Given the chance and skills, would you hack your employer?

Matt Middleton-Leal

In the past, you may have been asked what mischief you would cause were you invisible? Or perhaps what you would do, could you travel back in time? The modern-day equivalent might be to think about what you would do if you had advanced cyber skills.

If you work in an office, you know that you can’t just access any data you want. Some files are locked away from the everyday employee: out of sight, out of mind.

Whether it’s your boss’ bonus, private emails between colleagues, company financials, performance reviews, or information about yet-to-be-launched products and services, access to information is limited.

But given the chance, what company systems or online accounts would you want to access? We recently discovered that even the happiest employees could be tempted to access sensitive company information if they knew they wouldn’t get caught. In fact, more than half of office workers would want to look at company data – from other colleagues’ salaries, to conversations about themselves, and HR information.

Browsing company data is one thing, but we now know that cyber criminals are increasingly altering information on servers and databases.

What’s also frightening is that, given the opportunity, everyday office workers would jump at the chance to change information on their employer’s system if they knew they wouldn’t get caught. The motives mainly centred around time and money, with nearly a third saying that they would treat themselves to a pay-rise and one in five rewarding themselves with extra holiday days.

Taking on the internet

But why stop at your own company? We found that nearly a quarter of people would take free holidays, and the same number would also add funds to their bank accounts. Others had more political motives, such as stopping immoral companies from operating, viewing secret government intelligence, or changing the law.

Far from being stopped by intrinsic morality, one in five employees say their technical ability holds them back. With cyber skills advancing all the time, companies must be more alert to monitor and stop unwanted insiders in their tracks, and to protect their most valuable information from whoever wants to get their hands on it.

The real cybercriminals

By thinking about what we personally would do with advanced cyber skills, we can start to imagine the havoc professional cybercriminals could cause if they made their way inside – undetected – to attack the heart of the enterprise.

While these findings highlight the potential mischief that employees can get up to without proper access controls, it’s also an important reminder that insiders – or cyber attackers posing as insiders – present one of the greatest security threats to organisations today. So what can organisations do to stay in control?

Here’s three tips:

Look closer at the business

Organisations often vastly underestimate the number of high value application and admin accounts on their network. Each one of these needs managing and securing to make sure that they don’t become a point of vulnerability.

Back to basics

Basic controls are still essential in protecting businesses from cyber threats. This includes creating one-time passwords, automatically changing them on a 30 or 60 day cycle, and – of course – making them as complex as possible


Collaboration has a huge role to play in keeping businesses safe. By talking to industry peers and colleagues about their experiences, everyone can learn about how risks are changing.

Matt Middleton-Leal is vice president, UKI and Northern Europe, at CyberArk.

Related articles