Sound protection for the data, intellectual property, real property, and other day-to-day assets that companies and senior management must secure demands plans and procedures that recognize the threats posed by employees with access to those assets. Security managers tend to spend effort on low-probability events, including tornadoes, fire, civil unrest and others, while ignoring the risks their own employees create.
In 2009, a programmer at Goldman Sachs stole code used by the bank to run its high-speed trading operations. Sergey Aleynikov worked as a programmer at Goldman Sachs and left his job with “hundreds of thousands of lines” of source code. Although he was prosecuted, the charges were thrown out. From the Guardian: “Because Aleynikov did not ‘assume physical control’ over anything when he took the source code, and because he did not thereby ‘deprive [Goldman] of its use,’ Aleynikov did not violate the [National Stolen Property Act],’ the court wrote in its decision for United States v Aleynikov.”
More recently, Syrian President Bashar al-Assad was betrayed by a security staffer who carried a bomb into a staff meeting. Syria is conducting a war, and the senior leadership team has been holding frequent planning meetings. This is an organization that is already on the highest alert, yet the blast killed Defense Minister Dawood Rajiha, Deputy Defense Minister Assef Shawkat (al-Assad’s brother-in-law), and Hasan Turkmani, a security adviser and assistant vice president.
In case you think Syria is an extreme example, consider this case. In December 2009, another suicide bomber attacked a CIA operations center in Khost, Afghanistan, killing eight Americans. Most were CIA agents. As in the Syrian attack, the suspect was well known to the people he targeted. A week after the bombing, NBC News published an article that identified the attacker as Humam Khalid Abu-Mulal al-Balawi, 36, a Jordanian doctor and al-Qaida sympathizer from Zarqa. The CIA planned to use him to infiltrate al-Qaida as a double agent.
Internal threats are real and have the potential to cause serious damage. None of the expensive firewalls, access control systems, alarms, fire suppression, locks, gates, fences and security systems that companies are already sustaining can prevent loss from a Trojan Horse. You must consider ways to compartmentalize data and assets and limit the damage that employees can do to a company or organization through theft or malicious destruction.