"The biggest problem with cyber risk is that everybody perceives it as a technical threat. But it isn't - it's a people issue."
Ed Savage, Cyber Security Consulting, PA Consulting Group

By Andrew Baxter, Financial Times, 15 December 2011
Andrew Baxter reports on the dangers posed by disgruntled, IT-literate employees - and asks how they can be avoided
Companies appear far more afraid of bored Russian teenage computer hackers than they are of a threat much closer to home - their own employees, and in particular, workers who have recently left.
Recent publicity over cybersecurity following attacks on Sony, the Japanese consumer electronics giant, RSA, the security company owned by data storage group EMC, and others, highlights the danger of hiring a potential security risk.
Yet evidence suggests that companies, along with governments and other public sector organisations, are so focused on the external threats from teenagers or hackers in China or elsewhere that they are missing a trick when it comes to the risks posed by a potential enemy within.
Cyber-attacks by insiders are common, says Peter Yapp, head of information security at Control Risks, the UK-based risk consultancy. "Typically, it is people who have run into financial problems, with a betting addiction, for example, or have been overlooked for promotion, had a poor pay rise or received no bonus - those are the triggers."
The disgruntled employee is less likely to cause trouble, however, than someone who has recently been sacked or made redundant as a result of downsizing. "The people involved have got back in [to the company's IT system] because controls have not been tightened down after they left, or they just know so much about the system, or they have left themselves a little insurance policy so they can get back in," says Mr Yapp.
In one recent example with which Control Risks became involved, a small internet service provider found that one of its switches had been hacked into, the password had been changed, and the business was, in effect, held to ransom by a former employee.
Both Mr Yapp and other cybersecurity, human resources and behavioural experts, notably at London-based PA Consulting Group, are urging employers to make greater efforts to prevent attacks. There are challenges, they say, but it is not rocket science and, more than anything else, simply requires joined-up thinking.
"The biggest problem with cyber risk is that everybody perceives it as a technical threat. But it isn't - it's a people issue," says Ed Savage, a cybersecurity expert at PA Consulting.
"So you have to address this through whoever owns the people risk, and the problem is often that the HR department believes it's the IT department's problem, or the head of security or compliance."
Due diligence must begin at the pre-recruitment stage. Psychometric testing is available and references from previous employers can and should be taken up - and taken seriously - as a matter of course. But companies need to go the extra mile when filling sensitive roles, particularly in IT, or where valuable information is being entrusted to new recruits, says Mr Yapp.
An example would be someone writing software for the finance sector, he says. "You want to know where they've come from and what they've done. Getting a couple of references just doesn't do it. You wouldn't do this for everybody, but you must for key individuals in high risk roles." And that shining reference from a current employer also needs to be checked - is it just happy to get rid of the employee? Pre-recruitment monitoring, however, is difficult. Individuals tend not to be malicious and most begin a job feeling well-disposed to a new employer. At interview, they will present a wholly positive picture of themselves.
"To be able to predict, in a selection situation, whether someone is going to cause a problem in the organisation is very difficult," says Justin Spray, a director and psychologist at Mendas, a London-based occupational psychology firm.
His colleague Simon Draycott notes that a bigger industry has developed in the US around "integrity testing" of prospective employees but many of the measures used are just personality assessments. "Straight away, they are open to manipulation," he says.
It seems generally to be after recruitment that employees occasionally go off the rails. "US research shows very clearly that most malign insiders join a company as perfectly loyal and committed employees, but a workplace intervention takes place that changes their psychological contract and they become disgruntled and resentful," says Bill Windle, a behavioural expert at PA Consulting.
"There are typically three or four weeks of behavioural or social cues that colleagues or line managers could pick up," he says. "It is a short window during which an alert employer might be able to rescue an individual before he or she causes damage."
But if a cyber-attack does take place, it can be many months before it is discovered, and even longer before it is addressed, he says.
When an employee has left a company nursing a grievance or under a cloud, preventing subsequent access to the system is crucial, says Mr Windle.
"If you can't manage identity in today's world, you can't manage your people risks."
It is here, say the experts, that companies have to shake off their silo mentality. "We often find there is no link between IT and HR. HR knows the employee's last day was last Friday, and IT hears about it three months later. So remote log-ins still work," says Mr Yapp.
Many physical security systems run on the same wiring as normal office PCs, he says, yet few companies are able to spot the obvious intrusion when an employee uses their pass to enter a building but has also apparently logged on remotely elsewhere in the world.
"The technologies are converging but the people and departments behind it aren't. It just seems like a missed opportunity."
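The two gaps Mr Yapp describes - HR's leaver date never reaching IT, and a badge swipe at the office coinciding with a remote login from abroad - are both checks that can be run over data most organisations already collect. The script below is an added illustration, not code from the article or from Control Risks or PA Consulting; the HR leaver list, badge-reader events and VPN log lines are constructed sample data in an assumed `key=value` format, and the site-to-country mapping is a placeholder.

```python
"""Joined-up HR/IT checks: remote logins by leavers, and badge-in vs remote-login conflicts."""
from datetime import datetime, timedelta

# Constructed sample HR leaver list: username -> last working day.
HR_LEAVERS = {
    "jsmith": datetime(2011, 12, 9),   # "last day was last Friday"
}

# Constructed physical-access (badge reader) events: (username, timestamp, site).
BADGE_EVENTS = [
    ("akhan", datetime(2011, 12, 12, 8, 55), "London-HQ"),
]

# Assumed mapping from office site to country code, used to judge remote logins.
SITE_COUNTRY = {"London-HQ": "GB"}

# Constructed remote-access (VPN) log in an assumed "timestamp key=value ..." format.
VPN_LOG = """\
2011-12-12T09:10:00 user=jsmith result=success geo=GB
2011-12-12T09:20:00 user=akhan result=success geo=SG
2011-12-12T09:25:00 user=bwong result=success geo=GB
"""


def parse_vpn_log(text):
    """Parse the constructed VPN log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({"ts": datetime.fromisoformat(ts), "user": kv["user"],
                       "result": kv["result"], "geo": kv["geo"]})
    return events


def leaver_logins(vpn_events, leavers):
    """Successful remote logins by accounts whose HR last working day has passed.

    Any hit means the account was not disabled when HR recorded the leaver.
    """
    return [e for e in vpn_events
            if e["result"] == "success"
            and e["user"] in leavers
            and e["ts"].date() > leavers[e["user"]].date()]


def badge_remote_conflicts(vpn_events, badge_events, window=timedelta(hours=8)):
    """Accounts that badged into a site and, within the window, also logged in
    remotely from a country other than the site's own."""
    conflicts = []
    for user, badge_ts, site in badge_events:
        site_country = SITE_COUNTRY[site]
        for e in vpn_events:
            if (e["user"] == user and e["result"] == "success"
                    and e["geo"] != site_country
                    and abs(e["ts"] - badge_ts) <= window):
                conflicts.append((user, site, badge_ts, e["geo"], e["ts"]))
    return conflicts


def run_checks():
    """Run both checks over the constructed data and return the flagged accounts."""
    vpn = parse_vpn_log(VPN_LOG)
    return {
        "leaver_logins": [e["user"] for e in leaver_logins(vpn, HR_LEAVERS)],
        "badge_conflicts": [(u, geo) for u, _, _, geo, _ in badge_remote_conflicts(vpn, BADGE_EVENTS)],
    }


if __name__ == "__main__":
    for name, hits in run_checks().items():
        print(name, hits)
```

The first check is only as good as the HR feed behind it: if the leaver list reaches IT three months late, as in the example quoted above, the check fires three months late too, which is why the experts push for a same-day link between the two departments rather than better log analysis alone.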
PA has launched an initiative it calls "strategic protective monitoring" to help companies bring their silos together and become more alert to the risks. This involves using elements that an organisation already has but might not have switched on, says Mr Windle, and the line manager is at the heart of it. "Pre-employment screening is just that - after a person has joined the company there is no more screening, just line management."
In this holistic approach to cybersecurity, the HR department needs to see itself, and be seen, as the key internal customer of [computer system] monitoring, he says.
The consultancy is working with the UK's Centre for the Protection of National Infrastructure on new advice for organisations for managing employee risk.
Perhaps unsurprisingly, given the huge potential losses from insider crime, financial institutions in the City of London and elsewhere have spent more heavily on cybersecurity and general IT risk prevention than others.
And not just on technology - Mark Braund, chief executive of InterQuest Group, a London-based IT and technology recruitment company, reports a significant rise over the past year in supplying people for senior IT security, crime prevention and risk management roles in the City.
This suggests that the financial sector, at least, understands the importance of both technology and people in thwarting the malign insider.
The bigger risk now, according to Mr Yapp at Control Risks, is in those companies that have not properly valued their intellectual property and take it for granted. This could include businesses in a range of sectors including oil and gas, and pharmaceuticals.
Control Risks is carrying out more education to help instil a preventative mindset but it is harder to win clients over to this approach and the balance of its work is still reactive, says Mr Yapp.
He adds that when a company is hacked by an ex-employee - such as one recent client that found its three main servers had been wiped clean - getting the business up and running again often takes priority over finding out what went wrong and pursuing the attacker.
Identifying a professional hacker who knows how to cover his tracks by using anonymous tools can also be tricky, and law enforcement agencies often need to see the attack happening live, says Mr Yapp.
Employees or former employees tend to be less elusive, however, believing they will not be caught. But they might name their laptop after themselves, for example, or log on to the office system from home to print out files just before leaving a job. "People think they won't be seen, but it is all logged," says Mr Yapp.