Insider Threat Likely More Pervasive Than You Think

Don Tennant
Slide Show

Symantec Hosted Services' Top 5 Security Threats

There's an excellent article on Computerworld today that should be required reading for every IT organization on the planet.



Headlined "Security Fail: When Trusted IT People Go Bad," it makes a compelling argument that the likelihood you have a bad apple among your IT workers is much higher than you might suspect.



Check out this scenario:

It's a CIO's worst nightmare: You get a call from the Business Software Alliance (BSA), saying that some of the Microsoft software your company uses might be pirated.

You investigate and find that not only is your software illegal, it was sold to you by a company secretly owned and operated by none other than your own IT systems administrator, a trusted employee for seven years. When you start digging into the admin's activities, you find a for-pay porn Web site he's been running on one of your corporate servers. Then you find that he's downloaded 400 customer credit card numbers from your e-commerce server.


And here's the worst part: He's the only one with the administrative passwords.

Actually, the worst part is that all of that really happened to a large retailer in Pennsylvania that wanted to keep the whole thing quiet. Sweeping the episode under the rug like that is, in fact, what 75 percent of companies do when they fall prey to such insider activity, according to a survey cited by Computerworld. As a result, opportunities to learn from those experiences are lost, and we're lulled into a false sense of security because we hear about such a small percentage of the activity that actually occurs.


As is often the case when stories like this are reported, some of the most valuable insights come from readers. One reader noted that power corrupts both employees and employers:

Companies planning to outsource wring everything they can from current employees and drop them without a thought or remorse. So this corporate bad behavior is just supposed to go unnoticed? The 'use people up' mentality of the current corporate culture is creating an adversarial relationship, so no wonder these things happen. Maybe if companies started thinking about more than the bottom line but also about people they would do a little better.

Another reader expanded on that theme:

Perhaps another thing companies should do is treat their employees in such a manner that doesn't inspire revenge plots. Rather than turning themselves into the corporate version of the TSA, maybe these companies should ask themselves what they have done that inspires such malevolent action against them by people they considered their best employees.

I've been around long enough to have seen that there are plenty of IT workers out there who are bitter and vengeful. Many of them have legitimate gripes, and many don't. Regardless, illegal or unethical behavior on the part of any IT employee is inexcusable.


That said, a lot more corporate soul-searching needs to be done. As these readers pointed out, adversarial relationships are unhealthy, and companies need to be much more willing to consider how their actions impact the lives of their employees, and how those actions might compel their employees to engage in uncharacteristic behavior.


One more thing. I had a reason for calling this blog, "From Under the Rug." Way too much is swept under there, including accounts of rogue IT employees, and it needs to be brought out into the open. There is no shame in having an employee who goes bad. But an unwillingness to allow others to learn from that experience reflects poorly on any employer that could otherwise help prevent such harm.

Add Comment      Leave a comment on this blog post
Jan 19, 2011 2:38 AM RayJ RayJ  says:

Where is the CIO in all this? That person is the CEO/President's chief IT advisor and is responsible for pointing out the senior executive the possible consequences of such things as "using up people". As well, the CIO is the responsible one to ensure controls, etc. exist to mitigate adverse IT employee behaviour.   

Jan 19, 2011 12:18 PM KML KML  says:

If you are in a customer service oriented field (who isn't) it can affect your client's perception of you as a trusted company. We had an IT worker go postal and almost destroy our firm. Investigation showed a lengthy history of criminal acts and instability. Sometimes you just don't know. Police said if we saw where he lived we would never have hired him. I ask now who conducts home investigations as part of a background check? It was an incredibly painful experience that we are still recovering from. The nature of the position requires a level of trust that few, if any, could live up to.

As an industry, more safeguards should be created to minimize the single controls by IT professionals. There should be passwords and a second trusted administrator (that has to be verified) set up for each account / access so that if there is a situation the second person still has access and can shut out the first. This is the only way to stop the control IT workers have over environments that can be used to wreak havoc.

Jan 20, 2011 5:36 AM mataj mataj  says:

CERT's Common Sense Guide, quoted by the articles:

Everything is nicely categorized in there (table on page 25, for example), but I miss one, fairly importand category: Crimes perpetrated by computer security experts. They certainly have a lot of opportunity to commit crime. Common sense guide advises bacground checks for everyone. Yeah, fine, but who's going to background check the background checkers? How can you be sure, that organization doing the background checks isn't itself operated by some criminal gang? Identity theft, personal information peddling, infiltration of IT organizations using bogus background cheks... why not?

At the end, it all boils down to professional attitude towards one's job, and fair play between employer and employees. Alas, all that was thrown out of the window thanks to the botched introduction of Taylor's Scientific Management in IT during the dotcom boom era. And now, the only thing we can do about it is to search for an answer to the age old question: "Who watches the watchmen?"

Jan 26, 2011 11:02 AM mataj mataj  says:

I fully agree with this response to the ComputerWorld article

The worst security threat are icompetent managers.


Post a comment





(Maximum characters: 1200). You have 1200 characters left.



Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.