The Human Element

Technology and policies that implement access controls are tools that dictate behavior and help to enforce those dictates. In an ideal world, we would not need access controls because human beings would always behave appropriately. Unfortunately, this is not always the case. Because human beings sometimes make improper decisions and act inappropriately under certain circumstances, organizations use access controls to protect sensitive resources.

Dealing with Human Nature

What exactly is human nature? Human nature is the sum of qualities and traits shared by all humans. Human nature affects how we interpret events, how we react to others, and the choices we make every day. It is grounded in a long evolutionary history.

Although human nature is an important element of who we are and what we do, it does not completely control us. We can choose to act contrary to human nature when we believe it suits our best interests or fulfills some deeper need. Generally, human nature dictates that we should follow societal norms and avoid punishment, yet some people choose to violate those norms. Some people who make these choices feel that they have no viable alternatives, while others simply discount the probability that they will be caught and punished. Many attackers fall into the second group: they are confident in their skills and firmly believe they are smart enough not to get caught.

What does all this have to do with access control? Everything. Because of human nature, organizations need access controls. At the same time, human nature fights against access controls. Human nature is the single greatest vulnerability in any access control system.

Social Engineering

Another aspect of human nature is the desire to be helpful, to trust others, and to cooperate. For example, let’s say you’re approaching the front doors of an office building and see a delivery person with a dolly full of boxes, struggling to prop open the door. To be helpful and cooperative, you hold the door open for the delivery person. You notice his shirt has a well-known delivery company logo so you trust that he is an employee of that company. There are many other everyday examples in which people instinctively demonstrate the human traits of helpfulness, trust, and cooperation. These traits, however, are also exploitable weaknesses. For example, how do you know the delivery person isn’t an intruder who simply bought or stole a shirt from one of the company’s employees?

Social engineering is a strategy in which hackers exploit the general human tendency to trust, cooperate, and offer help, especially to those they consider part of their organization or peer group. Social engineering techniques are often used to gain the information required to conduct identity theft or defeat access control systems.

A typical social engineering strategy involves the following:

  • Assumed identity—The social engineer pretends to be someone who is considered a “trusted” individual, with a legitimate purpose to ask questions or request information. Commonly assumed identities are technical support experts and company executives. Social engineers choose these identities because the average employee is likely to cooperate with an expert or an executive without question. The delivery person example used earlier in this section is an example of an assumed identity.
  • Believability—The social engineer is careful to inject as much truth as possible into his or her story. Social engineers use insider jargon, names of actual employees the victim is likely to know (but not well), and other information. They often use a technique called pretexting where the attacker lies about his or her own identity or intent in order to persuade the victim to reveal sensitive information.
  • Multiple contacts—The more contact a person has with another individual or group, the more likely the person is considered “trusted” or a part of the group. A skilled social engineer makes one or two preliminary calls to the victim, each time gathering a little more seemingly innocuous information. The social engineer weaves this information into his or her story and request for help, increasing the believability of both.
  • Request for help—Once a social engineer gains the trust of a victim, the social engineer asks for help. Typically, he or she has a serious problem that could be easily solved if the social engineer only had a certain piece of information (that the victim has). Because the victim has already identified the social engineer as one of “us,” the victim is predisposed to be helpful and solve the fictitious problem by providing the crucial information.

Social engineering succeeds most easily when employees are trusting and complacent. Employees who are trained to recognize its tactics and who know how to respond (verify the caller's identity through a known channel, never read out passwords or one-time codes, and report the contact) defeat most attempts. Training alone is not a complete defense, because a well-built pretext can fool an alert person, so sensitive requests should also require a procedural check, such as a callback to a number already on record or a ticket opened by the requester. Unfortunately, many employees are not alert to the possibility of social engineering. They assume that because they are required to show their employee ID to enter the office building, anyone they meet inside must belong there.

The Unintentional Threat

Human beings make mistakes. When employees have access to data they don't need, that data is exposed to accidental deletion or modification by people who have no reason to touch it; limiting access to what a role actually requires (least privilege) shrinks the set of mistakes that can reach it. Another common problem is the employee who inadvertently shares sensitive data with someone who shouldn't have access to it.

Many employees don’t understand the risks from viruses and worms or from sophisticated phishing attempts. An employee might open an infected attachment and forward the message to coworkers without realizing the danger. Another source of malware is universal serial bus (USB) flash drives. Employees often use them to transfer files back and forth between their work and home computers. If an employee’s home computer is infected with malware, he or she can carry that malware to the office computer on the USB drive.

Laptops and other mobile devices are handy to use but are easily stolen. When users don’t exercise physical control over their laptops or smartphones, the devices often disappear. The larger issue may be the data on the device. Are the data confidential? Can someone with malicious intentions access the data? If inadvertently exposed, could it be used against the organization or perhaps the people the organization deals with? Full-disk encryption and the ability to wipe a device remotely limit the damage when the hardware is lost, and the answers to those questions should be known before the device leaves the building.

Training employees and controlling their actions with access controls reduces a significant number of these incidents.

Hackers and Motivation

There are two primary elements to every malicious access control story: the attacker who seeks to break into a computer system and the resource owner who needs to protect the confidentiality, integrity, and availability of resources against the attacker. What motivates certain individuals to try to gain access to resources to which they do not have a legitimate right?

A hacker usually has two primary motives to break into a computer system: wealth and status. Very young hackers, at 12 or 13 years old, usually begin by defeating copy protections on video games. They desire games but don’t always have the resources to purchase legitimate copies. Instead, they borrow games from friends, make copies, and study the protections until they determine a way around them. It’s possible that what they learn through these efforts might help them defeat more stringent access controls later in life. They might use their skills to access information with a higher monetary value. They could either sell the information for cash or use stolen credit card and bank account information to purchase items they want.

The status motivation is less obvious than the wealth motivation, and more powerful. A hacker generally does not gain positive status in mainstream society for hacking efforts, although he or she may gain notoriety. At the point that the hacker is engaging in illegal hacking activity, he or she has already rejected the possibility of mainstream status. Instead, the hacker works for status within the hacker subculture. There are two main keys to status in the hacker subculture:

  • Esoteric knowledge of computer systems and networks
  • Hacking into desirable targets

A target is a system or network that contains valuable data and has attracted the attention of the hacker. A target is considered highly desirable if the government, and specifically the military, owns it. A corporately owned target is considered highly desirable if it is protected by particularly strong access controls. By understanding the psychology of the hacker, you can more effectively design access controls to dissuade or prevent him or her from hacking your systems.

Pre-Employment Background Checks for Sensitive Positions

Hiring a new employee is a serious decision for an organization. In addition to the significant financial investment the organization is about to make, the new employee may have access to sensitive information during the course of his or her duties. Organizations need to know if individuals they are about to hire can be trusted and will not harm the company and its assets.

That’s why most organizations perform pre-employment background checks before hiring job candidates. Employers want some assurances that information provided by applicants is true and complete, and they want to know if an applicant has a personal history that may conflict with the goals of the organization. For example, a financial firm would not want to hire (and in fact, would be legally prohibited from hiring) someone with a history of embezzlement and fraud to be an investment fund manager.

What Information Can Be Considered in an Employment Decision

A wide variety of information can be obtained through a pre-employment screening, done either by the hiring company or by a third-party firm. Examples of pre-employment screening information includes:

  • Driving records
  • Credit reports
  • Criminal records including arrest reports, incarceration records, and court records
  • Medical records
  • Bankruptcies
  • Military service records
  • School records
  • Worker’s compensation records
  • Character references
  • Neighbor interviews
  • References from previous employers
  • Drug test results
  • Sex offender listings

NOTE

Under the Americans with Disabilities Act (ADA), an employer may not ask about an applicant's medical condition or require a medical examination before making a job offer, and medical information obtained after an offer can be used only to determine the applicant’s ability to perform the job, with or without reasonable accommodation for a disability.

Much of this information is publicly available, but some information, such as medical and school records and credit reports, and permission to interview neighbors and other personal associates, requires explicit consent from the applicant. Laws that restrict the collection or use of such information include the Americans with Disabilities Act (ADA) for medical inquiries by employers, the Health Insurance Portability and Accountability Act (HIPAA) for disclosure of medical records by health care providers and insurers, the Family Educational Rights and Privacy Act (FERPA) for school records, and the Fair Credit Reporting Act (FCRA) for credit reports and other background reports obtained from a third-party agency.

What Information Cannot Be Considered in an Employment Decision

In general, under the Fair Credit Reporting Act, a consumer reporting agency may not report most negative information that is more than 7 years old (bankruptcies may be reported for 10 years), so such information is not available for the employment decision; the time limits do not apply to positions with an expected salary of $75,000 or more. In addition, although an employer can learn of an applicant’s bankruptcy history, federal bankruptcy law restricts using that history as the basis for an employment decision.

Applicant’s Rights

If an employer intends to deny employment based on information in a background or credit report obtained from a consumer reporting agency, the employer must first give the applicant a copy of the report and a summary of his or her rights under the FCRA, and then, after the decision, notify the applicant and provide the name, address, and phone number of the agency that produced the report. Applicants are given a reasonable period to dispute inaccurate information before the decision is final; five business days is a commonly used minimum, and many employers allow up to 10 days.

Consequences of a Bad Hiring Decision

At best, a bad hiring decision can lead to lowered employee morale, failed projects, and the expense of hiring someone else to replace the unqualified employee. In the banking industry, hiring a prohibited person can lead to fines of up to $1,000,000 per day for every day the individual remains with the company or up to 5 years in prison for the hiring manager.

These penalties may seem unreasonable for simply hiring an unqualified person to do a job. They are assessed when a bank hires an individual who has been convicted of a violation under Section 19 of the Federal Deposit Insurance Act. Section 19 deals with criminal offenses involving dishonesty, breach of trust, and money laundering.

Ongoing Observation of Personnel

After a hiring decision is made, and perhaps an initial probationary period expires, it may seem unnecessary to continue to observe employees. However, organizations that make ongoing observation part of standard procedure are often able to prevent workplace violence and employee embezzlement and to avoid other forms of risk associated with employing people.

Identify Potentially Disgruntled Employees

A disgruntled employee is a person who is angry or dissatisfied, usually with some aspect of his or her employment. Disgruntled employees often believe they have been unfairly passed over for recognition or promotion, or that they are expected to accomplish more than is reasonable.

Some disgruntled employees are easy to spot—they complain loudly to anyone who will listen about the unfair treatment they receive. Others are more difficult to identify. Some things to watch for when identifying potentially disgruntled employees are:

  • Work that is consistently below average—Not bad enough to warrant termination, but below average. This can indicate a person who does not care about his or her work.
  • A pattern of coming in late and leaving early—This can indicate a person who simply does not want to be where he or she is.
  • The loner—Someone who does not join in normal workplace socialization may not identify with the organization.
  • Displays of passive-aggressive behavior—This can denote someone who is dissatisfied with his or her situation.

Most disgruntled employees do not show up for work with the intention of causing harm to coworkers, but they still represent a significant risk to the organization. In 2019, a disgruntled contractor working for Siemens pled guilty to planting a logic bomb in spreadsheets used by the company. The malicious software broke the spreadsheets periodically, requiring the firm to hire the contractor to “fix” them repeatedly. At the time that this book went to press, the contractor faced a $250,000 maximum fine and up to 10 years in prison.

If managers at Siemens had identified the contractor as potentially disgruntled, the situation could have been defused and his frustrations dealt with in a more constructive manner. At the very least, his work could have been reviewed more carefully and the logic bomb found earlier.

The Proper Way to Terminate Access on Termination of Employment

Termination of employment is a sensitive issue that should be handled carefully. On one hand, the soon-to-be former employee should be treated respectfully and with understanding—after all, losing one’s job is a traumatic event that can have a significant impact on one’s life. On the other hand, the organization must protect itself from any negative actions on the part of the employee. When an employee leaves the organization, administrators should undertake a formal offboarding process that includes the following steps:

  • Disable the terminated employee’s workstation, directory, VPN, and other remote-access accounts and back up his or her data before the termination meeting. Disable rather than delete, so that data and evidence are preserved, and revoke active sessions and tokens as well: locking a password does not end a session that is already authenticated.
  • Lock or remove accounts on databases, file servers, and cloud consoles before or during the termination meeting.
  • Change every shared credential the employee knew, including service-account, administrator, and root passwords, shared mailboxes, and API keys, and especially the passwords of online accounts the terminated employee could reach from outside the organization. Rotate these before the termination meeting.
  • Arrange for company property to be returned. This may include a corporate mobile phone, tablet, keys, a company car, an ID badge, a parking pass, a laptop computer, client files, and contact lists. A terminated employee could use these items to gain unauthorized access to facilities or data.
  • Consider how the terminated employee will be allowed to retrieve personal belongings after the termination meeting. After the meeting, the employee should be considered a potentially hostile visitor to the facility and appropriate physical security measures should be taken. The employee should not be allowed to return to his or her office or another area of the facility unescorted.
  • Consider whether security should be called to escort the terminated employee out of the building after the termination meeting.
  • Change the locks on the terminated employee’s office door and change keypad codes as needed.
  • Lock or remove the terminated employee’s email account. If the email account is left active, the employee could use that account to send seemingly official emails containing sensitive information to clients or members of the media.
  • Change the terminated employee’s voicemail message and forward his or her office phone to another employee or to a manager. Change the personal identification number (PIN) on the voicemail system.
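The account-related steps above can be scripted so that they run in seconds once the termination is effective and so that the timing can be rehearsed beforehand. The following script is an added example, not the book's own material; it assumes a local account on a Linux host with usermod, passwd, pkill, crontab and tar available, and an assumed backup directory under /var/backups. For accounts that live in a directory or single sign-on service the equivalent actions are disabling the account in the identity provider and revoking its sessions and tokens, which this script does not cover. Setting DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# offboard.sh - lock a local Linux account when a termination takes effect,
# preserving data and evidence rather than deleting them.
# Added example (not from the book). Assumes a local account on a Linux host;
# BACKUP_DIR is an assumed location. DRY_RUN=1 prints commands instead of
# running them, so the procedure can be rehearsed before the meeting.
set -eu

BACKUP_DIR="${BACKUP_DIR:-/var/backups/offboard}"

# run CMD...: execute the command, or only print it when DRY_RUN=1
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# offboard_user USER: lock the account, cut off remote access, end live
# sessions and background jobs, then archive and seal the home directory.
offboard_user() {
  user="$1"
  stamp=$(date +%Y%m%d-%H%M%S)
  home=$(getent passwd "$user" | cut -d: -f6)
  home="${home:-/home/$user}"   # fallback keeps dry runs working on any host

  # 1. Lock the password, expire the account and set a non-interactive shell,
  #    so that neither password nor key-based logins succeed from now on.
  run usermod --lock --expiredate 1970-01-02 --shell /usr/sbin/nologin "$user"

  # 2. Disable (do not delete) SSH keys; the renamed file stays as a record.
  run mv "$home/.ssh/authorized_keys" \
         "$home/.ssh/authorized_keys.revoked-$stamp" 2>/dev/null || true

  # 3. End live sessions and scheduled jobs. A locked password does not
  #    terminate sessions that are already authenticated, and a cron job
  #    would keep running as the user after the lock.
  run pkill -KILL -u "$user" || true   # pkill exits 1 when nothing matched
  run crontab -r -u "$user" || true    # having no crontab is not an error

  # 4. Archive the home directory for hand-over and forensics, then seal it
  #    so that nothing else can read or modify it.
  run mkdir -p "$BACKUP_DIR"
  run tar -czf "$BACKUP_DIR/$user-$stamp.tar.gz" \
      -C "$(dirname "$home")" "$(basename "$home")"
  run chown root:root "$home"
  run chmod 0700 "$home"
}

# verify_offboarded USER: the check a practitioner runs after the lock.
# Returns 0 only if the password is locked, the shell is nologin and no
# process is still running as the user.
verify_offboarded() {
  user="$1"
  status=$(passwd -S "$user" 2>/dev/null | awk '{print $2}')
  case "$status" in
    L|LK) ;;                 # "L" (Debian) or "LK" (RHEL) means locked
    *) return 1 ;;
  esac
  getent passwd "$user" | grep -q ':/usr/sbin/nologin$' || return 1
  ! pgrep -u "$user" >/dev/null 2>&1
}

if [ $# -gt 0 ]; then
  offboard_user "$1"
  [ "${DRY_RUN:-0}" = "1" ] || verify_offboarded "$1"
fi
```

Run it as root with `DRY_RUN=1 ./offboard.sh jdoe` first to review the plan, then without DRY_RUN at the moment the termination meeting begins; the verification at the end fails loudly if the lock did not take, which is the check that matters more than the lock itself.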

NOTE

The timing of these actions must be well-planned. If an employee comes in to work in the morning to find that all of his or her accounts have been locked, he or she might suspect the termination.

Many security breaches do not come from hardened criminals or teenagers looking for something to do, although those types of breaches do happen. As a security professional, you should be aware of them and mitigate those risks. A large share of the most damaging breaches are carried out by disgruntled current and former employees. These employees have intimate knowledge of the organization and its systems and may have friends and allies in the organization willing to help. One way to reduce the risk of employee retaliation is to perform thorough background checks on hiring candidates. However, because you can’t always predict human behavior, access control techniques such as those discussed in this section minimize the risk of retaliation by removing a disgruntled employee’s opportunity to do harm.
