Why Your Access Control Policy May Be Your Most Important Cyber Policy

A joint investigation by the U.S. Attorney's Office in the state of New York and the FBI resulted in the arrest of an employee at a New York-based technology firm.

According to investigators, the employee abused his position as a senior developer to gain unauthorized access to his employer's computer systems; download several gigabytes of confidential files; and modify other files to conceal the theft. He then posed as a hacker and demanded nearly two million dollars in Bitcoin as ransom. When his employer refused to pay the ransom, the perpetrator released some of the files on a public platform.

The perpetrator, who worked in Oregon, used a virtual private network service to hide his IP address. However, while infiltrating his employer's systems, a brief power outage at his home exposed his IP address, and led investigators to his residence. Within days of the FBI seizing multiple electronic devices, the accused posted reports to the internet, posing as an inside whistleblower, stating the firm's system breach was due to a vulnerability. This misinformation about the situation resulted in a 20 percent drop in the value of the firm's stock.

The accused faces four federal charges and up to 37 years in prison. "Former Employee Of Technology Company Charged With Stealing Confidential Data And Extorting Company For Ransom While Posing As Anonymous Attacker" www.justice.gov (Dec. 01, 2021).


Insider cybercrimes are the most dangerous because the perpetrators know the systems and how the employer addresses cyber risks.

To avoid this situation, employers should carefully audit employee and contractor access control.

A simple rule of any access control policy is the fewer people that have access to your sensitive data, the safer your data is, so long as not one person or small group has total control.

As for who has access to what, the policy should only permit access based on what is necessary to perform a job or function. Moreover, if access is only temporary, then controls should be in place to eliminate access once the project is complete.

When an employee leaves your organization, be sure to immediately disable the employee’s systems access regardless of whether the departure was on good or poor terms.

In addition, continually monitor your employees’ patterns of system access, looking for the unusual activity, like an increase in time spent in confidential systems or accessing the system at atypical times of the day.

Finally, your opinion is important to us. Please complete the opinion survey: