What can you do when the insider threat is IT itself?

IT pros are not always the good guys, and when they go bad, the damage is immense.

IT is charged with keeping threats at bay, from both traditional external hackers and, increasingly, company insiders. One insider that is too often overlooked is IT itself. Look around your IT department - can you trust every single person there?

It turns out that a notable portion of insider breaches come from technical staff: 6% from developers and another 6% from admins, according to the latest Verizon Data Breach Investigations Report. The report shows that many of these breaches come from privilege abuse, although IT staffers use plenty of other techniques as well. The moral character of your IT admins deserves great weight. After all, they hold a lot of power at their fingertips, especially when a sizeable chunk of the business goes through IT systems.

In a recent Infoworld column, Roger A. Grimes offered a few war stories and some bits of advice on how to hire truly trustworthy IT pros and spot the bad seeds.

"When someone you admired, trusted, and invested yourself in ends up embezzling from the company, illegally accessing private emails, or using customer credit card data to buy computer equipment for their home, your incorrectly placed trust in that person will haunt you," Grimes wrote. One person he hired had not disclosed that he had a criminal record, and only after a background check had he learned. By then, the person had already been employed.:

"The one employee I kept on after they committed this transgression ended up stealing thousands of dollars in computer equipment from the company," he wrote. "I found out when he asked me to drop by his house to help diagnose possible malware on his home computer. When I entered his abode, I saw that he had a multi-thousand-dollar computer rack, computers, and networking equipment identical to what we had at work. When he realized I recognized the equipment, his expression was clear. It had been a mistake to invite me to his house, at least without first hiding the stolen equipment."

Grimes suggests that background checks are very important when hiring IT staff, and he warns against hiring candidates who have been found to have lied, or those who always have something bad to say about their previous employers. Grimes also recommends keeping an eye out for current employees who know too much about things they probably shouldn't.

Some years back, I covered this topic in a 2006 cover story for Redmond magazine: IT Gone Bad. The stories came straight from IT pros themselves and gave a good overview of what goes on behind the curtain of admin privileges.

"We have a network guy who monitors everyone's Internet usage. Most employees don't know this because our boss tells everyone that there's no one monitoring the Internet and that he doesn't want to know anyway, but this network guy always seems to know what everyone is surfing for. He even talks about it with other employees," said an IT pro interviewed for the article.

In another case, a school district IT director and a co-worker conspired to defraud the system.

"They had a computer consulting business they ran on the side and would leave the district several times a day to work on client computers without taking vacation time," an IT source revealed. "They discovered the program eBlaster, which records everything you do on the computer and attaches key logs, screenshots, Internet usage and a lot of other info in an email and sends it to a specified address for review. This was initially used to monitor users suspected of spending too much time surfing the Internet or inappropriate email. It was put on the CFO, COO, and superintendent's computer. It's also suspected that it was put on a few of the school board members' computers."

This was done to advance their careers, either through blackmail or through special knowledge gained from all the information they harvested.

With so many businesses relying on tech as a means of communication, the computer network can be a treasure trove of sensitive data, easily accessible by IT admins. Trust is of utmost importance, but what else can you do, and how does Verizon suggest you block breaches, including those from the inside?

"The first step in protecting your data is in knowing where it is and who has access to it," the report reads. "From this, build controls to protect it and detect misuse. It won't prevent determined insiders (because they have access to it already), but there are many other benefits that warrant doing it."

That's good advice, and I take it to mean that even IT should fall under strict data access privilege policies, and all network activity, including that from IT, should be tracked for security threats.


Copyright © 2015 IDG Communications, Inc.