Insider Threat Awareness: Preventing Attacks from Disgruntled Ex-Employees


Many people have had jobs they disliked, and perhaps even fantasized about quitting in dramatic fashion. But most would never go as far as taking down the organization’s systems on the way out the door. Unfortunately, there are exceptions. Organizations are often so focused on external attacks that they forget a bigger danger can sometimes be within their own walls. Insider threats are not limited to careless employees. Dissatisfied employees, or resentful ex-employees who have just been let go, pose a unique risk given their knowledge of the organization and their vengeful motivations. Keep reading to learn about a recent example of the damage insider attacks can cause, and how your organization can prevent them.

Fixing a Security Hole

WordPress Multilingual (WPML) discovered last month that it had been hacked when a mass message was sent to all of its users from someone claiming to be a security researcher, informing them of unpatched security holes that had been ignored by the WPML team. WPML sent a follow-up email ardently disputing the accusations and letting its customers know that it had been hacked by a former employee. The employee had created a backdoor prior to leaving the company, allowing him to easily get back into the system and access the customer database. He also left a copy of the original email on the site as a blog post.

WPML is now burdened with the task of rebuilding its server to remove the backdoor and reset customer passwords. While this was certainly a blow to their reputation, the one advantage in this case is that the organization learned right away that they had been hacked. Many other companies aren’t so lucky. Punjab National Bank, for example, didn’t detect an employee using unauthorized access to provide fake guarantees to jewelers for over five years. This resulted in $2 billion worth of guarantees and fallout that continues to this day.

Preventing Attacks with Insider Threat Indicators

Though there aren’t many encouraging things to be said about these stories, one bright spot is that these attacks have increased insider threat awareness. Learning about the damage through global headlines continues to spur organizations into taking action to ensure they are only in the news for positive reasons.

So how can you protect your organization from insider threats? First, ensure you’re following best practices. This includes having procedures in place for when an employee leaves, regardless of whether it’s on good or bad terms. Their access to every aspect of the organization should be immediately terminated, from user accounts to keys to the building.  
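One way to check that offboarding actually removed access, shown as an added example that is not part of the original article: it maps every account to the person who owns it, so secondary admin accounts are caught along with the primary login. All names, systems, dates and log lines are constructed sample data.

```python
from datetime import datetime, timezone

# Constructed sample data (hypothetical names, not from any real system).
HR_DEPARTURES = {  # username -> last working moment (UTC)
    "jdoe": datetime(2019, 1, 11, 17, 0, tzinfo=timezone.utc),
    "asmith": datetime(2019, 1, 18, 17, 0, tzinfo=timezone.utc),
}
ACCOUNTS = [  # (system, account, owner, enabled)
    ("directory", "jdoe", "jdoe", False),
    ("web-admin", "jdoe-admin", "jdoe", True),   # missed during offboarding
    ("vpn", "asmith", "asmith", False),
    ("directory", "bwong", "bwong", True),       # current employee
]
AUTH_LOG = """\
2019-01-10T09:02:11Z web-admin jdoe-admin LOGIN_OK 198.51.100.7
2019-01-19T23:41:05Z web-admin jdoe-admin LOGIN_OK 203.0.113.24
2019-01-20T08:15:40Z vpn asmith LOGIN_FAIL 203.0.113.90
2019-01-20T08:30:02Z directory bwong LOGIN_OK 198.51.100.12
"""

def audit_offboarding(departures, accounts, auth_log):
    """Return (still_enabled, post_departure_events) for departed users."""
    owner_of = {(system, acct): owner for system, acct, owner, _ in accounts}
    still_enabled = [
        (system, acct, owner)
        for system, acct, owner, enabled in accounts
        if enabled and owner in departures
    ]
    events = []
    for line in auth_log.splitlines():
        ts, system, acct, outcome, src = line.split()
        owner = owner_of.get((system, acct))
        if owner not in departures:
            continue  # unknown account or current employee
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if when > departures[owner]:
            # Failed attempts count too: they show someone is still trying.
            events.append((ts, system, acct, outcome, src))
    return still_enabled, events

if __name__ == "__main__":
    enabled, events = audit_offboarding(HR_DEPARTURES, ACCOUNTS, AUTH_LOG)
    for row in enabled:
        print("STILL ENABLED:", *row)
    for row in events:
        print("ACTIVITY AFTER DEPARTURE:", *row)
```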

Second, pick security solutions with insider threats in mind. Below are three solutions that will bolster your security without sacrificing productivity:

  • Endpoint Security Auditing – A good security auditing solution is able to automatically detect and send an alert about any changes to critical system or website content files. It would have caught the changes that the ex-employee at WPML was making as he created the backdoor to access the customer database and as he further defaced the WPML website. These solutions provide protection from intrusive entities that target your servers and other assets on your network. Beyond detecting changes to file contents, these solutions can enforce proper auditing rules and separation of duties permissions, alerting the security team when even the slightest change is detected, automating security administration across all environments.


  • SIEM – SIEM (security information and event management) is software that centrally analyzes security data pulled from a variety of systems, including antivirus applications and financial applications like the one exploited in the Punjab National Bank case. SIEM solutions provide helpful insights through data normalization, real-time updates, and threat prioritization, and they reduce the number of interfaces in need of monitoring. Combining automated system security auditing, as described above, with a SIEM solution could very well have made the fraudulent behavior visible to the security team sooner rather than later.


  • Privileged Access Management – Privileged Access Management (PAM) solutions are ideal for reducing insider threats. The Punjab National Bank case shows just how catastrophic unauthorized access can be. PAM solutions enforce the principle of least privilege, which mandates that users only have the access necessary for their job functions. This is ideal for guarding against inside attacks, since employees require some access to complete their job, but not universal access, which can be all too tempting to exploit.
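The change detection described in the Endpoint Security Auditing item above can be sketched as a baseline-and-compare over a web root. This is an added example, not code from the article or from any product it mentions; the directory layout and file contents are constructed, and POSIX path separators are assumed.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def diff(baseline, current):
    """Return sorted lists of added, modified and removed relative paths."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in shared if baseline[p] != current[p]),
        "removed": sorted(set(baseline) - set(current)),
    }

def demo():
    """Build a constructed web root, change it, and report the drift."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content", "plugins"))

        def write(rel, text):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(text)

        write("index.php", "<?php // front controller\n")
        write("wp-content/plugins/forms.php", "<?php // plugin v1\n")
        baseline = snapshot(root)  # taken at a known-good deployment

        # Constructed changes standing in for edits nobody deployed:
        write("wp-content/plugins/forms.php", "<?php // plugin v1 + extra handler\n")
        write("wp-content/helper.php", "<?php // file not in any release\n")
        write("notice.html", "<h1>unexpected post</h1>\n")
        return diff(baseline, snapshot(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Keep the baseline somewhere the web server's own administrators cannot rewrite, since an insider who can edit both the files and the baseline leaves nothing to compare against.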


Many experts predicted at the start of 2019 that insider threats would wreak havoc throughout the year. If the WPML incident is any indication, this prediction may quickly come true. Prove the experts wrong by taking action to protect your organization from insider threats, be they in the form of a bitter ex-employee or the inadvertent click opening a malicious email.

