How Recessions Make Good People Do Bad Things
Whom can you trust? In security, many of us nurture a healthy sense of paranoia and tend to be distrustful. But as human beings, as social beings, we form bonds of trust with those around us.
Behavioral psychology and sociology show that we have tribal behaviors that lead us to associate and trust those in our "tribe."
Every time there's a recession, crime goes up. Even good people will make poor decisions under economic pressure. From a security professional's point of view, recessions are a time of higher risk. Both internal and external attacks are likely to increase. The rising tide of crime will lift all attacks, across all areas of exposure (view a slide show, "The 10 worst security breaches of all time"). On top of everything else, you may have to contend with layoffs. Nothing makes a good person angrier and more motivated than a pink slip.
Greed, anger or desperation are what motivate insiders to attack their own companies. Most serious computer crimes I have seen (or been involved in investigating) were insider attacks. If your company is making layoffs, you will have to contend with angry and desperate people.
Here are some of the insider issues to look out for during a recession:
-- Employees may find themselves struggling with medical payments, mortgage payments or other financial issues. Many insider attacks start with an insider with access to corporate capital "borrowing" some money with every intention of returning it. While they rationalize the action, these employees often will get into a snowballing situation that leads them to further embezzlement. Guard financial systems and make sure you have checks and balances in place.
-- Layoffs will often trigger acts of revenge. These are most dangerous if they involve people in IT or finance. Logic bombs are the most common type of revenge on IT systems. Embezzlement also can be an act of revenge or desperation. Tighten password and access controls. Audit remote-access systems for unusual behavior.
-- Most companies today have more than one user directory. User life-cycle management practices are often lax. It is not uncommon to find dozens of former employees with active access during audits. Make sure you have a comprehensive process for disabling account access and changing shared passwords (which you shouldn't have anyway).
-- Disable access first, give pink slip later. As harsh as it is to march someone out of the building, it takes only a few minutes for an employees with access to critical systems or money to cause enormous damage. If you have layoffs coming, disable accounts overnight before people are fired.
It feels wrong to distrust insiders and treat them with suspicion during difficult economic times. The truth is, however, that you have a responsibility to protect the rest of your employees from the potential damage caused by one angry or desperate person. Be courteous, respectful and apologetic. Then follow the process strictly.