Dr Crime's Terminal of Doom

Most computer attacks come from the outside. But the costliest ones come from the inside. Here's how to manage the risk without making honest employees feel like crooks.

4 Watch for Unusual Activity

Despite those precautions, companies also need to protect against the possibility that those levels of security will be broken. At Sony Pictures Entertainment, right before a big movie release like Spider-Man, the hacks start coming from insiders and outsiders who want to get a prereleased version of the movie or see the stars' salaries. That's where the company's intrusion detection system (IDS) steps in, by watching for unauthorised activity. Employees who poke around for inappropriate information on Sony's network might generate an alert that lands on the desk of Jeff Uslan, the company's director of information protection and security. "The system would tell me your machine address and IP address," he says. "You might get a call from myself, saying: 'Is there something I can help you with, because you're trying to get into these files that you shouldn't.'" The IDS would also help Uslan find out if a hacker had infiltrated Sony's system and was using an employee's credentials or computer to launch an attack.

In addition to an IDS, California-based shipping company APL uses a product called Silent Runner, from a company by the same name, to get a visual look at what's happening on the shipping company's network - a high number of FTP downloads, for example, or unusual activity in a department that is going through a painful reorganisation, or even e-mails that match keyword searches. "I have a bird's-eye view of what's happening," says Van Nguyen, director of information security. "I don't necessarily look at every single one of the 11,000 employees, but when I need to I can."

That isn't enough for everyone, of course. Some companies, especially ones that deal with financial transactions or other sensitive information, will have to take a more extreme route and use more sophisticated monitoring and controls.

5 Know How to Let Go

A little sensitivity when someone leaves the company can go a long way in avoiding retaliation or sabotage. But there are technical details to take care of as well. It can take months for IT departments to painstakingly close the accounts of a former employee. That usually happens because of poor communication with HR or because there are so many different accounts controlled by different systems administrators. It is a major problem not only because employees might attempt to access system resources but also because hackers can take advantage of inactive accounts. "We see a lot of companies that don't have policies to cancel passwords and log-in names when somebody is terminated," says FBI supervisory special agent David Ford, who manages a regional computer crimes office in Atlanta. "You would think that would be the first thing that would happen, but a lot of companies don't take the basic steps you would expect."

Until recently, the New York City-based clothing designer Josephine Chaus was no exception. When Ed Eskew became vice president of IT about three years ago, there was no formal system in place for shutting down accounts of employees who resign or are let go. Now, human resources and IT work together closely - a process that, unfortunately, had to be used when the company recently had retrenchments. "The moment a person is called from their desk into HR for termination, our IT people will go to their desk and remove the CPU" and change the password for their voice mail, Eskew says. People who leave the company voluntarily may get an interim password with limited access during their notice period.

Sound extreme? Perhaps, but Eskew says there's no way to tell how someone will react to being fired. "You like to think that people will behave themselves professionally, but from a security perspective, how do you know? How do you explain that you didn't protect against that?"

But that's not always enough, as Lance learned when "Dr Crime" ended up behind bars. Now, says IT chief Gragnani, "when someone leaves our IT department under suspect circumstances, we will go back and review the program changes that person has implemented recently."

It's another prudent move for IT executives faced with securing their company's assets. But it's not like they have to spend all day, every day treating their colleagues as suspects.

Nasdaq's Bickner uses 80 per cent of his time getting people to do the right thing and only 20 per cent making sure no one does the wrong thing. "Most of the people will do the right thing most of the time," he says. "We're counting on people to make the right decisions and training them to do that. And the more you succeed on average, the less you begin to see any errant behaviour."
