Posted by: Wendy Schuchart
CIO, network security policy, rogue employees, security risk
Picture this scenario: Employee A leaves the company to take another position. Your network security policy demands that you kill his IDs and passwords, right? What about if Employee B leaves the company in a way that isn’t entirely voluntary? You certainly kill his access, tout de suite, but do you do anything else?
If you said no, you might want to revisit your network security policy. Case in point: The U.S. subsidiary of Japanese pharma company Shionogi laid off some of its IT staff. One rogue employee fought back and took advantage of a lax exit procedure — he was able to basically shut down the company’s operations for a “number of days,” as well as systematically delete its VMware host systems from a free McDonald’s hot spot in New Jersey. The actions of the ousted employee (who in November will be sentenced to up to 10 years in federal prison) cost the company almost a million dollars in hard costs, not to mention the immeasurable compounding loss of productivity and corporate reputation.
What I’m most curious about is whether the rogue IT worker used his own account or a commonly known group admin account. My guess is that he used the latter, if only to hold onto some level of plausible deniability, and because I’d have to believe that Shionogi had the common sense to at least delete the employee’s own accounts.
Most exit procedures deal with the corporate employee’s personal accounts, but if your IT department is like most, you likely have admin accounts with a well-known password shared by numerous users. I could probably still log into my old IT admin account at my previous employer if I wanted to, and I’d bet you $10 that the password is still — are you ready for this? — password. What’s worse, in a previous role supporting users at hundreds of manufacturers around the country, I was often able to show the users how to hack into their own network and locked-down systems, either with the default of password or with a systems password that someone somewhere had noted in our client accounts years ago but was still working.
Are you breaking into a cold sweat right now? You should be.
We’re often fantastic at barring the doors against outside attackers but, historically, large and midmarket companies drop the ball when it comes to protecting themselves from their own workforces. What’s your exit procedure? Is it standard network security policy for admin accounts and entire teams to change their passwords whenever there is a staff change, whether voluntarily or not? What would stop a rogue IT worker from taking vengeance on your company in the event of a job separation? The comments are dying to discuss the problems you’ve faced with exiting employees.
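One concrete way to answer the exit-procedure question above is to keep an inventory of shared admin credentials, record who has known each one, and check it against every departure. The following is an added example, not code from the original post or from any company it mentions; the account names, employees and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class SharedAccount:
    name: str
    last_rotated: date  # when the shared password was last changed
    known_to: set       # employees who have been given this password


@dataclass
class Departure:
    employee: str
    left_on: date


def stale_shared_accounts(accounts, departures):
    """Return (account, departed employee, departure date) for every shared
    credential a departed employee knew that was not rotated after they left.
    A rotation on the departure day itself is treated as still stale, since
    the password may have been changed before the employee's access ended."""
    findings = []
    for acct in accounts:
        for dep in departures:
            if dep.employee in acct.known_to and acct.last_rotated <= dep.left_on:
                findings.append((acct.name, dep.employee, dep.left_on))
    return findings


# Constructed sample inventory: three shared accounts, one departure.
SAMPLE_ACCOUNTS = [
    SharedAccount("vmware-admin", date(2011, 1, 10), {"alice", "bob"}),
    SharedAccount("backup-svc", date(2011, 3, 1), {"bob", "carol"}),
    SharedAccount("helpdesk-admin", date(2010, 6, 1), {"dave"}),
]
SAMPLE_DEPARTURES = [Departure("bob", date(2011, 2, 15))]


def audit_sample():
    """Run the check over the constructed inventory; only vmware-admin is stale,
    because backup-svc was rotated after bob left and dave never left."""
    return stale_shared_accounts(SAMPLE_ACCOUNTS, SAMPLE_DEPARTURES)


if __name__ == "__main__":
    for name, who, when in audit_sample():
        print(f"ROTATE {name}: known to {who}, who left on {when}")
```

Feeding this the real inventory on every staff change, voluntary or not, turns “did we rotate the shared admin passwords?” from a guess into a list of accounts that still need attention.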