The company's owner first realised something was amiss when she received a call from a supposed client complaining about bad service.
"It was a shock," she told us. "I had no idea who the company was or that we were even working with them, but the irate 'client' assured me not only had they been using our services, they had been paying for them. Yet I had no record of these claims."
Upon further investigation, we found that because he was a senior member of staff, he had the privileged access to information that his position required. This access also gave him the knowledge to stop certain monitoring tools we had installed - but not all of them. A rogue employee will do everything he can to evade detection. We had consulted with our client and ensured that it had more than a single layer of security protecting its information, and while the insider made the evidence tougher to find, we had ensured that he could not escape.
I cannot stress this enough - the insider threat is not only real, the incidents are growing in frequency and severity. It is a sad truth that as times become more difficult, people look for different ways to take home extra money and live beyond their means. No matter how illegal their methods are, we hear so many excuses from perpetrators trying to justify their actions.
I would like to highlight some key points to consider:
This case raises the age-old question - who manages the managers? Or who administers the administrators?
In this case, having access to sensitive data was a requirement for the rogue employee to perform his daily job. Tracking where this data went and who it was sent to was what allowed us to catch the culprit red-handed. This kind of tracking also made it possible to take corrective steps much faster than would normally be the case. Remember, a trusted individual can not only cause losses, but can destroy businesses.
Another important lesson to take away from this experience is to ensure that other senior management members and the CIO take note of and react to the warning signs. If something seems out of the ordinary with an individual, it probably is. You cannot turn your back on the signs. The first warning sign that the rogue employee was 'hiding something' was that a particular security solution had been repeatedly removed from his machine. As a senior employee, he would have learned how to remove the solution as part of the post-implementation training.
The initial suspicion caused us to start looking early, and the unknown client calling to report bad service provided the final piece of the puzzle. As soon as we checked our multi-layered defences, we quickly built a vast amount of solid evidence without wasting excessive time or spending more money.
I always say that a comprehensive yet easy-to-understand information security policy is your starting point. From there, it is imperative that you monitor and enforce your staff's compliance with these policies. I believe visibility is the key, and even if you think you don't want to check up on somebody, it is an essential part of modern business to do so, just as this client's story has shown us. It is not a case of 'if' you will need to use our solutions, but rather a case of 'when'.
As far as I am concerned, there are two types of businesses - those that have suffered a loss due to the trusted insider and those that will. The key is having tools and mechanisms in place to ensure that the effects of this are mitigated as much as possible.