Alan Wlasuk, managing partner of 403 Web Security, spent some time last week telling me how to fire or lay off your IT subordinates without creating situations like this embarrassing one the City of San Francisco managed to get itself into. And the basis of his advice was that the time to start preparing security measures for an employee you need to terminate is when you hire them — if not sooner.
Trust No One
Alan admits his “trust no one” attitude comes from his New Jersey upbringing and is not common among his Indianapolis neighbors and coworkers. But the essence of computer security is forethought mixed with paranoia. Rather than protecting against what miscreants have done in the past, you must think about what they might do in the future.
Realize, too, that all good things must come to an end. The person you hire today will sooner or later move to another job or retire or even die in the saddle, leaving his home office desk and all the papers in it (including your corporate passwords) to his nephew who has felony convictions in five states. Or your company may suffer business reverses one day and be forced to let your new hire go.
Think pre-nup. Everything is lovey-dovey today, but will everything be lovey-dovey 10 years from now? We have no way of knowing.
What we do know, however, is that by having security access policies in place, and following them, we can minimize the risk of disgruntled ex-employees sabotaging our IT infrastructure. And rule number one for doing this is to give people only as much access as they need to do their jobs. Alan says he’s not just talking about passwords, but that “key code access to server rooms and external access to IT systems should be limited only to those who absolutely need these privileges.”
He also says:
- There should be well-established, written policies in place for when new employees start as well as for the time of their departure.
- Established policies that are carried out for all employees avoid the chance of missing a critical step.
- Fixed policies do not allow a disgruntled employee the chance to claim unfair policies were directed at him or her.
- Consistent policies also prevent the company from skipping processes because the employee was deemed trustworthy.
Fast-forward nine years
Why nine years? Why not? Anyway, a good long time after hiring, your no-longer-new person may start coming back from lunch with the smell of liquor on his breath. At the same time, changes in your business make his skills less valuable than they once were, and he has made no effort to learn new ones.
It’s time to say, “Hit the road, Jack.”
But before you say that (or even start humming the famous Ray Charles song), you need to alert IT personnel — especially management — about the impending departure. In confidence. And, Alan says, you need to review “all of the company systems the employee has access to. Make a check list of the affected systems and require a confirmation of action once the employee leaves.”
The check list is important, because forgetting one key or a single obscure password can ruin the rest of your careful security preservation work. And your termination checklist should cover all employees in order to protect yourself from termination-based lawsuits — which might be frivolous, but can still be expensive and should be avoided whenever and however possible. “Consistent policies,” right?
Here’s Alan’s basic “time of departure” checklist:
- Collect all company IT hardware (computers, keys, fobs, SecurID tokens) and cancel access to any company systems that the employee had access to. This would be internal systems as well as external (i.e., VPN access).
- Inform IT vendors of the employee’s departure; they might be the target of a social engineering attack if they are not aware the employee has left the company.
- Change the passwords on all company email accounts used by the employee. (Alan also suggests redirecting the employee’s email to a manager for a short period of time to detect any suspicious behavior.)
- Don’t forget to change passwords not only to obvious systems but also on seemingly benign Internet applications that the employee might have access to (i.e., company website, Facebook, LinkedIn).
- Consider the employee’s company computer and all computers the employee had access to as possible sources of malware. A key logger or malware might send information from the ex-employee’s former computer to an external hacker when that machine is given to or used by another employee. If possible, have these computers checked.
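As an added example (not from the article or from 403 Web Security), here is a small reconciliation script for the “check list plus confirmation of action” step: it takes the access inventory built for an employee at hire time and the confirmations IT returns after the departure, and lists every system still lacking a sufficient confirmed action. All system names, access kinds and log lines are constructed.

```python
"""Offboarding reconciliation: inventory of access vs. confirmed revocations."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Access:
    system: str      # constructed names, e.g. "vpn", "server-room-keycode"
    kind: str        # "personal" account, "shared" credential, or "hardware"
    external: bool   # reachable from outside the office network


# Constructed inventory for one departing employee (hypothetical).
INVENTORY = [
    Access("vpn", "personal", True),
    Access("email", "personal", True),
    Access("server-room-keycode", "shared", False),
    Access("company-website-cms", "shared", True),
    Access("laptop", "hardware", False),
    Access("securid-token", "hardware", False),
]

# Constructed confirmation log returned by IT: "<system> <action> <who>" per line.
CONFIRMATIONS = """\
vpn disabled it-ops
email password-changed it-ops
laptop collected hr
server-room-keycode disabled facilities
"""

# Sufficient action per access kind. A shared credential (website, key code)
# cannot simply be "disabled" for one person; it has to be rotated for everyone.
REQUIRED = {
    "personal": {"disabled", "password-changed"},
    "shared": {"rotated", "password-changed"},
    "hardware": {"collected"},
}


def parse_confirmations(text):
    """Map system -> action from the confirmation log (last entry wins)."""
    return {sys_: act for sys_, act, _who in (ln.split() for ln in text.splitlines() if ln.strip())}


def outstanding(inventory, confirmations):
    """Return {system: reason} for every inventory item not yet properly closed out."""
    done = parse_confirmations(confirmations)
    gaps = {}
    for a in inventory:
        action = done.get(a.system)
        if action is None:
            gaps[a.system] = "no confirmation" + (" (external access!)" if a.external else "")
        elif action not in REQUIRED[a.kind]:
            gaps[a.system] = f"'{action}' is not sufficient for a {a.kind} item"
    return gaps
```

Run `outstanding(INVENTORY, CONFIRMATIONS)` and the termination is not complete until the returned dict is empty; here it flags the unreturned token, the shared website login nobody touched, and the key code that was “disabled” instead of rotated.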
Alan says that if you learn nothing else from what he’s said here, you should remember two main points:
- Treat departing IT employees with respect — and be consistent, with firm, well-established processes that protect the company.
- Operate your company on a need-to-access policy, not on freedom of information. Most companies do a really poor job of this.