Sadly an increasingly common occurrence in the current climate, making people redundant presents a ‘code red’ threat to data and systems. Redundant staff, especially when the lay-off has been handled badly, may be inclined to take valuable data with them or access and disrupt systems once they have left. Rogue ex-employees might well release data onto the internet, sell it or use it in their new job.
If this sounds like a doomsday scenario, the stats show that it's already happening. In January the Ponemon Institute polled almost 1000 people in the US who had lost or left a job during 2008. Fifty-nine per cent admitted to stealing confidential information. More worrying still, a survey by Cyber-Ark found 88 per cent of UK IT professionals might take valuable and company-sensitive information if laid off.
Accenture's head of security in Europe, the Middle East and Africa, Floris van den Dool, describes the threat from rogue ex-employees as "interesting on the one hand, frightening on the other hand".
"In a recession, crime goes up because people lose their job and there is always a percentage of people who turn to crime to make a living," he says. "If you look at some of the analysis you see there is a very sharp increase in online attacks starting October last year and really correlated to the economy.
"We know there is a whole fraud economy on the internet and they are always looking for people who can assist them. It is now easier to find those people. On the other hand, there are the disgruntled ex-employees who may hold a grudge against their old company. They think, ‘Hang on, am I going to use this restricted info for my own benefit, or am I going to take it to my next employer, or am I going to sell it to the competition?’ It is a combination of all that," he adds.
Despite the squeeze on budgets there is no evidence that CIOs and CSOs are spending less on security. A survey by Infosecurity Europe published in April this year found that spending on information security is likely to increase, according to 55 per cent of the 1000-plus respondents they asked, while 34 per cent expected their spending to remain the same as last year. The issue is whether the security spend is targeted accurately.
According to Van den Dool, risk assessment is paramount. "The main thing is to know what your critical information is - where would you be hurt the most if something went wrong? Where is the critical data?"
He believes there is an increasing recognition of how central this issue is to the business, and that the traditional CISO is being squeezed out. "I see the CISO perspective changing. The old CISO was an ex-IT person who may or may not have had an interest in security but who was forced to get an interest in security. What I see now is that a business person is picking up the CISO role and I think that is a very welcome development," he says.
Fran Howarth, principal analyst at research firm Quocirca, carried out a survey of 100 large US and UK organisations, asking them who they thought should be responsible for this area of concern. The overwhelming response was that it should be the CIO.
"It is rife that people get back into systems. We have also got the problem that if people think they are going to be made unemployed they start gathering the information they need beforehand or they are going to secure some way of getting back into the system that no-one knows about," she says.
"CIOs really need watertight, role-based access controls. So many apps have their own user access and you have to be checking that the permissions are as they should be and that someone for example doesn't move from one role to another and retain their old permissions. This needs to be done with very watertight reporting and audit capabilities, and putting in this type of system is a big, expensive project."
For this reason she believes software as a service and cloud access control solutions offering managed authentication are becoming much more important to all but the very largest enterprises.
"CIOs should be looking at tools like those locking down what people can take out of the organisation and they can also extend this into databases as these products are starting to come out. Symantec and RSA are just bringing them out."
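The checks Howarth describes (permissions matching the current role, nobody keeping entitlements from an old role, and leavers' accounts actually being closed, as in the Rowanmoor case later on) can be run as a routine reconciliation between the HR roster and what applications really grant. The script below is an added example and not code from the article or any vendor named in it; the roster, role model and grant snapshot are constructed sample data.

```python
"""Reconcile HR roster, role model and application grants.

Flags: leavers still enabled, accounts with no HR record (orphans),
movers who kept entitlements from a previous role, and any other
grant outside the current role. Constructed data, added example.
"""

# Constructed HR roster: employment status, current role, previous role.
HR_ROSTER = {
    "alice": {"status": "active", "role": "branch_advisor", "prev_role": None},
    "bob":   {"status": "left",   "role": "sysadmin",       "prev_role": None},
    "carol": {"status": "active", "role": "finance",        "prev_role": "branch_advisor"},
    "erin":  {"status": "active", "role": "branch_advisor", "prev_role": None},
}

# Constructed role model: the entitlements each role is supposed to hold.
ROLE_ENTITLEMENTS = {
    "branch_advisor": {"crm:read", "crm:write"},
    "finance":        {"ledger:read", "ledger:export"},
    "sysadmin":       {"ad:admin", "crm:admin"},
}

# Constructed snapshot of what the applications actually grant today.
APP_GRANTS = {
    "alice": {"crm:read", "crm:write"},                      # matches role
    "bob":   {"ad:admin", "crm:admin"},                      # leaver, still enabled
    "carol": {"ledger:read", "ledger:export", "crm:write"},  # kept an old-role grant
    "dave":  {"crm:read"},                                   # no HR record at all
    "erin":  {"crm:read", "ad:admin"},                       # grant outside any role held
}


def reconcile(roster, role_model, grants):
    """Return (finding_type, user, sorted_entitlements) for every anomaly."""
    findings = []
    for user, held in grants.items():
        rec = roster.get(user)
        if rec is None:
            findings.append(("orphan_account", user, sorted(held)))
            continue
        if rec["status"] != "active":
            # Any grant at all is wrong once HR marks the person as gone.
            findings.append(("leaver_still_enabled", user, sorted(held)))
            continue
        excess = held - role_model.get(rec["role"], set())
        if not excess:
            continue
        prev = role_model.get(rec["prev_role"], set())
        kind = "mover_retained_access" if excess & prev else "unexpected_access"
        findings.append((kind, user, sorted(excess)))
    return findings


if __name__ == "__main__":
    for kind, user, ents in reconcile(HR_ROSTER, ROLE_ENTITLEMENTS, APP_GRANTS):
        print(f"{kind:24} {user:8} {', '.join(ents)}")
```

In practice the three inputs come from the HR system, the role catalogue and each application's access export, and the report is what the audit trail Howarth asks for should be checked against.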
Large organisations that manage access to their systems and applications with shared passwords or privileged user log-on IDs are especially vulnerable to rogue ex-employees. Where there are ‘God accounts’, one master account is shared among administrators. CIOs and CSOs tell users over and again to keep their passwords to themselves, change them regularly and use a complicated combination of letters and numbers, yet the most powerful IDs on any system tend to be shared, written down and rarely changed, because every change has to be passed on to everyone sharing the account.
Aaron Slater, business protection manager at financial services firm Irish Life, focuses on employee IDs in the branch network as employees leave and change branches. "The organisation had gone through a number of acquisitions and mergers, which from an operational point of view had meant log-on IDs had moved into parts of the business from various back end systems.
"There were issues around the whole ‘I have log-on ID 1 for system A, I have log-on ID 2 for system B’ because of the different systems from the different companies they may have originally come from."
Slater wanted a single sign-on but it was looking too expensive to re-do all the systems from scratch. "There were several options - some web-only, some operating from a password synch point of view; others maintained separate databases and tried to collate log-on IDs together. Our apps varied - we had some mainframe technology VB apps and some web front-end apps."
Slater went for a Passlogix managed authentication system, which means employees have no need to know their access IDs. After a single network log-on the system allows them access to the applications and the data they are authorised to use. While the single sign-on approach helps Slater keep tabs on who is accessing what, the technology is only part of the access control story. If an employee leaves there is a process outside of the single sign-on process for changing access. "We have strict controls around approval, removing access, reinstating access, that type of thing," he says.
Better than cure
The technology approach is best combined with a will to make the redundancy process the best it can be to dampen ex-employee motivation to breach systems or steal data (see Preventing data theft, above).
Steve Flatt, director at the Psychological Therapies Unit, Liverpool, which provides mental health support for 30,000 commercial organisations, says that their counselling services can reduce the threat of employee retaliation.
"We are seeing people who are going to be made redundant. A number of companies have very thoughtfully put packages in place where people can come and talk about their anxieties. If they feel that they have an axe to grind they come to an outside organisation so that they have a dispassionate, more objective view of their particular difficulties.
"Because they feel they are being listened to, they will often go back to work with a will and either work out their redundancy or the whole thing will be a very good-natured process."
He points out that not all ex-employees act out of malice; their motivation can be quite complex. "It is about feeling so aggrieved that they want to do something in order to regain some sense of control over their lives. Some people will literally just want to remain in contact and not necessarily do any kind of malicious act, but it is about trying to maintain this sense of self and if you work for a company for a number of years your [sense of] self is really built up around it."
Redundancy and even the threat of it can change people who may have been trustworthy. "It is of course at times like these when the temptation to move in to ‘looking after number one’ is at its peak," says Steve Garton, director of security at Advent IM, an independent protective security consultancy. "Loyalties weaken and integrity is often pushed to the brink, as our employees, including managers, move in to self-preservation mode, which immediately erodes any existing team spirit.
"Is it time to be thinking out of the box? Do we all rely on the vetting/screening process too much? We have certainly heard clients say that we employ trusted individuals who have been screened and therefore we do not see them as a threat. Is this naïve, or the only way to realistically do business?"
Protecting against the threat to systems and data from disgruntled ex-employees is a business issue, not just a technical one. If there were a data breach, the majority of the resulting losses would not be technology or data related. Equally, contingency plans against this risk should be balanced between the human and technical elements, with the CIO, the CSO and HR in partnership.
Case Study: Rowanmoor Pensions
Following a management buy-out from parent group Abbey, Rowanmoor Pensions had six months to set up its data and IT infrastructure from scratch to meet stringent FSA regulations, and security was key. The new pensions group looks after 4300 pension schemes totalling £3.2bn and has made it very difficult indeed for a potential rogue ex-employee to access any of its systems or data.
Director David Seaton decided to throw out all the old PC-based architecture that he inherited from the Abbey business and start again with a thin-client model. He believed the threat from remote access was so high that he decided not to allow it. Laptop use is now restricted to PowerPoint presentations by staff at client sites.
"We can lock down systems and software completely with thin client. People can't upload or download," he says.
Applications and data are accessed remotely via a hosted managed service from solution provider Intercept IT.
"Staff can only log in when they are in the building. We have locked down all the USB ports and only financial services staff can download data," Seaton adds.
Employees' electronic door fobs are switched off the day they leave the company. At the same time that person's mailbox is opened up to HR and emails are stopped and sent on to HR so that anything suspicious can be followed up.
Rowanmoor employees are left in no doubt as to their responsibilities. "We have a written IT and email policy for our staff to see on the internet and they are also very aware that with this system everything is traceable. People are very aware that anyone downloading data (that they shouldn't) could go to prison for it and we would report it," Seaton explains.