IT Security & High Risk Users Management Blog | WALLIX

4 signs your IT worker may have gone rogue

Written by WALLIX | Mar 30, 2015 11:24:00 AM


The technology being used in today’s businesses is more powerful than ever. These tools and systems are helping to increase productivity and drive digital transformation. But this increased visibility of IT and its key part in business now sees it under greater scrutiny, especially when it comes to trusting those with access to this now critical infrastructure.

4 signs to detect malicious IT workers


If you’re hiring IT pros you’ll pride yourself on finding the best people to do a great job. But the law of averages means there’s a possibility you could miss early warning signs that an otherwise talented and hardworking employee was prepared to abuse their privileges for their own gain. They could end up embezzling from the company, illegally accessing private emails or selling company data for profit.

This issue focuses on human beings, so there are no hard and fast rules for spotting a rogue. But these few examples will give you some potential warning signs that may justify investigating an employee further.

1. They know information before everyone else

If you’ve noticed that an employee somehow seems to know what is going on before it is generally announced, they should probably be viewed with some suspicion. Imagine a situation where your business is about to announce restructuring, a major new hire or a new strategy. If you have a particular person who always has his finger on the pulse of whatever is coming, there is a possibility he’s getting that information from somewhere that others aren’t. Look for repeat instances of this sort of behaviour and you may uncover a rogue.

2. They talk about hacking company systems or colleagues

If a disgruntled employee tells others what they could do if they wanted to, it’s definitely a warning. In most cases, no one tells leadership about the threat because they think nothing of it.

It’s worth educating your employees about why they should report these passive-aggressive threats. When they are reported, take them seriously. Have management talk to the employee with an HR representative present.

If employees are caught with unauthorized hacking tools (if hacking tools are not part of their job) or for those found with collections of other users’ passwords (if having those passwords is not part of their job).

3. They are actively hiding what’s on their screen

This seems obvious, but let’s consider one particular scenario. As you walk over to a team member’s desk, you notice they’re working on a company system, and as you arrive to talk to them they switch that screen. What possible reason could they have for not wanting you to see that? It should definitely be considered a red flag.

4. They leave the company angry

A layoff can come as a complete surprise to an employee, and it can hit at a difficult time in that person’s life. While you might expect a little venting, it can cross a line. Add to that mix a dedicated employee who has had lots of superadmin privileges for years with remote access, and you could be sitting on a ticking time bomb.

Of course, every separation of employment should involve the disabling of the ex-employee’s log-on accounts. Failing to do so is a mistake victim companies often make. But often that long-term superadmin employee is also aware of shared admin account passwords (a practice that should never be implemented) and may know other employees’ log-on names and passwords. This can become especially complicated in certain circumstances. While the average employee may have 10 to 15 different systems with different log-on credentials, that number goes through the roof for IT admin employees.

Any system located on the Internet or a partner network should be closely examined. Any log-on credentials the employee might have known or might have used must be changed. Elevated service accounts, whose passwords often go unchanged for years and are widely known, should have their passwords changed as well. And be sure to investigate for any evidence of other accounts and passwords the ex-employee might have known about. Those, too, should be changed.
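The offboarding checks described above can be run against a credential inventory. The following is an added example, not WALLIX code: the `Credential` record, its field names and the sample accounts are all constructed for illustration, and it assumes you already track who knows each shared password.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Credential:
    name: str
    kind: str                         # "personal", "shared" or "service"
    owner: str = ""                   # set for personal accounts
    known_by: frozenset = frozenset() # people known to have the password
    exposure: str = "internal"        # "internal", "internet" or "partner"
    enabled: bool = True
    last_changed: date = date(2000, 1, 1)

def offboarding_actions(inventory, departed, separated_on):
    """Return (priority, account, action) tuples, most urgent first."""
    actions = []
    for cred in inventory:
        rotated = cred.last_changed >= separated_on
        if cred.kind == "personal" and cred.owner == departed:
            if not cred.enabled:
                continue              # already disabled, nothing to do
            action = "disable"
        elif departed in cred.known_by and not rotated:
            action = "rotate"         # shared or borrowed password they knew
        elif cred.kind == "service" and not rotated:
            action = "rotate"         # service passwords are assumed widely known
        else:
            continue
        # Internet- and partner-facing systems are examined first.
        priority = 0 if cred.exposure in ("internet", "partner") else 1
        actions.append((priority, cred.name, action))
    return sorted(actions)

# Constructed sample inventory; "jdoe" is the departing admin.
SEPARATED_ON = date(2015, 3, 1)
INVENTORY = [
    Credential("jdoe", "personal", owner="jdoe", enabled=False),
    Credential("jdoe-vpn", "personal", owner="jdoe", exposure="internet"),
    Credential("root@fw-edge", "shared", known_by=frozenset({"jdoe", "asmith"}),
               exposure="internet", last_changed=date(2013, 6, 1)),
    Credential("asmith", "personal", owner="asmith",
               known_by=frozenset({"jdoe"}), last_changed=date(2015, 1, 10)),
    Credential("svc-backup", "service", last_changed=date(2011, 2, 1)),
    Credential("svc-web", "service", exposure="partner",
               last_changed=date(2015, 3, 2)),
]

if __name__ == "__main__":
    for priority, account, action in offboarding_actions(INVENTORY, "jdoe", SEPARATED_ON):
        print(priority, account, action)
```

Re-running the function after each change shows what is still outstanding; an empty list means every credential the inventory ties to the ex-employee has been disabled or rotated since the separation date.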

As you’re now in a place where you may need to examine the activity of your IT team members more closely, you may be thinking about investing in tools that don’t just help to identify those who are abusing their access, but also help to give peace of mind to your leadership team.