IT-related security incidents cost UK business millions of pounds each year, and finding ways to tackle the issue is consistently high on the average chief executive officer’s agenda. However, while organisations busily put in firewalls and anti-virus software in a bid to mitigate external threats, many are leaving themselves wide open to danger internally, by failing to vet IT staff rigorously enough – despite the fact these same staff often have access to sensitive company equipment and data.
According to The Information Security Breaches Survey 2002, a PricewaterhouseCoopers report sponsored by the Department of Trade and Industry, 34 per cent of UK businesses indicated their worst security breach was caused by an insider, compared to 66 per cent of incidents brought about by external sources. In large companies, internal breaches increase to 48 per cent.
While such internal threats are not confined to IT staff, the figures do highlight a problem and the report points out unreassuringly: “The number of employee-related security incidents is growing rather than diminishing.”
Surprisingly, while such increased security risks from company personnel are a result of “higher levels of staff turnover and changing staff roles”, the survey claims only 16 per cent of all UK organisations questioned are concerned – and just 37 per cent of large organisations, despite the fact that they are suffering many more damaging attacks.
Even more worryingly, however, the survey states only 59 per cent of respondents carry out background checks on either existing staff or new job applicants. As the report says bluntly: “People are often the weakest link for security, yet many organisations are failing to address this.”
So what are the potential risks posed by staff, and IT staff in particular? James Mullock, a partner in the technical department of lawyers Osborne Clarke, says: “Where I see the most problems for clients is in relation to people in charge of IT projects, because they can cause the most damage and the results tend to be the most disastrous. They tend to have full access to networks and valuable data, and they have the ability to set up backdoors into a network both on and off-site.”
While Joanna Buckingham, director of pre-employment screening at Control Risks Group, a business risk consultancy, acknowledges different IT roles pose different risks, she adds: “I would class IT as one of the highest-risk categories overall, as staff here can potentially do more damage than senior management in some instances.”
And one of the key roles to generate concern is that of software developers, according to David Lane, IT director at Pauleys, which sources and distributes chilled food throughout the UK and was acquired by Brake Brothers in October last year.
Lane explains: “It’s imperative to ensure you guard your intellectual property (IP) because it’s your livelihood, and you don’t want IT staff running off with copies of your software, source code or data and re-marketing it or giving it to your competitors.”
Mike Lord, IT director at the British Market Research Bureau, agrees wholeheartedly. He suspended a couple of software staff he inherited after joining the company, following the discovery they were trying to set up their own business using the company’s intellectual property.
“There are potential risks that can come from various areas depending on motivation, such as attempting to undermine internal systems or exposing data to other businesses in the same line. One of the key issues for us would be the embarrassment caused by market research data being exposed. While it’s not of huge intrinsic value, because such data is not held together with names and addresses, we do consider security a key issue here.”
While lack of security in this area has the potential to affect all organisations in all sectors, it is particularly important in certain vertical markets such as financial services, retail or telcos, which hold sensitive customer information like credit card details.
Osborne Clarke’s Mullock says: “The starting point in law is the Data Protection Act, which states any business managing information about individuals has to have adequate security, and there are specific laws and codes of practice that govern different sectors.”
“While there is nothing to say you must do background checks, if you’ve not taken adequate steps and find you’ve hired someone with a history of breaking the law, you could be deemed to be downright negligent – and if the business suffers damage, you could potentially be open to litigation.”
However, John Gladman, head of ICT at Surrey County Council, believes the biggest problem is not so much permanent IT staff as temporary or contract personnel.
“One of the biggest threats relates to temporary staff and outsourced services. You have no control over this, because the contract with the service provider is based on that service rather than on the employment of staff. It’s a big issue everywhere that is often overlooked, so people tend to focus on vetting permanent staff rather than on those that are indirectly employed.”
