Chief security officers say it's very difficult to protect business-technology systems from trusted employees. "If someone on the inside is brazen enough, there's not much you can do. You've got to trust people," says a security officer at a major financial-services firm.
There have been plenty of examples in recent months of insiders and former employees committing computer crimes. Just last month, federal investigators said they thwarted the largest identity-theft ring in U.S. history. It was led largely by a person who had access to customer credit reports and reportedly victimized more than 30,000 people, with losses expected to exceed $2.7 million. In September, a San Dimas, Calif., man pleaded guilty to illegally accessing the computer systems of his former employer to gain competitive advantage after taking a job with a rival company.
Duronio is accused of damaging files at UBS PaineWebber with a logic bomb.
"Companies aren't spending enough, or doing enough, to protect their systems," says Mark Rasch, former head of the Justice Department's computer crimes unit and senior VP and chief security counsel for security vendor Solutionary Inc. "It's still mostly just talk. The bad news is it's going to take a catastrophic event" to get companies to take security seriously, and Rasch believes that such an event "is going to happen."
And it may be caused by insiders, those who know a company's systems and weaknesses and can inflict serious damage. It takes solid technology, tough policies, and tight control over systems changes to protect a company's electronic assets from malicious employees, security experts say.
"It's a matter of strong change control," says Peter Tippett, vice chairman and chief technologist for security-services company TruSecure Corp. "When it comes to administrators with access to servers, you have to have them watch each other. It should take two administrators present for any changes to the system." All server changes need to be logged to separate systems that the administrators can't access and change, Tippett says. "You start doing that, and they'll know they'll get caught. It's a deterrent."
That advice looks good on paper, says the chief security officer at a consumer-goods manufacturer in New Jersey. "I barely have the staff to keep up on maintenance and patches," he says. "I can't afford to have two administrators at every server for every update."
Still, it might be cheaper than dealing with the damage caused by a disgruntled staffer or former employee. While no company can totally protect its systems, especially from insiders, aggressive policies can cut the risk. "It will still happen from time to time," Tippett says. "But you can greatly reduce the likelihood."