Businesses put a lot of effort into stopping attacks from external hackers and other criminals. But often it’s those with insider access to the company’s IT systems who can cause the most damage.
A 2011 study conducted by security firm Kroll found that among incidents of fraud in which the perpetrator was known, 60% involved an employee of the company or one of its business partners. That was up from 55% in the previous year’s study.
That’s a distressing figure, but it shouldn’t be surprising. Many security attacks are crimes of opportunity, and often that means an employee or other insider notices a way to steal data without being caught.
According to Carnegie Mellon University’s CERT program, the two most common types of insider attack are:
- IT sabotage, in which disgruntled current or former employees use their access to disrupt the company’s computer system, and
- intellectual property theft, in which exiting employees take proprietary information.
One thing those kinds of incidents have in common: They’re most often carried out by people who are no longer with the company. In the case of sabotage, those attacks are often performed by disgruntled people after they leave their jobs. And departing workers often commit intellectual property theft to bring that information to new employers.
In one recent example of an attack, a former employee of Quebec-based IT security firm Concepta, Inc., was caught after hiring a company to conduct attacks against his former employer. While he was eventually caught, the attacks continued for nine months while the company investigated.
One of the most notable incidents of ex-employee sabotage occurred in 2008 when Terry Childs, then a network administrator for the city of San Francisco, was arrested after refusing to give the passwords for the network he designed to city officials. After 12 days in jail, he gave the passwords to the city’s mayor. In the meantime, employees were unable to access police records, payroll data and other information.
Childs claimed he was simply doing his job and refusing to give passwords to people who weren’t authorized to know them. But city officials claimed Childs was trying to make himself indispensable because he knew he was about to be let go.
A court agreed with the city’s version of events and ordered Childs to pay a $1.5 million fine.
Information is often stolen by departing employees to help them land new jobs.
One court case from last year involved an employee who left a company to work for a competitor and used documents stolen from the former employer in order to poach customers on behalf of his new organization.
The lawsuit highlights the fact that stopping this kind of insider threat can be difficult. The judge wouldn’t hold the ex-employee accountable for taking the data because he was authorized to access the data when he took it. While bringing it to another organization may have violated the company’s policy, it didn’t violate the law.
One tool experts recommend to keep ex-employees from sharing data with competitors: a confidentiality agreement. That could give the company some power if it has to take legal action against an ex-employee.
Prevent insider attacks
Many organizations are at risk of insider security attacks, according to a report from security vendor Venafi.
According to the survey of 500 IT pros:
- 36% said they would be able to hold their company ransom by refusing to turn over encryption keys
- 31% said if they left the company, they could continue using their privileges to access sensitive information, and
- 43% said they’d be able to cause havoc for their current employer if they left the company.
While IT employees often present the highest risk, any worker with access to sensitive data can pose a problem — in other words, almost every employee in the office.
One way to prevent problems is to make sure all departments communicate with IT when staffing changes are made so that access privileges can be removed accordingly. That includes not only terminations, but also when employees change roles.
A good rule of thumb is also to limit the access employees have in the first place to only what they need to do their jobs.
IT should also take care, and conduct additional monitoring, when employees who have access to especially sensitive information leave the company. CERT recommends checking email logs for messages sent within 30 days of the resignation that go to addresses outside the company and either contain attachments or are above a certain size. For some employees, if a large number of those messages are found, it could be cause for suspicion.
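
One way to run the email-log check described above, as an added example that is not from the original article or from CERT. The log columns, the example.com domain, the 5 MB size threshold, the count of three messages, and reading "within 30 days" as 30 days either side of the resignation date are all assumptions, and the log rows are constructed sample data.

```python
import csv
import io
from datetime import date, datetime

# All values below are assumptions for illustration, not from CERT or the article.
INTERNAL_DOMAINS = {"example.com"}   # the company's own mail domains
SIZE_THRESHOLD = 5 * 1024 * 1024     # "above a certain size": tune per environment
WINDOW_DAYS = 30                     # the 30-day window around the resignation date
ALERT_COUNT = 3                      # what counts as "a large number" is a local call

# Constructed sample log (one row per message; recipients separated by ';').
SAMPLE_LOG = """ts,sender,rcpts,bytes,attachments
2024-01-10T08:00:00,jdoe@example.com,jdoe.home@mail.test,9000000,2
2024-02-20T09:12:00,jdoe@example.com,jdoe.home@mail.test,120000,1
2024-02-25T17:40:00,jdoe@example.com,boss@example.com,8000000,3
2024-03-02T22:05:00,jdoe@example.com,boss@example.com;jdoe.home@mail.test,7000000,0
2024-03-10T11:30:00,jdoe@example.com,vendor@partner.test,4000,0
2024-03-14T23:50:00,jdoe@example.com,jdoe.home@mail.test,300000,4
2024-03-05T10:00:00,asmith@example.com,someone@mail.test,6000000,1
"""

def is_external(addr):
    """True if the address's domain is not one of the company's own."""
    return addr.rsplit("@", 1)[-1].strip().lower() not in INTERNAL_DOMAINS

def suspicious_messages(log_text, sender, resignation):
    """Messages from `sender` near `resignation` that left the company and
    carried an attachment or exceeded the size threshold."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["sender"].strip().lower() != sender.lower():
            continue
        sent = datetime.fromisoformat(row["ts"]).date()
        if abs((sent - resignation).days) > WINDOW_DAYS:
            continue
        # One external recipient is enough, even when internal ones are copied.
        if not any(is_external(r) for r in row["rcpts"].split(";")):
            continue
        if int(row["attachments"]) > 0 or int(row["bytes"]) > SIZE_THRESHOLD:
            hits.append(row)
    return hits

def needs_review(log_text, sender, resignation):
    """Return (flag, hits); flag is set once hits reach ALERT_COUNT."""
    hits = suspicious_messages(log_text, sender, resignation)
    return len(hits) >= ALERT_COUNT, hits

if __name__ == "__main__":
    flag, hits = needs_review(SAMPLE_LOG, "jdoe@example.com", date(2024, 3, 15))
    print("review needed:", flag, [h["ts"] for h in hits])
```

The output is a list for a person to review, not a verdict: a departing employee who routinely mails large files to customers will trip the same rule, so compare the count against that person's normal volume.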