Every company runs into a disgruntled ex-employee at some time or another. If you’re doing security well, you have a well-documented set of policies and procedures for locking accounts and freezing access after an employee is terminated. That’s if you’re doing security well, and most companies struggle even in this seemingly basic area. So before you read on, please consider a thought exercise in what systems a potential ex-employee would have access to, how to quickly lock those systems out upon termination, and how to monitor for suspicious activity.

Even with the best identity and access management plans in full effect, ex-employees can still cause quite a bit of headache. Please welcome John Kelsey Gammel, a 46-year-old from New Mexico to the scene. He was fired from Washburn Computer Group, a point-of-sale system repair company in 2015. On November 2017, he was charged with hiring cybercriminals to perform a series of sustained DDoS attacks against his ex-company’s infrastructure over a two-year period.

As if this wasn’t enough, Gammel was charged with paying criminals to launch cyber-attacks on a local Minnesota Judicial Branch. And the idiot (if we may use artistic liberty) didn’t stop there… According to this 2018 press release from the Department of Justice, Gammel directed computer attacks toward dozens of websites.

In this age of ever-increasing cybercrime, companies need to be extra vigilant. This starts with a cybersecurity maturity assessment which will highlight gaps in security best practices. These assessments often lead to recommendations around better detective and protective mechanisms. To protect against a DDoS attack, companies can actually subscribe to web-based services such as CloudFlare. To protect against guys like John Gammel, employee screenings and background checks can and should be performed upon hire and throughout employment.