Just as bank managers are at risk from having the keys to the safe, fears are rising that IT managers are being targeted by criminals because of what they know about their companies.
British IT crime chief Ken Hynds says criminal gangs are blackmailing companies after discovering weaknesses in their computer systems. The next step could well be physical intimidation, he says.
“Organised criminals will intimidate people with access to information,” he told Britain’s Computing magazine.
Companies should therefore be careful about who they let access IT systems. Criminal gangs are increasingly using people with IT knowledge, Hynds says.
There is “some truth” to the idea that New Zealand IT managers are being exposed to such dangers, says police electronic crime lab national manager Maarten Kleintjes, but he knows of no cases in which IT managers have been kidnapped or otherwise coerced.
Kleintjes believes the biggest risk to businesses is still from inside rather than outside. Employers “have to be sure the people [staff] can be trusted”, which means they must be properly screened, he says.
British security firms are advising IT managers to say little about their work to outsiders, and advising other IT staff not to reveal too much about their boss. “If someone was to target the IT manager, he or she will find out as much about that individual as they can,” says Adrian Reid, managing director of UK computer forensic firm Datasec.
Similarly, Symantec New Zealand manager Richard Batchelar says he is often surprised by what competitive advantage he can gain from businesses telling him about their use of security products, including information about company firewalls. However, one organisation he spoke to recently said absolutely nothing, which he thought was a “fantastic stance”.
“Most IT managers want to bleat about their successes and failures. How do they know I am not a Hells Angel’s brother-in-law?” Batchelar asks.
Batchelar says IT managers know information that is just as important as that held by HR and other professionals and says Symantec would certainly fire them for serious breaches of security.
“[Information] will become a lot more controlled — and so it should — because of what is at stake. Companies deal in billions of dollars. Keep it under lock and key if that’s your role,” Batchelar says.
He recently heard of an IT specialist at a company in Australia being arrested for working with two outsiders to move company money from one bank account to another. Such criminal activity will be a growing occurrence, Batchelar warns.
UK media report that nearly three-quarters of UK companies have sensitive data on their computer networks. They suggest companies must do more to ensure one person does not have sole responsibility for such information.
“Companies should consider distributing responsibilities. It is harder to corrupt a group of people than one individual,” says Datasec’s Reid.