IT saboteur lands 4 years in the clink

A network engineer who sabotaged his employer's systems has been sentenced to 4 years and ordered to pay about $half-a-million in fines and restitution.

"In June 2012, Mitchell found out he was going to be fired from EnerVest and in response he decided to reset the company's servers to their original factory settings. He also disabled cooling equipment for EnerVest's systems and disabled a data-replication process."

Sabotage is an emotive word for an information security risk that - in my experience - isn't sufficiently considered, but then insider threats as a whole have historically been discounted or ignored. During the past year or three, the relentless onslaught of massive banner headlines and shocking TV news reports on the insider incidents involving Snowden, Manning and others finally appear to have registered with the decision makers, so at long last we are starting to see insider risks and controls being explored in risk workshops and policy meetings around the globe. We can't yet say whether there has been a genuine, permanent change in the risk tolerance levels though. Only time will tell. I'm conscious, for example, that the Terry Childs incident - big news when it happened back in 2008 - is already forgotten by most (nearly including me, by the way: I had to Google the incident to find his name!). 

Meanwhile, from a business perspective, we are relieved to see increasing interest in information security management as a whole but particularly security awareness, pre-employment screening, induction training and so on. As a long-time proponent of management-level security awareness supplementing the staff/general employee stuff, I'm delighted to see that approach going mainstream: if the 2014 CISM manual is to be believed, even sleepy ISACA gets it, at long last! I'm still fighting an uphill battle to persuade organizations to extend security awareness to their IT and other professionals though, and most of all to make awareness a continuous year-round activity, two ideas that are screamingly obvious to me, but what do I know? 

Personally, I think it is important that we, the professional information security community, milk every last drop of publicity value from all kinds of information security incidents and near-misses. Initiatives such as the Privacy Rights Clearinghouse and Data Loss DB are doing a pretty good job to raise awareness of privacy breaches, while RISKS-List consistently reports on safety and other information/IT security issues (including the EnerVest sabotage story above: that's how it came to my attention). There are all manner of aggregation sites and blogs for information security, and of course a plethora of security product vendor sites pushing antivirus, firewalls and other must-haves. I've blogged before about security surveys: few may be statistically valid and directly applicable to your situation but most at least can be used to raise awareness of (some of) the risks we are facing, as well as helping us appreciate the risks.  Staying abreast of the news, picking up on significant and relevant stories, circulating and discussing them with work colleagues and using them to calibrate corporate risk decisions is one of our core duties as information security experts, just as necessary as our ongoing professional education.