Thursday, July 21, 2011

Employee Theft

Posted by OurTech Team | Thursday, July 21, 2011





The topic of employee theft could fill volumes, especially in light of the staggering statistic found at www.social-engineer.org/wiki/archives/DisgruntledEmployees/DisgruntledEmployees-EmployeeTheft.html that more than 60 percent of employees interviewed admitted to taking data of one sort or another from their employers.

Many times this data is sold to competitors (as happened in this story of a Morgan Stanley employee: www.social-engineer.org/wiki/archives/DisgruntledEmployees/DisgruntledEmployees-MorganStanley.html). Other times the theft is of time or other resources; in some cases a disgruntled employee can cause major damage.

I once talked to a client about employee discharge policies, things like disabling key cards, disconnecting network accounts, and escorting discharged employees out of the building. The company felt that everyone was part of the “family” and that those policies wouldn’t apply.

Unfortunately, the time came to let go of “Jim,” one of the higher-ranking people in the company. The “firing” went well; it was amicable and Jim said he understood. The one thing the company did right was to handle the firing around closing time to avoid embarrassment and distraction. Hands were shaken, and then Jim asked the fateful question, “Can I take an hour to clean out my desk and take some personal pictures off my computer? I will turn my key card in to the security guard before I leave.”

Feeling good about the meeting, they all quickly agreed and left with smiles and a few laughs. Then Jim went to his office, packed a box of all his personal items, took the pictures and other data off his computer, connected to the network, and wiped clean 11 servers’ worth of data—accounting records, payroll, invoices, orders, history, graphics, and much more, all deleted in a matter of minutes. Jim turned in his key card as he promised and calmly left the building with no proof that he was the one to initiate these attacks.

The next morning a call came in to me from the owner describing the carnage in the ex-employee’s wake. Hoping for a silver bullet, the client had no choice but to try to recover what could be recovered forensically and start over from the backups, which were more than two months old.

A disgruntled employee who is left unchecked can be more devastating than a team of determined and skilled hackers. The loss to businesses in the U.S. alone due to employee theft is estimated at $15 billion USD.

These stories may leave a question about what different categories of social engineers are out there and whether they can be classified.
