- Learn why your biggest security risks are inside your organisation
- See how guarding against internal threats can protect against external ones too
- Discover how CIOs balance the need to trust workers with efforts to reduce risks
When John Michael Sullivan moved to Charlotte, North Carolina, to help develop a mobile computer program for Lance Incorporated, he hung up an old plaque. Inscribed "Dr Crime's Terminal of Doom", the memento celebrated Sullivan's youthful love of the movie Indiana Jones and the Temple of Doom - and his reputation as a computer hacker who went by the handle Dr Crime.
"I was a hacker long before being a hacker was cool," Sullivan wrote on a Web page the FBI later found on his hard drive, describing his affection for the plaque."More than once I was accused (falsely?) of perpetrating acts of computer crime against various systems and agencies. But regardless if I did or didn't, I never got caught . . . And although I have Â'settled in' to a real job, Dr Crime still lives . . . quietly, anonymously and discreet."
Or not. After Sullivan was demoted at snack-food maker Lance in May 1998, he planted a logic bomb. This malicious code, set to execute on September 23, 1998, the anniversary of his hire date, would destroy part of the program being written for the handheld computers for Lance's sales force. When the bomb went off - months after Sullivan had resigned - more than 700 salespeople who rove the Southeastern United States with truckloads of Captain's Wafers, Cape Cod Potato Chips and Toastchee crackers couldn't communicate electronically with headquarters for days, and Lance feared the attack might cost $US1 million.
The evidence Dr Crime left is unique, but the scenario? Hardly. Whether it's sabotage or the theft of trade secrets, a growing number of companies are learning the hard way that their biggest security risks are on the inside. Employees, contractors, temps and other insiders are trusted users. They know how a company works, and they understand its weaknesses - and that gives the occasional bad apple a chance to really make things rotten.
Rather than handling the situation internally as something to cover up, as do many companies faced with insider crime, Lance decided to act."We wanted to send the message that these types of actions were not accepted by senior management," said Rudy Gragnani, vice president of IS at the $US583 million company, in an interview that his edgy legal department allowed him to conduct only via e-mail."The livelihood of our sales representatives was being impacted, and we took this situation very seriously."
In April 2001, the then-40-year-old Sullivan - who also wrote on that Web page that he'd relocated from New York to North Carolina to give his family a better quality of life - was sentenced to two years in prison without parole and ordered to pay almost $US200,000 restitution. He lost an appeal in February 2002.
Damage by insiders such as Sullivan"is an incredibly fast-growing problem", says Patrick Gray, who worked for the FBI for 20 years until he retired in late 2001 to join Internet Security Systems, a managed security company based in Atlanta."It's a tough threat that CIOs are going to have to address. Whether you're a Fortune 100 company or a three or four person company, you still have to deal with that biosphere that sits between the keyboard and the chair."
Supposedly the wake-up calls came in 1996, in computer sabotage's most famous chapter, when a former systems administrator at New Jersey-based Omega Engineering unleashed malicious code that cost the company more than $US10 million; in February 2002, Tim Lloyd, 39, was sentenced to 41 months in federal prison and ordered to pay Omega more than $US2 million in restitution.
But the bells are still ringing.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.