One rogue IT employee can do more damage than an army of hackers. Here's how three companies could have better protected themselves.
The best defence is multipronged
The overall lesson from these horror stories is that no single thing can protect you from rogue IT people. You might have great technical security - like the multitiered security system that ultimately detected Phil's unauthorised website - and yet a simple mistake by HR can lead to disaster. There could be big behavioural or personality red flags that go unnoticed - like Sally's missing laptops.
It's a combination of technical safeguards and human observation that offers the best protection, says CERT's Cappelli.
And yet it's hard to convince companies to do both. Executives tend to think such problems can be solved by technology alone, at least partly because they hear vendors of monitoring tools and other security-minded software claiming that their tools offer protection. "We're trying to figure out how to get the message to the C-level people that this is not just an IT problem," she says.
It's a difficult message to hear. And a lesson that many companies don't learn except the hard way. Even if more companies were forthcoming with the details of their horror stories, most CEOs would still think it could never happen to them. Until it does.