Addressing the PEBCAK scenario: protecting systems against rogue employees (PART 2)

In PART 1, we discussed how non-malicious employees can disrupt business continuity. This post focuses on the malicious or rogue employee and outlines what you can do to obstruct an inside job.

First off, many wonder just how big a problem rogue employees really pose. Take a look at these recent findings:

  • Kroll reported that almost three in four data breaches are caused by insiders. 40% of these involved rogue employees.
  • While 65% of employees said they would not sell information at any price, 25% would sell company data, risking both their jobs and criminal convictions, for less than $8000, reported Clearswift.
  • IBM Security Services, who monitor billions of events each year, revealed that 31.5% of attacks were due to malicious insiders.

Now let’s be honest here. Publicly admitting that a breach is the result of the malicious actions from an employee has got to be…unpleasant.

Of course that’s assuming the company is even aware that they have a malicious employee among them. If systems are not disrupted, rogue employees might still be operating silently within the perimeter. In short, our gut feel here is that the problem might be bigger than what is reported.

What’s the recommended protection strategy?

For the record, we absolutely do not suggest that bosses should suspect all employees all the time. But there are a few technological and operational steps you can take to make the job of a would-be malicious employee much, much more difficult.

As with securing against non-malicious employees, your secret weapon here is a layered defense strategy. Layering your protection can protect a business’s critical assets, even from non-malicious employees.

Operational policies

There are a number of policies you can enforce within your organization to help protect your systems from being compromised by malicious – and indeed non-malicious – employees:

  • Encourage job rotation. Not only will employees be able to improve and broaden their skill sets, but it forces IT to review and redistribute access controls. If a particular employee is planning an attack based on his/her current system access, those nefarious plans could be totally scuppered by a departmental reorganization.
  • Establish security protocols, policies, and procedures for handling sensitive information and ensure that everyone is trained and follows the rules. To limit the problem of shared login details for example, enforce a policy to change passwords on a regular schedule.
  • Consider having mandatory vacations where employees are effectively cut off from the organisation without any network access. Not only will this approach test your operational redundancy, but it can be a great detective control: if something significant changes during his/her absence, it gives you a chance to uncover it without alerting the rogue employee.

The main take-away is to ensure that you make it as difficult as possible for any one person to steal sensitive information or breach business-enabling systems.

Technological measures
Complementing your operational policies with appropriate security software and network configurations is a key approach to protecting the systems from an attack from a rogue employee:

  • By default, ensure that the rights and activities you grant employees are set to the minimum requirements. In other words, use role-based access controls (RBAC) to grant privileges that meet, but don’t exceed, job requirements. For example, why give an employee the right to install applications when the role does not require it?
  • Consider Data Loss Protection software, which controls whether sensitive or critical information can be sent outside the corporate network. When blocking information from leaving the system, you can configure the software to alert you to the problem, as well as to the specific employee involved.
  • Perform unannounced, periodic tests of the security framework to ensure there are no vulnerabilities that you were unaware of.
  • Set up your systems to detect anomalous activity. Establishing that ‘normal’ baseline takes time (you might need to sift through many false positives), but once complete you can set threshold values to indicate suspicious activity that needs investigation.
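An added example of the baseline-and-threshold idea above (not code from the original post or from TBG Security): it learns each user's "normal" from a few days of constructed sensitive-file access counts, then flags later days that exceed the baseline by k standard deviations. An absolute floor keeps low-volume users from generating the false positives the paragraph warns about; the log lines, window and thresholds are all constructed assumptions.

```python
"""Baseline-and-threshold anomaly check over constructed access-log lines."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: "date user count_of_sensitive_file_reads"
SAMPLE_LOG = """\
2024-03-01 alice 12
2024-03-02 alice 15
2024-03-03 alice 11
2024-03-04 alice 14
2024-03-05 alice 13
2024-03-06 alice 90
2024-03-01 bob 3
2024-03-02 bob 4
2024-03-03 bob 2
2024-03-04 bob 5
2024-03-05 bob 3
2024-03-06 bob 6
"""

def parse_log(text):
    """Return {user: [(date, count), ...]} with each user's rows sorted by date."""
    per_user = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        date, user, count = line.split()
        per_user[user].append((date, int(count)))
    for rows in per_user.values():
        rows.sort()
    return per_user

def build_baseline(rows, window):
    """Mean and population std-dev over the first `window` days: the learned 'normal'."""
    counts = [c for _, c in rows[:window]]
    return mean(counts), pstdev(counts)

def find_anomalies(log_text, window=5, k=3.0, floor=10):
    """Flag days after the baseline window whose count exceeds mean + k*std.
    `floor` is an absolute minimum threshold, so a low-volume user going from
    2 to 6 reads is not reported (this is what cuts the false positives)."""
    flagged = []
    for user, rows in parse_log(log_text).items():
        mu, sigma = build_baseline(rows, window)
        threshold = max(mu + k * sigma, floor)
        for date, count in rows[window:]:
            if count > threshold:
                flagged.append((user, date, count, round(threshold, 1)))
    return flagged
```

Running `find_anomalies(SAMPLE_LOG)` reports only alice's 90-read day; dropping the floor and tightening k to 1 also flags bob's modest rise, which shows why the baseline period and threshold choice matter.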

The point here is that you want to discourage malicious behavior. But if a malicious employee is set on this path, you want to catch him/her before any damage is done to your network’s integrity and data confidentiality.

Getting help

Ultimately, what routes you take when it comes to security entirely depends on what you are trying to protect.

Some of these steps might seem daunting to IT departments with fewer internal resources or specialist security gurus, but that does not mean you should ignore the problem. There are many reputable security consultants, like TBG Security, out there who can help you prioritise your security implementations.

About TBG Security Inc.

TBG Security is a leading provider of information security and risk management solutions for Fortune 100 and Fortune 500 companies. TBG designs and delivers cyber security solutions to work in harmony with existing operations. Companies depend on TBG services in areas including risk management, penetration testing, security policy development, security strategies for compliance, business continuity, network security, managed services, software and service integration and incident response.

For more information on how TBG Security can help your organization with your information security initiatives please visit
