March 02, 2009, 11:26 AM — A senior corporate executive leaves the company, taking with him his framed family photographs, his prized gold pen-and-pencil set -- and the passwords of several hundred employees.
One of your firm's most experienced sales reps hears a rumor that she is sure to be laid off. And she is, but before she gets her pink slip at the beginning of the next quarter, she manages to download to her Gmail account a long list of A-plus customers and their ordering and payment histories.
If you're thinking "Never at my company" or "Not my employees," think again. Scenarios like those above are playing out every day, experts say, and even the most trusted and skilled professionals can be driven to data theft and other computer crimes in the face of crippling economic pressures and looming job layoffs.
Recent statistics bear this out. In a late 2008 survey conducted by IT security firm Cyber-Ark Software Inc., 56% of financial services workers in New York, London and Amsterdam admitted to being worried about layoffs. In preparing for the worst, more than half said they had already downloaded competitive corporate data that they planned to use to get their next jobs.
In the U.S., the percentage was slightly higher, with 58% of Wall Street workers saying they had done so. And 71% of all workers said they would definitely take data with them if they were confronted with the prospect of a layoff tomorrow.
"When people are desperate to pay for the roof over their head or put food on the table, they're capable of doing things they wouldn't normally do, which is why crime goes up when the economy suffers," says David Griffeth, vice president of business line integration and reporting at RBS Citizens Bank. "That doesn't go away because you have a bachelor's degree or a master's degree. It's a common fear based on need. You have a different level of comfort with the crime you commit."
Supply and Demand
"It makes sense that [data] theft is on the rise when demand is low and supply is high. Right now, there's a huge supply of employees, and if one person can make himself more attractive to a potential new employer, it would be a great temptation," says Keith Jones, a digital forensics investigator and partner at Jones Dykstra & Associates, a computer security consultancy in Columbia, Md.
Meanwhile, the legion of laid-off workers continues to grow. In the past few months, Citigroup, SAP, Sun Microsystems, IBM, Sprint and Microsoft have all announced layoffs, adding to the tens of thousands of already unemployed people, many of whom are technically savvy and have access to key computer systems, highly sensitive corporate data or both.
What's surprising -- and potentially lethal to corporate security -- is how many departed workers retain such access via so-called orphaned accounts long after they've been discharged. Four out of 10 companies have no clue whether user accounts remain active after employees leave, according to a study of 850 security, IT and human resources executives by Symark International Inc., a security software company.
In addition, 30% of executives reported that they have no process in place to locate and disable orphaned accounts. Another sorry statistic: 38% of them have no way of determining whether a current or former employee is using or has used an orphaned account to access information.
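The two checks those survey respondents lack can be sketched as a reconciliation of the HR exit roster against the account directory and the authentication log. This is an added example, not part of the original article; the user names, systems, record layout and log format are all constructed assumptions.

```python
from datetime import date, datetime

# Constructed sample data (assumed formats, not from the article).
HR_EXITS = {"jdoe": "2009-01-15", "asmith": "2009-02-01"}  # user -> last working day
ACCOUNTS = [
    {"user": "jdoe", "system": "vpn", "enabled": True},
    {"user": "jdoe", "system": "crm", "enabled": False},
    {"user": "asmith", "system": "crm", "enabled": True},
    {"user": "asmith", "system": "mail", "enabled": False},
    {"user": "bwong", "system": "crm", "enabled": True},
]
AUTH_LOG = """\
2009-01-10T09:02:11 crm jdoe LOGIN_OK
2009-01-20T23:41:07 vpn jdoe LOGIN_OK
2009-02-03T08:15:30 crm asmith LOGIN_FAIL
2009-02-10T02:12:45 crm asmith LOGIN_OK
2009-02-11T10:00:00 crm bwong LOGIN_OK
truncated line
"""

def parse_log(text):
    """Yield (timestamp, system, user, result); skip lines that do not parse."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield when, parts[1], parts[2], parts[3]

def find_orphans(exits, accounts):
    """Accounts still enabled for users who appear on the exit roster."""
    return sorted((a["user"], a["system"]) for a in accounts
                  if a["enabled"] and a["user"] in exits)

def post_exit_activity(exits, log_text):
    """Login attempts, successful or failed, dated after the user's last day."""
    hits = []
    for when, system, user, result in parse_log(log_text):
        if user in exits and when.date() > date.fromisoformat(exits[user]):
            hits.append((user, system, when.isoformat(), result))
    return hits

if __name__ == "__main__":
    print("Orphaned accounts:", find_orphans(HR_EXITS, ACCOUNTS))
    for hit in post_exit_activity(HR_EXITS, AUTH_LOG):
        print("Post-exit activity:", hit)
```

Failed attempts are reported alongside successful ones because an attempt against a former employee's account is worth reviewing even when the account was already disabled.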
The most common threat is that an employee may take intellectual property, including strategic plans or customer data, before or soon after he is let go, says Jonathan Penn, an analyst at Forrester Research Inc.
And things can get even more dicey when IT staffers are laid off. Often, these are employees with "the keys to the kingdom," says Jones.
He notes that Roger Duronio, a former IT worker at UBS Paine Webber who was convicted and sentenced to eight years in prison for planting a software logic bomb, was able to do such extensive damage to company data because "he had access everywhere." (A logic bomb is software code that triggers malicious functions under certain prescribed conditions; for example, one could be set to delete all customer accounts at a particular time on a specific date.)
Systems administrators and users with privileged account access -- such as those who know root passwords -- can definitely pose a greater threat, says Sally Hudson, an analyst at market research firm IDC. "Those with access to privileged passwords possess the power to change system data, user access and configuration. They also have the power to easily sabotage the critical IT operations of any organization," she says.
Despite these vulnerabilities, there are steps that companies can take to limit potential damage, especially when conducting layoffs.
Do your homework. Exit strategies and security measures should vary depending on the employee's role. Executives and managers who are charged with laying off personnel shouldn't assume that disabling computer access is simply a matter of pulling a plug.
"Before you lay off, look closely at the classes of people," advises Jones. "If they're from sales, HR or finance or [are] senior employees, it may take longer to [disable their access] because they have greater access to systems" than other employees do.
Involve IT in layoff plans as early in the process as possible. "It's important for IT to be synchronized tightly with HR," says Ken van Wyk, an information security specialist and consultant in Alexandria, Va. "But IT people need to understand how sensitive their roles are, and there has to be zero tolerance for spreading rumors. If an IT person tells people that they're going to be laid off, that IT person also needs to be included in the exit roster."
Make sure the proper security programs and policies are in place well before the layoff, advises IDC's Hudson. Among other things, you should make sure you're using systems to secure content, prevent data loss and manage threats. Such systems include firewalls, content- and spam-filtering tools and antivirus software.
You should also have a secure identity and access management infrastructure. Also known as an IAM, this type of setup "controls the who, what, where, when and why of user activities throughout the enterprise," Hudson explains. Having the ability to monitor and evaluate how access rights are being used is critical to meeting governmental mandates and identifying system misuse.
Compartmentalize system access according to employees' roles. This is a secure system design principle that companies should implement at the beginning of any software-development effort. "Access control means tightening up a lot more on the business logic layer," explains van Wyk.
But all too often, companies forgo this step "because it requires more time and thinking through of the design of software," he says. In the absence of an initial secure design, the next best measure is to implement software that records users' access to systems and the actions they take while using various business applications, van Wyk says.
"Almost all business applications have some level of user ID and password security, and then, once you're in, you're in," he says. But with a tracking system, when a user goes into a database, everything that he does there is recorded -- and potentially reported to law enforcement, van Wyk explains.
Part on good terms, but plan for bad times. Jones recommends that even if a layoff goes smoothly with no apparent disgruntlement on the part of the employee, a company should still collect evidence of its own due diligence in case there's some sort of investigation in the future.
That's because companies that experience any kind of security breach, including the theft of data by a laid-off employee, must be able to show that they took all possible precautions and measures to protect that data.
Specifically, Jones says companies should take forensic images of departing employees' laptops, so they're available if an investigation is launched. (A forensic image is a copy of a computer's hard disk.)
"Usually, when something bad happens, it doesn't happen right away," Jones explains. In fact, it can take six, 12 or even 24 months before it comes to light. Yes, there is the added expense of taking the image, he says, but you have to offset that with the potential cost of litigation.