HAS YOUR MSP ever employed a technical person who had conflicts with or bullied fellow workers? Complained to competitors about work-related issues but refused to confront supervisors due to “shyness”? Had serious personality conflicts, difficulties controlling anger, or exhibited other unprofessional behavior? Had trouble conforming to rules (for example: a history of arrests, security violations, or misuse of travel, time, and/or expenses)?
If so, your MSP has experienced the predisposition characteristics of an employee who would commit IT sabotage, according to the traits outlined in the Carnegie Mellon SEI CERT Guide to Insider Threats.
IT sabotage is one type of insider threat, a security domain of growing importance and attention. In an informal poll on LinkedIn, 20% of respondent MSPs claimed they had active employees who committed IT sabotage.
The first step to mitigation is knowing what to look for. In the MSP world, these predispositions often take on additional subtle or anonymous behaviors:
- Bad anonymous reviews about the company, the CEO, or the service department manager show up on Glassdoor, Yelp, Indeed, or other well-known sites.
- Your clients mention that your technician is saying negative things about your MSP or soliciting direct work.
- You hear of gossip or insubordinate behavior in front of other staff members, but they won’t admit it when you speak to them.
When any of these behaviors are identified, it’s important to determine who is disgruntled and why. Often this is from unmet expectations on the part of the employee. Did they get passed over for a promotion? Are they working unreasonable hours? Do they feel blamed unfairly for a breach or error? Were they expecting a pay increase? Do they lack autonomy? Is the role too structured for their personality? Are they reporting to someone they don’t respect?
Don’t guess what the precursor or cause of disappointment is; it is important to know specifically. If the conversation has not yet taken place, then asking a lot of questions in a safe, private environment will help that employee feel heard. Having an open conversation with HR or management, without fear of reprisal or negative consequences, can help avoid an out-of-control escalation.
Be sure to have a clear, consistent message of what the organizational policies and controls are so that there is no misperception by the employee that injustice is occurring. In reviews of historical IT sabotage cases, many disgruntled workers felt that star employees were given special treatment.
Train your supervisors on what to watch for and encourage private, confidential reporting with your employees. This will help to build trust and keep the staff aligned on how to handle it when a co-worker starts showing signs of distress. When someone reports bad behavior from another employee, take it seriously and employ a consistent response.
If the employee’s unhappiness is due to pending termination or disciplinary action, note that most IT sabotage occurs after termination. Therefore, IT, HR, and physical security must work together and follow best practices to help mitigate damage from a departing employee:
- IT should disable system access immediately, after double-checking the backups and log protection and confirming that known access paths are closed off for that user account.
- HR should review the NDA and company property or acceptable use policies with the employee at the time of termination, setting an expectation that the policies will be upheld, and notify the employee that access to the system is being removed, so there are no surprises.
- HR should retrieve keys, key cards, and any other building or system access devices.
- Physical security should escort the employee out of the building after accompanying them to their desk to retrieve their belongings.
- After termination, HR, IT, and physical security should review the offboarding checklist for completeness and improvement.
While IT sabotage can be scary to manage and mitigate, preparing for this type of insider threat can have a large ROI.
JOY BELINDA BELAND, CISM, SSAPs, CMMC PI PA, specializes in innovative and engaging cybersecurity training and education.