Dr Crime's Terminal of Doom

Most computer attacks come from the outside. But the costliest ones come from the inside. Here's how to manage the risk without making honest employees feel like crooks.

This past January, software vendor NetSupport worked with the FBI to arrest a sales manager who allegedly offered to sell the company's customer list to at least two competitors for $US20,000.

And in March, the FBI arrested a former employee of Global Crossing on charges of identity theft and posting threatening communications on the Internet - this after he allegedly posted menacing messages and personal information at his Web site (including Social Security numbers and birthdays) about hundreds of current and former employees at the communications company.

Those cases attract wide publicity, yet observers say they are surprised at how little companies do to minimise the risk posed by employees. "I'll talk to my peers in other organisations, where it's sort of: 'We think we're protected - there's a guy downstairs who takes care of it'," says Tim Talbot, senior vice president and CIO at Maryland-based PHH Arval, a fleet-management company that is a subsidiary of the Avis Group. "OK, so the guy downstairs has never made a mistake, knowingly or unknowingly?"

Many companies don't do enough to protect against insider threats because they are leery of breaking the trust they have built with their employees. Treat someone like a criminal, the thinking goes, and he might start to act like one. The good news is that there are some easy ways to improve internal security without making honest people feel like crooks - steps that will help protect against external threats as well. Here are five things you can do.

1 Emphasise Security from Day One

Good security starts with whom you hire, and that's why it's crucial to have a pre-employment screening, including reference checks, says one executive who's been there. "You really have to know the people that you're hiring and make sure that their interests ally with yours," says Craig Goldberg, CEO of New York City-based Internet Trading Technologies, which successfully prosecuted two employees who, unhappy with the company, attempted extortion and then attacked the company's systems.

CIOs can also limit the damage any one employee can do by setting up access controls that map a person's job function to the resources he needs to do that job. Do that from day one, and your company can avoid giving the impression that access levels have to do with him as a person - they're simply part of a given job function. (See "Software Sentries", page 110, for details on the technology that can help you do this.)

Also, there should be checks and balances in place that minimise the damage that one IT employee could do. One person might be in charge of changing files, another in charge of changing the network fabric and a third in charge of modifying payroll records. "Most big computer systems have a log-in that might be in a generic way described as the superuser," says Daniel Geer, CTO of managed security company @Stake. "If I gain the superuser power and I should not have it, the question is: how far does it extend? I'd rather not have the power to change the company invested in one person - not because I don't trust that person, but because if their credentials are stolen, that is an uncontainable risk."
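The two ideas in the passage above (permissions tied to a job function rather than a person, and checks and balances so that no one login can change files, the network and payroll at once) can be made mechanical. The following is an added example, not code from the article or from any vendor it names: every role, resource, user and permission in it is hypothetical sample data. It computes each user's permissions from their roles only, checks a separation-of-duties policy, and reports the blast radius of a stolen credential so that a "superuser" login shows up as a policy violation rather than a surprise.

```python
"""Least-privilege roles with a separation-of-duties (SoD) check.

Added illustration; all roles, resources, users and permissions are
hypothetical, constructed sample data.
"""

# Hypothetical role -> {(resource, action)} map; one role per job function.
ROLE_PERMISSIONS = {
    "file_admin":      {("fileserver", "read"), ("fileserver", "write")},
    "network_admin":   {("core_switch", "read"), ("core_switch", "configure")},
    "payroll_clerk":   {("payroll_db", "read"), ("payroll_db", "update")},
    "payroll_auditor": {("payroll_db", "read")},
    # A catch-all login like this is the "superuser" the passage warns about.
    "superuser": {
        ("fileserver", "write"), ("core_switch", "configure"), ("payroll_db", "update"),
    },
}

# Hypothetical SoD constraints: no single person may hold both halves of a pair.
SEPARATION_OF_DUTIES = [
    (("fileserver", "write"), ("core_switch", "configure")),
    (("fileserver", "write"), ("payroll_db", "update")),
    (("core_switch", "configure"), ("payroll_db", "update")),
]

# Hypothetical user -> roles assignments (constructed sample data).
USER_ROLES = {
    "alice": {"file_admin"},
    "bob":   {"network_admin", "payroll_auditor"},
    "carol": {"payroll_clerk"},
    "dave":  {"superuser"},                    # violates SoD by construction
    "erin":  {"file_admin", "payroll_clerk"},  # accumulated roles: also a violation
}


def effective_permissions(user):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_authorized(user, resource, action):
    """Default deny: access is allowed only if some role grants it."""
    return (resource, action) in effective_permissions(user)


def sod_violations(user):
    """SoD pairs of which this user holds both halves (empty list = compliant)."""
    perms = effective_permissions(user)
    return sorted(pair for pair in SEPARATION_OF_DUTIES
                  if pair[0] in perms and pair[1] in perms)


def blast_radius(user):
    """Resources an attacker could change with this user's stolen credential.

    Read-only permissions are excluded: the concern here is the power to
    change the company, not to look at it.
    """
    return sorted({res for res, act in effective_permissions(user) if act != "read"})


def audit_policy():
    """Run the SoD check over every user; a clean policy returns an empty dict."""
    findings = {}
    for user in USER_ROLES:
        violations = sod_violations(user)
        if violations:
            findings[user] = violations
    return findings


if __name__ == "__main__":
    for user in USER_ROLES:
        print(f"{user:6} can change {blast_radius(user)}; "
              f"SoD violations: {len(sod_violations(user))}")
    print("policy findings:", audit_policy())
```

Run it and the superuser and the clerk who kept her old file-admin role are the only two users flagged; everyone else can change at most one class of system, which is the containment Geer is asking for. The audit is worth running whenever roles change, not just at hire.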
