Every organisation is a potential hostage to the actions of the ‘rogue’ employee, however well organised its internal security measures. After all, insiders are responsible for two-thirds of all security incidents.
Rogues can come in many guises. The most innocent, although not necessarily the least dangerous, are those who, either out of ignorance, frustration or simply by accident, bypass existing security practices.
In this way viruses can evade corporate firewalls via a carelessly opened email, an unprotected home PC or laptops holding confidential information left in taxis.
Then there are the rogues who abuse their IT privileges for criminal gain, or simply out of spite: employees who steal money or information electronically and IT staff who exorcise grievances by sabotaging systems.
Sometimes, they are aided by sloppy corporate security that grants systems administrators too much power or by a failure to delete ex-employees’ accounts the moment they walk through the exit door.
There is also some evidence of another kind of rogue – the ‘sleeper’ who joins an organisation specifically to penetrate its security, either independently or as part of an organised criminal conspiracy.
There are no foolproof technological safeguards against the activities of rogues, but some common-sense measures can reduce the risks. For example, many companies scan their own premises for signs of unofficial WiFi networks, installed by staff who want to enjoy the benefits of wireless networking but who fail to take account of the security risks.
At the same time, improved ID management can ensure that staff have access only to the systems they need to do their job, while highlighting evidence of rogue activity when, for example, someone repeatedly tries to log on to a system they should not be accessing.
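As an added illustration of the two checks described above (repeated attempts to reach systems outside a person's entitlement, and activity from accounts that should have been removed when the employee left), the following Python sketch is not part of the original article. It assumes a simple entitlement table, a list of leavers and an authentication log, all constructed here for the example.

```python
from collections import defaultdict

# Constructed sample data for this example only (not from the article):
# which systems each account is entitled to use, which accounts belong to
# people who have left, and an authentication log of (user, system, outcome).
ENTITLEMENTS = {
    "alice": {"crm", "mail"},
    "bob": {"mail"},
    "carol": {"mail", "hr-db"},
}
LEAVERS = {"dave"}  # should have been disabled the day he walked out
AUTH_LOG = [
    ("alice", "crm", "success"),
    ("bob", "hr-db", "denied"),
    ("bob", "hr-db", "denied"),
    ("bob", "hr-db", "denied"),
    ("bob", "mail", "success"),
    ("carol", "hr-db", "success"),
    ("dave", "mail", "success"),
    ("alice", "finance", "denied"),
]


def unauthorised_attempts(log, entitlements, threshold=3):
    """Count attempts by each user against systems they are not entitled to,
    returning {(user, system): count} for pairs at or above the threshold.
    Outcome is ignored on purpose: a success against a non-entitled system
    is worth flagging at least as much as a denial."""
    counts = defaultdict(int)
    for user, system, _outcome in log:
        # Users missing from the table have no entitlements at all.
        if system not in entitlements.get(user, set()):
            counts[(user, system)] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


def leaver_activity(log, leavers):
    """Return every log entry generated by an account that belongs to a
    former employee; any such entry indicates an account not deleted at exit."""
    return [entry for entry in log if entry[0] in leavers]


if __name__ == "__main__":
    for (user, system), n in unauthorised_attempts(AUTH_LOG, ENTITLEMENTS).items():
        print(f"review: {user} tried {system} {n} times without entitlement")
    for user, system, outcome in leaver_activity(AUTH_LOG, LEAVERS):
        print(f"review: leaver account {user} used on {system} ({outcome})")
```

In practice the entitlement table would come from the identity-management system and the log from the directory or SIEM; the threshold is a tuning choice, not a standard.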
Ultimately, much security comes down to setting an appropriate balance between trust and policing. For example, at the outset of an individual’s employment, companies need to conduct thorough background checks on anyone whose job requires high-level access before they are allowed through the door.
Once they do cross the corporate threshold, security policies and the responsibilities they place on individuals need to be spelled out at the induction and routinely refreshed.
This is just good practice, but it is worryingly absent at many organisations.