Jun 22 2020
IT Gone Bad: Not Taking IT O365 Insider Threats Seriously – and Suffering the Consequences
Stalking, extortion, theft, spying, even murder. These are just some of the things evil-minded IT professionals, including some of your own O365 admins, have been known to do.
In the case of Microsoft Office 365, this malfeasance is all too easy to pull off. That’s because O365 admins almost always have global credentials. If they want to spy on the CEO, it’s a piece of cake. Steal sales lead spreadsheets and sell them to your competitor? Child’s play. Harass or stalk co-workers? Simple.
A common but entirely misguided assumption many have is that IT, which controls the infrastructure, apps and data, is inherently trustworthy. But would you give your entire IT staff your ATM card number and PIN? Course not! The truth is, IT folks are just like everyone else — the vast majority are good and some aren’t. When they go bad, the damage is immense.
Too often those in IT blindly trust others in IT and give these workers higher-level privileges than they need, privileges that can be used to abuse access to corporate and personal information. According to a survey by Cyber-Ark, a third (35%) of IT pros spy on other company employees. Many times, it is simple human curiosity. Unfortunately, there are other times when critical and confidential data is lifted. The bottom line is that, just as IT controls end user privileges, IT privileges should be limited and controlled as well.
A Network World article, “What to do When the Insider Threat is IT Itself,” details the problem rogue IT presents. Here are the stats. A sizeable portion of insider breaches come from technical staff: 6% from developers and another 6% from admins, according to the Verizon Data Breach Investigations Report. Many insider incursions result from privilege abuse, though there are many other ways IT abuses its access.
“The first step in protecting your data is in knowing where it is and who has access to it,” the report reads. “From this, build controls to protect it and detect misuse.”
Great importance should be given to the moral character of your IT admins. After all, they hold a lot of power at their fingertips, especially when a sizeable chunk of the business goes through IT systems.
Giving admins too many privileges and then not tracking what they do opens the door to IT insider malfeasance.
The first defense is using role-based access control (RBAC) to grant only the privileges that are absolutely needed, and only for as long as they are needed. At the same time, have a system for tracking admin activities and let admins know tracking is in place. This alone can ward off many dangers.
Even IT should fall under strict data access privilege policies, and all network activity, including activity from IT, should be tracked for security threats.
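An added example, not from the original article or from CoreView: a minimal Python check of the two controls described above, scoped and time-bound grants plus review of admin activity against those grants. The record layout, admin names, scopes and log entries are constructed for illustration.

```python
from datetime import datetime
# Constructed sample data. The record layout is hypothetical, not a Microsoft
# or CoreView export format.
ASSIGNMENTS = [
    {"admin": "alice", "role": "Global Administrator", "scope": "tenant", "expires": None},
    {"admin": "bob", "role": "Exchange Administrator", "scope": "sales",
     "expires": "2020-06-30T00:00:00+00:00"},
    {"admin": "carol", "role": "Helpdesk Administrator", "scope": "emea",
     "expires": "2020-06-01T00:00:00+00:00"},
]
AUDIT_LOG = [
    {"admin": "bob", "action": "MailboxAccess", "target_scope": "sales",
     "time": "2020-06-20T09:00:00+00:00"},
    {"admin": "bob", "action": "MailboxAccess", "target_scope": "executive",
     "time": "2020-06-20T09:05:00+00:00"},
    {"admin": "carol", "action": "PasswordReset", "target_scope": "emea",
     "time": "2020-06-10T14:00:00+00:00"},
]
parse = datetime.fromisoformat  # ISO 8601 timestamps with UTC offset

def review_assignments(assignments, now):
    """Return (admin, finding) pairs for grants that break least privilege."""
    findings = []
    for a in assignments:
        if a["scope"] == "tenant":
            findings.append((a["admin"], "tenant-wide scope"))
        if a["expires"] is None:
            findings.append((a["admin"], "standing grant, no expiry"))
        elif parse(a["expires"]) <= now:
            findings.append((a["admin"], "expired grant still assigned"))
    return findings

def covered(event, assignments):
    """True if the admin held an unexpired grant over the target at event time."""
    when = parse(event["time"])
    return any(
        a["admin"] == event["admin"]
        and a["scope"] in ("tenant", event["target_scope"])
        and (a["expires"] is None or when < parse(a["expires"]))
        for a in assignments
    )

def review_audit(log, assignments):
    """Return audit events performed outside any valid grant."""
    return [e for e in log if not covered(e, assignments)]

if __name__ == "__main__":
    print(review_assignments(ASSIGNMENTS, parse("2020-06-22T00:00:00+00:00")))
    print(review_audit(AUDIT_LOG, ASSIGNMENTS))
```

The assignment review catches over-broad or stale grants before they are used; the audit review catches actions that no current grant justifies, which is the signal a security reviewer would follow up on.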
Meanwhile, CoreView maintains an immutable log of every administrative action, from the time the platform is put in place, for regular review by IT Security. By watching and reviewing, CoreView positively influences behavior. It is the same reason Wal-Mart and public schools have so many cameras. Not just to capture events, but to influence behavior through diligence.
Don’t Fall Victim to Evil IT
You can control bad IT actors by limiting their rights, and tracking their every action. Find out how with a personalized CoreView security demo.
ABOUT THE WRITER
Doug Barney was the founding editor of Redmond Magazine, Redmond Channel Partner, Redmond Developer News and Virtualization Review. Doug also served as Executive Editor of Network World, Editor in Chief of AmigaWorld, and Editor in Chief of Network Computing.