Clearly delineating which IT staff members have specific privileges and responsibilities is crucial to preventing inside attacks, Lindstrom says.
Dan Twing, president and COO of analyst firm Enterprise Management Associates, says several important steps can be taken by companies to guard against internal sabotage before it occurs:
1. Create and maintain good documentation for networks and resources used by broad parts of the IT department. That means having tightly controlled records for passwords and access points, as well as clear documentation for the systems infrastructure from top to bottom, on-premises and off-premises. "There's just so much that isn't documented by IT departments," he says. "Some IT people don't write things down so they can be the hero in an emergency and swoop in to fix things, or they are too lazy to document things and they think that makes them indispensable."
2. Maintain "super administrator" access where possible so your company can maintain the highest level of control over your systems to prevent infiltration. Be sure that this is clearly documented and is controlled by only a few senior and trusted people in your organisation.
3. Have fast and clear change procedures for administrative passwords so that no worker can make system changes once they leave the company. If they need access for something, they can be given compartmentalised access which can be overseen by other trusted IT team members so they can do their work separate from the production environment. "The more of this that you do, yes, you are slowed down a bit, but you gain control," Twing says. "There's always a trade-off."
4. Use IT tools that allow you to set thresholds and alerts when there are unexpected activities inside the network to aid in the detection of possible sabotage events. "Remember that you need to be monitoring internal processes and systems as much as you are monitoring your perimeters to keep hackers out," he says. "At least you can stop something internal before it becomes big. Don't just assume that your external perimeter is the only place where bad things can happen."
Andrew Walls, a security analyst with Gartner, says the critical balance in all of this is ensuring that your IT people have the needed powers to get their jobs done while also setting limits to their overall control over the systems.
"Many organisations have this idea that IT is this arcane world and that the wizards who reside there have to always be trusted," Walls says. "That idea went away a long time ago. The same rules that govern the rest of your company's staff have to apply to your IT staff."
In the recent Shionogi case, Walls says it is ironic that the former IT worker used licensed IT tools to cause the harm from within the company. That could have been avoided if his network access had been removed immediately, within 20 minutes of his departure from the company, Walls says. "In no uncertain terms, if you terminate a person from their employment, their access must disappear immediately, not in five or 20 hours. In many organisations, they actually start removing access privileges before the person is even gone. That's what enabled this whole attack."
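Two of the controls described above, Twing's fourth step (thresholds and alerts on unexpected internal activity) and Walls' point that a departing employee's access must disappear immediately, can both be checked mechanically against an audit trail. The script below is an added example written for this article, not code from the analysts or from any vendor; the log format, the account names, the HR termination record and the destructive action name are all constructed assumptions. It parses a small log, flags every action by an account after its recorded termination time, and raises a burst alert when one account performs more than a threshold number of destructive actions inside a short sliding window.

```python
"""Added example (not from the article): two defensive checks that follow
from the advice above, run over a constructed audit log.

  1. post_termination_access(): any action by an account after the time HR
     recorded its termination, i.e. access that should already have been
     revoked.
  2. burst_alerts(): a simple threshold rule for unexpected internal
     activity: more than N destructive actions by one account inside a
     short window.

All names, the log format and the sample data are assumptions made for
this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import NamedTuple


class Event(NamedTuple):
    ts: datetime
    user: str
    action: str
    target: str


# Constructed log: "<ISO-8601 UTC timestamp> <user> <action> <target>" per line.
SAMPLE_LOG = """\
2011-02-03T08:40:00Z asmith login bastion01
2011-02-03T08:45:00Z jdoe login vpn-gw01
2011-02-03T09:12:00Z jdoe login vpn-gw01
2011-02-03T09:14:00Z jdoe delete-host app-srv-01
2011-02-03T09:14:30Z jdoe delete-host app-srv-02
2011-02-03T09:15:10Z jdoe delete-host app-srv-03
2011-02-03T09:15:40Z jdoe delete-host db-srv-01
2011-02-03T10:00:00Z asmith delete-host test-vm-07
2011-02-03T11:30:00Z asmith delete-host test-vm-08
"""

# Constructed HR record: when each departing account was terminated (UTC).
TERMINATIONS = {
    "jdoe": datetime(2011, 2, 3, 9, 0, tzinfo=timezone.utc),
}


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format into Event records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, user, action, target = line.split()
        # fromisoformat() accepts a trailing "Z" only on Python 3.11+; normalise it.
        ts = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
        events.append(Event(ts, user, action, target))
    return sorted(events, key=lambda e: e.ts)


def post_termination_access(events, terminations) -> list[Event]:
    """Return every event by an account at or after its recorded termination time.

    Anything returned here is access that should already have been revoked;
    a follow-up query against the directory (not shown) would confirm whether
    the account is still enabled.
    """
    return [
        e for e in events
        if e.user in terminations and e.ts >= terminations[e.user]
    ]


def burst_alerts(events, action: str, threshold: int, window: timedelta):
    """Flag accounts that perform more than `threshold` `action` events
    within any sliding window of length `window`.

    Returns (user, count, window_start) for the first window per user that
    crosses the threshold.
    """
    per_user = defaultdict(list)
    for e in events:
        if e.action == action:
            per_user[e.user].append(e.ts)  # events are already time-sorted

    alerts = []
    for user, times in per_user.items():
        start = 0
        for end, ts in enumerate(times):
            # Advance the window start until the window spans at most `window`.
            while ts - times[start] > window:
                start += 1
            count = end - start + 1
            if count > threshold:
                alerts.append((user, count, times[start]))
                break
    return alerts


def run_checks(log_text: str = SAMPLE_LOG):
    """Run both checks over a log and return (stale_access_events, burst_alerts)."""
    events = parse_log(log_text)
    stale = post_termination_access(events, TERMINATIONS)
    bursts = burst_alerts(events, "delete-host", threshold=3, window=timedelta(minutes=5))
    return stale, bursts


if __name__ == "__main__":
    stale, bursts = run_checks()
    for e in stale:
        print(f"POST-TERMINATION ACCESS: {e.user} {e.action} {e.target} at {e.ts.isoformat()}")
    for user, count, start in bursts:
        print(f"BURST: {user} ran {count} delete-host actions from {start.isoformat()}")
```

On the constructed data the first check flags five events by the terminated account (a login and four destructive actions, all after 09:00 UTC), while the earlier 08:45 login is not flagged; the second check fires once, for four `delete-host` actions inside five minutes, and does not fire for the colleague whose two deletions are ninety minutes apart. In practice the termination record would come from the HR system or identity provider rather than a dictionary, and the threshold and window would be tuned per action type.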