The court trial of Roger Duronio, the systems administrator who allegedly crippled investment banking giant UBS’s computer network, is a timely reminder of the security threats that businesses face from their own employees.
US prosecutors say the 63-year-old launched a logic bomb – in effect, a delayed-action virus – that crashed 2,000 servers at the bank’s stockbroking division, UBS PaineWebber, and prevented more than 8,000 traders from buying and selling shares for more than a day. On top of trading losses, the attack reportedly cost the firm $3.1m (£1.7m) in IT repair fees.
Duronio allegedly sabotaged the IT systems after being told that he would not receive as big an annual bonus as he was expecting.
‘The biggest threat comes from employees accidentally doing something wrong and being too scared to admit it,’ said Clive Longbottom, service director at analyst Quocirca. ‘But in terms of malicious activity, the capability to cause damage from inside a company is far bigger than from hackers accessing externally.’
Research conducted by YouGov, commissioned by Microsoft and released this week, shows that the risk to UK businesses is just as clear.
The survey found that nearly a quarter of UK employees (22 per cent) have illegally accessed sensitive internal data, such as colleagues’ salary details, using company IT systems. And more than half (54 per cent) said they would, given the chance.
The research shows HR and payroll information to be the most popular target, with 36 per cent of staff saying they would nose around systems. Some 28 per cent said they would access managers’ notes, and 25 per cent said they would access colleagues’ private documents.
Longbottom says firms need stronger internal security technology and procedures to overcome downtime caused by malicious employees and to stop them accessing sensitive data.
‘If it is someone on the workshop floor or in the office then hopefully, at worst, all they can do is delete a file. This should not be a problem, as firms should back up documents,’ he said.
‘But the biggest worry is techies, as they have access to all the Unix, Linux and Windows servers and could potentially delete the firm’s whole operating system.’
IT auditing systems can help firms to track activity by systems administrators, says Longbottom, but these are only useful after an internal attack, when computer forensic records can be used in court. ‘If someone has full access to systems it is hard to police,’ he said.
‘You could have two-phase approval for every IT action, so the IT director needs to sign off what administrators do. But ultimately that would be too laborious.’
But many security risks could be removed by integrating security processes in the company. In some cases, internal fraud or systems attacks are carried out with false employee identities or by taking control of other workers’ user rights.
By introducing two-factor authentication devices that issue one-time passcodes, even systems administrators would have difficulty knowing an employee’s password at any given time, says Longbottom.
And by linking HR systems with those of the IT department to create new user identities for the network, unusual behaviour could be spotted more easily.
‘Requests for new staff to have access to the network should only be raised by HR. The IT department should not create IDs without permission,’ said Longbottom.
‘When a person leaves the company, HR systems should alert IT that the employee should no longer have access.’
It is also important that remote access rights to systems are removed, he says.
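The HR-to-IT link described above can be checked with a periodic reconciliation of the two record sets. The following is an added example, not code from the article or from any firm it mentions; the field names, logins and dates are constructed assumptions. It flags IDs that HR never requested, leavers whose accounts are still enabled, and leavers who still hold remote access.

```python
from datetime import date

# Constructed sample data: HR is treated as the system of record.
HR_RECORDS = [
    {"employee_id": "E100", "leave_date": None},
    {"employee_id": "E101", "leave_date": date(2024, 5, 31)},
    {"employee_id": "E102", "leave_date": date(2024, 6, 1)},
    {"employee_id": "E103", "leave_date": date(2024, 12, 31)},  # leaves later
]
# Constructed sample data: accounts as exported from the IT directory.
IT_ACCOUNTS = [
    {"login": "apatel", "employee_id": "E100", "enabled": True, "remote_access": True},
    {"login": "bjones", "employee_id": "E101", "enabled": True, "remote_access": False},
    {"login": "csmith", "employee_id": "E102", "enabled": False, "remote_access": True},
    {"login": "dlee", "employee_id": "E103", "enabled": True, "remote_access": True},
    {"login": "svc-tmp", "employee_id": None, "enabled": True, "remote_access": False},
]

def reconcile(hr_records, it_accounts, today):
    """Return (login, finding) pairs where IT accounts disagree with HR."""
    hr_by_id = {r["employee_id"]: r for r in hr_records}
    findings = []
    for acct in it_accounts:
        hr = hr_by_id.get(acct["employee_id"])
        if hr is None:
            # The ID exists in IT but HR never raised a request for it.
            findings.append((acct["login"], "no_hr_record"))
            continue
        # A leave date in the future means the person still works here.
        left = hr["leave_date"] is not None and hr["leave_date"] <= today
        if left and acct["enabled"]:
            findings.append((acct["login"], "leaver_still_enabled"))
        if left and acct["remote_access"]:
            # A disabled login can still leave a remote access grant behind.
            findings.append((acct["login"], "leaver_remote_access"))
    return findings

if __name__ == "__main__":
    for login, finding in reconcile(HR_RECORDS, IT_ACCOUNTS, date(2024, 6, 30)):
        print(f"{login}: {finding}")
```
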
The US courts are still debating if Roger Duronio released the logic bomb, or if someone else assumed his electronic identity. But the fact remains that security threats increasingly come from within.
Information protection
A report released last week by technology consultant Deloitte reveals that 96 per cent of IT directors in financial services are concerned about employee misconduct using corporate computer systems. Yet only a third have provided information security and privacy training in the past year.
The annual survey also revealed that almost three-quarters (72 per cent) of financial services firms that did suffer security breaches last year estimate damages to the business to be about $1m (£550,000).
Nearly all the firms interviewed estimated that their information security budgets grew in the past year. Logical access control products topped the list of spending.




