Did you buy a Powerball ticket with hopes of winning $1.5 billion? If so, you’re in good company. Thousands of people in Michigan and Ohio were disappointed last week when the numbers were announced. Some even suggested that the lottery is rigged—and while that might sound extreme, it actually happened not that long ago.
In 2012, Eddie Tipton, director of security for a multi-state lottery association, was accused of tampering with lottery drawings in several states over a six-year period, including a $16.5 million jackpot in Iowa where he attempted to claim the prize. Tipton was convicted and sentenced to 10 years in jail.
How’d he do it? Tipton used his security clearance to manipulate the monitoring system in the lottery office’s draw room, programming it to record only one second per minute. This gave him the opportunity to enter the room undetected. Once inside, Tipton installed rootkit software on the computer that randomly generates the winning lottery numbers. A rootkit is malicious software that allows unauthorized access to a computer system while masking its existence; it gave Tipton advance knowledge of the winning numbers. This allowed Tipton and his accomplices to select winning numbers in multiple lotteries and collect the jackpots for at least six years.
So how did Tipton get caught? He brought too much attention to himself when he bought a $16.5 million winning ticket and tried to claim the prize.
This case makes me think of another arena where insider threats are prevalent: cybersecurity. The June 2015 Insider Threat Report indicates that threats are increasing, with the biggest risk coming from privileged users, followed by contractors or consultants, followed, lastly, by regular employees. According to similar research from Carnegie Mellon University, 44 percent of insider cybersecurity crimes are financial fraud, 25 percent are attempts to sabotage the organization, and 16 percent involve intellectual property theft.
Insider threats can go undetected for long periods of time, which is why it’s important to implement preventative controls and proactive monitoring procedures before an incident takes place. Organizations should consider implementing the following cybersecurity measures:
- Only allow employees access to information they need to perform their duties, and be sure to segregate conflicting access. For example, an employee who can add or update a vendor in an accounts payable system should not have access to check payments.
- Segregate administrative access, and restrict employees from performing transactional activities.
- Monitor the activities of users with full transactional access or access to sensitive functions, such as payroll and payments.
- Only provide employees system access during the time frame it’s needed. For example, access to payroll might not be allowed after business hours.
- Let employees know that their usage is being monitored and will be reviewed periodically.
- Routinely perform thorough background checks on all employees.
- Require everyone with access to company systems (employees, contractors, consultants, etc.) to review and sign information-security and non-disclosure policies.
- Provide a system for whistleblowers to anonymously alert the organization to insider threats.
- Immediately disable terminated employees’ system access. If there’s reason for concern, review the last 30 days of the terminated employee’s activities.
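Several of the measures above (conflicting access, time-restricted access, and activity by terminated accounts) can be checked mechanically. The following is an added example, not part of the original article, that audits a constructed entitlement table and access log; every user name, function name, timestamp and the business-hours window are assumptions made for illustration.

```python
from datetime import datetime, time

# Constructed sample data (assumed, not from the article).
CONFLICTS = [("vendor_maintain", "check_payment")]   # pairs no one user should hold
ENTITLEMENTS = {
    "alice": {"vendor_maintain", "check_payment"},
    "bob": {"vendor_maintain"},
    "carol": {"payroll_run"},
    "dave": {"check_payment"},
}
TERMINATED = {"dave": datetime(2016, 1, 8, 17, 0)}    # user -> termination time
TIME_BOXED = {"payroll_run"}                          # functions limited to business hours
BUSINESS_HOURS = (time(8, 0), time(18, 0))
ACCESS_LOG = [                                        # (timestamp, user, function)
    ("2016-01-11T09:15:00", "bob", "vendor_maintain"),
    ("2016-01-11T22:40:00", "carol", "payroll_run"),
    ("2016-01-12T10:05:00", "dave", "check_payment"),
    ("2016-01-12T11:00:00", "carol", "payroll_run"),
]

def sod_violations(entitlements, conflicts):
    """Return (user, func_a, func_b) for users holding both sides of a conflict."""
    return sorted(
        (user, a, b)
        for user, perms in entitlements.items()
        for a, b in conflicts
        if a in perms and b in perms
    )

def log_findings(log, terminated, time_boxed, hours):
    """Flag activity after termination and time-boxed functions used off-hours."""
    findings = []
    for ts, user, func in log:
        when = datetime.fromisoformat(ts)
        if user in terminated and when > terminated[user]:
            findings.append((ts, user, "activity after termination"))
        if func in time_boxed and not (hours[0] <= when.time() < hours[1]):
            findings.append((ts, user, "sensitive function outside allowed hours"))
    return findings

if __name__ == "__main__":
    for row in sod_violations(ENTITLEMENTS, CONFLICTS):
        print("SoD conflict:", row)
    for row in log_findings(ACCESS_LOG, TERMINATED, TIME_BOXED, BUSINESS_HOURS):
        print("Log finding:", row)
```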
Unlike the Tipton case, most insider incidents don’t make the headlines, but they’re happening and can cause real and immediate harm to an organization. An ounce of prevention is worth a pound of cure.
This content originally appeared at crainsdetroit.com and crainscleveland.com and is part of a special blog series on cybersecurity.