Why Angry Employees are Everyone’s Problem

December 3, 2014

What is the worst thing a person can do to hurt their previous employer? This may never be more than a passing thought for most people, but whenever there’s a layoff, at least a few of the freshly terminated employees are seriously pondering it. And it wouldn’t take too long – a quick Google search would do it – to figure out that a cybersecurity incident would be just the thing: It can cause expensive havoc or put the organization out of business.

640 (6)

It’s a scary thought. In the past, a business only had to worry about a disgruntled few who might have sophisticated hacking skills. However, these days anyone can place an order for a Denial of Service attack by paying as little as $10 an hour.

Lest you think this is a headache limited to IT and management, it’s worth taking a look at some of the scenarios below. Typically, the assets most attractive to cybercriminals are: Personally Identifiable Information (which belongs to employees or customers) and Intellectual Property (company secrets). Since the loss of these can hurt other employees, customers, and stockholders, an upset ex-employee becomes everyone’s problem. Here are three of the easiest scenarios angry former employees can enact:

Scenario #1: Pay someone else to disrupt the business

As referenced above, the employee goes online to an underground forum and essentially hires cybercriminals to launch an attack upon the former company’s webservers. These attacks can be paid for anonymously via Bitcoin.         

Scenario #2: Sell passwords to the highest bidder

If the employee is in possession of passwords that are still in effect (or knows how to get them), they can offer these up for auction to cybercriminals on the darknet (instructions on how to get there can be found on YouTube). Or the passwords can be offered for free – in cases where a corporate employer has hacktivist enemies.

Scenario #3: Sell detailed insider information

An employee armed with information about specific cybersecurity tools the company is using can offer cybercriminals something even more valuable: reconnaissance. Knowing an organization’s software, hardware, and basic policies can make data breaches a relative breeze: hackers can then aggressively put pressure upon an identical configuration until it breaks, revealing the attack tools which are required to get in. Whether they do this themselves or purchase the necessary vulnerability information, an attack that starts this way could easily bankrupt a company.

One convenience to aggressors: It is easier than ever to evade law enforcement by using the right tools – those that obfuscate our treks around the Internet. Bitcoin has made it possible to both provide and receive payment anonymously. TOR, aka The Onion Router (it essentially hides the identity of the sender) allows people to take steps that cannot be seen or easily reconstructed. (As a warning to those thinking about engaging in nefarious acts, law enforcement is finding ways around net anonymity. Consider the couple in Northern California who were recently busted for operating a narcotics business they set up on Silk Road 2.0.)

wide (5)

Regardless of the ease in which attacks can now be organized, there are some proactive steps a company can take towards protection. Here are three of them:

Rule #1: To the extent companies can be discrete about the security tools they are using, even from their own employees, they will be better off. Sometimes executive management agrees to publish success stories about network security tools they are using, not realizing these can be pieced together to create a useful attack diagram of their network.

Rule #2: Suspect everyone. Any time an employee is fired or laid off, all passwords to all systems they had access to should be changed. We can’t know how angry an ex-employee is or might become. Changing passwords should be mandatory and completed as a matter of course immediately preceding every exit interview. (Go here for a list of eleven questions developed by the Security Executive Council which should be answered by CFO/CIOs/CSOs to help address all types of insider threats.)

Rule #3: Consider offering severance packages, and ensure the employee understands the stakes. The ROI for a severance package is very often the mollification of an employee who might otherwise inflict harm. Final documents should include notification that the company will aggressively pursue any ex-employee who attempts to harm the company.

Finally, anyone working for an organization they truly value should consider reporting any co-worker who threatens to harm the company. Good security definitely “takes a village”.