It's January 2000, and the world hasn't imploded under the weight of the Y2K problem. Planes aren't falling out of the sky, and trains aren't careering off their tracks. But in a few short months, Craig Goldberg's start-up will come face to face with a more sinister threat that will take it to the brink of disaster: cybercrime.
The CEO of Internet Trading Technologies Inc (ITTI), a New York-based technology subsidiary of stock trade regulator LaBranche & Co, had just completed a second round of funding that helped fuel an expansion of the company's IT staff. Within two months, Goldberg hired a half-dozen more software developers and tapped a CIO with 15 years of experience to take on the role of chief operating officer.
Trouble lurked beneath the surface, however. Two of the company's software developers approached ITTI's new COO and demanded that the company "pay them a lot of money or they will resign immediately and not provide any assistance to the development team", according to Goldberg, who eventually succumbed to the demands.
But that wasn't enough for the two developers who left the premises, demanded more money and stock options and threatened to let the development work founder. "It felt like we were being held up," says Goldberg. Faced with the equivalent of a cyberhijacking, he refused to budge, and the developers were dismissed.
The first denial-of-service attack hit the next morning, a Thursday, and crashed the company's application server. Somebody sitting at a computer in a downtown Manhattan Kinko's had gained access to ITTI's server using an internal development password. The server was brought back online, only to be hit again two minutes later, says Goldberg. Passwords were changed, and development systems were air-gapped - physically disconnected from the Internet. But the attacks continued through the weekend.
The situation soon became critical. "If the attacks continued to go on, we would go out of business," Goldberg says. He called in a security consulting firm and the Secret Service.
The last attack, which occurred Monday morning, hit as federal authorities were installing monitoring equipment on ITTI's networks. Authorities traced the attacker to a computer at Queens College in New York, where one of the former employees was a student. Witnesses placed the individual at the specific computer at the precise time of the attack. Within an hour, the Secret Service officials had their man. No evidence or charges were brought against the other former employee.
Stress pointsExperts agree that cybercrimes, such as the one perpetrated against ITTI, are often the result of a combination of factors that are unique to the modern IT workplace. Although most managers believe, as Goldberg says, that: "security is both about risk management and hiring honest people", experts in criminal psychology say the onus is often on managers to take action to prevent current and former employees from lashing out in the form of cybercrime.
Jerrold Post, a professor of psychiatry at The George Washington University in Washington, developed the "Camp David profiles", which focus on understanding the psychology of terrorism and political violence. They were developed for then-President Jimmy Carter. Post says cybercrime can be seen as a subset of workplace violence, where employees become frustrated but have no way to mitigate the stress.
"In almost every case, the act which occurs in the information system era is the reflection of unmet personal needs that are channelled into the area of expertise," Post says. "Almost all these people are loyal at the time of hiring, so this isn't a matter of screening them out."
Post acknowledges that only a small percentage of IT workers who share a common set of personality traits actually commit crimes. However, for those who do become cyberoffenders, their actions are often the result of not having skilled managers who can alleviate workplace stressors, he says.
Post suggests several approaches that managers can take to both identify and alleviate those stressors for employees, including providing more distinct career paths. He also says managers need to acquire better leadership skills to help people feel like they really matter to an organisation.
Bill Tafoya has spent the better part of the past 25 years profiling criminals. A former special agent at the FBI and now a professor of criminal justice at Governors State University in Illinois, Tafoya says many IT workers today sometimes feel browbeaten by their employers.
"Most of the time, however, they merely become cynics who infect co-workers with their misanthropic view and undertake career-long, one-person work slowdowns," he says.
Managers often mishandle difficult situations, he says. "In some organisations, when personnel falter and are subsequently disciplined, the records department is a favourite reassignment [that] management uses for purposes of punishing the miscreant," Tafoya says. "I ask you, who is being punished?" Career paths need to be developed for IT personnel who handle a company's crown jewels - its information, he adds.
Obviously, not all cybercrimes occur as a result of frustrated employees. Many computer security breaches are the acts of dishonest people who crack into systems from the outside using the Internet.
Sometimes, they get a little indirect help from unsuspecting employees.
Scott Christie, an assistant attorney at the US Attorney's Office for the District of New Jersey in Newark, says a lack of oversight is a key enabler in many cybercrime cases.
"Without any oversight, [criminals] can do what they want without fear of being caught," says Christie.
Richard Hunter, an analyst at Gartner, says management inattention can be a contributing factor. "Some managers are inattentive to the point that they do not even check resumes for people being hired into positions where sensitive data is available".
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.