With a faltering economy resulting in increased jobs cuts and corporate belt tightening, security analysts are warning companies to be especially vigilant about protecting their data and networks against disgruntled employees.
As it is, one of the biggest threats to corporate data and systems traditionally has come from insiders, who with their privileged access to data and systems, have the potential ability do more accidental or malicious damage than even the outside attacker.
That threat greatly increases at times when companies are laying off staff, cutting back on raises and bonuses, deferring promotions, consolidating operations and outsourcing work to save money.
“All of these increase risk for the company from an insider perspective,” said Shelley Kirkpatrick, director of assessment services at Management Concepts, a Vienna, Va.-based management consultancy.
Tough economic times create uncertainty in the workplace, she said. Employees for instance, can be worried about losing jobs and promotions, concerned about financial liabilities, mortgages and rising energy costs.
“When there is uncertainty, it creates stress for employees. It makes the company more vulnerable” to threats, said Kirkpatrick, who was previously a behavioural threat assessment researcher at the Homeland Security Institute.
The threats can manifest themselves in a number of ways. Insiders with access to corporate information, such as customer data or corporate secrets, might want to steal or disclose it for financial gain or simply to get back at their companies.
Those with technical-savvy might seek to sabotage corporate data and systems by planting malicious code and so-called logic bombs that are designed to delete data at a future date on critical systems.
The danger is not confined to such actions alone. Stressed, unhappy workers make easy targets for opportunistic rivals as well, Kirkpatrick said. “If I am a competitor looking for a good opportunity to get trade secrets out of my competition, I am going to go after the people who may be stressed emotionally,” she said.
Examples of insider sabotage
The damage that insiders with privileged access can do should not be underestimated as several incidents in the past show, analysts said.
In July, for instance, a disgruntled administrator for the city of San Francisco locked access to a critical network by resetting administrative passwords to its switches and routers and then refusing to divulge them to officials for days.
In a similar incident, a Unix systems administrator at Medco Health Solutions Inc. who was concerned about being laid off, planted a logic bomb on an internal system that, had it gone off, would have deleted data on 70 servers.
While both incidents involved technically savvy insiders, similar threats can come from non-IT staff as well. In November 2006, a scientist working at DuPont admitted to stealing corporate data valued at around $400 million shortly before he left the company to work at a rival.
The key to being prepared for such threats is knowing what warning signs to look and how to respond to them, said Matt Doherty, a senior vice president at Hillard Heintze LLC, a Chicago-based security consultancy.
One example of a red flag might be an employee who suddenly starts working after hours, stays late for no obvious reason or keeps asking for overtime to make ends meet.
Similarly, someone trying to get access to systems and information that they really have no need for could be another sign that something is amiss, he said. Or it could be an employee who prints out large volumes of data after hours, or e-mails it to himself.
As important as such markers are, it is equally important to know what’s going on in terms of employee behavior and morale, Doherty said. Supervisors need to be trained to spot employees in distress or those who could pose a security problem in the future, he said.
Companies also need to educate employees about the importance of paying attention to signs of frustration among their co-workers and to have a centralized structure in place for reporting such behavior, he said.
“It’s critical for a supervisor to be aware of the employees, who they are and what’s going on in their lives. It’s really about keeping a finger on the pulse,” he said.
It’s also important to know that the stress can come from outside the work environment, Kirkpatrick said. An employee, for instance, could be experiencing financial problems or may have lost a home to foreclosure because of an inability to meet the mortgage payments.
Identifying and defusing a potential situation takes a coordinated effort, Kirkpatrick said. It’s best for companies to set up a cross-functional team composed of members from the human resources, IT, corporate security, legal and operations departments to deal with potential risks from insiders, Kirkpatrick said.
It’s important to ensure that information received about a potential problem is quickly acted upon. But companies need to make sure that any action they take does not violate the employee’s basic rights, she said.
Almost always “there are warning signs. But they are not always listened to,” she said.
Technical controls are vital as well. One of the most important is user authorization and access control, said Raffael Marty, chief security strategist at Splunk Inc., a San Francisco-based company that provides software to help firms search for data in large enterprise applications.
Companies that lay off large numbers of people or that engage in a consolidation or merger need to first ensure that former employees no longer have access to internal systems and data, Marty said.
“If a person either leaves his company or is fired, you have to make sure that user account is disabled and that has to happen immediately,” he said. In addition to terminating accounts, it’s also important to monitor critical applications and activity logs to make sure those who previously had access to them can’t access them through some other entry point, Marty said.
It’s a good idea, in general, to monitor privileged user activity to ensure that those with elevated and administrative access rights are not using them to “rob you blind,” added Ted Julian, vice president of marketing at Application Security Inc., a New York vendor of database security tools.
“Some sort of monitoring on your most sensitive systems is a must. You need that safety,” in addition to whatever other controls might be in place, he said.
The increased use of portable devices, such as laptops and handhelds, and removable media, such as USB memory sticks and iPods, has also made it easier for rogue insiders to walk away with large amounts of corporate data.
Analysts for sometime have said that it’s important for companies to have measures in place for centrally controlling and monitoring which devices can be attached to corporate networks and systems and what data can be downloaded, uploaded and stored on them.
Another category of tools used by companies as a measure against data theft is the so-called data leak prevention tools that keep an eye on network traffic to ensure that protected information doesn’t go outside in an unauthorized manner.