
Article information

  • Title: Inside Job
  • Author: David Howard
  • Journal: Ziff Davis Smart Business
  • Print ISSN: 1535-9891
  • Publication year: 2002
  • Volume: March 2002
  • Publisher: Ziff Davis Media Inc.

Inside Job

David Howard

Cross America's Most Wanted with Revenge of the Nerds and this is what you get: a 32-year-old man who deleted data from GTE's multistate computer network and tried to thwart attempts to recover the files; a teacher who used a Queens College computer to disable systems at Internet Trading Technologies; a saboteur who planted a "code bomb" that wiped out Omega Engineering's design and production programs—an attack that cost $10 million in lost contracts and productivity.

The common thread? Each of these cybercriminals once drew a paycheck from his victim.

The corporate world is largely fixated on threats presented by terrorists and increasingly sophisticated hackers, but experts say that damage often comes from within—from disgruntled employees or recently laid-off workers who still have access to, or intimate knowledge of, company systems. "It's the dark side of business, but it's something people really need to think about," says Tom Harvey, president and CEO of Assurex Global Services, a consortium of commercial insurance agencies. "The data we have is mostly anecdotal, but we've seen enough to know that this is a real danger. It's like the old Pogo cartoon: 'We have met the enemy, and he is us.' "

In a 2001 joint survey of 538 companies by the Computer Security Institute and the FBI, almost half reported cases of "unauthorized access by insiders," and a sobering 91 percent reported employee abuse of network and Internet privileges. Richard Power, CSI's editorial director, wrote in the survey's summary that while the threat of outside hackers is rising, "the potential damage that one insider can cause could be devastating, whether to the future of a single corporation or an entire people."

LOCKDOWN

How can you avoid becoming a victim of cyber-rage? Tips from the top computer-security experts:

  • Develop policies. Every company should have a formal process for eliminating computer access for employees who leave the company.
  • Create safety valves. Build a network that is compartmentalized like a ship's holds, so if someone gains access illegally, they get to only part of the system.
  • Look for early trouble signs. An employee trying to access parts of the network that are off-limits could signal a problem.
  • Ask partners to review their security. Some well-guarded networks get attacked through their less-vigilant partners.
  • Screen content. Create a process for reviewing all content before it can be posted to the company Web site.
  • Cover your assets. Review insurance policies and make sure the company is covered in case of an attack.

No Company Is Safe

Hyperbole? Maybe. But the threat from workers past and present encompasses myriad acts of sabotage, including the theft of secrets. Robert Hanssen, the FBI computer programmer accused of pilfering secret files to sell to Russia, demonstrated that even the most security-conscious organizations are vulnerable.

The stakes have risen significantly since the days when a peeved ex-employee's idea of revenge was to send a dozen pizzas to the CEO's office—today's networked computers give individuals global reach. The CSI/FBI report indicates that among the companies reporting losses, the average cost of a case of sabotage was just over $2 million—and that's not counting residual damage in relationships with customers and business partners. That's an expensive proposition, especially during an economic downturn.

Experts agree that the roller-coaster economy has contributed to the situation. In the scramble to grow during the Internet boom, securing company assets was the last thing on execs' minds. "It was all about, 'Can we hire 1,000 people in the next three months?' " says Paul Gigg, CEO of Access360, a security firm that specializes in managing access to computer systems. "People were doing less screening, fewer interviews, and fewer background checks."

When companies started handing out pink slips, that became a potential problem. "These are insiders, so they know exactly where stuff is—not like hackers who are poking around trying to find something," Gigg says. "There's no protection there, from the firewall or anything else. And a lot of companies aren't provisioning just their own employees with access, but also business partners' employees."

Companies often unwittingly allow former employees to retain access to mainframes, databases, file servers, intranets, and e-mail even after leaving the company. Gigg says he had access to "ghost accounts" that had not been properly retired by two former employers for several months after his departure.

The results aren't always apocalyptic. In some cases, an ex-employee intends only to embarrass, and those situations can be easily avoided. "In an economy where it's common to downsize, allowing people to post whatever they want to the company Web site is not a good idea," says Rik Farrow, who teaches a CSI course on computer attacks and countermeasures.

Fence Me In

But a growing number of companies—especially in the airline, banking, and law industries—are looking for ways to foil would-be saboteurs. Waveset Technologies offers a free Inactive Account Scanner that helps companies seek out and eliminate dormant log-ins. Access360 and VeriSign teamed up to create a program that tracks employees' movements within a firm and eliminates their access when their names disappear from payroll or human resources databases. The technology is due later this year.
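As an added illustration (not from the article or from any vendor it names), the reconciliation described above can be written as a check of enabled accounts against the current HR roster, combined with a last-login age test. The field names, the 90-day threshold and the sample records are assumptions constructed for this example.

```python
from datetime import date, timedelta

# Constructed sample data: employee IDs currently on the HR roster, and an
# export of directory accounts with owner and last successful login.
HR_ACTIVE = {"E1001", "E1002", "E1004"}
TODAY = date(2002, 3, 1)
ACCOUNTS = [
    {"login": "akhan", "employee_id": "E1001", "enabled": True,
     "last_login": date(2002, 2, 27)},
    {"login": "bnguyen", "employee_id": "E1002", "enabled": True,
     "last_login": date(2001, 10, 3)},
    # Owner has left the roster but the account is enabled and still in use.
    {"login": "cortiz", "employee_id": "E1003", "enabled": True,
     "last_login": date(2002, 2, 20)},
    # Shared or service account with no accountable owner on record.
    {"login": "svc_backup", "employee_id": None, "enabled": True,
     "last_login": None},
    {"login": "elee", "employee_id": "E1005", "enabled": False,
     "last_login": date(2001, 6, 1)},
]


def audit_accounts(accounts, hr_active, today, dormant_after_days=90):
    """Return {login: finding} for enabled accounts that need review.

    ghost   - owner is no longer on the HR roster (highest priority)
    unowned - no employee ID recorded, so nobody is accountable for it
    dormant - owner is current, but no login within the threshold
    """
    cutoff = today - timedelta(days=dormant_after_days)
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already retired, nothing to revoke
        owner = acct["employee_id"]
        if owner is None:
            findings[acct["login"]] = "unowned"
        elif owner not in hr_active:
            findings[acct["login"]] = "ghost"
        elif acct["last_login"] is None or acct["last_login"] < cutoff:
            findings[acct["login"]] = "dormant"
    return findings


if __name__ == "__main__":
    for login, finding in sorted(audit_accounts(ACCOUNTS, HR_ACTIVE, TODAY).items()):
        print(f"{login}: {finding}")
```

A ghost account with a recent login, like `cortiz` here, would pass a dormancy-only scan, which is why the HR roster comparison is checked before the last-login age.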

On a broader scale, Virginia-based TruSecure conducts companywide security audits to help businesses identify risks and reduce vulnerabilities through the managed security service it offers.

Even after a security checkup, it's still advisable to sleep with one eye open. Counterpane Internet Security helps you do just that. By installing a monitoring device in its clients' networks, the Silicon Valley–based company can catch saboteurs in midhack. Counterpane personnel watch for any unusual transmissions, like multiple failed login attempts. "If anything untoward is taking place, we can see it and call them up and tell them how they can take care of it," says executive VP John Bruce. The firm, created in 1999, has about 200 clients.

And because no security is 100 percent effective, it may be worth looking into insurance policies that cover business interruption, unauthorized access, viruses, and even extortion.

Experts suggest that companies coordinate IT and human resources staffs to come up with security policies, especially if they're laying people off. "Companies often look to their IT people, but they'll all tell you there's no such thing as a 100 percent foolproof system," Harvey says. "We're more and more vulnerable in areas like how we use the Web."

Given that, some say it's surprising how few companies still take security seriously. "If an employee is disgruntled, he won't need a degree in computer science to do damage," Bruce says. "Everybody understands about security, but in a lot of cases something has to happen very close to home for them to really get it."

Copyright © 2004 Ziff Davis Media Inc. All Rights Reserved. Originally appearing in Ziff Davis Smart Business.
