What’s the biggest threat to your computer network? If you said unpatched Microsoft flaws, worms, viruses, or even a weak firewall, unfortunately, you’re living in a fool’s paradise. The biggest single threat to your IT operation is someone you probably know by name. Think about it. Who knows better how to penetrate your systems—a hacker or someone down the hall who already has access to your systems?
IT departments' employees, especially administrators, have access to the organization's most confidential and valuable data, yet IT managers continue to focus most of their security resources on patching systems and building better firewalls (both of which are certainly important). Perhaps this is because they are afraid to acknowledge the real threat of an insider attack, or perhaps it’s because they don’t know how to deal with it. We're going to take a closer look at this problem and provide some suggestions.
Keeping data from walking out the door
Crafting and enforcing policies regarding the removal of any data from company systems should be a priority. This is a completely new mindset for many, but such policies must be put in place and strictly enforced. Making this more difficult is the need for many employees to take work home or on the road. Provision must be made for this, and the approval process must be simple enough that workers can do their jobs.
One obvious internal threat comes from disgruntled employees who have a grudge against the company, but another threat comes from the technical employees who copy important files when they leave a company. This practice isn’t often noticed because it’s such an understandable thing to do. It’s how employees document their work history and retain details from projects and work done in the past to help with their future endeavors.
Nevertheless, these workers may also be removing confidential information, such as customer lists and trade secrets, often without realizing what they are doing. It's important to encourage employees to keep a written log of projects and milestones as a better record and let them know that removing files is against company policy.
Terminated employees should not be allowed to remove any files. Changing account passwords while the employee is still being informed of the termination should be a standard policy. Many companies change locks and seize paper files, putting employees out the door within minutes of their termination. IT security needs to operate the same way, as unpleasant as it may be.
Allowing people to remain in their offices after they give notice or while they are transitioning to a new job is extremely dangerous. During the transition, you might establish a separate office with a printer, nonnetworked computer, and phone line so the employee can make a smooth transition, especially if he or she is involved in closing out current projects.
Employees being terminated who already suspect they are on the way out represent the greatest potential danger to your company’s confidential data. Those employees should leave immediately after the decision is made, not after rumors around fly for a week. By all means, give the employee a good severance package, arrange for an office at a placement firm, and throw a lavish goodbye party—just don't do it where he or she can get back into confidential files. Once terminated, no former employees should set foot inside the main office again unless someone accompanies them at all times and their passwords are disabled.
- Forbid storage of company data on home computers unless the employee telecommutes or does a lot of authorized work at home.
- Explain just how serious the crime of information theft can be, and make sure that you emphasize the legal penalties.
- Warn interviewers to note any job applicants who provide too much information about the last big project they worked on. This is a red flag that the applicant is likely to remove similar materials when he or she eventually leaves your company, and at a minimum, you need to discuss this and your policy with the applicant.
Don't forget physical security
IT security usually focuses on technology to the exclusion of other enforcement mechanisms. I focus on people first because I worked in security long before the PC was around. My early experience was with people stealing cars, committing arson, and even preparing for riots. Later, information security meant physically protecting a mainframe that had no link to the outside, so I primarily concentrated on people as the only threat to that system. Data theft would have involved physically stealing a tape or card deck.
Unfortunately, the vast majority of IT employees charged with protecting the company's data have little or no background in the security issues involved with employees or physical security. Since they are unable to evaluate (or simply aren't cognizant of) threats from people they work with, they tend to concentrate on the nameless, faceless attackers on the Internet.
The fastest way to improve IT security is to add one employee with a background in law-enforcement work. If this person also has a technical background, all the better. For example, a retired detective, even one who only works part-time, can turn your entire security program on its head in a matter of days by focusing on the security issues involved with people.
This isn’t about catching drug dealers or car thieves, so you need to select this new security worker with some care. To weed out “bad cops" kicked off the force for good reason, consider only candidates who are still on the force or have retired with a pension. (Disabilities are a common reason for early retirement.) Some good cops just quit, of course, but you aren’t an expert in this area, so let them get hired elsewhere by people better equipped to weed out the occasional bad one.
A good place to look is in large university campus police forces. These cops are used to dealing with educated people and are sensitive to the potential problems involved in the corporate world.
Ever heard of Timothy Lloyd? Probably not, but you should have, because what happened to this 39-year-old senior programmer could serve as a wakeup call both for managers and for employees. For 10 years, Lloyd was a senior programmer for defense contractor Omega Engineering. Then, he was demoted, and he decided that he'd been treated badly. Instead of just moving on, he planted a software time bomb that deleted a lot of important company files and cost the company an estimated $10 million.
What managers can learn is that even longtime employees can threaten their core IT assets. What employees need to know is that what Lloyd did was in violation of the 1994 Federal Fraud and Related Activities In Connection With Computers Act. After spending years in court, he has just been sentenced to three and a half years in federal prison and ordered to pay $2 million in restitution.
This case, as recently reported by Reuters, may be a revelation to some employees who see fooling around with the company’s computers as a right rather than as a potential crime.
Now for the hard part. Should IT watch itself? The most damaging spy of the last century turned out to be a top FBI spy hunter who was in a perfect position to hide his activities. Robert Hanssen went to Catholic Mass every day and spoke against the threat posed by communism at every opportunity, but he also worked for the Soviets and later the Russians. Hanssen’s case shows how dangerous it is to trust the sheep dog too much.
If you really want to secure your data, the latest trend (one I’ve advocated for 20 years) is to include both physical and electronic security in your planning and not to depend entirely on IT to watch itself. It always boils down to the people, and you can’t tell who you can trust just by looking at them.
The only way to really secure your business is to have security watch IT and have IT watch security, both reporting separately to the board—not to a single individual who might turn out to be another Hanssen.