December 3, 2021

Insider Activity – Employee Sabotage and Pre-Emptive Disaster Recovery

Ask the owner of any company about security and they will reel off a check list ranging from firewalls and anti-virus software to the locks and burglar alarms for their buildings. Yet it does not occur to them that their most trusted asset – their employees - could be more deadly than the most dangerous virus. It is often said that a company is only as strong as its weakest link and in the majority of cases, this weakest link will be their employees. When threatened, employees can be prone to irrational actions, and consequently the most reliable and hard working, dedicated employee has the potential to turn into an ‘insider’, intent on revenge and sabotage.

In 1996 Timothy Lloyd planted a logic bomb in Omega Engineering's network after discovering that he was going to be fired. The results were overwhelming, causing an estimated $12 million in damages to Omega's systems and networks. The company was forced to make 80 employees redundant and it cost a leading electronics firm its position in a competitive marketplace. This may sound like an extract from a Hollywood film, but it was not a one off occurrence. Many businesses are victims of their own employees deliberately acting against the best interests of the company.

The behaviour of these ‘insider’ saboteurs can range from a member of the IT team using their intimate knowledge of the systems to bring the company to its knees by ‘crashing’ servers, destroying back-up tapes, or like Timothy Lloyd, planting logic bombs. On the other hand, non-IT employees could steal a colleague’s laptop or hard drive containing essential sales data, delete mission-critical information or documents either to further their own career or reap revenge on their management team.

The stigma attached to employee sabotage means that many businesses will never admit to this happening within their walls. William Malik, Vice President and Research Director for the Gartner Group, said, “Most firms would rather go public with the news that their Chief Executive Officer was an active alcoholic, than the news that there was an insider security problem.” As a result, regardless of industry or size of the company, employees the world over are holding their bosses to ransom and threatening to destroy their businesses.

Why Does This Happen?

Working practices over the past fifteen years have changed dramatically, a job for life no longer exists no matter how dedicated the employee is to the company. This shift in mindset is exacerbated by an economic climate where companies have to dramatically cut costs and make staff redundancies in order to stay afloat. Consequently these measures, combined with decreasing job security, the use of outside consultants and general outsourcing, all result in a destabilisation of an employees’ working environment. These factors can be intensified by a lack of internal communication and an apparent disregard for those involved, creating the impression that those running the businesses are hostile to the needs of their employees. This all-too-familiar chain of events can sometimes lead to irrational actions against those in positions of authority and increases aggressive internal competitiveness within the company, leading to an isolationist atmosphere of “them and us.”

Despite previous behaviour and background, any employee has the potential for ‘insider’ behaviour. Their triggers can range from desperation to succeed (at whatever the cost) to revenge at being made redundant or being given little recognition (whether career led or financial).

‘Explorers’ are the most innocent ‘insiders’ and apply to both technical and non-technical employees. These people, as a result of sheer curiosity, unknowingly commit violations or delete items while exploring the system.

‘Samaritans’ tend to be technical and believe that despite illegally hacking into systems and fixing errors, they are doing this for the benefit of the company. This naivety can be turned against the management, if their position within the company is threatened.

‘Hackers’ are those who continue to hack into internal systems once hired by a company. A sub-group of this category is known as ‘Golden Parachuters’. Like Timothy Lloyd this type of ‘insider’ installs logic bombs in systems to act as ‘job insurance.’ When their activities are discovered, these will then be diffused in exchange for severance options or will be detonated once the employee has left the company.

Avengers’ are the typical disgruntled employees who have suffered from career setbacks, such as failing to receive a raise or promotion or have been made redundant. As a result of this, they decide to take matters into their own hands with their actions ranging from the odd document being deleted to rendering a server useless and deleting back-up files. In extreme cases, confidential information is either leaked to the public or taken to competitors.

‘Machiavellian’ ‘insiders’ use malicious activities to further their career, whether it is planting logic bombs as bribery or stealing a colleague’s hard drive. Such actions tend to be triggered by colleagues or competitors within the company rather than the company or management itself. For example, this is prevalent in the cut throat life of the sales team, where jobs and positions depend upon their targets and figures.

‘Exceptions’ tend to be affected when a series of events make them feel that they are not being appreciated for the work that they have been doing. These tend to be long serving employees with a background of dedication to the company. The actions of an exception ‘insider’ range from being deliberately difficult when with working with others, not providing essential information, deleting documents and taking advantage of email and web access and using them “in lieu of a decent wage.”

What Can Be Done?

There are two problems where employee sabotage is concerned. In the current economic climate, it is impossible to avoid antagonising employees with decisions that are essential to secure the stability and future of a business. There is also the stigmatism that is associated with ‘insider’ sabotage. Admitting that a trusted employee has been working against the company can damage both internal and external reputations and trust. In addition, the internal reaction towards this phenomenon can also be detrimental for morale – no-one likes to think that the person they are working with is actually working against them.

Employee sabotage cannot be prevented, but a well-placed disaster recovery programme can pre-empt the disruptive effects of such attacks. The main aim of any ‘insiders’ is to disrupt the company enough to cause permanent damage. This usually involves cutting off access to, or destroying data. An insufficient back-up plan, relying on solutions such as tape that could either be destroyed or tampered with, could prove to be the deciding factor in whether a business can bounce back from an attack or be irreparably damaged. By ensuring that a comprehensive off-site data back-up plan is in place, where information is automatically saved away from the business via the Internet, with minimal human intervention, company property will be safe from attacks by the likes of ‘exception’ and ‘avenger’ ‘insiders’. Consequently, if an attack does occur, the data can be restored within minutes even if the on-site systems are in jeopardy.

In conclusion, it is impossible for a company to have a ‘trust no one’ strategy towards its employees. The possibility of an internal attack is always going to be an issue. However being aware of the potential problem is for many companies, the hardest part of the battle. At the same time adopting a more philanthropic attitude towards employees, especially during a restructuring period, might diffuse the possible threats of employee sabotage. Taking this strategy and combining it with an all-encompassing off-site data back-up plan will ensure that the IT assets that saboteur intends to destroy, and the business itself, is kept safe.


DataFort provides dependable secure off-site computer information storage with a focus on functionality and convenience for the end user. The company was founded in 2000 and is headquartered in Guildford, UK and New York, USA. It’s software and services are used by thousands of businesses worldwide - ranging from small SMEs and schools through to quoted companies and local government. Every hour of every day someone, somewhere backs up with DataFort.


Marcie Terman
T: +44 (0) 1483 872 052