A recent federal case is a brutal reminder of a reality many organizations still underestimate:
The biggest cybersecurity threat is not always an external attacker.
Sometimes, it is someone who already has privileged access.
According to the U.S. Department of Justice, a former federal contractor was recently convicted after prosecutors said he and his co-defendant deleted approximately 96 government databases after being terminated from their employer. The systems reportedly supported more than 45 federal agencies and included Freedom of Information Act records and sensitive investigative files. (justice.gov)
The case alleges the individuals used their existing access, attempted to cover their tracks, deleted databases, and even searched for ways to clear logs after the attack. (justice.gov)
This is not just a federal contractor problem.
This is an MSP problem.
And it is exactly why Privileged Access Management (PAM) cannot be treated as optional anymore.
The Real Risk Wasn’t the Hack. It Was the Access.
Most organizations spend enormous amounts of time focusing on perimeter security:
- Firewalls
- Endpoint detection
- Email filtering
- Threat intelligence
- Vulnerability management
All of those matter.
But once someone already has administrative access, many traditional defenses become significantly less effective.
That is the uncomfortable reality exposed in this case.
The reported damage did not come from a sophisticated nation-state exploit chain. It came from privileged access being available at the exact moment it should have been restricted, revoked, segmented, monitored, or isolated.
For MSPs, this problem becomes exponentially larger.
A single technician account often has access across:
- Multiple customer environments
- Shared admin accounts
- RMM systems
- Microsoft 365 tenants
- Servers
- Network infrastructure
- Backup platforms
- Security tooling
When privileged access is centralized, persistent, shared, or poorly segmented, one insider event can become a multi-client disaster.
Shared Admin Accounts Create Massive Blind Spots
One of the biggest issues in MSP environments is the continued use of shared administrator accounts.
Organizations often justify this with convenience:
- Easier onboarding
- Easier scripting
- Easier management
- Legacy tooling dependencies
But shared accounts create three major problems:
1. No True Accountability
If five technicians use the same admin account, who actually performed an action?
You may have logs showing the account.
You may not have logs showing the person.
That becomes a major issue during:
- Security investigations
- Cyber insurance claims
- Compliance audits
- Legal disputes
- Insider threat incidents
2. Access Persists Longer Than It Should
When accounts are shared or passwords are reused, offboarding becomes dangerous.
Even after termination:
- Passwords may still be known
- Cached credentials may exist
- Scripts may still function
- Vault exports may remain accessible
- RMM access may persist temporarily
Minutes matter during termination events.
3. Least Privilege Usually Doesn’t Exist
Most shared admin environments unintentionally grant technicians far more access than they actually need.
That means a compromised or malicious insider can often move laterally far beyond their intended responsibilities.
The Critical Question: How Fast Can You Remove Access?
In the DOJ case, prosecutors allege activity began within minutes of termination. (justice.gov)
That timeline matters.
Because in real-world incidents, organizations often discover:
- Offboarding processes are manual
- Password rotations are delayed
- Shared credentials remain valid
- Documentation systems still expose credentials
- VPN sessions remain active
- Cached authentication tokens persist
The speed of revocation becomes the difference between a contained event and a catastrophic one.
This is where modern PAM changes the equation. TechIDManager could have revoked one technician’s access, everywhere within minutes through one click of a button. (TechIDManager.com)
What Proper PAM Should Actually Do
Privileged Access Management is often misunderstood as simply being a password vault.
That is not enough.
Modern PAM should:
Eliminate Shared Admin Accounts
Every technician should have their own unique administrative identity.
Not just for Microsoft 365.
For:
- Windows domains
- Local administrator access
- Entra ID
- macOS systems
- Servers
- Workstations
Enforce Least Privilege
Technicians should only receive the rights required for their role.
Not global admin “just in case.”
Rotate Passwords Automatically
Passwords should rotate automatically and frequently.
Not every 6 months.
Not every 90 days.
Ideally daily or immediately after sensitive events.
Support Immediate Revocation
If a technician leaves the company, access removal should happen quickly and consistently across all managed environments.
Not through a manual checklist spread across dozens of systems.
Maintain Full Auditability
Organizations need the ability to answer:
- Who accessed what?
- When?
- From where?
- What credential was used?
- Was it approved?
- Was it temporary?
That visibility matters for security, compliance, and liability.
Why MSPs Are Uniquely Vulnerable
MSPs sit in one of the most dangerous positions in cybersecurity.
Because MSPs are force multipliers.
A single technician account can potentially touch:
- Hundreds of endpoints
- Multiple customer tenants
- Backup systems
- Security platforms
- Identity providers
- Documentation systems
- Remote access tooling
Attackers know this.
Malicious insiders know this.
Cyber insurers know this.
Regulators know this.
That is why more frameworks and insurers are increasingly focusing on:
- Unique technician accounts
- MFA enforcement
- Privileged access controls
- Least privilege
- Audit logging
- Just-In-Time access
- Password rotation
The days of “everyone uses the same domain admin account” are ending.
Security Cannot Depend on Trust Alone
Most insider incidents are uncomfortable because they involve someone the organization trusted.
But security architecture cannot rely solely on trust.
It has to assume:
- Accounts may become compromised
- Employees may become disgruntled
- Contractors may retain knowledge
- Access may be abused
- Human behavior changes
That does not mean treating employees like criminals.
It means designing systems where a single individual cannot easily create catastrophic damage.
Good security limits blast radius.
The Bigger Lesson From This Case
The DOJ case is extreme.
But the underlying problem is common.
Too many organizations still operate with:
- Shared credentials
- Persistent admin rights
- Incomplete offboarding
- Manual password management
- Weak audit trails
- Excessive technician access
Those conditions create risk long before an insider event occurs.
And when something finally happens, organizations often realize their controls were built around convenience instead of containment.
The MSP Industry Needs to Mature Beyond Shared Access
MSPs are increasingly becoming security providers, compliance advisors, and infrastructure custodians.
That responsibility requires stronger operational security standards.
Not eventually.
Now.
The organizations that continue relying on shared admin accounts and loosely controlled privileged access are carrying significant operational, legal, compliance, and cybersecurity risk.
Modern PAM is no longer about checking a compliance box.
It is about ensuring that:
- One employee cannot impact every client
- Terminations do not become emergencies
- Privileged access is controlled and auditable
- Administrative rights are temporary and scoped
- Security scales with the MSP
Because when privileged access is unmanaged, the real question is not whether risk exists.
It is how much damage one account can do before someone notices.
The speed of access revocation can determine whether an incident is contained or catastrophic.
Schedule a demo to see how TechIDManager helps MSPs automate privileged account management with unique credentials, centralized auditing, and immediate access control across customer environments.

