When IT Goes Rogue: 5 Ways To Protect Your Firm.
You’re mid-way through an important slideshow presentation in front of a VIP audience. The presentation is running smoothly. All of a sudden, you click slide 10, and displayed on the 64-inch projection screen is a pornographic image. Awkward? You bet. But this actually happened at Baltimore Substance Abuse Systems, during a presentation to the board of directors that included city officials and foundation heads. A disgruntled IT worker had sought revenge on his former employer.
So that this doesn’t happen at your company, we’ve come up with some guidelines for protecting yourself from the damage that angry (and sometimes disturbed) IT workers can do. The case mentioned above is hardly unique. We’ve witnessed a rash of security breaches by brazen and disgruntled IT employees against their employers over the past few months. IT workers are not only the gatekeepers of a business’s data; they also control who has access to the resources on the company’s network.
Businesses give a lot of responsibility to, and place a lot of trust in, the people who run their IT infrastructure. The majority of those in the IT field are dependable people who want nothing more than to solve problems and keep the company’s computers running smoothly, but let’s face it: IT people can go bad, just like anyone else. What makes a rogue IT worker so much more dangerous than any other disgruntled employee is that he or she already has the knowledge, the passwords, and the access needed to delete data, lock users out of systems, introduce malware, and generally wreak havoc.
Of course, larger companies have compliance and security officers who maintain a “checks-and-balances” system in which everyone with access to sensitive data keeps an eye on the others, following carefully structured corporate policies. These companies usually go through regular audits, often performed by off-site third parties to retain neutrality. Large businesses can also afford monitoring and data-loss-prevention tools that send daily reports to senior management and raise an alert when data leaves the network or is tampered with.
Small Business Vulnerability
Smaller businesses don’t always have these resources. Many small-to-midsize businesses depend on a handful of IT staff or, more typically, on consultants or solutions providers who manage their technology. Owners often hire IT people precisely because they are not tech savvy themselves or simply don’t want to deal with technology; they want to run their business. It’s a challenge, but regardless of their resources, small business owners must make the necessary provisions and take precautions when it comes to the people responsible for the business’s technology.
Still, there are some strategies that small business owners can take. It’s not necessary to be Draconian with IT workers, but business owners can keep secure reins on those responsible for managing their technology by following the suggestions below.
1. Password Management: IT workers need access to the systems they manage, but the business owner should still set the rules. Whether for servers, user accounts, databases, routers, or switches, work with IT to decide the password requirements, and insist that shared and administrative passwords are changed on a regular basis and, without fail, whenever anyone who knew them leaves. Being told every password is not the real goal (a password that many people know is one that nobody is accountable for); the goal is that you can never be locked out of your own systems. Keep an owner-controlled administrative account, or a sealed copy of the master credentials kept somewhere IT cannot reach, and require that you be notified whenever administrative or device passwords are updated so that copy stays current. With the final say on password policy and an independent way into every piece of technology on your network, there is far less likelihood that an angry IT worker can hold your network hostage in a retaliatory act.
2. Immediately Deactivate Accounts of Employees or Consultants No Longer Working for You: Once an employee has left the company or been terminated, or you no longer do business with a consultant, make sure that person’s user account(s) and e-mail are deactivated the same day. Don’t assume IT staffers will deactivate their own accounts. Revoke access across the board, not just the initial computer login: databases, networking devices, remote access (VPN and remote-support tools), cloud and hosted-service consoles, and every other system deployed. Change any shared or administrative passwords the person knew, since those are not tied to an account that can be disabled. Finally, have someone check for accounts the person created for their own use; a spare “service” account with administrator rights that nobody can vouch for is a common back door.
As a business owner, you don’t want to get bogged down in performing IT tasks, but if you run a technology-dependent small business, make it your business to learn how to deactivate accounts and revoke privileges throughout your network. Often this takes just a few clicks; have your IT staff or consultant show you how, and write the steps down so you can do it without them. One of the most common openings for a disgruntled former IT worker to damage an employer’s data or network is the employer’s failure to revoke that worker’s full access and privileges immediately upon termination.
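What “revoking access across the board” looks like on a typical small-business Windows domain, as an added example written for this page (it is not from the PC Magazine article). It assumes a Windows domain with the ActiveDirectory PowerShell module (RSAT) installed and is run by a different administrator than the one being removed; the account name and the record path are placeholders. Anything that does not authenticate against the domain is deliberately left as a printed checklist, because no script on the domain can change a router password or a vendor portal login.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the article's own: offboarding a departed IT worker's
# Active Directory account. ASSUMPTIONS: a Windows domain with the
# ActiveDirectory module (RSAT) installed; run by a different administrator
# than the one being removed; $SamAccountName and $RecordPath are placeholders.
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [string]$RecordPath = "C:\Offboarding\$SamAccountName-$(Get-Date -Format yyyyMMdd).txt"
)

$user = Get-ADUser -Identity $SamAccountName -Properties MemberOf, LastLogonDate

# 1. Record what the account could reach BEFORE revoking it: each group is a
#    pointer to a system (file share, database, admin console) the owner must
#    also confirm is now closed to this person.
$groupNames = foreach ($dn in $user.MemberOf) { (Get-ADGroup -Identity $dn).Name }
@(
    "Offboarded:  $($user.SamAccountName) on $(Get-Date -Format u)"
    "Last logon:  $($user.LastLogonDate)"
    "Was in:      $($groupNames -join ', ')"
) | Set-Content -Path $RecordPath

# 2. Disable the account and replace its password with a random one, so a
#    password that was written down or cached no longer works anywhere.
Disable-ADAccount -Identity $user
$random = ConvertTo-SecureString -String ([guid]::NewGuid().ToString()) -AsPlainText -Force
Set-ADAccountPassword -Identity $user -Reset -NewPassword $random

# 3. Strip every group membership: disabling stops new logons, but removing the
#    groups also stops the account being quietly re-enabled with full rights.
foreach ($dn in $user.MemberOf) {
    Remove-ADGroupMember -Identity $dn -Members $user -Confirm:$false
}
Set-ADUser -Identity $user -Description "Offboarded $(Get-Date -Format d); see $RecordPath"

# 4. Anything that does not authenticate against the domain is NOT covered by
#    the steps above and must be changed by hand. Print the checklist so the
#    owner can tick it off with whoever is doing the work.
$todo = @(
    'Still to do by hand:'
    ' - shared/admin passwords the person knew: domain admin, router, switch, firewall, backup'
    ' - VPN or remote-support accounts on the firewall or a vendor portal'
    ' - cloud consoles, hosted e-mail admin, domain registrar, SaaS admin roles'
    ' - mailbox: block logon; keep, forward or archive the mail as company policy requires'
    ' - any account the person created for their own use (check recent account creations)'
)
$todo | Add-Content -Path $RecordPath
$todo | Write-Output
```

Disabling an account stops new logons but does not forcibly end sessions that are already open, so on a hostile termination the person’s workstation and remote access should be disconnected first, and the script run immediately afterwards.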
3. Demand Regular Reports: You wouldn’t run your business without checking your financial ledgers on a regular basis, right? Then do the same with the status of your technology and data. Ask your IT support staff for regular reports documenting who is accessing your network (keep a careful eye on remote access), any data changes, system upgrades, and additions or deletions of user accounts. Windows domains record account creation, deletion, and group changes in the security event log, and most business software applications keep their own audit trails, so in most cases IT can generate this information without buying anything. In lieu of hard-copy reports, hold regular meetings with your IT people to keep abreast of what’s happening with your technology systems. Not only does this give you the appearance of keeping on top of the technology in your company (which alone may make an upset IT worker think twice about messing with your network), but you are in fact staying on top of what’s happening with your company’s computer systems. It’s hard to know if something’s been changed if you don’t know what the status quo is, after all.
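The kind of weekly report described above, generated from a Windows domain, as an added example written for this page (not from the PC Magazine article). It assumes it is run as an administrator on a domain controller with account-management auditing on (the default for domain controllers); logon auditing may need to be turned on through Group Policy. The event IDs used are the standard Windows security-audit IDs for account and group changes and for logons; $Days and $ReportPath are placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the article's own: a "what changed this week" report from
# a Windows domain. ASSUMPTIONS: run as an administrator on a domain controller
# with account-management auditing enabled (the DC default); logon auditing may
# need enabling via Group Policy; $Days and $ReportPath are placeholders.
param(
    [int]$Days = 7,
    [string]$ReportPath = "C:\Reports\it-change-report-$(Get-Date -Format yyyyMMdd).txt"
)
$since = (Get-Date).AddDays(-$Days)

# Turn one Security event's EventData into a name -> value table.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $d = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

# Standard Windows security-audit event IDs for the changes the owner wants to see.
$accountEvents = @{
    4720 = 'User account created'
    4726 = 'User account deleted'
    4722 = 'User account enabled'
    4725 = 'User account disabled'
    4728 = 'Member added to global group'
    4732 = 'Member added to local group'
    4756 = 'Member added to universal group'
}

$lines = @("IT change report, last $Days days (generated $(Get-Date -Format u))", '',
           '== Account and group changes: who did it -> which account ==')
$changes = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = [int[]]$accountEvents.Keys; StartTime = $since
} -ErrorAction SilentlyContinue
foreach ($e in $changes) {
    $d = Get-EventData $e
    # SubjectUserName is the administrator who made the change; the account
    # acted on is MemberName for group events and TargetUserName otherwise.
    $target = if ($d.MemberName) { $d.MemberName } else { $d.TargetUserName }
    $lines += '{0:u}  {1,-32} {2} -> {3}' -f $e.TimeCreated, $accountEvents[[int]$e.Id], $d.SubjectUserName, $target
}

# Remote Desktop logons (event 4624 with LogonType 10) are the "remote users'
# access" worth watching. Logons are recorded on the machine that was logged
# on to, so run this on each server that allows remote access, or collect
# their logs centrally.
$lines += '', '== Remote Desktop logons on this machine =='
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue
foreach ($e in $logons) {
    $d = Get-EventData $e
    if ($d.LogonType -eq '10') {
        $lines += '{0:u}  {1}\{2} from {3}' -f $e.TimeCreated, $d.TargetDomainName, $d.TargetUserName, $d.IpAddress
    }
}

# Every enabled account with Domain Admins rights should map to a current,
# named person. A spare admin account nobody can vouch for is the classic
# back door left behind by a departing administrator.
$lines += '', '== Enabled accounts with Domain Admins rights =='
$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties whenCreated, LastLogonDate
foreach ($a in ($admins | Where-Object Enabled)) {
    $lines += '{0,-20} created {1:d}  last logon {2}' -f $a.SamAccountName, $a.whenCreated, $a.LastLogonDate
}

$lines | Set-Content -Path $ReportPath
Write-Output "Report written to $ReportPath"
```

The point of the last section is the one the article makes about knowing the status quo: the owner does not need to understand every line, only to compare this week’s list of administrator accounts and account changes with last week’s and ask about anything new.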
4. Vet IT Consultants: Many small businesses rely on IT consultants to deploy and manage their IT infrastructure. There’s no shortage of people who, particularly in the midst of a fragile economy, will hang out a shingle declaring themselves “IT Consultants.” It’s certainly easy to find consultants, but you only want those with a proven track record. Ask all prospective IT consultants for customer references, and search for reviews and complaints about them online. Ask about any certifications they hold, and check that the certifications are current.
Consultants often partner with large vendors. The person you hire to deploy an Exchange e-mail server for your company is most likely a member of Microsoft’s partner community. Hiring a consultant who belongs to the partner program of a large company such as Microsoft, Cisco, or Trend Micro gives you a little extra assurance that you are dealing with someone reliable and knowledgeable: partner programs require certifications and impose conduct requirements, and a partner who wants to keep that status has something to lose if a job goes badly. Being a vendor partner is no guarantee that an IT consultant won’t turn out to be shady, but it’s a safer bet for a hire.
5. Have a Documented, Signed Policy: Agreements are far more likely to be honored when they are written down rather than merely spoken. Take the suggestions outlined above and write them into a company-wide policy; policies aren’t just for large businesses. Co-sign the policy with your IT workers so there is clear evidence that everyone understands it. In the policy document, detail your password requirements, the regular reports you expect, and the meetings you want IT to attend. Assert your needs in that policy and use it to gain better control of what’s happening with your business’s technology. Such documentation also clarifies what is expected of IT and where its limits are, which may keep IT staff from getting upset with you in the first place. Source: Samara Lynn, PC Magazine.