A federal indictment alleging the most expensive instance of computer
sabotage to date reinforces what white-collar prosecutors have known for some
time: Companies that rely on computer networks need to take active steps to
insulate themselves against risk.
As reported
previously, a former programmer at a firm that makes instruments for
customers like NASA and the Navy was charged yesterday with activating
a computer program that wiped out all of the company's software.
Federal investigators estimate that the alleged attack cost the company, Omega Engineering of New Jersey, $10
million. While the problem of disgruntled employees wreaking havoc on their
workplaces has existed for some time, the price tag for this latest incident
could bring renewed attention to prevention of data crimes.
Julius Finkelstein, who heads up the high-tech crimes unit at the District
Attorney's office in Santa Clara County, California, said he has handled at
least one case in which a former programmer planted a time-delayed computer
file that deleted files from the company's system. He added that the problem is a fact of life for companies that rely on computer systems to store records and other crucial documents.
"Companies are vulnerable because their network is no better than the
people who administer it," he said. "Companies are particularly
vulnerable when the employee is a system administrator that has unfettered
access and was allowed to create anything he wanted on the system."
Finkelstein outlined two ways in which companies can inoculate themselves
against computer sabotage. The first is to take preventive measures that effectively hamper a recently terminated employee's efforts to attack. "You have to immediately cut off access [to the company's computer] and walk the person out of the company," he said, adding that the company should then change passwords and consider hiring an outside consultant to check for viruses and other destructive programs.
Finkelstein said companies also need to prepare for catastrophic events by regularly backing up their systems. He noted that background checks of system administrators and other high-level computer employees appear to have little value, because computer saboteurs usually have no criminal record.
"These are crimes of passion," Finkelstein said. "[Sabotage] is hard to
find in a background check."
Nonetheless, Greg Carr, who supervises the financial crimes unit of Arizona's Chandler Police Department, said companies need to give more thought to who they put in charge of running their important computer systems.
"People just don't think about the computer people who actually can do damage," said Carr. "Banks [for example] look more at the person who's cashing your check than the people who are running the computers."