author photo
By Bruce Sussman
Thu | Sep 3, 2020 | 12:08 PM PDT

Terry Petrill was supposed to be working on cybersecurity for his employer. But according to court documents, he was working on his personal financial security instead. 

And now Petrill is headed to jail.

FBI investigated IT security director in theft case

Petrill was the IT security director for Horry County, South Carolina. His sentencing documents say he got into a criminal routine that made him a successful insider threat for more than three years.

"Petrill ordered forty-one Cisco 3850 switches that were to be installed on the Horry County Network. When the switches would arrive, Petrill would maintain custody of the switches and advised that he would handle the installation."

But instead of installing them, he advertised them for sale:

"...Petrill did not install the switches on the network, and instead sold them to third parties and kept the proceeds for himself. Petrill sold nine of the switches on Ebay and the remainder were not located."

How much were the secretly sold switches worth? The county says it lost $345,265 through the insider's scheme.

Jail time and restitution for IT security director

Petrill admitted to the crime, and the judge in the case sentenced him to two years in federal prison and ordered him to repay the county for its losses.

"Those who steal from our local governments are raiding the South Carolina taxpayers," said U.S. Attorney Peter McCoy. "This is unacceptable, and as this case shows we will seek prison time and restitution against those who engage in such theft."

Insider threat costs hit record level

The cost of insider threats, both accidental and malicious, hit a record level in early 2020, according to the Ponemon Institute. 

"Large organizations with a headcount of more than 75,000 spent an average of $17.92 million over the past year. To contrast, smaller organizations with a headcount below 500 spent an average of $7.68 million."

At our SecureWorld cybersecurity conferences, we've heard about many insider threat cases that led to millions in business losses.

That includes an AT&T Wireless insider threat case in which a cybercriminal activated insiders via social media. And while an insider threat attempt against Tesla was just thwarted, a recent insider threat case at Twitter succeeded.

The new Ponemon Institute report, sponsored by ObserveIT and IBM, also breaks down different categories of insider threats by percentages.

  • 62% of incidents are by negligent insiders.
  • 37% of incidents are by criminal or credential insiders.

And on a per incident basis, the criminal and credential insider incidents are by far the most expensive.

Why does it take so long for insider threats to get caught?

In the case of the IT security director for Horry County, SC, the FBI says he was stealing the networking gear for years before getting caught. How can that insider, and others, get away with things for so long?

SecureWorld asked Dr. Larry Ponemon that very question:

"We found that companies err on the side of goodness. They don't want to accuse somebody without full evidence of a crime, so they write it off as negligence," Ponemon said. 

"And we discovered insider threats are not viewed as seriously as external threats, like a cyber attack. But when companies had an insider threat, in general, they were much more costly than external incidents. This was largely because the insider that is smart has the skills to hide the crime, for months, for years, sometimes forever."

Now there is some motivation to make sure your organization's insider threat management program is as robust as possible.