



7 warning signs an employee has gone rogue

Mar 02, 2015 · 12 mins
IT Jobs, IT Leadership

Trust and IT go hand in hand. Here are the red flags to watch for before you get burned

For all the emphasis on tools and gizmos, IT is still very much about the people who develop and use said tools and gizmos. Collaboration, mutual respect, passion for the work — all this and more are essential to a beneficial outcome, whether your IT group is shipping code, swatting bugs, working with business users, or securing company systems.

But as technology becomes more powerful and computer systems become increasingly rife with sensitive data, one facet of the people side of IT finds itself under increased scrutiny: Trust.

Over the past three decades, I’ve made wonderful hires, people who my gut told me were the right candidates for the job and who then went on to prove themselves beyond my wildest expectations. But every once in a while, I’ve missed early warning signs that an otherwise great candidate or talented, hardworking employee lacked, let’s call it, a strong moral compass.

When someone you admired, trusted, and invested yourself in ends up embezzling from the company, illegally accessing private emails, or using customer credit card data to buy computer equipment for their home, your incorrectly placed trust in that person will haunt you.

The truth is you can’t always tell who has the potential to go rogue. But over the course of my career, I have found a few red flags to watch out for. None is surefire, and it’s always good to give folks the benefit of the doubt. Consider the following to be less a litmus test than a set of hard-earned lessons in dealing with employees who’ve gone rogue.

Red flag No. 1: Unexpectedly fails background check

One of the best hires I’ve made over the past three decades was a woman who told me she made a horrible mistake when she was a teenager. She had been part of a group of employees on a U.S. Federal Navy base commissary who had been caught claiming customer refunds that were not real. She was prosecuted in federal court, and unlike the common throwaway line, this fraudulent act ended up on her permanent record.

During my interview with her, she was very candid about the incident and seemed very contrite. She assured me it would not happen again. The background check revealed it was the only trouble she had ever gotten in — not even a speeding ticket to her name.

I hired her and she remains a top performer 10 years later. She’s a manager now. Her employees love her, and she’s never let us down. Perhaps not surprising, she was also one of my best colleagues when it came to spotting rogue employees. This is an invaluable skill. It’s also testament to the fact that no company or employer should automatically discount hiring someone who is able to demonstrate they have left prior bad decisions behind.

Contrast that with the few other job candidates who didn’t tell me of their criminal records and instead waited for the required background check to reveal their unlawful histories. This lie by omission has become a deal-breaker for me. Usually by the time the background check comes in, I will have already hired the person and they will have started work in a provisional role. It’s quite a shock to find that someone you’ve put time and trust in hasn’t been upfront with you. Yes, many people are hesitant to reveal past criminal transgressions, but trust is either won or lost right at the beginning.

This was a hard-learned lesson. The one employee I kept on after they committed this transgression ended up stealing thousands of dollars in computer equipment from the company. I found out when he asked me to drop by his house to help diagnose possible malware on his home computer. When I entered his abode, I saw that he had a multi-thousand-dollar computer rack, computers, and networking equipment identical to what we had at work. When he realized I recognized the equipment, his expression was clear. It had been a mistake to invite me to his house, at least without first hiding the stolen equipment.

He tried to convince me it was depreciated equipment that accounting had already written off and he had verbal permission from the previous boss to take the equipment home for “training” purposes. A quick phone call and a check of the visible company serial numbers confirmed this was active equipment. Luckily most criminals aren’t exactly masterminds.

Red flag No. 2: Says past employers didn’t trust them

A saying has borne me well in life: “If you’re always the victim, you’re probably the problem.” Many employees, if not most, have had bad experiences with one or a few previous employers. Often it’s why they left. But if an employee complains about all his or her past employers, you’re guaranteed to join the list over the slightest provocation.

Here, the red flags are complaints that past employers didn’t trust them — especially if they then relate stories where common sense takes a backseat or is absent altogether. I remember one employee who complained that his old employer didn’t like him looking at executive payroll files. I did a little monitoring and found he was accessing all sorts of data he didn’t have a good reason to. I’m sure I was added to his list.

Red flag No. 3: Knows information they shouldn’t

An employee who always seems to know what is going on before it is generally announced should probably be viewed with suspicion. This may be tricky to assess at first, but here pattern recognition is your friend.

I had one employee who was always in the know. It had even become a joke around the office — this employee seemed to always have his finger on the pulse of whatever was coming. He knew when reorgs were going to happen, when someone big was hired or fired, even the littlest details.

Once, I was on the board of an employee evaluation committee for selecting the employee of the month. This employee was among the newly submitted nominations, and after some quick voting, he was elected next month’s employee of the month. The meeting adjourned right after the vote, and because the committee was aware of how quickly he found out about news, we made a point to immediately walk across the hall to where he worked and announce his award and congratulate him. Finally we would be able to surprise him.

As I went to shake his hand he passed me a note in the handshake and smiled. It read, “EOM-I know, Congratulations to myself!” Mind you this was before cellphones, and I was in the room with all the voters, and no one left early. Everyone chalked it up as yet another story that backed up his uncanny ability to sense the future.

It turns out that his uncanny ability was in remotely monitoring PC microphones and even hidden video cameras. He was eventually caught taking video of people in bathrooms — a serious felony.

Red flag No. 4: Says they can hack a coworker or company systems

Most employees who hack coworkers tell other coworkers that they can easily hack coworkers or company systems. It’s strange but often true. If a disgruntled employee verbalizes what they could do if they wanted to, consider yourself warned. In most cases, no one tells leadership about the threat, thinking nothing of it, or if they do, leadership blows it off.

Lesson learned. Verbalizing such a sentiment should be enough to take action. First, educate your employees to report these passive-aggressive threats. When they are reported, take them seriously. Have management talk to the employee with an HR representative present, and search the employee’s hard drives for hacking tools and evidence of unauthorized access.

This also applies to employees caught with unauthorized hacking tools (if hacking tools are not part of their job). Ditto for employees found with collections of other users’ passwords (if having those passwords is not part of their job).

If an investigation reveals the employee has not been actively hacking in an unauthorized manner, they should be warned that such behavior is not condoned and can result in their immediate dismissal, and their actions should be heavily monitored for a set period.

You may think I’m being too tough, but decades of experience have taught me to nip these threats in the bud. I’ve found a few employees with data they should not have, and I believe treating the event seriously can help remind innocent employees to toe the line and stay out of trouble.

Red flag No. 5: Switches screens away from company assets as you walk up

The scenario plays out often: Stop by a cubicle, and watch the coworker quickly flip to a new screen. More than likely they are trying to hide the fact that they are goofing off and not doing company-related work.

But if you see them switching screens when they are obviously working on company assets, that is a huge red flag. Any company website or database they are working in should be able to be seen by a team leader. If this happens more than a few times, make sure you investigate properly.

Red flag No. 6: Never takes vacation

An old accounting canard says to be wary of employees who never take vacations. Because they have to constantly cover up their tracks so they don’t get caught, they simply can’t take a day off. This is why many companies force employees to take vacation.

I once worked with a woman who had been at the company for more than four decades. She was a hard worker, loved by everyone, although a bit cranky at times. She also never took a vacation, even when threatened. I was her boss for five years. At every annual review I would note that she didn’t take a vacation and I would cajole her to take one. She would say something nice or funny in response and say she would soon. But the next year would roll around and still no vacation.

The third year I threatened to fire her if she wouldn’t take a vacation. I even marked down her review score and reduced her bonus. Still she did not take a vacation, but I couldn’t follow through with the threat. She had been with the company so long, and I had a soft spot for her, as everyone did.

In the fifth year we forced her to take a week’s vacation. Lo and behold she continued to show up during the week to “see how things were going” in her absence. I physically had to escort her off the premises. I was truly worried about her health given how much she worked.

Then the checks started to arrive — it turned out she was getting kickback checks from all sorts of telco-related companies for more than 20 years. She had also given her son a job doing telco in the company, one for which he never showed up, and the company was paying for both their cars. In total, she had stolen more than half a million dollars over the course of 20 years.

This sweet older woman who everyone treated like the company grandmother had fleeced the organization. Don’t let sentiment get the best of you.

Red flag No. 7: Leaves the company angry

Involuntary separation of employment is never easy on an employee, even in the best of circumstances, when not the result of the employee’s actions. A layoff can come as a complete surprise to an employee, and it can hit at a difficult time in that employee’s life. While a little venting might be expected, it can cross a line. Add to that mix a dedicated employee who has had lots of superadmin privileges for years with remote access, and you could have an impending disaster on your hands.

Of course, every separation of employment should involve the disabling of the ex-employee’s log-on accounts. Many times, failing to do so is the mistake made by victim companies. But often that long-term superadmin employee is also aware of shared admin account passwords (a practice that should never be implemented) and may know other employees’ log-on names and passwords. This can become especially complicated in certain circumstances. While the average employee may have 10 to 15 different systems with different log-on credentials, that number skyrockets for admin employees.

Any system located on the Internet or a partner network should be scrutinized in depth. Any log-on credentials the employee might have known or might have used must be changed. Elevated service accounts, whose passwords are often not changed for years and widely known, should be changed as well. And be sure to investigate for any evidence of other accounts and passwords the ex-employee might have known about. Those, too, should be changed.
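The separation checklist above can be turned into a repeatable plan. The sketch below is an added example, not something from the original article: it walks a credential inventory and lists what to disable or rotate when an admin leaves, with Internet- and partner-facing systems first. The `Credential` fields, account names, and sample inventory are all constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Credential:                 # hypothetical inventory record
    name: str
    kind: str                     # "personal", "shared_admin", "service", "other_user"
    exposure: str                 # "internet", "partner", "internal"
    owner: str = ""
    known_by: set = field(default_factory=set)
    elevated: bool = False

# Externally reachable systems are handled before internal ones.
EXPOSURE_RANK = {"internet": 0, "partner": 1, "internal": 2}

def offboarding_plan(inventory, departing):
    """Return (action, credential, reason) tuples for a departing user."""
    plan = []
    for c in inventory:
        if c.kind == "personal" and c.owner == departing:
            plan.append(("disable", c, "ex-employee's own log-on"))
        elif departing in c.known_by:
            plan.append(("rotate", c, "password known to ex-employee"))
        elif c.kind == "service" and c.elevated:
            # Elevated service accounts are treated as widely known.
            plan.append(("rotate", c, "elevated service account"))
    plan.sort(key=lambda p: (EXPOSURE_RANK[p[1].exposure],
                             p[0] != "disable", p[1].name))
    return [(action, c.name, reason) for action, c, reason in plan]

# Constructed sample inventory; "jdoe" is the departing admin.
INVENTORY = [
    Credential("jdoe@vpn", "personal", "internet", owner="jdoe"),
    Credential("jdoe@ad", "personal", "internal", owner="jdoe"),
    Credential("root@fw-edge", "shared_admin", "internet",
               known_by={"jdoe", "asmith"}),
    Credential("asmith@ad", "other_user", "internal", owner="asmith",
               known_by={"asmith", "jdoe"}),
    Credential("svc-backup", "service", "internal", elevated=True),
    Credential("sftp@partner-portal", "shared_admin", "partner",
               known_by={"jdoe"}),
    Credential("bwong@ad", "other_user", "internal", owner="bwong",
               known_by={"bwong"}),
    Credential("svc-print", "service", "internal"),
]

if __name__ == "__main__":
    for action, name, reason in offboarding_plan(INVENTORY, "jdoe"):
        print(f"{action:8} {name:22} {reason}")
```

The plan is only as good as the `known_by` data, which is why the article's advice to investigate for other accounts and passwords the ex-employee might have known still applies.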

Postscript: Not everyone is a rogue in the making

For many of you, the above warning signs may be familiar. You may have encountered one or two of them even in the past week. In fact, some of you may remember times when you exhibited one of these warning signs (but certainly never hacked your employer). That’s the hard part about spotting rogue employees. People don’t always make the best decisions.

While it’s good to keep an eye out for folks who may be engaged in illegal activities at work, be sure to take a measured approach. Give additional responsibilities as earned trust allows. Sometimes your paranoid suspicions will be only that.



Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
