Separating duties can be a particularly tough challenge for companies with small IT staffs, Linkous acknowledges. He suggests that small companies monitor everything, including logs, network traffic and system configuration changes, and have the results evaluated by someone other than the systems administrator and his direct reports. Most important, he says, is letting IT people know that they are being watched.
Second, the company failed to do a thorough background check when it hired Ed. In CERT's research, 30% of the insiders who committed IT sabotage had a previous arrest. In fact, any kind of false credentials should raise a red flag. Although the company had done a criminal background check on Ed (which was clean), it did not verify the credentials on his résumé, some of which were later found to be fraudulent. (He did not, for example, have the MBA that he claimed to have.)
Third, Ed's personality could have been viewed as a red flag. "He seemed to believe that he was smarter than everyone else in the room," says Linkous, who met Ed face-to-face by posing as an ERP vendor before the sting operation. Ed's arrogance reminded Linkous of the infamous Enron executives. "He was extremely confident, cocky and very dismissive of other people."
CERT has found that rogues often have prickly personalities. "We don't have any cases where, after the fact, people said, 'I can't believe it -- he was such a nice guy,'" says Cappelli.
Outsourcing Incenses Employee
"Sally," a systems administrator and a database manager, had been with a Fortune 500 consumer products company for 10 years and was one of its most trusted and capable IT workers, according to Larry Ponemon, founder and chairman of the Ponemon Institute, an IT security research firm.
She was known as a pinch hitter -- someone who was able to help solve all kinds of problems. For that reason, she had accumulated many high-level network privileges that went beyond what her job required. "There is this tendency to give these people more privileges than they need because you never know when they'll need to be helping someone else out," says Ponemon.
She sometimes worked from home, taking her laptop, which was configured with those high-level privileges. The company's culture was such that IT stars like Sally were given special treatment, says Ponemon. "The IT people made an end-run around certain policies," he says. "They could decide what tools they wanted on their systems."
But when the corporation decided to outsource most of its IT operations to India, Sally didn't feel so special. Although the company had not yet formally notified the IT staff, says Ponemon, it was obvious to IT insiders that time was running out for most of the department's employees.
Sally wanted revenge. So she planted logic bombs that caused entire racks of servers to crash once she was gone.
At first, the company had no clue what was going on. It switched to its redundant servers, but Sally had planted bombs in those as well. The company had a hard time containing the damage because it didn't follow any apparent rhyme or reason. "A malicious employee [who's] angry can do a lot of damage in a way that's hard to discover immediately and hard to trace later," Ponemon notes.
Eventually, they traced the sabotage to Sally and confronted her. In return for Sally's agreement to help fix the systems, the company did not prosecute her. In addition, Sally had to agree never to talk publicly about the incident. "They didn't want her going on Oprah and talking about how she broke the backbone of a Fortune 500 company," says Ponemon.
The cost: The estimated total cost to the company: $7 million, which includes $5 million in opportunity costs (downtime, disruption to business and potential loss of customers) and $2 million in fees for forensics and security consultants, among other things.
Preventive measures: What did the company do wrong? First, the incident is a classic example of "privilege escalation," which is what happens when privileges are granted to an individual to handle a specific task but are not revoked when the person no longer needs them, says Ponemon.
Second, an entitlement culture led to no separation of duties and very little oversight of IT. Because of that, management missed an important red flag. After the incident, the company discovered that Sally had "lost" 11 laptops over the previous three years. The help desk staff was aware of this, but no one ever reported it to management, partly because of Sally's status in the organization. Nobody knows what she did with those laptops; it could be that she was just careless -- but "that's a problem in and of itself if you're a systems administrator," Ponemon observes.
Third, given the tense atmosphere created by the outsourcing decision, the company should have been more vigilant and more proactive in monitoring potentially angry employees.
Even if you haven't announced anything to your employees, it's a mistake to think they don't know what's going on, says Ponemon. "The average rank-and-file [worker] knows within a nanosecond of when the CEO signs the [outsourcing] contract," he says. If you aren't already monitoring your IT people, now is the time to start. For best results, kick off the program with a very public pronouncement that you are now monitoring the staff.
According to CERT, many cases of sabotage are the result of a disgruntled employee committing an act of revenge. And such acts can happen in the blink of an eye, as the next story illustrates.