Information security professionals today are awash in overwhelming, and constantly replenished surges of information about cyberthreats. Because so much of this cyberthreat intelligence concerns external threats of increasing sophistication and complexity, from organized criminal networks to state actors, it can be easy for information security teams to overlook the possibility that disgruntled insiders may pose a risk to their organization’s networks and data.
Insider attacks, however, are a genuine and persistent dimension of the cyberthreat environment. The Ponemon Institute’s 2020 Cost of Insider Threats Report found that in only two years the number of insider threats increased 47 percent, from 3,200 in 2018 to 4,716 in 2020, while the cost of such incidents increased 31 percent, from $8.76 million in 2018 to $11.45 million in 2020. In addition, careless or negligent employees account for 62 percent of incidents, leading to an average cost of $307,111 per incident, while incidents involving malicious insiders or credential thieves lead to an average cost of $871,686 per incident.
One recent case provides concrete examples of the damage that a single disaffected employee can cause within an organization. On September 24, the U.S. District Court in Maryland sentenced Shannon Stafford, a former information technology (IT) manager for a global company identified only as “Business A,” to a year and a day in federal prison and restitution of $193,258.10 for illegally accessing and damaging Business A’s computer network.
According to the U.S. Department of Justice, Stafford was employed in Business A’s information technology department from 2005 to 2015. As part of his duties, he had access to other employees’ system login credentials “and was authorized to use them in the course of performing his technical support duties.” He was also responsible for disabling the network access credentials of company users at the end of their employment.
Although Stafford was promoted in 2014 to a managerial role, as technical site lead for the company’s Washington office, he was demoted in March 2015 to an IT support role because of performance issues in his management position. After his performance issues continued, Stafford was fired on August 6, 2015.
Beginning on the evening of August 6, Stafford engaged in a series of actions directed at damaging Company A’s network:
- August 6: That evening, Stafford “repeatedly attempted to remotely access Business A’s computer networks from his residence,” using the laptop that the company had provided to him. He unsuccessfully tried to access Company A’s network approximately 10 times, using his own credentials and those of a former co-worker whom he had previously assisted.
- August 8: In the early morning, Stafford successfully used the former co-worker’s credentials and the company laptop to access, without authorization, the computer that had been located under his desk in the Washington office. He “used the Washington IT computer to execute demands to delete all of the file storage drives used by the Washington office, then changed the password to access the storage management system.” The deletion of those files caused a severe disruption to the company’s operations and the loss of some customer and user data. Changing the password hindered the company’s efforts to determine what happened and restore access to its remaining files. As a result of the deletion of the network file storage drives, Washington users were unable to access their stored files for approximately three days, until the data could be restored from backups. Customer and user data that was not included in the most recent backup prior to Stafford’s deletion of the files was permanently lost.
- August 11: Stafford “unsuccessfully attempted to remotely access the company’s computer network from his home approximately 13 times, using credentials that were not his.”
- August 13: A Company A representative “spoke to Stafford and demanded that he cease and desist his attempts to unlawfully access Business A’s computer systems.”
- August 21 – September 9: Despite Company A’s demand, between August 21 and September 9, Stafford “attempted to access the company’s network from his home approximately 17 times, using credentials that were not his.”
- September 14: Stafford “used the credentials of another former co-worker to access a network file storage system computer that he had been responsible for maintaining in the IT department of the company’s Baltimore office, intending to cause the same type of damage he did when he deleted the Washington office’s stored files.” That attempt failed “because Business A had changed the password after Stafford’s attack on the Washington files.”
The actual loss to Business A that resulted from Stafford’s damage and attempted damage to its computer systems, including the costs of restoration of the deleted systems, investigation of the events, and response to the intrusion was at least $38,270. In addition, Business A incurred legal fees of $133,950.60 and a fee of $21,037.50 for a forensic investigation.
Ultimately, a federal grand jury indicted Stafford in 2017 on two computer damage-related charges: one for the August 8 damage to the files in Company A’s Washington office, and the other for Stafford’s damage attempts between August 21 and September 9. Stafford was convicted after a four-day trial.
In one sense, Stafford’s case is unremarkable because it did not involve the use of any sophisticated hacking techniques. Yet it is precisely the simplicity of his conduct and the ease with which he caused harm to his company that should be of concern to chief information security officers (CISOs) and chief compliance officers (CCOs) in all types of companies around the world. What Stafford did can easily be mimicked by other disgruntled IT staffers in other countries, as United Kingdom law enforcement has seen on several occasions.
For those reasons, CISOs and CCOs should make use of the Stafford case in two ways. First, they should cite it in briefing senior executives in their organizations and remind them of the risks of internal computer sabotage. Those risks certainly include the immediate costs of lost business and repairing the damage. But CCOs and CISOs can also join forces with their businesses’ legal officers to point out the potential for regulatory enforcement action based on the organization’s failure to maintain adequate information security.
Second, they should make sure that their organizations’ internal procedures include certain minimum procedures to follow when it appears that it may be necessary to terminate or demote an IT manager or employee whose workplace conduct includes serious indications of hostility or anger.
Based on Stafford’s and other insider sabotage cases, those procedures should include the following.
First, if an organization decides to terminate an IT employee, or receives a resignation letter with immediate effect from that employee, it should not accept the employee’s representations that he will return a company-issued computer. Rather, the company should take immediate lawful action to obtain custody of that computer. Under no circumstances should the company rely on the employee’s promises to return company property in due course. As Stafford’s and other insider-sabotage cases have shown, even one or two days after that employee’s separation can be enough to allow the employee to use the company computer to cause damage.
Second, if an IT employee is about to be separated from the organization, even before, and during, the formal actions to inform the employee of his termination and escort him from the premises, the organization should review the employee’s outgoing emails for indications of intent to retaliate against the company and determine what levels of administrator access that employee may have.
In one insider-sabotage case, an IT help desk employee, even after his termination, was able to access an administrator account and shut down his company’s email server and application server and delete systems files essential to restoring computer operations. Even though the employee’s access rights reportedly had been revoked as he left the building, the company’s IT director found that the employee had emailed himself a list of network access codes and passwords for various company IT subsystems.
Third, with respect to IT administrators, the organization should have a second person, whether inside that organization or in an external information security firm, who has system privileges and access equivalent to or greater than those of the IT administrator. No organization should be totally reliant on a single individual who, if threatened with demotion or termination, could be tempted to retaliate against the organization’s networks or files.
Accordingly, if the organization has made the decision to terminate that administrator, it should direct the backup administrator to take all necessary steps to block the primary administrator’s access to the enterprise’s systems immediately before, or during, the organization’s notifying the disgruntled administrator of his termination, before that administrator can take action against the organization.
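As an added illustration (not from the article or the court record), the following detection logic shows how a defender can check authentication logs against a separation roster for the pattern in the August timeline above (attempts from a still-held company laptop using the separated employee’s own and a co-worker’s credentials) and identify which co-worker credentials need rotating, which supports the access-blocking steps just described. The roster, device ids and log lines are constructed sample values; the log format is an assumption.

```python
from datetime import datetime

# Constructed separation roster (sample values, not from the case): each separated
# user's separation time and the company-issued device they still held afterward.
SEPARATIONS = {
    "jdoe": {"separated": datetime(2015, 8, 6, 17, 0), "device": "LT-0142"},
}

# Constructed authentication log: timestamp, account used, originating device, result.
AUTH_LOG = """\
2015-08-06 21:14:02 user=jdoe device=LT-0142 result=FAIL
2015-08-06 21:15:40 user=jdoe device=LT-0142 result=FAIL
2015-08-06 21:20:11 user=asmith device=LT-0142 result=FAIL
2015-08-08 02:03:55 user=asmith device=LT-0142 result=OK
2015-08-08 09:10:00 user=asmith device=WS-0007 result=OK
2015-08-09 08:00:00 user=bjones device=WS-0012 result=OK
"""

def parse_line(line):
    """Split one log line into a dict with a datetime plus the key=value fields."""
    ts_text, rest = line[:19], line[20:]
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S"), **fields}

def flag_post_separation_access(log_text, separations):
    """Return (kind, user, device, result) alerts for events after a separation that
    use the separated account, or any account presented from the separated user's device."""
    device_owner = {v["device"]: u for u, v in separations.items()}
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        sep = separations.get(ev["user"])
        if sep and ev["ts"] > sep["separated"]:
            alerts.append(("separated_account", ev["user"], ev["device"], ev["result"]))
        owner = device_owner.get(ev["device"])
        if owner and owner != ev["user"] and ev["ts"] > separations[owner]["separated"]:
            alerts.append(("other_creds_from_separated_device", ev["user"], ev["device"], ev["result"]))
    return alerts

def credentials_to_rotate(alerts):
    """Accounts whose credentials were presented from a separated user's device: the
    co-worker passwords to reset, as Business A did after the Washington attack."""
    return sorted({a[1] for a in alerts if a[0] == "other_creds_from_separated_device"})

if __name__ == "__main__":
    found = flag_post_separation_access(AUTH_LOG, SEPARATIONS)
    for alert in found:
        print(alert)
    print("rotate:", credentials_to_rotate(found))
```

Successful (`result=OK`) alerts are the ones to escalate first; failed attempts still matter because, as in the case, they precede the successful one by days.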
None of these measures are guaranteed to prevent a disaffected IT employee from lashing out at his organization by using what IT skills he has. All of them, however, can reduce the chances that such an employee will succeed in his destructive mission, and can be accomplished at minimal cost to the organization. The potential risks of operational shutdowns and loss of key files and processes, and of regulatory sanction for failure to maintain adequate cybersecurity measures, are too substantial to ignore.