Protection from threat
So what can organisations do to protect themselves from these internal threats? In the case of permanent job applicants, the first thing to do after a shortlist of candidates has been drawn up is to undertake a face-to-face interview. This is not only to establish their motivation for joining the organisation and leaving their last job, but also to assess their skill levels and how likely they are to fit into the existing team.
Roy Sharples, head of IT at the Centre of Engineering and Manufacturing Excellence (CEME), a vocationally oriented university, explains: “By the end of the interview, we tend to have defined evidence that the candidate has or lacks the characteristics and skills that we listed on the person specification.”
If there is no evidence to back up certain claims, however, he continues, “We try to find out by some other means, or highlight this as an uncertainty and therefore a risk. By sticking to evidence for or against the characteristics, we should have determined what we need and are far less likely to be influenced by subjective judgements and unfair prejudices.”
Other techniques for establishing the suitability of potential candidates at this stage include having them undertake a technical test to indicate their abilities and involving them in “simulations”.
Sharples says: “Candidates are given a problem to solve and you watch for evidence of interpersonal skills, listening, building on their or other people’s ideas, managing stress, asking opinions and other desirable behaviours.”
Should a candidate pass the interview stage, the next step is to check references to ensure their CVs are accurate. Depending on the size and staff policies of the organisation they work for, chief executive officers can either do this themselves, employ the help of their human resources (HR) departments, or hire a third-party vetting agency to do it.
The latter provides different levels of checks, ranging from academic and employment history to credit and criminal records checks, which vary in price and take from three to 15 days. Under UK employment law, the permission of candidates must be obtained, however.
But, whichever route chief executive officers choose, Control Risks’ Buckingham warns that, on average, one in four job applicants lie about something and in as many as 10 per cent of cases, there are significant discrepancies between what prospective staff members say about themselves and reality.
Pauleys’ Lane agrees: “It’s important because few people tell the truth. When they’re moving from one job to another, they’re trying to move up the greasy pole and so they’re always going to expand on what they’ve done.”
Don’t phone a friend
Lane also recommends not only checking but also validating references. For example, if contacting a referee by telephone, he advises going through the company’s main switchboard rather than using a direct dial number or mobile phone so “you can find out if that person really exists and they haven’t just given you the name of one of their mates”.
“You may never come across this type of thing, but it’s all about being sensible and following things through. You’ve got to treat it as if everyone wants to pull the wool over your eyes,” Lane adds.
The downside of references, however, is that companies may provide a glowing one to get rid of a bad apple. Many refuse to provide any information at all beyond confirming dates of employment and the role an individual played in the organisation, because of the potential threat of litigation for slander.
But this does not mean potential employers cannot send a letter asking them to answer yes and no questions, such as: “Would you employ this person again?”
Chief executive officers can also take advantage of peer networks to find out more about potential hires. Surrey’s Gladman advises: “There’s much more openness and willingness to share information in the public sector, because we’re not in direct competition with each other, but getting to know people is a good way to find out information about new employees on an informal basis.”
In the case of contract personnel and staff working for outsourcing companies, however, Gladman advises including clauses in services contracts stipulating the provider has to make all reasonable efforts to vet their staff on the employer’s behalf. Clauses demanding the right to audit and check staff if there are any suspicions should also be incorporated.
Another thing to consider is asking staff to work for a trial period of between three and six months under close supervision, although this generally depends on seniority.
“If during that period they were not living up to their CV and there was a clearly marked difference between their skills and what they said at interview, we would probably terminate their contract,” Gladman says.
But, after all this rigorous vetting, what can chief executive officers do if they find they have doubts about the security risk posed by a new staff member?
Before they even take employees on, it is imperative to “nail down contracts of employment so it’s clear to everyone about what belongs to whom and what they can and can’t do with it”, says Pauleys’ Lane.
But should any suspicions arise, it is important to deal with them sooner rather than later and put systems in place to monitor staff activities.
“It’s always good to change routines so that if anyone wants to do anything nasty, it makes life more difficult for them. If you do random things at random times, people never know when you’re going to do them,” he adds.