Here’s another example of the insider threat similar to situations that I’ve heard of happening many times throughout the years through conversations with folks at conferences and other professional meetings.
On June 27, 2007, the St. Louis Metropolitan Sewer District (MSD) fired an employee who had worked in the payroll department there for 10 years.
Why? He downloaded Social Security numbers and other personally identifiable information (PII) about 1,600 current and former MSD employees to his own personal computer, and then some of his coworkers reported to their management that he had threatened on June 20 to maliciously use the PII if his manager gave him a bad performance appraisal.
MSD contacted the FBI and the St. Louis police department right after learning of the threat, they obtained the now-ex-employee’s computer from his home and “said they are very confident that the document had not been copied or sent to another source.” The name of the ex-employee has not been released pending investigation.
Hmm…I’m always quite skeptical of statements saying that the data has not been maliciously or illegally used. Especially when this employee has been working in payroll for 10 years. As a trusted insider he could have accumulated a large amount of PII during this time.
It is not even realistically possible to prove that data on a computer, on a storage device, or otherwise in the possession of someone, has *not* been copied, distributed or maliciously used. There are too many ways in which such information can be copied, distributed or misused, many of which many not be discovered for months or even years.
“Police and the FBI told the district that they would not seek charges against the employee.”
Interesting.
When people know they will not be penalized (other than losing employment) for doing such outragiously bad things, what is to keep them from exploiting their positions of trust to try similar actions? Where is their motivation to do the right thing if their ethical compass is broken?
Perhaps the U.S. Justice Department, that is still doing investigation, will decide otherwise.
Defending against the insider theat, especially with personnel with positions of significant trust such as someone processing payroll, is always very hard.
Such positions of trust inherently bring with them the possibility that the people filling the positions could do bad things, exploiting their capabilities in ways that will not be caught by others.
You cannot prevent people in positions of trust from abusing their capabilities to do bad things. However, you must implement appropriate due care controls to mitigate the risks of them doing bad things as much as possible.
Trust is good, but it is not a control, and it is not a standard of due care.
So what should you do to mitigate the risks of positions of trust? Much has been, and can still be, written on this. However, at a high level organizations need to:
* Perform pre-employment background checks for job candidates applying to positions of trust. Be sure to include criminal checks, as allowable by law.
* Perform online background checks for personnel in positions of trust.
* Be aware of red flags that indicate those with trust positions may be doing something illicit.
* Have procedures for personnel to follow to report suspected violations.
* Have well-written information security policies based upon the risks to your organization.
* Consistently enforce information security policies and apply sanctions for noncompliance.
* Have the obvious and strong commitment of executive management for information security policies.
* Provide training and ongoing awareness of the information security policies.
* Provide targeted training and awareness communications to personnel in positions of trust.
Tags: awareness and training, due diligence, ethics, extortion, Information Security, insider threat, IT compliance, Metropolitan Sewer District, PII, policies and procedures, privacy