Insiders sabotage security

The Internet and e-mail, for all they have done for corporate growth, have their weak spots. Employees, under the guise of anonymity and spurred on by data’s inherent lack of palpability, do things they would never dream of doing in the corporeal world. Insider jobs, whether the theft of proprietary information or illicit access to corporate data, can be done without leaving the cubicle, somehow disassociating perpetrators from their actions.

“The real threat was, and still is, internal,” said Rene Hamel, speaking at the recent RBC Financial Group’s eBusiness Intelligence Symposium in Toronto.

Hamel, a senior manager with KPMG Forensics in Toronto and an ex-RCMP officer, said the key to reducing the internal threat is “to understand the flow of information.”

It is extremely important to put in place the necessary tools to control information leaks, he said. “And to do so you need to work closely with the IT department.”

Companies need to identify critical information, its inherent worth to the company and precisely who has access to it, he explained. But this is often not the case. Valuable corporate information is stored on a wide array of devices, he said. Everything from copiers and fax machines (with their buffers) to cell phones and PDAs is a potential information repository. So an internal thief does not always need access to the network to find important information. Controlling where information is and where it can go is the key to its containment.

But a more common problem is employees accessing inappropriate information via the Internet or e-mailing sensitive data to friends while at work. Various statistics put the share of companies that have reprimanded employees for inappropriate Internet access at between 50 and 70 per cent. Those that have gone so far as dismissing an employee sit at around 30 per cent.

How a company initially protects the information is crucial, especially if it envisions the case going to criminal or civil court, Hamel said.

Chain of custody must be ironclad if corporate actions are to be successful.

One company fired an employee, in part due to his accessing pornography at work. A fellow employee accused him and reported it to HR. His machine, days later, was whisked away by a system administrator and placed in an unlocked office. Several important mistakes were made.

“The longer you wait…the worse it is,” Hamel said. The employee, especially one caught red-handed, can use this time to delete data or concoct a story. The machine in question needs to be confiscated immediately. It is not necessary for IT to be involved. A senior manager or corporate officer must be present during the removal and actual lock-up of the machine. The absence of a senior manager can bring the evidence’s chain of custody into question.

In this case the company is probably safe only because of societal pressures. Most people accused (and guilty) of accessing pornography at work tend not to fight it. But the fact is, he noted, were the employee to decide to challenge the accusation, the company could find itself in an unpleasant situation defending its actions rather than its policies.

“The company thinks nothing of it and two weeks later [it] gets a letter from a lawyer suing them for wrongful dismissal,” he said.

The fact that the computer in question sat, unguarded, in an open room accessible to anyone, is a problem.

Would the computer evidence be thrown out? “Most definitely,” Hamel said.

“Recovering, analyzing and presenting electronic information as evidence is a legal issue, not an IT issue,” Hamel said.