There are many reasons why employees may become disgruntled in the workplace. Typically, it begins with an employee feeling overworked, underpaid, unappreciated, or passed up for a promotion. According to a job satisfaction survey conducted by The Conference Board Consumer Confidence Survey®, the five components that US workers are least satisfied with include: 1.) promotion policies (25.4 percent), 2.) bonus plans (25.5 percent), 3.) educational/job training programs (30.8 percent), 4.) the performance review process (31.2 percent) and 5.) recognition/acknowledgement (34.3 percent).

Disgruntled Employees Pose a Risk to Your Company

A disgruntled employee possess two components needed to cause damage; access and motivation. Depending on their job function/title that access may include confidential/proprietary information, financial information and or high-level administrative privileges to corporate applications. When issues arise in the workplace, it can become an emotionally charged environment. The five components mentioned earlier in the job satisfaction survey may now become the motivation that turns a productive employee into a disgruntled employee. The subsequent risk to the company may be varied and significant such as; spreading negative comments on social media platforms such as LinkedIn or Facebook, theft of physical and or intellectual property, deliberately leaking sensitive and or confidential/proprietary information resulting in financial loss, loss of company credibility and potential lawsuits. In addition to disgruntled employees, it’s important to consider the other insider threat; the ex-employee who maintains access to corporate applications.

The Ex-Employee
According to a survey conducted by OneLogin an alarming 50 percent of ex-employees retain access to corporate applications after their employment has ended. This continued access can become the Achilles heel for the company. If the ex-employee leaves acrimoniously the motivation exists to use that access to orchestrate a crippling attack. Even if the employment is terminated to the satisfaction of both parties, the ex-employee could be recruited at a later date by malicious actors offering money in exchange for their access. According to the OneLogin survey, 20 percent of the companies represented experienced a data breach due to failure to deprovision an employee.

Examples

Disgruntled Employee
Just days before Apples’ huge reveal, a disgruntled employee is believed to be the leak that compromised the anticipated event centered around the iOS 11 GM. According to a September 9, 2017 AppleInsider report, it is suspected that a disgruntled employee revealed proprietary/confidential information regarding new features and hardware of the iOS 11 GM.  Included in the leak was information on the new LTE Apple Watch, new AirPods revision, “Face ID” facial recognition details and setup process, a new “animoji” feature for Messages, and the apparent marketing names of Apple’s forthcoming iPhone lineup; iPhone8, iPhone 8Plus and iPhone X.

In 2014, Andrew Skelton, a senior IT auditor employed by Morrisons Supermarket PLC, deliberately leaked the payroll information of approximately 100,000 current and former Morrisons employees to a file sharing website and to three English newspapers. The motivation? The IT auditor held a grudge against Morrisons due to an earlier internal disciplinary matter.  Morrisons continues to experience the damaging consequences caused by this disgruntled employee. Over 5,000 current and former Morrisons employees filed a class action suit against the company for damages incurred from the information leak. In December, 2017, England’s High Court of Justice Queens Bench Division ruled that Morrisons was vicariously liable for the actions of the disgruntled employee. Morrisons is appealing the court’s decision.

Ex-Employee
IT specialist and systems administrator, Brian P. Johnson, will be spending the next 34 months in federal prison and will have to pay $1,134,828 in damages for hacking his former employer, Georgia Pacific. Mr. Johnson was terminated from his employment on February 14, 2014 and escorted off the George-Pacific’s Hudson Mill premises. Despite his termination, his access to corporate applications remained in place. Mr. Johnson was found to have an open virtual private network connection to the Georgia-Pacific Mill’s network. With this connection, Mr. Johnson intentionally transmitted harmful code and commands to the system, in some instances bringing the mills production to a stand-still. FBI agents assigned to the case concluded that Mr. Johnson intentionally sabotaged his former employer as payback. In February 2016, Mr. Johnson admitted his crimes and was sentenced.

What Can You Do?

You’ve probably heard the saying that ‘knowledge is power’. All employees require a certain amount of knowledge to empower them to do their work, however, here are a few questions to think about: How much ‘power’ do your employees have based on the access or ‘knowledge’ of corporate applications they possess? Do they need the access they possess to do the job they’ve been hired to do? Are policies and guidelines in place to recognize the signs of a disgruntled employee and how to manage the situation? When a termination becomes inevitable, whether it is friendly or acrimonious, has access to corporate applications been terminated as well? This article by the CERT Division of the Software Engineering Institute (SEI) provides a list of 19 best practices that can help mitigate the risk of IP theft, IT sabotage, and fraud that may exist due to a disgruntled or ex-employee.

CERT Insider Threat Best Practices