Did you hear the one about the help desk guy who defrauded consumers to the tune of $2.7 million? A help desk guy—low-level, maybe paid by the hour, and not exactly required to be a cutting-edge IT employee or even trained in the latest technologies. The company he worked for, Teledata Communications Inc., provides software to client companies that enables them to access consumer credit reports from credit reporting agencies. And Mr. Help Desk, also known as Philip Cummings, had access to user names and passwords that clients used to access those consumer reports. That was all he needed.
While you were enjoying Thanksgiving weekend, some 30,000 Americans were discovering that they were victims of identity theft that may take years to correct and repair. All thanks to an insider job. If you think it can’t happen at your company, you’re seriously deluding yourself.
You’re at risk
“We live in the world of the electronic criminal,” said Richard Jones, president and CEO of M2000/IS, an information security consultancy and national law firm. “Insiders are often the biggest threat to information security.”
Background checks are more crucial than ever, especially in IT, because companies stand to lose everything if they’re not careful.
“Screening is a good word,” said Scott Moritz, senior managing director for IPSA International, a global provider of risk mitigation services. “Screenings are based on a relatively low-level unit cost. The problem is that too many companies use screenings inconsistently—or out of proportion to actual risk.”
Moritz, a former FBI special agent, points out that all too often, the same level of screening is performed across the board. That’s a mistake: “When you’re hiring the person who is going to design your security architecture, you need to do more than a simple credit and criminal check,” he said. The first step, therefore, is to assess your vulnerability with any new hire—what’s their level of access, and how badly can they hurt you? “Anyone with root-user access needs to be checked out very closely,” said Moritz.
A typical background check reviews a potential employee’s credit and criminal records. Obviously, you want to avoid hiring a convicted embezzler. But more subtle clues are waiting to be found in the public record. “You can have an honest, upstanding citizen whose child is ill and needs expensive medical care. Financial need can cloud judgment and lead to terrible decision-making and outcomes,” explains Moritz.
He cites recent divorce as another common cause of personal debt that can lead otherwise moral people astray.
The premise of background investigations is that past behavior is the best indicator of future behavior. But the worst people—those Moritz dubs “malevolent”—may have gotten away with multiple crimes in the past. So a background check won’t necessarily turn up anything, although a psychological profile might uncover some clues.
You must check everyone
Unfortunately, and ironically, the higher a person’s status within an organization, the less companies want to conduct extensive background checks and profiles. But that’s an irresponsible attitude, said Jones, who is often called in when a company wants to terminate a senior IT employee. “The more keys to the kingdom someone has, the more thorough the checks need to be.”
According to Jones, when his teams come in to evaluate security risks before a termination, over 75 percent of the time they find that CIOs, CTOs, and other senior IT staff have built themselves back-door entrances. He said that it’s always less expensive to act before the hire than after.
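The back-door review Jones describes is, at bottom, a comparison of what a host actually grants against what the company thinks it granted. The following is an added example, not code from the article or from Jones's firm: a small Python access review that reads constructed copies of /etc/passwd, /etc/sudoers and an authorized_keys file and reports any UID-0 account, any principal given sudo ALL, and any SSH key whose fingerprint is not in an approved inventory. The file contents, the account names and the "approved" inventory are all invented for the example; the sudoers parsing is deliberately simplified (one rule per line, no aliases or includes) and is an assumption of the example, not a full grammar.

```python
"""Pre-termination access review (added example; all sample data is constructed)."""
import base64
import hashlib
import re


def uid0_accounts(passwd_text):
    """Return every login name whose UID is 0; each one is a root-equivalent account."""
    names = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0":
            names.append(fields[0])
    return names


def sudo_all_principals(sudoers_text):
    """Return users/groups whose sudoers rule ends in the command list ALL.

    Simplified parser (assumption): one 'principal host=(runas) [tags:] commands'
    rule per line; aliases and #include directives are not handled.
    """
    principals = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or "=" not in parts[1]:
            continue
        commands = parts[1].split("=", 1)[1].strip()
        commands = re.sub(r"^\([^)]*\)\s*", "", commands)   # drop the (runas) spec
        commands = re.sub(r"^(?:\w+:\s*)+", "", commands)   # drop NOPASSWD:/PASSWD: tags
        if commands.strip() == "ALL":
            principals.append(parts[0])
    return principals


def key_fingerprints(authkeys_text):
    """Return (OpenSSH-style SHA256 fingerprint, comment) for each key line."""
    out = []
    for line in authkeys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        for i, tok in enumerate(parts):          # options may precede the key type
            if tok.startswith("ssh-") or tok.startswith("ecdsa-"):
                break
        else:
            continue
        if i + 1 >= len(parts):
            continue
        blob = base64.b64decode(parts[i + 1])
        digest = hashlib.sha256(blob).digest()
        fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
        out.append((fp, " ".join(parts[i + 2:])))
    return out


def review(passwd_text, sudoers_text, authkeys_text, approved):
    """Compare what the host grants against the approved inventory; return the excess."""
    return {
        "unexpected_uid0": [u for u in uid0_accounts(passwd_text)
                            if u not in approved["uid0"]],
        "unexpected_sudo_all": [p for p in sudo_all_principals(sudoers_text)
                                if p not in approved["sudo_all"]],
        "unexpected_ssh_keys": [(fp, c) for fp, c in key_fingerprints(authkeys_text)
                                if fp not in approved["ssh_fingerprints"]],
    }


# ---- constructed sample data (not real accounts, keys or hosts) ----
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup2:x:0:0::/var/backup:/bin/sh
"""

SUDOERS = """\
# constructed sample
Defaults env_reset
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
alice ALL=(ALL:ALL) ALL
svc_monitor ALL=(ALL) NOPASSWD: ALL
"""

# Fake key blobs: valid base64 so fingerprints can be computed, not real keys.
ALICE_BLOB = base64.b64encode(b"constructed key blob: alice").decode()
STRAY_BLOB = base64.b64encode(b"constructed key blob: stray").decode()
AUTHORIZED_KEYS = (
    f"ssh-ed25519 {ALICE_BLOB} alice@workstation\n"
    f"ssh-rsa {STRAY_BLOB} ops-laptop\n"
)

# What the company believes it approved.
APPROVED = {
    "uid0": {"root"},
    "sudo_all": {"root", "%admin"},
    "ssh_fingerprints": {key_fingerprints(f"ssh-ed25519 {ALICE_BLOB} x")[0][0]},
}


def run_review():
    """Run the review over the constructed samples."""
    return review(PASSWD, SUDOERS, AUTHORIZED_KEYS, APPROVED)


if __name__ == "__main__":
    for kind, items in run_review().items():
        print(kind, items)
```

On the sample data the review flags the second UID-0 account, two sudo-ALL grants that were never approved, and one SSH key with no inventory entry. On a real host the same comparison would also cover cron jobs, setuid binaries and service accounts, and it only works if the approved inventory was written down before the person being reviewed had a reason to edit it.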
Jones frequently asks CIOs if their networks are secure. “They always say yes,” he said. “And when I ask them how they know, they tell me, ‘Well, because my system administrator says it is.’” Ignoring security risks, he cautions, won’t make them go away. “A security-minded organization must carry out security reinvestigations. Create corporate policy that makes it clear that you can conduct future investigations—and then adhere to the policy,” he said, and added that people whose access poses the greatest risk to the company should be investigated annually.
In addition, Moritz pointed out that hundreds of companies employ rigorous background checks for employees but don’t bother to vet consultants. If that’s your practice, “You’ve just rendered your entire system ineffective,” he said.
What’s the price of security? Jones said that a company earning $10 million to $50 million annually should expect to spend about $15,000 to develop security policy and procedures. A vulnerability analysis will run another $25,000, and roughly the same amount will be needed to properly implement the fixes it identifies, although he pointed out that additional hardware might add to that.
Tough decision: You can spend under $100,000 now to secure your company. Or you can risk it all—and give us something to read about next Thanksgiving weekend.