Insider Activity – Employee Sabotage and Pre-Emptive Disaster Recovery

Release date: August 2002

Ask the owner of any company about security and they will reel off a check list ranging from firewalls and anti-virus software to the locks and burglar alarms for their buildings. Yet it does not occur to them that their most trusted asset – their employees – could be more deadly than the most dangerous virus. It is often said that a company is only as strong as its weakest link and in the majority of cases, this weakest link will be their employees. When threatened, employees can be prone to irrational actions, and consequently the most reliable, hard-working, dedicated employee has the potential to turn into an ‘insider’, intent on revenge and sabotage.

In 1996 Timothy Lloyd planted a logic bomb in Omega Engineering's network after discovering that he was going to be fired. The results were overwhelming, causing an estimated $12 million in damages to Omega's systems and networks. The company was forced to make 80 employees redundant and it cost a leading electronics firm its position in a competitive marketplace. This may sound like an extract from a Hollywood film, but it was not a one-off occurrence. Many businesses are victims of their own employees deliberately acting against the best interests of the company.

The behaviour of these ‘insider’ saboteurs can range widely. A member of the IT team may use their intimate knowledge of the systems to bring the company to its knees by ‘crashing’ servers, destroying back-up tapes or, like Timothy Lloyd, planting logic bombs. Non-IT employees, on the other hand, could steal a colleague’s laptop or hard drive containing essential sales data, or delete mission-critical information or documents, either to further their own career or to wreak revenge on their management team.

The stigma attached to employee sabotage means that many businesses will never admit to this happening within their walls. William Malik, Vice President and Research Director for the Gartner Group, said, “Most firms would rather go public with the news that their Chief Executive Officer was an active alcoholic, than the news that there was an insider security problem.” As a result, regardless of industry or size of the company, employees the world over are holding their bosses to ransom and threatening to destroy their businesses.

Why Does This Happen?

Working practices over the past fifteen years have changed dramatically: a job for life no longer exists, no matter how dedicated the employee is to the company. This shift in mindset is exacerbated by an economic climate where companies have to dramatically cut costs and make staff redundancies in order to stay afloat. Consequently these measures, combined with decreasing job security, the use of outside consultants and general outsourcing, all result in a destabilisation of an employee’s working environment. These factors can be intensified by a lack of internal communication and an apparent disregard for those involved, creating the impression that those running the businesses are hostile to the needs of their employees. This all-too-familiar chain of events can sometimes lead to irrational actions against those in positions of authority and increases aggressive internal competitiveness within the company, leading to an isolationist atmosphere of “them and us.”

Regardless of previous behaviour and background, any employee has the potential for ‘insider’ behaviour. Their triggers can range from desperation to succeed (at whatever the cost) to revenge at being made redundant or being given little recognition (whether career-led or financial).

Eric Shaw, a clinical psychologist and Director of Research at Political Psychology Associates Ltd, defined six types of ‘insider’ that could be deemed a threat to a company: the ‘Explorer’, ‘Samaritan’, ‘Hacker’, ‘Avenger’, ‘Machiavellian’ and ‘Exception’.

‘Explorers’ are the most innocent ‘insiders’, and the category applies to both technical and non-technical employees. These people, as a result of sheer curiosity, unknowingly commit violations or delete items while exploring the system.

‘Samaritans’ tend to be technical and believe that, despite illegally hacking into systems and fixing errors, they are doing this for the benefit of the company. This naivety can be turned against the management if their position within the company is threatened.

‘Hackers’ are those who continue to hack into internal systems once hired by a company. A sub-group of this category is known as ‘Golden Parachuters’. Like Timothy Lloyd, this type of ‘insider’ installs logic bombs in systems to act as ‘job insurance.’ When their activities are discovered, these will then be defused in exchange for severance options or will be detonated once the employee has left the company.

‘Avengers’ are the typical disgruntled employees who have suffered from career setbacks, such as failing to receive a raise or promotion or have been made redundant. As a result of this, they decide to take matters into their own hands with their actions ranging from the odd document being deleted to rendering a server useless and deleting back-up files. In extreme cases, confidential information is either leaked to the public or taken to competitors.

‘Machiavellian’ ‘insiders’ use malicious activities to further their career, whether it is planting logic bombs as bribery or stealing a colleague’s hard drive. Such actions tend to be triggered by colleagues or competitors within the company rather than the company or management itself. For example, this is prevalent in the cut-throat life of the sales team, where jobs and positions depend upon their targets and figures.

‘Exceptions’ tend to be affected when a series of events make them feel that they are not being appreciated for the work that they have been doing. These tend to be long-serving employees with a background of dedication to the company. The actions of an ‘exception’ ‘insider’ range from being deliberately difficult when working with others and not providing essential information, to deleting documents and taking advantage of email and web access, using them “in lieu of a decent wage.”

What Can Be Done?

There are two problems where employee sabotage is concerned. In the current economic climate, it is impossible to avoid antagonising employees with decisions that are essential to secure the stability and future of a business. There is also the stigma that is associated with ‘insider’ sabotage. Admitting that a trusted employee has been working against the company can damage both internal and external reputations and trust. In addition, the internal reaction towards this phenomenon can also be detrimental for morale – no-one likes to think that the person they are working with is actually working against them.

Employee sabotage cannot be prevented, but a well-placed disaster recovery programme can pre-empt the disruptive effects of such attacks. The main aim of any ‘insider’ is to disrupt the company enough to cause permanent damage. This usually involves cutting off access to, or destroying, data. An insufficient back-up plan, relying on solutions such as tape that could either be destroyed or tampered with, could prove to be the deciding factor in whether a business can bounce back from an attack or be irreparably damaged. By ensuring that a comprehensive off-site data back-up plan is in place, where information is automatically saved away from the business via the Internet, with minimal human intervention, company property will be safe from attacks by the likes of ‘exception’ and ‘avenger’ ‘insiders’. Consequently, if an attack does occur, the data can be restored within minutes even if the on-site systems are in jeopardy.

In conclusion, it is impossible for a company to have a ‘trust no one’ strategy towards its employees. The possibility of an internal attack is always going to be an issue. However, being aware of the potential problem is, for many companies, the hardest part of the battle. At the same time, adopting a more philanthropic attitude towards employees, especially during a restructuring period, might defuse the possible threats of employee sabotage. Taking this strategy and combining it with an all-encompassing off-site data back-up plan will ensure that the IT assets that a saboteur intends to destroy, and the business itself, are kept safe.