How rogue employees endanger your data

Imagine user error that isn’t accidental; that’s the threat of a rogue employee. While some disgruntled users make headlines for violent acts against their co-workers, the vast majority of revenge-seeking employees act out by stealing office supplies, cursing their managers, or by sabotaging company computer systems.

Typically, rogue employees damage Office 365 environments in cases where administrators can’t or don’t know to lock the departing employee out of Office 365 before the worker is notified of her termination. When the departing employee returns to clean out his desk, he can also clean out his Exchange inbox (full of vital client emails), personal folders (home to several shared, irreplaceable sales spreadsheets), contacts (filled with vital supplier email addresses) and calendar (where delivery schedules are maintained).

Photo by Sergiu Nista on Unsplash

Photo by Sergiu Nista on Unsplash

It may not require a firing; employees can “burn” a domain before leaving for another job, or simply because they feel slighted by your organization. Regardless, imagine all the damage random user error can inflict, but magnified by an angry employee who knows exactly what data your company can least afford to lose.

Why Office 365 can’t stop rogue employees

We’ve said it before and we’ll say it again: Microsoft can’t distinguish between “good” employees and “bad” any more than it can distinguish between intentional or accidental commands. If someone with legitimate access to your Office 365 data wants to do it harm, there’s nothing Microsoft can do to stop it.

What a rogue employee can cost you

Much like a security breach, a rogue employee can delete all the data in a single Office 365 account. Damages might range from a minor inconvenience (contact information is lost) to a major impact (customer account details could be deleted or compromised), which is why organizations need to be vigilant

How to defend against rogue employees

The most effective defense against rogue employees is also the easiest: Change an employee’s password or suspend an employee’s Office 365 account before firing him. It should be policy that the first person to find out an employee has been terminated should be the HR department, followed by the Office 365 administrator, then followed by the employee. Any other order gives the employee time to do damage to your data before his or her access is suspended. In addition, if the employee used Office 365 via a mobile device, you can remove or remotely wipe their device from the Admin console.

Organizations should also be more proactive in monitoring user behavior on the platform. If an employee is suddenly downloading sensitive information from multiple project sites, outside of normal site usage or historical patterns, that may be a sign of rogue behavior. Regular audits of usage patterns can often identify these kinds of irregularities before they get out of hand.

Christian Buckley

Christian is a Microsoft Regional Director and M365 Apps & Services MVP, and an award-winning product marketer and technology evangelist, based in Silicon Slopes (Lehi), Utah. He is the Director of North American Partner Management for leading ISV Rencore (, leads content strategy for TekkiGurus, and is an advisor for both revealit.TV and WellnessWits. He hosts the monthly #CollabTalk TweetJam, the weekly #CollabTalk Podcast, and the Microsoft 365 Ask-Me-Anything (#M365AMA) series.