A Firing Gone Wrong
When this Fortune 100 company upgraded its security, it made a nasty discovery. One of its senior system admins, who had been there at least eight years, had surreptitiously added a page to the company's e-commerce website. If you typed in the company URL followed by a certain string of characters, you got to a page where this admin, whom we'll call "Phil," was doing a brisk business selling pirated satellite TV equipment, primarily from China, according to Jon Heimerl, director of strategic security at Solutionary, a managed security services provider hired to address the problem.
The good news: Improved security caught the perpetrator. The bad news: Management botched the firing process, giving him an opportunity to take a parting shot.
Itself a retailer in high-tech equipment, the company wanted to get rid of Phil and his website as quickly as possible because it feared lawsuits from satellite equipment manufacturers. But while Phil's manager and security staffers were on their way to his office, a human resources representative called Phil and told him to stay put. Heimerl isn't sure exactly what the HR person said, but it was apparently enough for Phil to guess that the jig was up.
Already logged in to the corporate network, he immediately deleted the corporate encryption key ring. "As he was hitting the Delete key, security and his manager showed up and said, 'Stop what you're doing right now, and step away from the terminal,'" according to Heimerl. But it was too late.
The file held all the encryption keys for the company, including the escrow key -- a master key that allows the company to decrypt any file of any employee. Most employees kept their own encryption keys on their local systems. However, the key ring held the only copies of encryption keys for about 25 employees -- most of whom worked in the legal and contracts departments -- and the only copy of the corporate encryption key. That meant that anything those employees had encrypted in the three years since they had started using the encryption system was permanently indecipherable -- and thus virtually lost to them.
The cost: Heimerl hasn't calculated how much money the incident cost the company, but he estimates that the loss of the key ring file amounted to about 18 person-years of lost productivity -- a figure that takes into account both the work that went into creating files that are now permanently encrypted and the time devoted to re-creating materials from drafts, old emails and other unencrypted documents.
Preventive measures: Looking only at what happened after the rogue website was discovered, Heimerl says the company made two crucial mistakes. It should have cut off Phil's access the moment his activities came to light, before anyone contacted him. And management left itself exposed by keeping no secure backup of critical corporate information. (Ironically, the company thought the key ring was so sensitive that no copies should be made.)
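As an added example (not from the article, and not the company's or Solutionary's code), the model below shows why the deletion was unrecoverable for some employees and not for others, and what a backup changes. It assumes an escrow layout the article only implies: every document is encrypted under its own data key, and that data key is stored twice, wrapped once to the owner's key and once to the escrow key. The SHA-256 keystream with an HMAC tag stands in for a real cipher so the example runs on the Python standard library; it is not a secure cipher. The threshold-split backup (Shamir secret sharing) goes beyond what the article describes: it is the editor's answer to the objection that the key ring was too sensitive to copy, since no single custodian then holds a complete copy of it.

```python
# Added example, not from the article or the companies involved. It models the
# escrow design the story implies (each document has its own data key, wrapped
# to the owner's key and to the corporate escrow key), replays the deletion, and
# adds a threshold-split backup as the editor's suggestion. The SHA-256
# keystream + HMAC "cipher" is a stdlib stand-in, NOT a secure cipher.
import hashlib
import hmac
import secrets

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || HMAC tag; the tag makes a wrong key detectable."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or corrupted blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def encrypt_document(owner_key: bytes, escrow_key: bytes, plaintext: bytes) -> dict:
    """Wrap the per-document data key twice: an owner slot and an escrow slot."""
    data_key = secrets.token_bytes(32)
    return {"body": seal(data_key, plaintext),
            "wrapped": [seal(owner_key, data_key), seal(escrow_key, data_key)]}

def decrypt_document(doc: dict, key: bytes):
    """Return the plaintext if `key` opens any wrapped data key, else None."""
    for blob in doc["wrapped"]:
        try:
            return unseal(unseal(key, blob), doc["body"])
        except ValueError:
            continue
    return None

# Shamir secret sharing over GF(2^8): a backup of the escrow key can exist
# without any single complete copy of it existing.
def _gf_mul(a: int, b: int) -> int:
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B                      # AES polynomial x^8+x^4+x^3+x+1
        b >>= 1
    return p

def split_secret(secret: bytes, k: int, n: int) -> list:
    """n shares (x, bytes); any k rebuild `secret`, fewer reveal nothing."""
    polys = [[byte] + list(secrets.token_bytes(k - 1)) for byte in secret]
    shares = []
    for x in range(1, n + 1):
        ys = bytearray()
        for coeffs in polys:
            y = 0
            for c in reversed(coeffs):      # Horner evaluation at x
                y = _gf_mul(y, x) ^ c
            ys.append(y)
        shares.append((x, bytes(ys)))
    return shares

def recover_secret(shares: list) -> bytes:
    """Lagrange interpolation at x = 0; subtraction is XOR in GF(2^8)."""
    xs = [x for x, _ in shares]
    out = bytearray()
    for i in range(len(shares[0][1])):
        acc = 0
        for j, (xj, yj) in enumerate(shares):
            num = den = 1
            for m, xm in enumerate(xs):
                if m != j:
                    num, den = _gf_mul(num, xm), _gf_mul(den, xm ^ xj)
            inv = 1
            for _ in range(254):            # den^254 == den^-1 in GF(2^8)
                inv = _gf_mul(inv, den)
            acc ^= _gf_mul(yj[i], _gf_mul(num, inv))
        out.append(acc)
    return bytes(out)

def simulate() -> dict:
    """Replay the incident with constructed keys and documents."""
    ring = {"escrow": secrets.token_bytes(32), "legal": secrets.token_bytes(32)}
    engineer_key = secrets.token_bytes(32)           # lives on the engineer's own machine
    legal_doc = encrypt_document(ring["legal"], ring["escrow"], b"draft contract")
    eng_doc = encrypt_document(engineer_key, ring["escrow"], b"design notes")
    backup = split_secret(ring["escrow"], k=2, n=3)  # three custodians, any two rebuild
    ring.clear()                                     # the admin deletes the key ring
    restored_escrow = recover_secret(backup[1:])
    return {
        "engineer_can_read_own_doc": decrypt_document(eng_doc, engineer_key) == b"design notes",
        "legal_doc_without_backup": decrypt_document(legal_doc, engineer_key) is not None,
        "legal_doc_with_backup": decrypt_document(legal_doc, restored_escrow) == b"draft contract",
    }
```

Calling simulate() reproduces the three outcomes in the story: the engineer, whose key sat on a local machine, can still read her own files; the legal user's document cannot be opened with any key that survived the deletion; and two of the three backup shares rebuild the escrow key, after which the document opens again. In a real deployment the wrapping would use an authenticated cipher from a vetted library rather than this stand-in, the shares would go to separate custodians or an HSM-backed key management service, and restoring from them would be rehearsed before it is ever needed.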
The Best Defense Is Multifaceted
The overall lesson from these horror stories is that no single thing can protect you from rogue IT people. You might have great technical security -- like the multitiered security system that ultimately detected Phil's unauthorized website -- and yet a simple mistake by HR can lead to disaster. Or there could be big red flags in terms of behavior or personality that go unnoticed -- like Sally's missing laptops.
It's a combination of technical safeguards and human observation that offers the best protection, says CERT's Cappelli.
And yet it's hard to convince companies to do both. Executives tend to think such problems can be solved with technology alone, at least partly because they hear vendors of monitoring systems and other security products claiming that their tools offer protection. "We're trying to figure out how to get the message to the C-level people that this is not just an IT problem," Cappelli says.
It's a difficult message to hear, and a lesson that many companies only learn the hard way. Even if more companies were forthcoming with the details of their horror stories, most CEOs would still think it could never happen to them. Until it did.
Harbert is a Washington, D.C.-based writer specializing in technology, business and public policy. She can be contacted through her website, TamHarbert.com.
This version of this story was originally published in Computerworld's print edition. It was adapted from an article that appeared earlier on Computerworld.com.