The case is a business nightmare. A disgruntled employee destroys critical data and then disappears.
The follow-up audit discovers that not only has he erased back-ups held in two fire-proof safes on the premises, but he convinced a director to bring in an off-site back-up, ostensibly to fix a corrupt file, and wiped that as well.
Gone was information about international patents, project data and five years of engineering drawings.
Gareth Pert's trail of destruction at Hamilton engineering firm Progressive Hydraulics ended in Manukau District Court, where the 23-year-old engineer pleaded guilty to unauthorised access of a system and intentional damage. He will be sentenced in May.
The firm says the motive appears to be revenge after Pert was pulled up for padding his time sheet.
Director Angela Sharp says Pert was first hired as a casual worker during the university holidays while he was finishing his degree, then kept on.
She says the incident two years ago was a nightmare for the small business - which is now a lot more careful about its back-ups.
Security specialist Tony Krzyzewski from Auckland firm Kaon Technologies says the surprising thing about the case is Pert's young age.
"Usually this sort of sabotage is done by a guy or girl in middle management who's been there a while and is trusted, and it all gets covered up," says Krzyzewski.
"We are still extremely naive about security in New Zealand, and we tend to trust people.
"That is a New Zealand trait. This is a classic example."
He says it highlights the importance of security policies for firms of any size.
"Information on security policies should not just be in a book. All people in an organisation should know them and understand their purpose."
Krzyzewski says too many people think information security is a technology fix.
"It's not. It starts with policy, then procedures, then technology and finally audit. I call it PPTA. That has to be disseminated to everyone in an organisation."
Telltale signs of inappropriate use of IT systems are often not in the system log at all.
"I've had a few instances of strange activities in an organisation where people say someone was acting a bit funny, or where staff advised management strange things were happening.
"Changes in work pattern, the person who is always there early or always there late.
"Someone who starts asking questions outside the normal scope of their job or requests new applications to be installed which are not in line with their job.
"Then there's the person who always has the USB key fob. I call USB 'uncontrolled security breaches'."
There are technologies that can be installed to control use of removable media such as USB memory, removable hard disks or CDs. There are also common-sense user rules.
"The policy we have developed includes a requirement that each user account is only used by that named user, and any activities will be the responsibility of that named user.
"That makes people think twice about handing over their password."
Krzyzewski says large organisations and government agencies are increasingly aware of how to create true disaster recovery systems which have a provable ability to recover data, "but small and medium businesses are still flying by grace of God systems".
He says online back-up systems offered by firms like Revera, or even investing in a few removable drives, are now so much cheaper.
"Just getting a few terabyte hard drives and rotating them, taking them home, is so easy to do now."
While Pert wasn't on an internship programme, Krzyzewski says the case also highlights the need for firms taking on students as part of their course work to have the right supervision in place.
"Firms tend to bring students in and carry on without sufficient training or security awareness.
"They may give them administration rights and they probably don't even have an employment contract."
Associate professor Lech Janczewski, who runs Auckland University's Information Systems Projects as well as chairing the New Zealand Information Security Forum, says firms are encouraged to treat students on projects as employees.
But he says security and confidentiality are emphasised, with the students required to sign declarations about sharing information.
"In 22 years of running these projects with hundreds of students, there have only been a couple of cases of students violating the rules," he says.
"We also prepare an extensive brief for sponsors, setting out what they can expect from students and what students can expect from them."
Trusting firms easy target for sabotage