ST. PETERSBURG — David Scott decided he had to cut ties with one of his contract workers.
A Web developer, the man was proving unreliable, said Scott, owner of the small St. Petersburg-based Web design and marketing company Cosmic Digital Design. Scott delivered the news in March.
Within hours, sites that Cosmic Digital had designed for client companies began disappearing from the Web. Somebody had logged into the servers remotely and deleted files. It cost Cosmic about $277,000 in lost product.
Scott feared he might be the victim of an inside hit — a modern scourge that's real and growing for businesses large and small as they come to rely more heavily on information technology.
"It was a pretty devastating attack," Scott said. "We weren't prepared for something like this."
• • •
Before the attack, security was low on Scott's priority list. Visual art and design have always been his passion.
He worked as an illustrator after graduating from Southern Methodist University in Dallas, then went to Bermuda for a few years to work at a friend's graphic design firm. He settled in the Tampa Bay area and opened Cosmic Digital Design in 2007, with an eye on getting a slice of the investments companies were making in their websites.
By 2017, more than half of Cosmic Digital's business was Web-based design, Scott said. So he hired contract Web developers to do what he couldn't. One of them was Ivan Marik, who came aboard in late 2015.
"Essentially he was in charge of making sure all the websites functioned the way they're supposed to," Scott said.
Scott was the artist, while Marik was supposed to turn his visuals into a working website.
Marik was loyal and dedicated, always in the office to address problems as they arose and answer any questions.
"He did a pretty good job," Scott said. "I was pretty happy with him."
• • •
Things went downhill at the beginning of 2017, Scott said.
Marik wasn't coming in regularly any longer. He'd say he was sick or had family issues, but Scott didn't feel it was his place to pry. What mattered to him, he said, was that Marik was missing deadlines.
Things came to a head when Marik was building a website for one of Cosmic Digital's larger client companies. The client wasn't happy with the work, Scott said. He told Marik they needed to go in a different direction but Marik resisted, so Scott took him off the project, he said.
The work had represented the bulk of Marik's responsibilities. Afterward, Scott said, he couldn't afford to keep Marik around.
"I had to make a decision and let him go."
Scott declined to describe their March 16 conversation.
"What I will say is the news didn't go over very well with him," he said.
• • •
That was 2 p.m.
Around 5 p.m., Scott was on the phone with one of his clients and he tried to pull up the client's website. But all that would load was a blank screen. So he checked another site, and found the same thing. And another, and another.
"Then panic set in," Scott said, "and I realized at that point in time what had happened."
In all, 13 of the company's sites had been deleted. Scott had backups for about half, but the ones that couldn't immediately be recovered included three of his biggest clients.
Scott checked his server logs first thing the next morning and identified the unique IP address he believed was responsible for the hack. He contacted St. Petersburg police who, due to the technical nature of the investigation, referred it to the Florida Department of Law Enforcement.
FDLE investigators linked the IP address to Marik, and they arrested him Nov. 1.
Marik, contacted by the Tampa Bay Times after he posted bail, denied that he accessed Cosmic Digital's servers and deleted files.
"I don't know what you're talking about," Marik said by phone. "I have nothing to say about that. This is an ongoing case and I'm not going to discuss any of that crap."
Scott stands by his story.
"I have his digital footprint," Scott said. "I have his IP address showing he accessed the website servers at that particular time. And the server logs do show that that IP address deleted files."
• • •
Afterward, Scott was able to rebuild the sites he had lost.
"We've basically recovered from it, but it did cost us some relationships," he said.
The episode highlights an all-too-common problem. On average, successful insider attacks cost companies about $445,000, according to a 2015 study referenced by a Carnegie Mellon University report. With an average of 3.8 insider attacks per year, the cost to a company can reach $1.7 million, the report said.
Even Twitter, valued at more than $15 billion, fell victim to an insider attack this month when a contractor who was leaving the company disabled President Donald Trump's account.
Since the attack on Scott's company, he installed firewalls on all his websites. And he won't work with developers who require certain administrative privileges on his servers.
Security strategies vary by industry and company, but there are easy ways businesses can defend themselves from those on the inside. One is establishing a protocol to share network access with new employees and revoke it from departing employees, said FDLE Special Agent Corey Monaghan, who specializes in crimes that involve network intrusion and investigated Cosmic Digital's case.
Another is to ensure all employees have their own logon credentials and to encourage strong passwords, so internal leaks or breaches can be traced to one person, Monaghan said.
And because many people who commit insider attacks are unhappy on the job, Monaghan said, information technology departments at larger companies should work closely with human resources to identify disgruntled employees and, if necessary, pay extra attention to their network activity.
Scott called his experience "a cautionary tale." Cosmic Digital wasn't ready for an insider attack.
"It is now," he said. "If you're going to dabble in website design, you've got to pay attention to security."
Contact Josh Solomon at email@example.com or (813) 909-4613. Follow @ByJoshSolomon.