In the last post, I touched upon the reasons that Insider Threat is often ignore by corporations and businesses (yes.....this probably means you.) I also discussed the reasons why this threat is of much greater than concern than some 17-year old kid in some remote former Eastern Bloc country, hacking his way through your multiple firewalls and successfully evading your many IDS and IPS sensors. But as I've learned with discussions with executives: "It doesn't really matter unless you can show me the financial impact." (and when I say financial impact, I'm really talking about the impact of the risk on your net cash flow.) In other words - Show me the money!
Before I jump in and do that, let's just take an overview at the many facts that exist out there with regard to Insider Threat. The Computer Crime Research organization did a study in 2005 and found the following:
- "98% of all crimes committed against companies in the U.K. had an insider connection."
- "In the US, about six per cent of revenue is lost on an average annually due to employee fraud and abuse which translates to about US$ 600 billion in terms of its GDP or US$ 4,500 per employee.”
Additional data from CSI in their his year's Annual Security Survey, has some especially revealing numbers that enforce this risk. The survey, which has run since 2002, found that financial fraud, often through the loss of customer data or intellectual property, surpassed viruses as the greatest cause of financial loss. Viruses fell to second, after being #1 for the past 7 years. Another key point:
"Insider abuse of network access or e-mail (such as trafficking in pornography or pirated software) edged out virus incidents as the most prevalent security problem, with 59 and 52 percent of respondents reporting each respectively."
In case you're looking for individual case studies, there are more than a few examples. As I've mentioned in previous posts, one need only look as far as Mr. Gary Min (aka Yonggang Min), who worked as a research chemist for the DuPont. Between the periods of August 2005 and December 2005, Mr. Min downloaded over 22,000 abstracts and over 16,706 documents from DuPont's Electronic Data Library (EDL). That's 15X more than anyone else in the company!! The IT staff at DuPont were alerted when the excessive amount of files downloaded tripped off some sensors (BTW, a terrific job by the IT guys at DuPont! Nice when security procedures work as expected.) So they continued to watch Mr. Min closely. Well, in October 2005, Min accepted a new job with a DuPont competitor, and agreed on a start date of......January 2006. He didn't bother telling anyone. Well, long story short, Mr. Min took the DuPont docs with him, loaded them up at his new job in January and the FBI caught him. (Note: Mr Min's plead guilty and sentencing is scheduled for October 2007. I'll keep you posted.)
Cost to DuPont: $400 Million dollars
Another? Let's take a look at Mr. John Rusnak. John was a foreign currency trader working for a bank in 1993. He gambled on conversion rates in €, ¥, and $. Life was good for John, until the Asian market fell in 1995…..and then he lost $29.1 million in 1997. Well, no one wants to tell their boss they just lost that much, so he began editing the formulas and internal docs that calculated the rates. John's edits showed him actually making money and he was lauded as a financial whiz kid!! When the errors were identified and Mr. Rusnak questioned, he provided even more fraudulent docs, including paying a guy at a fax store, to say he was a satisfied customer of John's, when called. Realizing he was fighting a losing battle, John turned himself into the FBI.
Cost to the bank: $691 Million dollars
What's even more disturbing is the apparent trend of this new "Gen X" and their thoughts on what is, and what is not intellectual property. Like many of you, I understand that anything I create, conceptualize, write, etc. while an employee of the Microsoft Corporation....is Microsoft property. For this (sometimes feeble) effort, I am compensated. I signed my employee agreement freely, and was not under duress (unless of course you consider the duress of, "Oh crap. I'm about to graduate from college and I need to find a job ASAP"). Sure, there has been times I've been disgruntled with my employer, but I still respect the agreement I signed. I gave them my word, and my integrity is of utmost importance to me. (I've heard integrity described as "the actions you do when people are not watching you"). In a 2007 survey of employees conducted by Liquid Machines, they found the following:
- Have you ever taken data with you when you left a job? Data can be anything, including documents, lists, letters, sales contracts, etc.?
- Yes - 45%
- No - 55%
- Have you ever forwarded data to someone who was previously an employee of your organization?
- Yes - 13%
- No - 87%
....almost half of people knowingly took data with them when they left their old job. The disturbing part of all this is the thought process. The survey discusses that most people had a feeling of entitlement to the documents. For instance, "Hey....if it wasn't for me....this company wouldn't even have these customers/contracts/financial reports. I created them. I'm taking them with me."
This is the mentality that you must change if you hope to lessen the impact posed by Insider Threat.
NEXT TIME: Insider Threat continues with "We love Bob. He's been with us forever. Bob would never do us harm."