Sometimes, You Should Ask and Tell

Spotting suspicious behavior -- and reporting it -- is the key to stopping insider attacks

1:15 PM -- A hundred years ago, before I turned journalist, I worked in PR for a large telecommunications service provider. It was a typical, large corporation, with a whole culture of its own -- and plenty of "secrets" that a lot of people knew.

The first director of my department was escorted out by security guards after being nailed on sexual harassment charges. The guy who replaced him was married, but he used to go on long, expensive "business trips" with a young woman from a nearby department, who bragged to her friends about being a "kept woman."

One of the guys who worked in my group was fired for stealing computers from the company. Our vice president of sales (also married) was spotted doing, um, some very un-businesslike things with his administrative assistant -- in his open, glass-walled office on mahogany row.

My point is that at any big company, there are lots of worrisome things going on around the office that people see or know about, yet never report. They gossip and exchange stories, but they seldom tell anyone "officially" about illicit -- even dangerous -- changes in behavior that are happening right before their eyes.

Having worked in an environment like that, it actually didn't surprise me last week when Gary Min, a chemist at DuPont, was caught stealing $400 million worth of intellectual property from his company. (See Insider Tries to Steal $400 Million at DuPont.)

My guess is that a lot of people noticed when he walked out of the building carrying stacks of documents (enough to fill his house, a separate apartment, and a rented storage bin) which turned out to be confidential. And I'll bet lots of people in his group noticed that he was working extra long hours at his computer, yet didn't seem to be getting any additional work done.

I'd guess that lots of people saw Min's changes in behavior, but nobody reported them. People in an office often feel it's not their business to report such things -- nobody wants to be a fink.

But if you talk to any security expert, they will tell you that spotting unusual or suspicious behavior is one of the keys to preventing insider threats. (See 10 Signs an Employee Is About to Go Bad.) When an employee radically changes his hours of work, shows a marked change in mood, or otherwise behaves unusually, it's often a sign of trouble. And unhappy employees are the ones most likely to steal or intentionally damage corporate data.

Officials at one large company spotted suspicious behavior by one of its executives and did something about it. They hired Steve Stasiukonis -- a penetration tester who specializes in social engineering and a columnist here at Dark Reading -- to track the employee's online behavior and find out what he was doing. In the end, the executive was caught red-handed, though not without a fight. (See Let's Wrestle for It.)

The moral of the story is that companies need to change their "don't ask, don't tell" culture regarding internal behavior, just as they need to be more willing to challenge external visitors who come into their buildings. As one of our readers noted on our message boards, IT and physical security people can't always see changes in employee behavior. Only those who work closely with the employee can.

No, it's no fun to be a fink. And it isn't necessary to report every employee who shows up late for work or makes off with an extra box of paper clips. But if you see serious changes in a fellow employee's behavior, or find them with data that doesn't relate to their jobs, it's worth asking a few questions.

I'll bet the people who worked with Gary Min wish they had.

— Tim Wilson, Site Editor, Dark Reading