Information All Employers Should Know to Protect Their Businesses

Robert HobermanManaging Partner, Hoberman & Lesser CPAs, LLP

Revenge is the most frequent motive for computer sabotage committed by once-trusted company insiders, according to a study issued by the Department of Homeland Security.

So while companies are busy fending off outside attacks from hackers, they must also watch out for devastating acts of cyber vandalism carried out by disgruntled current or former employees and independent contractors.

The report details sabotage cases nationwide in various industries. While 71 percent of the unauthorized intrusions examined came from outside hackers, a disturbing 29 percent were traced back to insiders.

Companies are warned to stay on top of potential internal problems by developing strict procedures for the revoking of employee technology privileges.

“Insider attacks can only be prevented through a layered defense strategy consisting of policies, procedures, and technical controls,” the report noted. “Therefore, management must pay close attention to many aspects of its organization, including its business policies and procedures, organizational culture, and technical environment.”

Key finding: In most cases, the perpetrators first act out at work in ways that caused concern. They carefully plan their attacks and sometimes communicate their intentions to others in the organization. In other words, there are red flags that are often ignored or never seen by management.

The study focuses on the motivations and techniques commonly used by insiders with real or imagined grievances against their employers.

Because so many companies rely on computers and the Internet for both internal and external functions, access privileges to their networks are given out of necessity to large numbers of employees, a number of whom have only modest levels of supervision. Many insiders are also able to dial in from home or other remote locations.

And as employees become increasingly Web savvy and technically proficient, they are able to find weak spots in systems security. In many cases, perpetrators had a direct technical role in the development and operation of the computer system itself.

“Most of the insiders who committed acts of sabotage were former employees who had held technical positions with the targeted organizations,” the report said.

How did they do it? By creating unauthorized backdoor accounts, accessing systems from remote locations after business hours, stealing back-up tapes and using other methods of attack.

Deny access: Because of the high probability that the offender was connected to the IT side of the company, the report recommends that strict procedures be instituted to quickly lock out employees who quit or are terminated. The same goes for independent contractors whose work has been completed.

One vulnerable area is group access, in which several employees use the same password to log into systems.

“It is critical that all group passwords be changed immediately upon termination of any user previously authorized to have the password,” the report said. “These include group passwords for remote access, and company, customer, database administrator, application, and system administrator accounts.”

Increase scrutiny: The report also concluded that a lot of damage can be avoided by closer monitoring of employees so that a deteriorating situation can be corrected before someone lashes out electronically. The loss of a job, trouble with supervisors, demotions or unwelcome transfers were cited in the report as the most likely triggers that send employees down the path of simmering anger and eventual acting out.

“Eighty-four percent of the incidents were motivated at least in part by a desire to seek revenge,” the report stated, adding, “57 percent of the insiders were perceived by others as disgruntled employees.”

Companies would do well, the report stated, to implement well-publicized policies governing the removal of an individual’s access. Whether or not the employee is retained or let go, the company can rest assured that at least its IT systems will hum along smoothly throughout the process.

Six More Recommendations from the Report

  1. Establish formal grievance procedures and additional forums for employees to voice concerns after they experience a negative work-related event.
  2. Set up a formal inter-department process for reporting problem behavior and sharing information about troubled colleagues before harm occurs. Consider an anonymous reporting mechanism.
  3. Remind all coworkers of a departed employee to change their passwords if there is the slightest chance they may have shared their passwords with that person. Recognize that sometimes, even in violation of policy, employees share their passwords.
  4. Coordinate the denial of building access with the denial of access to computer accounts. Keep in mind that colleagues might allow former employees on the premises if they’re unaware of resignations or terminations. In one case, for example an employee was terminated from a cancer research project, where he used the same computer with other colleagues. His physical access to the building was immediately disabled. However, he returned to the building after normal working hours, and when he was denied entry, another employee let him into the building believing that the card malfunctioned. The former employee then deleted 18 months of data from the research his office had been working on.
  5. Proactively monitor system logs and remote access to detect an attack before it becomes apparent. In 70 percent of the cases examined in the report, system logs were the way inside perpetrators were identified. These included logs for remote access, file access, system file changes, database/application and e-mail. However, keep in mind that system logs can be altered. In one case, an employee working on a network crash manipulated the company’s system log to make it look like his supervisor caused it. Other ways damage was detected: By using phone records, usernames and auditing procedures and tracking the insiders’ source IP addresses at remote locations such as their homes.
  6. Notify law enforcement. Computer sabotage may be under-reported for a variety of reasons, including a lack of evidence, insufficient information to prosecute and concerns about negative publicity. But a forensic examination of workplace computers can help identify perpetrators and an examination of the insiders’ home computers can help corroborate the identification. “Therefore, it is critical for identification and successful prosecution that organizations contact a forensic specialist to advise (them) on maintaining the integrity of the evidence for law enforcement or other investigation,” the report states.