up.
It’s not only about them having the ability to see, share and potentially alter or steal sensitive information. It’s also about the long lists of log-ins and passwords they leave in their wake, which increases the likelihood of some accounts being underused or forgotten.
Rarely will you see a scary headline explicitly mention how an Access Hoarder almost brought down a company. The reality, though, is that even in high-profile breaches, when the bad guys do break through an organization’s perimeter security controls (e.g., firewalls), their first priority is often commandeering an account — and it’s exactly these types of over-privileged accounts that serve as prime targets.
For any organization, the leading cause of risk is laziness. These employees may not be concerned with following drafted protocols -- that is, if they even understand them or know they exist at all.
Perhaps they store their usernames and passwords on post-it notes, or use Dropbox instead of a sanctioned storage and file-sharing service, because it’s all they know and they don’t want to learn something new. All the while they have no idea that their insistence on circumventing corporate policies opens up their organization to serious risk.
Even scarier might be a systems administrator who turns out to be part of The Lazy rogues. Maybe they grant access to people in the organization they’re friends with and trust, rather than taking the time to go through proper channels, documentation and authorization.
Education, training, constant monitoring, severe access restrictions -- these might help alleviate the problem, but they are in no way fool-proof solutions to the threat posed by rogue employees of any type.
The surest course of action to protect the data, privacy, and stature of your organization is to use identity and access management software to automatically grant access to resources only when an employee needs it. This eliminates the ability of employees to access information they shouldn’t be able to see, stopping them from going rogue even by accident.