One rogue IT employee can do more damage than an army of hackers. Here's how three companies could have better protected themselves.
Outsourcing incenses employee
'Sally', a systems administrator and a database manager, had been with a Fortune 500 consumer products company for 10 years and was one of its most trusted and capable IT workers, according to Larry Ponemon, founder and chairman of the Ponemon Institute, an IT security research firm.
She was known as a pinch-hitter - someone who was able to help solve all kinds of problems. For that reason, she had accumulated many high-level network privileges that went beyond what her job required. "There is this tendency to give these people more privileges than they need because you never know when they'll need to be helping someone else out," says Ponemon.
She sometimes worked from home, taking her laptop, which was configured with those high-level privileges. The company's culture was such that IT stars like Sally were given special treatment, says Ponemon. "The IT people could decide what tools they wanted on their systems," he explains.
But when the corporation decided to outsource most of its IT operations to India, Sally didn't feel so special. Although the company had not yet formally notified the IT staff, says Ponemon, it was obvious to IT insiders that time was running out for most of the department's employees.
Sally wanted revenge. Before she was officially let go, she planted logic bombs that caused entire racks of servers to crash once she was gone.
At first, the company had no clue what was going on. They switched to their redundant servers, but Sally had planted bombs in those as well. The company had a hard time containing the damage because it didn't follow any apparent rhyme or reason. "A malicious employee [who's] angry can do a lot of damage in a way that's hard to discover immediately and hard to trace later," Ponemon notes.
Eventually, they traced the sabotage to Sally and confronted her. In return for Sally's agreement to help fix the systems, the company did not prosecute her. In addition, Sally had to agree never to talk publicly about the incident. "They didn't want her going on TV and talking about how she broke the backbone of a Fortune 500 company."
Cost to the company
The estimated total cost to the company: $7m, which includes $5m in opportunity costs (downtime, disruption to business and potential loss of customers) and $2m in fees for forensics and security consultants, among other things.
NEXT PAGE: Preventive measures