Insider Threat: No Industry is Safe
CMU Expert Offers Warning Signs of Potential Breaches
Cappelli heads the CERT Program at Carnegie Mellon University's Software Engineering Institute and is technical lead of CERT's insider threat research. In a recent interview, she says that fraud cases are not abating. "I have to think that that's probably because of the data breach laws, because now organizations have to report data breaches, and so we keep seeing this upswing in fraud cases," Cappelli says. Her team is investigating 20 fraud cases from 2009. Of those, 14 involve IT sabotage: a disgruntled employee trying to damage a system, typically after resigning or when about to be fired. "I try to point out to organizations that everyone is susceptible to IT sabotage, so this is a crime that no matter what sector you are in, you need to pay attention to," she warns.
Cappelli says that insider theft hit the government sector hard in 2009. Second was public health, "which was pretty interesting because in the past that has not even gotten a very big slice of our pie when we do the breakdown," she notes. Coming in third was the banking and finance industry.
The good news about insider threat is that there are indicators companies can look for in their own workforce, which gives them a chance for added insight. Yet true prevention requires orchestrating all parts of the organization to work together. "It requires really planning ahead and addressing legal issues, policy issues, employee privacy issues, and getting your legal department involved," she says.
One example: a disgruntled system administrator. "We know from our research that if you have a disgruntled system administrator who is about to be fired or quit because they are so angry, they are going to create some unknown access path so they can get back into the organization," she says. The suspect may plant malicious code. Technology alone won't help in this instance, she adds, because that is what these employees do every day: they edit scripts, write scripts and release programs. Relying on technology to flag that this system administrator just released a new program won't be effective, Cappelli says. "You are not going to catch it," she says. But that same disgruntled employee would already be on the HR radar, so management knows they are a problem. "HR knows that they are a problem. Someone needs to tell the information security staff, so that they can look in your logs and see what this person has been up to."
Another area where Cappelli says companies can focus is theft of information technology intellectual property. "IT theft is typically committed by scientists, engineers, programmers, someone who steals what they created, and they steal it on their way out of the organization," she says. Typically, the departing employee takes intellectual property with them within 30 days of resigning. HR must tell the information security staff when such people have turned in their resignations. "You can then look back in the logs and see what they have been doing," she notes. Organizations also need a proactive strategy and proactive technology in place for events like this so that "you can go back and see what they have been doing with their laptop at home."