Disgruntled employees may seek IT revenge

Of all the security vendors exhibiting at InfoSecurity in London this week, none claim they can detect a major threat to enterprises: unhappiness.

Security software doesn't do a very good job of detecting employees who may have a grudge against their company. And often, those unhappy individuals are motivated by deep-seated human emotions: jealously, greed, or power, said Bob Ayers, associated fellow at the think tank Chatham House Information Security Program.

Take, for example, the case of a loathed senior executive of a major European bank. In preparation for a new post, his computer was sent to the IT department, where a security officer said it contained child pornography, Ayers said.

The executive denied the accusation vehemently. Further investigation showed that the pornographic images were placed on the machine by the security officer, an act of revenge against the executive for firing the security officer's father years ago.

"We tend to view insider threats as something with the objective of gaining money or something that can be sold for money," said Ayers, who worked in computer security and intelligence for the U.S. Department of Defense for more than 30 years. "You need to consider other motives than simply financial."

Unfortunately, it's very hard to detect employees who may be inclined to act maliciously within a company, said Stephen Bonner, head of information risk management for banking group Barclays.

Ironically, the warning signs of bad employees can also be indicators of good ones: a willingness to work late, a desire to take on more responsibility, and close interest in other colleagues' work, he said.

Bonner divides employees into three categories: those who will always do good, those who are mostly good but do bad things, and those who simply prefer bad behavior. Enterprises can help mitigate their risk by performing background checks and asking employees to take a pledge to act ethically.

Once on the job, managers can also take note of employees' actions. Those who act out -- after not receiving a satisfactory bonus, for example -- may be more inclined to seek retribution against their employer, Bonner said.

On the technical side, it's good to let employees know their activities will be monitored. But there's a catch. If employees perceive they are being overly monitored they may act differently, so the monitoring policy should be in line with the organization's work culture, he said.

The last recommendations seems like common sense: if companies treat people well, their employees tend to behave better. And addressing human resources problems directly can help to avoid what could translate into IT problems later.

But enterprises will always have a certain degree of exposure. "There are people we have to trust in our organizations to work effectively," Bonner said.