Contrary to popular impression, the greatest danger to your firm’s IT security may not be the outside hacker. The greatest danger to your network may be someone on your own team. Using these preventative steps can help.
Contrary to popular impression, the greatest danger to your firm’s IT security may not be the outside hacker. The greatest danger to your network may be someone on your own team. Evidence shows that few firms have adequately weighed the risk of sabotage by internal employees. In a recent survey co-sponsored by the Federal Bureau of Investigation, one-half of the companies that suffered breaches of IT system security over the previous year were the victims of employee sabotage.
As the market for talented IT pros gets more tightly squeezed, the problem seems to be increasing. Some reports indicate losses due to employee sabotage are increasing at rates of 30 percent or more each year. In Baltimore, Maryland, a disgruntled VP left his firm. On his way out, this unhappy employee took company secrets and erased all of the files that held data for an important new technology. He’s not the only internal troublemaker. In New Jersey, a network administrator allegedly planted a “logic bomb” that deleted the firm’s design and production files 20 days after he left the firm. In China, a former programmer allegedly planted a virus in thousands of copies of software and destroyed years of his co-workers efforts.
What can firms do to avoid this problem while continuing to foster a collegial, friendly working environment? Using these preventative steps can help.
Dig deep. In the rush to recruit new techies or contractors for particular projects, hiring managers often overlook the best way to prevent worker sabotage: Avoid hiring people who, based on their previous record, may engage in sabotage. One red flag to look for is evidence that the worker refused to follow an employer’s instructions. Few employers delve deeply into candidates’ background. Usually, the hiring manager only reviews a resume and makes a few quick reference checks. The best way to screen for loyalty—and to weed out possible saboteurs—is to conduct a thorough background check that carefully reviews employment and personal history.
Need to know. A disloyal worker can only hurt what he can reach. It’s critical to limit every worker’s system access to a “need to know” basis. Some companies go so far as to eliminate modems, floppy discs and CD-ROM drives from desktops to prevent workers from importing damaging programs or exporting sensitive data. Most firms limit access by using passwords, firewalls, virus protection software and automatic log-off/lock-out software. However, many companies fail to change passwords frequently or to update their virus protection to scan for the latest viruses. If a disgruntled technologist leaves and passcodes and firewalls aren’t changed, the inside access secrets are no longer inside or secret. Even if you have effective password and virus protection, avoid giving any one worker access to all of the system files. Companies that give such access are particularly vulnerable to that worker. He can wreak havoc on the company if he wishes to do so. To avoid this, divide critical access among several workers so that no one employee can control the entire system.
Many actors, few stars. While it’s important to limit access to a need-to-know basis, it’s also important to have more than one method of access to critical systems and data. Most companies religiously back up important files and store them offsite. However, these same companies sometimes make the serious mistake of placing critical knowledge in the hands on only one worker, making for a possible company hostage situation. The better practice is to train several workers in the same tasks, and to rotate the tasks periodically so that the loss of one employee does not limit the company’s access to systems or data.
Arm the loyalists. In-house sabotage is almost always the work of an individual malcontent rather than a conspiracy. Most workers abhor the thought of sabotage and would do everything necessary to stop it, but they often lack the tools or training to do so. Every company should train workers on the best methods to prevent sabotage. Training starts with an employee handbook, which should contain a code of conduct and ethics, and a description of the information that the company considers confidential or trade secrets. It should emphasize the importance of protecting the company’s proprietary information and the procedures the company has for preserving it. It should also have an effective email and Internet policy that among other things, advises that the company’s systems are the company property and that usage is subject to monitoring.
Training does not end with the employee handbook. Every company should also require employees—as well as contractors and consultants—to sign an enforceable agreement not to reveal, steal or erase the company’s confidential information. Security training for all new workers and periodic refresher courses or bulletins for current workers, can be effective reminders of the importance of password protection and other methods of preventing harm to company assets. The company should also monitor worker access to systems. Monitoring can reveal unauthorized access or access during abnormal time periods that may indicate the potential for sabotage.
Act quickly. Companies must act quickly whenever they terminate an employee or suspect sabotage. Upon notice of termination, immediately eliminate the employee’s access to any sensitive systems or data. Then, upon termination, ensure that the employee returns all keys, passwords, laptops, telecommuting files and other methods of access to the company and its information. Remind the employee of his/her obligation not to disseminate confidential information. Where there is strong evidence of attempted sabotage, it is usually appropriate to fire the saboteur and remove him or her from the premises without delay. If there is any evidence of theft of proprietary information, or any risk that the wrongful conduct will continue, the company should strongly consider an immediate application to a court for an order prohibiting the conduct and requiring the return of any stolen information.
Every employee owes his or her employer a duty of loyalty. The theft or destruction of information is a violation of that duty and other laws that courts enforce frequently through injunctions and damage awards. The theft of information and the unauthorized access to a computer is also a crime, and may be reported to law enforcement officials for prosecution.
The threat of employee sabotage poses a significant risk to company assets. A few simply preventative steps can sharply reduce the risk. And if and when sabotage hits, the company can limit the damage and seek compensation, but only if it acts quickly and effectively.
About the author: Dan Johnson is an attorney with the Washington office of McKenna & Cuneo. This article originally appeared in www.itrecruitermag.com and is reprinted here with permission.