A US programmer was allegedly caught offloading his data-sensitive job to a freelancer in China so he could spend the day surfing the web, according to a Verizon case study.
The broadband and telecommunications provider reports that it received a request from an undisclosed critical infrastructure company in late 2012 to look into a possible data breach on its network.
The US company had discovered an anomaly in its VPN logs, which showed a live, unauthorised VPN connection from Shenyang, China. Meanwhile, the developer whose credentials were being used remained in his office in the US.
The Shenyang connections were occurring almost daily and occasionally spanned the entire working day.
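The anomaly that started the investigation was a classic "two places at once" signal: a VPN session from abroad overlapping with the user's physical presence in the US office. The script below is an added example (not Verizon's tooling or anything from the case study) that cross-correlates VPN session logs with badge-reader logs to surface exactly that, and counts how many distinct days each user connected from abroad, since the near-daily recurrence is what made the pattern stand out. The log format, user names, IP addresses and timestamps are all constructed for illustration.

```python
"""Correlate VPN session logs with badge-reader logs to flag a user who appears
to be on a foreign VPN connection while physically badged into the office.
Added example with constructed data; not the case study's own tooling."""
import re
from datetime import datetime

# Constructed sample logs (not real data): key=value syslog-style lines.
VPN_LOG = """\
2012-11-05T09:02:11Z user=bob src=203.0.113.45 geo=CN/Shenyang event=session_start
2012-11-05T17:31:02Z user=bob src=203.0.113.45 geo=CN/Shenyang event=session_end
2012-11-05T12:10:00Z user=alice src=198.51.100.7 geo=US/Boston event=session_start
2012-11-05T12:40:00Z user=alice src=198.51.100.7 geo=US/Boston event=session_end
2012-11-06T08:58:40Z user=bob src=203.0.113.45 geo=CN/Shenyang event=session_start
2012-11-06T17:05:13Z user=bob src=203.0.113.45 geo=CN/Shenyang event=session_end
"""

BADGE_LOG = """\
2012-11-05T08:45:00Z user=bob door=HQ-main action=entry
2012-11-05T17:45:00Z user=bob door=HQ-main action=exit
2012-11-06T08:50:00Z user=bob door=HQ-main action=entry
2012-11-06T17:30:00Z user=bob door=HQ-main action=exit
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split an ISO-8601 timestamp from the key=value fields that follow it."""
    ts, rest = line.split(" ", 1)
    fields = dict(KV.findall(rest))
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def vpn_sessions(text):
    """Pair session_start/session_end lines into (user, country, start, end)."""
    open_sessions, sessions = {}, []
    for line in text.splitlines():
        f = parse_line(line)
        key = (f["user"], f["src"])
        if f["event"] == "session_start":
            open_sessions[key] = f["ts"]
        elif f["event"] == "session_end" and key in open_sessions:
            country = f["geo"].split("/")[0]
            sessions.append((f["user"], country, open_sessions.pop(key), f["ts"]))
    return sessions


def badge_intervals(text):
    """Pair entry/exit badge events into per-user (inside_from, inside_until)."""
    inside, intervals = {}, {}
    for line in text.splitlines():
        f = parse_line(line)
        if f["action"] == "entry":
            inside[f["user"]] = f["ts"]
        elif f["action"] == "exit" and f["user"] in inside:
            intervals.setdefault(f["user"], []).append((inside.pop(f["user"]), f["ts"]))
    return intervals


def overlaps(a_start, a_end, b_start, b_end):
    return a_start < b_end and b_start < a_end


def find_concurrent_presence(vpn_text, badge_text, home_country="US"):
    """Flag VPN sessions from outside home_country that overlap a window in
    which the same user's badge shows them inside the building."""
    findings = []
    intervals = badge_intervals(badge_text)
    for user, country, start, end in vpn_sessions(vpn_text):
        if country == home_country:
            continue  # domestic remote work is not the signal we are after
        for b_start, b_end in intervals.get(user, []):
            if overlaps(start, end, b_start, b_end):
                findings.append({"user": user, "vpn_country": country,
                                 "vpn_start": start.isoformat(),
                                 "badged_in_since": b_start.isoformat()})
                break
    return findings


def recurring_foreign_days(vpn_text, home_country="US"):
    """Count distinct calendar days per user with VPN sessions from abroad."""
    days = {}
    for user, country, start, _ in vpn_sessions(vpn_text):
        if country != home_country:
            days.setdefault(user, set()).add(start.date())
    return {u: len(d) for u, d in days.items()}


if __name__ == "__main__":
    for f in find_concurrent_presence(VPN_LOG, BADGE_LOG):
        print(f"ALERT: {f['user']} on VPN from {f['vpn_country']} at {f['vpn_start']} "
              f"while badged in since {f['badged_in_since']}")
    print(recurring_foreign_days(VPN_LOG))
```

The badge log is only one possible second signal; workstation logon events, Wi-Fi association logs or proximity-card data would serve the same purpose. The point is that a single source (VPN geolocation alone) produces noise from legitimate travel, whereas two independent sources that contradict each other for the same identity are worth an analyst's time.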
"Based on what information they had obtained, the company initially suspected some kind of unknown malware that was able to route traffic from a trusted internal connection to China, and then back," Verizon explained in its case study. "What other explanation could there be?"
The truth turned out to be simpler: the employee had contracted a Chinese consulting firm to do his job for him for around one fifth of his salary.
During its investigation, Verizon uncovered hundreds of PDF invoices from a third-party contractor/developer in Shenyang, China.
It later transpired that the employee had physically FedExed his RSA token to China so the third-party contractor could log in under his credentials.
Once the evidence had mounted, investigators checked the employee's web browsing history: a typical 'working' day involved surfing Reddit, eBay and Facebook between 9:00am and 5:00pm. He would then email an end-of-day update to management before clocking off for the day.
"Evidence suggested he had the same scam going across multiple companies in the area," the Verizon case study claims. "All told, it looked like he earned several hundred thousand dollars a year, and only had to pay the Chinese consulting firm about $50,000 a year."
"Quarter after quarter, his performance review noted him as the best developer in the building," Verizon noted.
How well do you know your staff?
Calvert Technologies provides consultancy and support to SMEs around Australia and is a Microsoft certified gold partner. CEO Dean Calvert said he expects to see more such situations, both globally and in Australia.
“I know a software development business owner who discovered after he’d split the business that one of his employees, who was also a director, had been subcontracting his work off to friends in India,” he said. “They didn’t have access into the company’s internal systems but were doing programming [for the employee].”
“As you see more of these outsourcing and low-cost services arrive, people will think how they can use it for themselves. As professionals advising businesses we have to keep one or two steps ahead of that.”
Calvert said that for his clients and smaller businesses, the decision came down to risk versus cost.
“Smaller organisations don’t have the ability to scan connections constantly, it’s going to be beyond the reach of the SME. And most won’t think the risk is high enough to pay more.”
“Business would have to have the risk profile that matches up to them being willing to pay for it. Unless they are dealing with defence or high finance, I don’t think your typical SME would want to lock things down as tightly as they should.”
Not really a problem?
Channel Dynamics director Moheb Moses said outsourcing work involving sensitive data to another party is a serious security issue, but argued that, once the security aspect and the initial emotional response are set aside, the worker showed all the characteristics of a good employee.
“It was definitely deceitful, but couldn’t you argue that every manufacturer in the world is deceitful?” he said. “They all tell you their product is the best, but they can’t all be telling the truth. But did his deceit actually have a negative impact?”
“The security issue is definitely there, but from an innovation perspective, I’m going to give him a thumbs up,” Moses said. “From a productivity perspective I’m going to give him a thumbs up, and from a financial perspective the company has in no way been disadvantaged. The employee played a management function. He decided to be enterprising and outsource his work.”
Moses said it was difficult for businesses to safeguard against such behaviour given its devious nature, but advised that in data-sensitive situations a thin client would prevent potential leaks. He did, however, warn against being too security-conscious.
“If you try to put in place practices that protect against the most devious perpetrator, you may actually make it inconvenient for everyone else," he said. "Like not giving anyone remote access because you’re too scared of a breach. There’s always offsets between security and inconvenience and performance. The challenge for every business is to find the balance.”