When Employees Go Rogue: Guarding Against Malicious Insider Attacks

Posted by Craig McDonald on 14 November 2018 10:49:04 AEDT

Shady and shifty or just another regular Joe? Ted Bundy was considered a charismatic guy; you can never be sure where the biggest personnel threat to your organisation will come from. Don’t we always see in the news that it’s Susan, the lovely office manager, who turns out to be the one channelling company funds into her own accounts?

Malicious insiders pose a serious threat to business.

I often write about the human factor as a vulnerability when cybersecurity threats come from outside, but consider the damage that can be done by someone on the inside: someone already embedded in your workplace and systems, hell-bent on settling an unseen grudge, stealing your data for personal gain, or simply trying to buy their way out of a sea of gambling debt...

Malicious and insidious

Yes, we often talk of employees accidentally making workplaces vulnerable to outsider attacks by clicking links in phishing emails or sending confidential information to the wrong client. But the malicious insider is far more insidious: they have intent, and they already hold legitimate access.

A malicious insider is:

“An individual who exploits a system to commit computer sabotage, extortion, fraud or to steal confidential information.” - Preventing and Profiling Malicious Insider Attacks, DST

At MailGuard, we know there are more outsider attacks than insider attacks against organisations; that’s a fact. But insider attacks have the potential to be more impactful and are harder to detect, because the attacker is using access they were legitimately given and their activity looks, at first glance, like normal work.

What is the cost of organisational fraud?

Key facts from the Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse by the Association of Certified Fraud Examiners:

  • $130,000 median loss per occupational fraud case
  • 40% of cases were uncovered via tips
  • Small businesses reported median losses roughly twice those of larger businesses
  • 85% of those behind fraud displayed at least one behavioural red flag
  • All 18 types of anti-fraud controls examined correlated with lower losses and faster detection

You might find these figures a little overwhelming. I do, too, especially for smaller businesses. Businesses with fewer than 100 employees can least afford a loss, and yet they are the ones losing the most.

How can we guard against rogue employees with the keys to the kingdom?

While the Report to the Nations sets out fundamental anti-fraud organisational initiatives, we need to get more specific here: active technological measures that organisations can put in place to help stop malicious insider attacks. A multi-layered approach is essential.

Wait for a tip to come in from a do-good employee or implement systems that stop this behaviour in its tracks?

Striving for a happy workplace and a “family” culture can go a long way to preventing malicious insider attacks. Doubling down on security measures can decrease the likelihood and severity even further.

Reducing employee access

I highly recommend following Defence’s lead in granting access on a “need to know” basis. In information security this is known as the principle of least privilege (PoLP): every user, account and process gets only the access essential to its function, and nothing more. The wider the digital access given to any one employee, the more damage a single grudge, or a single compromised account, can do.

Compartmentalising access to specific systems, files and apps limits how much of the business any one employee can see or change. A related but distinct control is separation of duties: splitting a sensitive process (for example, creating a new vendor and approving payment to it) across two or more people so that no individual can complete a fraud alone. Least privilege limits what each person can reach; separation of duties ensures that the steps that matter need more than one person.

Defining which systems, devices and data sets pose the greatest risk helps you decide where to tighten access first.
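To make the two controls concrete, here is an added example (not code from the original post) of a deny-by-default permission check alongside a separation-of-duties audit. The role names, permission strings and the "toxic" permission pairs are assumptions chosen for illustration; the shape of the check is what matters.

```python
"""Deny-by-default permission check plus a separation-of-duties audit.

Added example, not from the original post. Role names, permissions and the
toxic combinations below are assumptions chosen to illustrate the idea.
"""

# Each role grants an explicit, minimal set of permissions (assumed names).
ROLE_PERMISSIONS = {
    "accounts_payable": {"vendor:create", "invoice:enter"},
    "finance_approver": {"payment:approve"},
    "sales":            {"crm:read"},
    "sales_manager":    {"crm:read", "crm:export"},
}

# Pairs of permissions no single person should hold at once: holding both
# lets one insider complete a fraud end to end without a second pair of eyes.
TOXIC_PAIRS = [
    ("vendor:create", "payment:approve"),
    ("invoice:enter", "payment:approve"),
]


def permissions_for(roles):
    """Union of permissions granted by a set of roles; unknown roles grant nothing."""
    granted = set()
    for role in roles:
        granted |= ROLE_PERMISSIONS.get(role, set())
    return granted


def is_allowed(user_roles, permission):
    """Deny by default: allowed only if some role explicitly grants the permission."""
    return permission in permissions_for(user_roles)


def sod_violations(assignments):
    """Return (user, perm_a, perm_b) for every user who holds a toxic pair."""
    violations = []
    for user, roles in assignments.items():
        held = permissions_for(roles)
        for a, b in TOXIC_PAIRS:
            if a in held and b in held:
                violations.append((user, a, b))
    return violations


# Constructed role assignments for the example.
ASSIGNMENTS = {
    "susan":  {"accounts_payable", "finance_approver"},  # can create a vendor AND approve paying it
    "dennis": {"sales"},
    "alice":  {"finance_approver"},
}

if __name__ == "__main__":
    print(is_allowed(ASSIGNMENTS["dennis"], "crm:export"))  # sales alone cannot export the CRM
    for user, a, b in sod_violations(ASSIGNMENTS):
        print(f"SoD violation: {user} holds both {a} and {b}")
```

Run periodically against the real role assignments, `sod_violations` is the audit that catches the "helpful" accumulation of roles over time (the office manager who was given approval rights to cover a holiday and never lost them), which is exactly the position a Susan needs to channel funds unnoticed.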

Careful monitoring of administrative privileges

Systems administrators have access to your systems and configurations and, more importantly, the technical knowledge to do real damage with that access, and frequently the ability to tidy up the logs afterwards.

If separation of duties matters for regular employees, it matters even more for administrative roles. Know who holds which administrative privileges, keep day-to-day accounts separate from admin accounts, and reassess roles and needs regularly: an administrator who no longer needs a privilege should lose it, and a departing one should lose it on the day. As you keep an eye on their privileges, keep an eye on your systems administrators personally, too. Are they happy at work? Did we learn nothing from Dennis in Jurassic Park?

Network logging and monitoring

It’s not unreasonable to log and monitor access to business assets across your organisation at the employee level. This isn’t creepy spying; it’s your business. Do make sure those logs are stored where the people being monitored, administrators included, cannot quietly edit or delete them.

Intelligent systems can, for example, establish what normal looks like for each user and flag an abnormally high (or low) number of accesses to a particular client database one week, or a large transfer of data from that database to a single machine. Unusual activity isn’t proof of wrongdoing, but it is a trigger: investigate to determine the cause, or initiate closer monitoring of the situation.
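The detection described above, as an added example rather than code from the original post or from any MailGuard product: it parses constructed access-log lines, builds a per-user, per-database weekly baseline, and flags a week whose access count deviates sharply in either direction, plus a separate check for an unusually large volume of data pulled. The log format, the user names, the MAD-based score and the thresholds are all assumptions.

```python
"""Baseline-and-deviation detection over constructed access-log lines.

Added example, not from the original post. The log format, thresholds and
user names are assumptions; the method is the point: per-user weekly
baselines, flagging weeks that break them high or low, and a separate
check for bulk data pulls.
"""
import re
import statistics
from collections import defaultdict

LOG_RE = re.compile(r"week=(\d+) user=(\w+) db=(\w+) bytes=(\d+)")  # assumed log format


def parse(lines):
    """Aggregate (user, db) -> week -> [access_count, total_bytes]."""
    agg = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # skip malformed lines instead of crashing the detector
        week, user, db, nbytes = int(m[1]), m[2], m[3], int(m[4])
        agg[(user, db)][week][0] += 1
        agg[(user, db)][week][1] += nbytes
    return agg


def robust_z(value, history):
    """Deviation of value from the median of history, in MAD units (robust to past spikes)."""
    med = statistics.median(history)
    mad = statistics.median(abs(h - med) for h in history)
    scale = 1.4826 * mad if mad else 1.0  # floor so a perfectly flat baseline still gives a finite score
    return (value - med) / scale


def detect(agg, week, z_limit=3.0, bytes_factor=5.0):
    """Flag users whose access count or data volume in `week` breaks their own baseline."""
    findings = []
    for (user, db), weeks in agg.items():
        history = [c for w, (c, _) in weeks.items() if w < week]
        if len(history) < 4:
            continue  # too little history to call anything anomalous
        count, nbytes = weeks.get(week, (0, 0))  # a missing week counts as zero accesses
        z = robust_z(count, history)
        if abs(z) > z_limit:
            findings.append((user, db, "high" if z > 0 else "low", round(z, 1)))
        hist_bytes = [b for w, (_, b) in weeks.items() if w < week]
        if nbytes > bytes_factor * max(statistics.median(hist_bytes), 1):
            findings.append((user, db, "bulk_transfer", nbytes))
    return findings


def constructed_log():
    """Synthetic log lines: steady users, then one spike and one collapse in week 7."""
    schedule = {  # constructed weekly access counts per (user, db)
        ("dennis", "clients"): [10, 12, 11, 10, 13, 11, 96],  # week 7: mass pull
        ("alice", "clients"):  [40, 42, 41, 39, 40, 41, 2],   # week 7: near silence
        ("bob", "clients"):    [20, 21, 19, 22, 20, 21, 20],  # normal
    }
    lines = []
    for (user, db), counts in schedule.items():
        for week, n in enumerate(counts, start=1):
            per_access = 200_000 if (user == "dennis" and week == 7) else 4096
            lines += [f"week={week} user={user} db={db} bytes={per_access}" for _ in range(n)]
    lines.append("this line is garbage and should be ignored")
    return lines


if __name__ == "__main__":
    for finding in detect(parse(constructed_log()), week=7):
        print(finding)
```

The low-side alert matters as much as the high side: a user who suddenly stops touching a database they work in every day may have lost interest in the job, or may have switched to a colleague's credentials. Note the limitation that a week with zero logged accesses is absent from the history rather than counted as zero; a production detector should fill those gaps explicitly.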

Putting in roadblocks to prevent data theft

Even if you’ve disabled removable media on company machines, or blocked specific file transfer protocols in a sandboxed environment, a malicious insider can still ferry data out of the company via email, whether to themselves or to somebody else. (Personal webmail, cloud storage and a phone camera pointed at the screen are the other usual routes, so email controls are one layer, not the whole answer.)

As a Data Loss Prevention (DLP) measure, you can implement advanced outbound email filtering with MailGuard to govern attachments, message sizes and recipients. This comes standard with our outbound email filtering.

Keeping your reputation safe from exiting employees

Consider the damage a disgruntled employee can do just by spamming your customer base or key partners before departing. As a business leader and owner, it’s always a fear when you’re not sure about the motivations of someone who’s on their way out.

Outbound email controls help protect your organisation’s reputation, letting you catch mass emails that attempt to tarnish your name, share trade secrets, or simply dish the dirt on your good name. Pair them with prompt offboarding: an account that is disabled the moment notice is given, or the moment someone is walked out, cannot send anything at all.
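The kind of rules an outbound filter applies, covering both the DLP roadblock above and the departing-employee mass mail-out, as an added example. This is illustrative code, not MailGuard’s product or configuration; the domain lists, blocked attachment types, size cap and recipient limit are assumptions you would tune to your own business.

```python
"""Rule-based outbound email check: attachments, size, recipients.

Added example, not from the original post and not MailGuard's product. The
rules, domain lists and limits are assumptions chosen to show how an
outbound filter acts as a DLP roadblock and catches a mass mail-out.
"""
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example.com"                                # assumed company domain
WEBMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}   # assumed personal-mailbox domains
BLOCKED_EXTERNAL_EXT = {".pst", ".csv", ".sql", ".bak"}       # bulk-data formats that rarely need to leave
MAX_ATTACHMENT_BYTES = 10 * 1024 * 1024                       # assumed size cap
MAX_EXTERNAL_RECIPIENTS = 50                                  # assumed mass-mail threshold


@dataclass
class Message:
    sender: str
    recipients: list
    attachments: dict = field(default_factory=dict)  # filename -> size in bytes
    subject: str = ""


def domain(addr):
    """Lower-cased domain part of an address."""
    return addr.rsplit("@", 1)[-1].lower()


def evaluate(msg):
    """Return (action, reasons); action is 'deliver', 'hold' (review) or 'block'."""
    reasons = []
    external = [r for r in msg.recipients if domain(r) != INTERNAL_DOMAIN]
    to_webmail = [r for r in external if domain(r) in WEBMAIL_DOMAINS]
    total_bytes = sum(msg.attachments.values())

    if len(external) > MAX_EXTERNAL_RECIPIENTS:
        reasons.append(("hold", f"mass mail-out: {len(external)} external recipients"))
    if total_bytes > MAX_ATTACHMENT_BYTES:
        reasons.append(("hold", f"attachments total {total_bytes} bytes"))
    for name in msg.attachments:
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if external and ext in BLOCKED_EXTERNAL_EXT:
            reasons.append(("block", f"bulk-data attachment {name} to external recipient"))
    if to_webmail and msg.attachments:
        # Staff mailing attachments to a personal mailbox is the classic self-exfiltration path.
        reasons.append(("hold", f"attachments sent to personal mailbox {to_webmail[0]}"))

    if any(level == "block" for level, _ in reasons):
        action = "block"
    elif reasons:
        action = "hold"
    else:
        action = "deliver"
    return action, [text for _, text in reasons]


# Constructed messages for the example.
NORMAL = Message("craig@example.com", ["buyer@customer.org"], {"proposal.pdf": 500_000})
EXFIL = Message("susan@example.com", ["susan.home@gmail.com"], {"clients.csv": 3_000_000})
MASS = Message("dennis@example.com", [f"contact{i}@partner{i % 7}.example" for i in range(120)])

if __name__ == "__main__":
    for label, msg in (("normal", NORMAL), ("exfil", EXFIL), ("mass", MASS)):
        print(label, evaluate(msg))
```

A "hold" verdict routes the message to a human rather than silently dropping it, which keeps a legitimate marketing send or a large client deliverable from becoming a false positive that staff learn to work around.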

Unwinding the damage with backups

Finally, think about what happens if an angry employee deletes important email correspondence with a valuable client, or other valuable data and IP from your network. How do you know it has happened, and what those messages contained?

An archiving solution gives you the power to restore forensically intact data, which helps with legal and regulatory compliance, but it also helps your organisation simply recover valuable information. The archive only does that job if it is out of the insider’s reach: a copy that the same administrator can delete or alter along with the originals is not a safeguard. There are a number of solutions on the market. At MailGuard, we offer SafeGuard for email archiving.

Get the facts

Companies are spending more on cybersecurity now than ever before, but those funds aren't always targeting the most significant dangers. There seems to be a bit of a disconnect amongst many CEOs about the sources of cyber-threats.

Studies consistently show that more than 90% of cyber-attacks are perpetrated via email, yet email security is rarely the biggest item in cybersecurity budgets. If we’re going to win the battle against cybercrime we have to get real about the nature of the threat.

I’m on a mission to help business people understand cybercrime and protect their businesses from costly attacks. If you would like to learn more about the complex cybersecurity challenges facing business today, please download my e-book Surviving the Rise of Cybercrime. It’s a plain English, non-technical guide, explaining the most common threats and providing essential advice on managing risk.


You can download my e-book for free, here.

I have repeatedly advocated the adoption of a multi-layered security approach to handling cybercrime today.

I founded MailGuard in 2001 – a cloud email security company that stops advanced email threats 2-48hrs ahead of the market. Despite the enormous scale of some of the attacks mentioned earlier, nine out of ten begin with a simple email targeting vulnerable employees.

MailGuard detects and prevents large numbers of cyberattacks every day. If you would like to discuss the preparedness of your organisation, my team are here to help.

... ... ...

Hi, I’m Craig McDonald; MailGuard CEO and cybersecurity author.
Follow me on social media to keep up with the latest developments in cybersecurity and Blockchain; I'm active on LinkedIn and Twitter. 
I’d really value your input and comments so please join the conversation.


Topics: email fraud BEC leadership Craig McDonald Business security risk management cybersecurity advice cybersecurity culture
