When you sack or retrench IS staff, make sure your company doesn't get burned
None of the CIOs contacted for this article said they had experienced sabotage by disgruntled ex-employees, which may be surprising considering that the Information Security Research Centre (ISRC) at Queensland University of Technology (QUT) says there is an estimated one act of employee sabotage every week in Australia.
Hagemeyer's Ratcliffe says he personally has not experienced any sabotage, but he does know of one case where an employee who had been reprimanded came back in the evening and set fire to the computer room. "You can't totally protect against sabotage," Ratcliffe says. "You need to put trust in people. If you have open and honest communications, and involve staff in decisions that affect them, you are part way there."
Acts of sabotage can be very invidious when directed at network systems: compromising the network, destroying data or denying services. Disabling Web sites is particularly prevalent. Fewer incidents of large-scale sabotage, such as disabling electronic transaction systems for up to a week, have been noted, but these can cause damage costing in the millions of dollars.
"Most of the incidents are low scale," says associate professor Mark Looi, deputy head of QUT's School of Software Engineering and Data Communications, and a consultant and researcher for the ISRC. "They mainly comprise Web site disablement and hacking, and changed information. In most cases the victims of incidents simply correct the problem, and proceed no further. But sabotage is very much a real concern, especially following retrenchment of staff through downsizing and mergers.
"Perpetrators are always individuals. We are yet to have a case of sabotage by corporates or groups," says Looi. "All of the incidents are vindictive; there is no benefit to the perpetrator outside of inflicting damage. Network administrators and IT managers, if not leaving on good terms, have sufficient access and knowledge to inflict damage." This includes the creation of back-door entries that bypass normal security provisions. These may have been created for a variety of reasons, some legitimate, such as doing work from home, and others less benign. "In security audits undertaken by the ISRC, we have detected a back door in 15 to 20 per cent of cases," Looi says.
Preventing such occurrences requires vigilance and adherence to due process. For example, a retrenched person should not have access to the system between the retrenchment and when they leave. "There is no such thing as 100 per cent protection," Looi says, "but you do need to be aware of the types of action possible and be vigilant for up to three months after an employee has left. A properly trained IT support [team] should be able to prevent external attack."
Once the incident has occurred, going to court can be a lengthy process. "There is insufficient precedent, and preparation can be lengthy," Looi says. "However, the courts do seem to be supportive. In the two court cases that I've been involved in, both resulted in convictions.
"There are always ways to assess the identity of perpetrators," he says, although he is coy about details. "Computer forensics has gained momentum over the last 12 months. One thing you do need to particularly understand, however, is don't damage the evidence."