As dangerous as the Internet may be, as threatening as an insecure network is, and as scary as criminal hackers appear, none can compare to the havoc that can be wreaked on a business by a company insider. Most dangerous of all is the company employee who, either through ignorance, carelessness or malicious intent, leaks company secrets, invites viruses into the network or steals sensitive financial information.
Business security has always been a compromise, a balance between security and usability. You can make a business and its computer network so secure that nobody can get in – believe me, I’ve done it! But some employees need the keys to the front door, the alarm code and the computer passwords. It’s how those items are handled while they are in use, and how quickly and completely they are withdrawn when an employee leaves, that makes the difference between a smooth-running operation and one that goes into a panic when faced with a malicious employee.
Most people are of a trusting nature, wishing to think the best of their employees and giving them the benefit of the doubt. This makes employees who deliberately decide to steal or cause damage particularly dangerous, as they often have already been handed the keys to the kingdom. With a smile on their face, they do their work, while secretly squirreling away company funds, setting up bogus accounts, changing passwords, engaging in corporate espionage and planting back-door remote-access network programs. Many companies have absolutely no controls in place to counter this sort of behavior, and, when it happens, are caught completely off guard.
Then there’s the situation of the “disgruntled ex-employee.” I’m currently working with two different clients that are in this predicament. One, the owner of a sign company, was forced to fire an employee who had the keys to everything: all of the passwords, the company credit card and bank accounts, financial reports, customer database, everything. Before the owner knew what was happening, the ex-employee had sent a nasty email to everyone in the customer database and changed all of the network passwords. The boss couldn’t even get into his own computer. It remains to be seen what other damage has occurred, but the credit and bank accounts have had to be flagged for “unusual activity.”
The other client, the manager of a professional association, had to terminate the company attorney. I was brought into the story amidst an executive-office panic, as nobody knew how to delete the ex-attorney’s email account or change the keypad entry codes to the front door. I was able to solve the email account problem, but not before the ex-employee had changed the password, deleted all of his email and volumes of information from his company-issued laptop. The incompetent tech-support “experts” at the alarm company were no help with the keypad entry code problem. I eventually figured it out myself, but, not being a burglar-alarm expert, it took me about two hours.
You have been warned: it’s not good enough to just protect your employees. You also need to protect yourself from your employees.