Easy access to information means employees can jeopardize a company’s security

In 2006, computer forensics expert Kris Haworth was sent to Pakistan to investigate possible cybercrime. The stakes were high: “People were going to Dubai because of security concerns, I had ransom insurance — all that stuff,” Haworth said. “There were machine guns; we had security. I had machine guns pointed at me.”

Haworth wasn’t in search of an extremist hacker, though; rather, she was investigating alleged theft of intellectual property. The Pakistani founder of Align Technologies, which makes the Invisalign braces, had left that company and started a new braces firm, OrthoClear, in Pakistan. He claimed to be using different technology, but Haworth found evidence proving OrthoClear was violating Align patents. The companies settled, with OrthoClear transferring all intellectual property to Align, and dissolving.

Though her work rarely takes her to Pakistan, cases like this aren’t uncommon for Haworth, managing director of The Forensics Group, a San Francisco-based cyber investigation firm that expanded to Kirkland in March. Though external hacking receives the vast majority of media coverage, Haworth’s organization spends most of its time investigating alleged malfeasance by those a company in theory should be able to trust: its employees.

“It’s almost always a fraud investigation,” Haworth said. “Insider trading, allegations that (a company) falsely stated their income … a lot of intellectual property theft.”

Employees pose a unique threat to businesses in that they often have access to sensitive material. While a hacker must fight for a way past a company’s safeguards, an employee sometimes can drop that material onto a thumb drive and walk out. So when charges of fraud are levied and The Forensics Group is called in to gather evidence for a case, it has the unfortunate task of sorting through an increasingly vast amount of data to find any evidence.

The first, and often final, place Haworth looks for incriminating data is in a person’s email. “First of all, people are stupid,” she said. “I’ve seen emails that say, ‘Did you destroy evidence before litigation?’ ‘Yes.’ ‘Thanks.’ That was from an attorney to a client.” Beyond the component of human error are the multiple backups of email correspondence. If a damning message doesn’t live in a person’s outbox, then it might be on the computer’s hard drive, and it’s more than likely on server backup tapes.

Employees who jeopardize a company’s digital assets typically fall under two categories, according to Marc Dupuis, an assistant professor of cybersecurity at the University of Washington Bothell. First are those who unknowingly grant malware access to company servers or divulge intellectual property to an interested party. Curiosity or ignorance is often the culprit. But the second type of employees have malicious intent, either to harm the company or to facilitate personal gain.

Dupuis cites people who exhibit the “dark triad” of personality traits — narcissism, psychopathy, and manipulative behavior — as the most likely to intentionally jeopardize a company’s security. Haworth has seen cases where employees steal information for personal gain without regard to coworkers, share intellectual property out of spite, and manipulate financial reports.

There are ways a company can mitigate the risk of malicious insiders. One is to separate duties. “You don’t have one IT person with all the keys to the castle,” Dupuis said. “They might be able to add users, for example, but they can’t change their privileges or passwords. You don’t want one person to be too powerful.” Threats also are mitigated when employees are given the minimal amount of clearances or privileges necessary to do the job. Furthermore, software such as DarkLight can monitor employee actions and flag unusual operations.

Implementing procedures and technology to enhance security helps, but not letting risky employees in the door might be a company’s best bet to remain safe. Background checks should be conducted on any potential hires, and Dupuis suggests continuing background checks for employees who have access to high-level information. Life factors such as crime or personal or financial strain can lead a person to harm the company.

“Attendance, performance, dependability, disregard for authority — if all of these point to someone who is angry, that should be a red flag,” Dupuis said. “In more cases than not, when you talk about malicious insiders, there were a lot of clear indicators that this person was going down a bad path.”

Haworth has seen stress cloud employees’ judgment and lead them to justify fraudulent actions. “You’ve got this mindset that whatever somebody has created, even if it was on their employer’s time, it’s theirs. So they take it,” she said. “I’ve seen it so many times. When the stock market went down, people would say, ‘Oh, I’ve lost all this money, I’ve worked 30 years for this company, and I deserve this. And they just start filtering off information.”

This post has been corrected. The Forensics Group expanded to Kirkland in March, not July.