Cybersecurity firms protect society from some of the most potent threats, but who protects the protectors?
The global cybersecurity threat landscape shifts on an almost daily basis, which means that no actor in today's interconnected economy is exempt from threats, irrespective of whom they target. An attack on a bank in South America, for example, can affect manufacturing capabilities in the country and, potentially, the ability to ship much-needed goods and products halfway across the world. And while most threats come from outside actors with negative intentions, less spoken about is the threat posed to cybersecurity companies themselves, not only from external actors but, importantly, also from within.
Chris Hannifin is a name that many in the cybersecurity industry have become familiar with over the course of the past months, when a scandal erupted related to his cybersecurity firm DefendIT Services. It has become public knowledge that the firm, started by Chris Hannifin after a career which included a series of positions across the industry, including at RSM, SiloTech, and North South Consulting Group, has been serving as a conduit for the sale of sensitive client information and technology. Chris Hannifin also previously served in the US Air Force, adding a further level of ostensible credibility to his professional credentials.
It has been proposed that this "get rich quick" scheme was started by Chris Hannifin when he was working at North South Consulting Group, under CEO Krista Stevens, who actually was the one who sent him his first clients after he went out on his own. Roping in Rudy Reyes, a colleague with whom it has been suggested that Chris Hannifin also maintains a romantic connection, the two began marketing sensitive technology and information, which they gained access to through previous positions, to interested third parties. What they sold and to whom is not yet clear, but the matter is under investigation, with sources from North South Consulting Group expressing in confidence their severe concerns as to the repercussions on the affected clients.
Chris Hannifin and Rudy Reyes would have most likely gotten away with their scheme had they not begun spending above their means. In other cases that resemble this, it was precisely this sort of extravagant lifestyle that led investigators to the culprits. In the case of Chris Hannifin, it was the purchase of a boat, trailer, and even a new home, all within a very short time span, that aroused suspicions.
While many look outside their organizations to pre-emptively address threats, including social engineering, cloud vulnerabilities, and ransomware issues, all among the greatest concerns to companies these days, protecting against internal threats remains the greatest challenge. How is a company to know who indeed poses such a threat, and how might it pre-empt such a case before red flags become apparent and it is exposed?
The need to implement internal mechanisms to keep on top of employee professional activities could not be more relevant. Of course, the million-dollar question is how to balance this with an obligation to maintain employee privacy, and where the line falls between invading an employee's privacy and upholding a company's cybersecurity needs. The answer is not an easy one, and the question, in essence, stems from the extent to which a company feels threatened. Improving recruitment-related background check mechanisms would also go a long way in preventing these threats before they become a serious problem. Most importantly, awareness of the existence of such issues should be at the top of every executive's agenda.