Q&A With Imprivata's David Ting: Protecting Your Company From Insider Threats
As more businesses undergo layoffs, disgruntled employees -- including a lot of tech-savvy ones -- are looking for ways to exact revenge by sabotaging systems and stealing data. But there are ways to protect your company, and they involve a keen awareness of your IT.
When a fired Fannie Mae engineer allegedly planted a server bomb at his former employer, it had the potential to erase all data and backup data, among other disasters. As we dive deeper into this recession, more layoffs are likely and, with that, more disgruntled ex-employees with an ax to grind. And tech-knowledgeable people are capable of wreaking all sorts of havoc. "Anything you can think that's malicious, it's been done," said David Ting, chief technology officer at Imprivata, a 100-employee authentication and access management company. He noted that there are insider break-ins all the time at companies, but they're just not as publicized as the Fannie Mae incident -- which means your business is probably more vulnerable than you suspect.
White PapersMore >>
bMighty: What's the mood among small and midsize businesses today?
David Ting: Small and midsize businesses are terrified that their company name will be dragged into the presses because of data breaches and blatant IT attacks. As we shed employees, we leave a door unlocked. Medical records could get leaked, and credit information could get stolen. Small and midsize businesses don't have budget expenditures larger companies have, so they worry more about things they aren't doing.
In this down economy, people are paying more attention to policies and procedures: Do I have control over my accounts? The question Imprivata asks is, do you have more IT accounts than you do employees? You'd be surprised how many -- sometimes twice as many. But companies don't always know what they can lock down. Until you get to a smaller ratio of accounts to employees, you don't have your house in order.
Don't Miss: When Employees Leave, Make Sure They're Gone
The days when IT could control everything -- that's gone. We lost that battle as soon as we started using hosted applications. IT gets to host certain servers, but applications are now managed by administrators, and people are further at the edge of the business.
bMighty bSecure is a virtual event designed to help your company stay secure in the most cost-effective way possible. bMighty and InformationWeek editors will bring together SMB security consultants, analysts, and other experts, along with real IT execs and users from small and midsize companies to share the secrets of keeping your company secure without breaking the bank.
Many chief information officers worry about whether employees are trustworthy. Has downsizing hurt morale and led employees to do vengeful acts? Because sometimes current employees feel destructive. And IT-savvy employees can wreak huge amounts of damage. So IT now becomes the lifeblood of your company -- take that down, and you can wreak huge amounts of damage.
bMighty: What threats do smaller companies face?
Ting: These are classic examples:
- Malicious, outright fraud of property that results in monetary exchange so people can get into accounts.
- Theft of intellectual property, in which technically savvy individuals know where information is, such as customer lists and formulations kept under wraps. They can give that to competitors.
- Sabotage and revenge. Sabotage is perpetrated by someone with knowledge about IT structure. Their motives include that they believe their net worth is higher: "I've been slighted for a promotion. Look how important I am!" Or they're dismissed for some other reason. They launch an all-out attack on the company. Administrators passed over for promotions have planted logic bombs to destroy critical systems. In some cases they've issued checks to relatives, scientists have cleaned out entire databases of formulations, and famous sport stars who've gone in for treatments have had their information sold -- anything you can think that's malicious, it's been done.