Are departing staff the new worst enemy of the IT department?
A recurring subject of the past few weeks has been employee sabotage and how redundant staff are returning to seek revenge.
As the recession continues, it could be argued that less attention is being paid than is required to staff movement, especially once someone has been made redundant or has been fired.
With IT staff particularly in the spotlight, there is the possibility that staff who are released and bear a grudge will access the servers and network remotely when the passwords remain unchanged.
This was the case in one recent incident, when at the end of January SC reported on the former IT administrator who was indicted on charges of planting a malicious script to destroy data on all of the servers of the major US bank Fannie Mae.
Rajendrasinh Babubhai Makwana worked for the bank for three years as a computer engineer until his contract was terminated. During this time he had root access to all of the main systems, which the company failed to revoke until the evening of the day he left. He set a computer time bomb that was designed to go off on the 31st of January 2009 at 9am.
However, this week the case of ‘malicious insider attacks’ was pushed further, with Microsoft's Doug Leland claiming that the recession will lead to an increase in such events.
Speaking to the BBC, Leland said: “With 1.5 million predicted job losses in the US alone, there's an increased risk and exposure to these attacks. This is one of the most significant threats companies face. The malicious insider is classed as the greatest security concern because they have access, and relatively easy access, to corporate assets.”
So what can companies do, if anything, to protect themselves from their own ex-employees? Gary Clark, VP EMEA at SafeNet, claimed that organisations are failing to learn from the mistakes of others as sensitive information is exposed again and again through accidental loss or intentional theft.
Clark said: “It's well known that in a recession, levels of crime – particularly cases of fraud and identity theft – rise. With people more likely to take advantage of an opportunity for personal gain, organisations need to make sure sensitive information is not publicly exposed.
“The public should be able to trust their data is secure at all times; organisations need to have stringent practices and safeguards in place to protect it. These include identifying process weaknesses, adopting robust security standards and, most importantly, encrypting all sensitive data.”
So is the problem one of passwords being unchanged when the employee leaves, or is there a deeper issue at the heart of it? Stephen Midgley, senior director at Absolute Software, claimed that while some companies may focus on ensuring passwords are changed to lock out former employees, they should look at something rather more obvious – the hardware.
Midgley said: “With an increase in disgruntled employees comes an inevitable increase in security risks from the inside. According to Gartner, 70 per cent of laptop thefts are internal, and this can only be on the rise. Insider theft means the person stealing the laptop, or the information it contains, almost certainly holds the encryption keys they need.
“If the theft is targeted, the thieves sophisticated enough and the information desirable, then many kinds of encryption can start to look pretty shaky. As well as angry staff, industrial and government espionage are not unheard of and a stolen laptop in the wrong hands gives its new owner both the time and opportunity to work on cracking its defences.”
He claimed further that companies would do well to ensure that laptops cannot transfer secure or confidential data, which returns us to the age-old story of data transfer and how USB sticks and laptops should not be used to transfer or store data.
Midgley said: “The last thing employees or bosses want to do is lie awake at night wondering if sensitive information stored on a stolen laptop will come to light whether in the criminal fraternity or even the media.”
In agreement was Chris Mayers, chief security architect at Citrix, who said: “The only way to ensure that company IP, customer information and commercial data is protected is to ensure it never leaves the data centre, and that access to it is carefully controlled. That way, when a disgruntled employee leaves the organisation, with a laptop under their arm, all they are leaving with is the piece of kit, not the information it once had on it.”
In recent conversations with several companies, the subject of how closely HR and IT work has been raised. Daniel Power, European sales director at KACE, asked how the two manage to co-exist without contact, particularly when employees will respond to an order by HR but not by IT.
Sadly, this is a modern phenomenon, and something to which there is no easy solution. It does come down to a consistent statement of basic security, but as departments get smaller and more redundancies are made, a balance of information and security must be kept.