While hacking by outsiders is posing a larger and more significant threat to companies of all sizes, the threat of insider jobs – particularly by disgruntled former employees – is often a bigger one.
These attacks, carried out with malicious intent to hamstring a company’s operations, can cause serious problems. Take, for example, the following recent events:
- A former employee of Spellman High Voltage Electronics Corp. is facing charges after he resigned, allegedly because he was passed over for a promotion, and employees then began reporting that they were unable to process routine transactions and were receiving error messages.
The mayhem cost his former employer more than $90,000, and he was arrested. “The defendant engaged in a 21st-century campaign of cyber-vandalism and high-tech revenge,” said Loretta Lynch, the United States attorney for the Eastern District.
- A former employee of McLane Advanced Technologies was sentenced to 27 months in prison and ordered to pay $35,816 in restitution after pleading guilty to hacking into McLane’s systems and deleting payroll files to the point that staff could not clock in and the company could not issue payroll checks. He was upset after the company had fired him and then refused to help him obtain unemployment benefits.
With these cases in mind, there are internal steps you can take to avoid this sort of thing happening at your company, including:
Route all offsite access through a VPN — This can typically prevent someone from entering your system altogether. But once you have such a system in place, all outside connections need to be logged and monitored for suspicious activity.
Test your disaster recovery plan — You need to have a disaster recovery plan in place that includes backing up data every day, just in case someone deletes data from your servers. That way, if data is deleted you can immediately switch to a backup IT environment. Oftentimes, organizations do disaster recovery, but unless they practice the actual recovery, they don’t know if it will work, and it doesn’t matter whether they have a physical or a virtual environment. So, don’t forget to test any plans you have.
Block unapproved software — Sometimes your employee hackers will install extra software that makes it easier for them to root through your system and create havoc. You should have systems in place that do not allow anybody to install unapproved software.
Disable ex-employee accounts and passwords — Whenever an employee or contractor ceases to work at your business — or in the case of layoffs, beforehand — disable their network access, accounts and passwords.
Block root access to everything — Well-run IT shops always block direct, root-level (for Unix) or admin-level (for Windows) access to critical systems. They do this because they know that giving IT employees too much access is an invitation to commit abuse. Accordingly, give users unique passwords to systems and restrict what they can access. Assigning individual passwords to employees also makes it much easier to revoke them, and to monitor how they’re being used.
Make suspect behavior cause for concern — Watch for human-behavior warning signs, such as complaining to others about the company or spending more time than usual accessing company data on your network. Develop a response plan for when such signs are spotted.
Beware resignations, terminations — Most people who steal intellectual property or destroy systems do so within 30 days of resignation. Keep a close eye on departing or departed employees, and what they viewed. If someone resigns who has had access to your most sensitive company information, including trade secrets, you need to pay special attention to ensure it’s not compromised.
Marshal forces — Businesses that prepare for attacks in advance tend to better manage the aftermath. When it comes to combatting cases of suspected insider threat, include human resources, supervisors, upper management, security, legal and your IT crew in developing a company-wide plan.
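
The VPN-logging, account-disabling and 30-day-departure steps above can be combined into one routine check. The sketch below is an added example, not part of the original article: it cross-references VPN login records against an HR departure list and flags logins after an account should have been disabled, plus logins inside the 30 days before the last working day. The log format, usernames, dates, finding labels and the reading of "within 30 days" as a window before the last day are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data: the log format, usernames and dates are invented.
VPN_LOG = """\
2024-03-01T08:58:12 vpn-gw login user=akhan src=203.0.113.10
2024-03-04T23:41:07 vpn-gw login user=bcole src=198.51.100.7
2024-03-20T02:15:44 vpn-gw login user=bcole src=198.51.100.7
2024-03-21T09:02:30 vpn-gw login user=dlee src=192.0.2.55
2024-03-22T10:00:00 vpn-gw keepalive
"""

# Hypothetical HR export: username -> last working day (None = still employed).
DEPARTURES = {"akhan": None, "bcole": "2024-03-15", "dlee": "2024-04-10"}

WATCH_WINDOW = timedelta(days=30)


def parse_logins(log_text):
    """Yield (timestamp, user, source) for each login line; skip other lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "login":
            continue
        fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
        if "user" in fields:
            yield datetime.fromisoformat(parts[0]), fields["user"], fields.get("src", "?")


def review_vpn_logins(log_text, departures, window=WATCH_WINDOW):
    """Return findings for logins by departed or soon-to-depart accounts."""
    findings = []
    for ts, user, src in parse_logins(log_text):
        last_day = departures.get(user)
        if last_day is None:
            continue
        # Access ends at the close of the last working day.
        cutoff = datetime.fromisoformat(last_day) + timedelta(days=1)
        if ts >= cutoff:
            findings.append((user, ts.isoformat(), src, "ACCOUNT_NOT_DISABLED"))
        elif ts >= cutoff - window:
            findings.append((user, ts.isoformat(), src, "DEPARTURE_WINDOW"))
    return findings


if __name__ == "__main__":
    for finding in review_vpn_logins(VPN_LOG, DEPARTURES):
        print(*finding)
```

An `ACCOUNT_NOT_DISABLED` finding means the offboarding step failed and the account needs to be disabled immediately; a `DEPARTURE_WINDOW` finding is only a prompt to review what that user accessed.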