While hacking by outsiders poses a growing threat to companies of all sizes, the threat of insider jobs – particularly by disgruntled former employees – is often an even bigger one.
These attacks, carried out with malicious intent to hamstring a company’s operations, can cause serious problems. Take, for example, the following recent events:
- A former employee of Spellman High Voltage Electronics Corp. is facing charges over strange things that started happening to the company’s systems after he resigned, allegedly because he had been passed over for a promotion.
Shortly after he left, employees at Spellman began reporting that they were unable to process routine transactions and were receiving error messages. An applicant for his old position received an e-mail from an anonymous address, warning him, “Don’t accept any position.” And the company’s business calendar was changed by a month, throwing production and finance operations into disorder.
The mayhem cost his former employer more than $90,000, and he was arrested. “The defendant engaged in a 21st-century campaign of cyber-vandalism and high-tech revenge,” said Loretta Lynch, the United States attorney for the Eastern District.
- A former employee of McLane Advanced Technologies was sentenced to 27 months in prison and ordered to pay $35,816 in restitution after pleading guilty to hacking into McLane’s systems and deleting payroll files to the point that staff could not clock in and the company could not issue payroll checks.
He was upset after the company had fired him and then refused to help him obtain unemployment benefits.
- A network engineer, who was fired by the American branch of Gucci, stands accused of breaking into the computer systems of the Italian luxury goods organization, shutting down servers and deleting data.
The New York County District Attorney’s office accuses the former employee of using an account that he had secretly created while employed by Gucci to access the network after his employment was terminated.
He has been charged with computer tampering, identity theft, falsifying business records, computer trespass, criminal possession of computer-related material, unlawful duplication of computer-related material, and unauthorized use of a computer. The intrusion is said to have cost the company some $200,000.
What you can do
With these cases in mind, there are internal steps you can take to avoid this sort of thing happening at your company.
Route all offsite access through a VPN – This can typically prevent someone from entering your system altogether. But, once you have such a system in place, all outside connections need to be logged and monitored for suspicious activity.
Test your disaster recovery plan – You need to have a disaster recovery plan in place that includes backing up data every day, just in case someone deletes it from your servers. That way, if data is deleted you can immediately switch to a back-up IT environment.
A lot of times, organizations do disaster recovery, but unless they practice the actual recovery, they don’t know if it will work, and it doesn’t matter whether they have a physical or a virtual environment. So, don’t forget to test any plans you have.
Block unapproved software – Sometimes your employee hackers will install extra software that makes it easier for them to root through your system and create havoc. You should have systems in place that do not allow anybody to install unapproved software.
Disable ex-employee accounts and passwords – Whenever an employee or contractor ceases to work at your business – or in the case of layoffs, beforehand – you must disable their network access, accounts and passwords. You should regularly review which users have access to your systems, and know that changing passwords and resetting access rights is essential when a member of your staff leaves your employment.
Think like a malicious insider – IT managers must think like an inside attacker, and identify the weak points of their infrastructure that they themselves would exploit were they so inclined. As a senior manager, you should ask your IT managers just what they are doing to thwart any possible insider attacks.
Make suspect behavior cause for concern – Watch for human-behavior warning signs, such as complaining to others about the company or spending more time than usual accessing company data on your network. Develop a response plan for when such signs are spotted.
Beware resignations, terminations – Most insider attacks occur within a narrow window. Most people who steal intellectual property or destroy systems do so within 30 days of resignation. Accordingly, keep a close eye on departing or departed employees, and what they viewed.
If someone resigns who has had access to your most sensitive company information, including trade secrets, you need to pay special attention to ensure it’s not compromised.
Marshal forces – Businesses that prepare for attacks in advance tend to better manage the aftermath. When it comes to combating cases of suspected insider threat, include human resources, management, upper management, security, legal and software engineering.
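
One way to carry out the account review and the watch on departing employees described above, as an added example that is not part of the original article. The HR roster, account list and VPN log entries are constructed sample data, and the field names and the reading of the 30-day window as the 30 days before an employee's last day are assumptions.

```python
from datetime import date, timedelta

WATCH_DAYS = 30  # the article's 30-day window; applied here before the last day (assumption)

# Constructed sample data, not taken from any real system.
HR_ROSTER = {
    "asmith": {"last_day": None},               # current employee
    "bjones": {"last_day": date(2024, 3, 1)},   # terminated
    "cdiaz": {"last_day": date(2024, 3, 20)},   # has given notice
}
DIRECTORY_ACCOUNTS = [
    {"user": "asmith", "enabled": True},
    {"user": "bjones", "enabled": True},        # never disabled after termination
    {"user": "cdiaz", "enabled": True},
    {"user": "svc-backup2", "enabled": True},   # nobody in HR owns this account
]
VPN_LOGINS = [
    ("2024-03-05T02:14:00", "bjones"),
    ("2024-03-06T09:01:00", "asmith"),
    ("2024-03-10T23:40:00", "cdiaz"),
    ("2024-03-11T01:12:00", "svc-backup2"),
]

def review_accounts(roster, accounts, today):
    """Return (user, reason) for every enabled account that needs attention."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        user = acct["user"]
        person = roster.get(user)
        if person is None:
            # No HR record: an account someone created outside the normal process.
            findings.append((user, "no-owner"))
        elif person["last_day"] and person["last_day"] < today:
            findings.append((user, "departed-still-enabled"))
        elif person["last_day"] and person["last_day"] - today <= timedelta(days=WATCH_DAYS):
            findings.append((user, "leaving-within-window"))
    return findings

def flag_logins(logins, findings):
    """Return the VPN logins made by any account named in the findings."""
    reasons = dict(findings)
    return [(ts, user, reasons[user]) for ts, user in logins if user in reasons]

if __name__ == "__main__":
    found = review_accounts(HR_ROSTER, DIRECTORY_ACCOUNTS, date(2024, 3, 12))
    for ts, user, reason in flag_logins(VPN_LOGINS, found):
        print(ts, user, reason)
```

Legitimate service accounts will also show up as "no-owner" until each one is recorded against a named person who answers for it.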