Angry employees pose greatest threat to a company's computers

Actor Tom Cruise in Mission Impossible: despite the popularity of technical espionage films like Mission Impossible, in which Cruise crawls through ventilation shafts to break into CIA headquarters and hack the computer system, most organisations need to worry more about employees stealing data than hackers or foreign agents

According to United States Federal Bureau of Investigation special agent Mr Dan Nielsen, who works with the FBI's Computer Investigations Unit, most computer crime is an inside job.

Mr Nielsen spoke at last week's annual RSA Data Security Conference in San Francisco, which brings together the leading luminaries of the encryption and security trade as well as 3,000 delegates from international governments, the technology industry, law enforcement and assorted hackers and crackers, the people adept at jimmying the cyber-locks on the Internet.

"Personnel-based vulnerability," as the FBI terms it, "is probably the number one place where we see problems coming in," said Mr Nielsen. Employee computer crime is common because employers give staff passwords to their computer systems, often with no attempt to block access to sensitive files.

The most problematic employees are angry employees who have been sacked, people who intend to leave the company to start a rival firm, or contractors and temporary employees.

None of these, apparently, appeals to the public: "You have to wonder, why is it that the outsiders get all the attention - and get all the movie deals?" asked Mr Nielsen. He noted that, according to their statistics, the government employee who worked in the computer room in the film Mission Impossible would have been the more likely hacker, but the film wouldn't have had the same appeal without Mr Cruise breaking and entering, then lowering himself from the ceiling to the computer keyboard, in the film's best-known scene.

The FBI is worried that organisations might disregard the more potent internal threat to their data because "the hacker, the cracker coming in from outside has more appeal".

This concern is reflected in the coverage given a widely-publicised story from the Los Angeles Times - carried on this page last week - in which an FBI agent outlined a variety of computer break-ins perpetrated by foreign agents. The story noted that Silicon Valley technology companies in California were particular targets for attempted hacks.

But in Silicon Valley, as the Santa Clara County District Attorney's office confirms, the major concern is employee crime. At the most visible end of the computer crime spectrum are lawsuits alleging theft of "intellectual property" - in these cases, computer files that employees are charged with having taken with them to a new place of employment - several of which push their way through the courts at any given time.

The most celebrated of these at the moment is a case which the Silicon Valley software company Cadence has brought against a start-up named Avant. Both firms make the complex software used to design the equipment used in the manufacture of microchips.

Seven executives at Avant, some of whom worked previously at Cadence, face criminal charges in the case and, if found guilty, could receive prison sentences. The suit alleges that Avant engineers stole computer code to produce a software product similar to Cadence's. The judge in the case has already barred Avant from selling one of its products pending the outcome of the trial. If the case is successful, it would set precedents for the prosecution of employees for computer data crime - and thus the lawsuit has riveted attention in the Valley for months.

According to Mr Nielsen, corrupt employees pose a threat to data in other ways besides stealing files. Computer systems might be blocked so that they can't be used. Sensitive information might be disclosed, compromising the organisation. And data might be maliciously altered. Mr Nielsen said a typical example of the latter was a systems administrator who wanted to set up his or her own rival business and therefore had an interest in changing data.

He particularly warned organisations to beware of temporary employees, who are often brought in and given passwords which nobody bothers to cancel once the employee leaves. Mr Nielsen pointed out that the easiest way for a malicious person to gain access to an organisation's files was by applying to work as a temp for a firm.

"If I were setting up an intelligence agency, personally I'd set it up as a temping agency," he said.

He classified outsiders who commit computer crime into three categories: competitors, foreign agents, and "joy riders", or the hackers who enjoy digital breaking and entering just to wreak a little havoc in an organisation's computer system.

Despite all the public concern about Internet commerce and hackers, the least likely victim of a computer crime is, he said, the individual consumer.

"There's millions of Internet users out there, and they're all potential victims, but it really doesn't make sense for the average computer criminal," Mr Nielsen said. "It's like trying to set a fishhook into a river going by. You might pull up one or two, but it's not very efficient."

Karlin Lillington

Karlin Lillington, a contributor to The Irish Times, writes about technology