You're mid-way through an important slideshow presentation in front of a VIP audience. The presentation is running smoothly. All of a sudden, you click slide 10, and a pornographic image is displayed on the 64in projection screen. Awkward? You bet. But this sort of thing happens, particularly when disgruntled IT workers are seeking revenge on former employers.
To ensure that this sort of thing doesn't happen at your company, we've come up with some guidelines for protecting yourself from the damage angry (and sometimes disturbed) IT workers can do.
Businesses give a lot of responsibility to and place a lot of trust in the people responsible for running their IT infrastructures. While the majority of those in the IT field are dependable people who want nothing more than to solve problems and keep the company's computer operations running smoothly, let's face it – IT people can go bad, just like anyone else.
What makes rogue IT so much more potentially dangerous is that they have the knowledge, passwords, and necessary information to delete data, lock users out of systems, introduce malware, and generally wreak all kinds of havoc.
Of course, larger companies have compliance and security officers who can maintain a "checks-and-balances" system in which everyone with access to sensitive data keeps an eye on the others, abiding by carefully structured corporate policies. These companies usually go through regular auditing – often performed by off-site third parties to retain neutrality. Large businesses can also afford to implement complex security devices that automatically send daily reports and alerts to senior management whenever any data is removed from the network or tampered with.
Small business vulnerability
Smaller businesses don’t always have these resources. Many small-to-midsize businesses are dependent on a handful of IT staff or, more typically, on consultants or solution providers who manage their technology. It's a challenge, but regardless of their resources, small business owners must make necessary provisions and take precautions when it comes to the people responsible for their business technology. But owners often hire IT people because they are not tech savvy themselves or simply don't want to deal with technology – they want to run their business.
Still, there are some strategies that small business owners can pursue. It's not necessary to be Draconian with IT workers, but business owners can keep secure reins on those responsible for managing their technology by following the suggestions below.
1. Password management
IT workers, of course, need access to the systems – they are managing them, after all. But business owners should still play an active role in the password management of their SMB’s technology. Whether for servers, user accounts, databases, routers, or switches, business owners should work with IT in determining password requirements. Owners can also insist that passwords are changed on a regular basis, and that they are to be notified and made aware of all updated passwords. By having the ultimate say about password policy, knowing the passwords to every single piece of technology on your network, and by requiring that you are informed whenever passwords are updated, there's less likelihood an angry IT worker will be able to hold your network hostage in a retaliatory act.
2. Immediately deactivate the accounts of those who have left your company
Once an employee has left the company or been terminated, or you no longer do business with that consultant, ensure that person's user account(s) and email are deactivated. Don't assume IT staffers will deactivate their own accounts. Also, make sure user accounts and access are revoked across the board, not just for the initial computer login, but access to databases, networking devices and all other systems deployed.
As a business owner, you don't want to get bogged down in performing IT tasks, but if you are running a technology-dependent small business, make it your business to learn how to deactivate accounts and revoke privileges throughout your network. Often this will take just a few simple clicks – have your IT staff or consultant show you how. One of the most common openings for disgruntled former IT workers to damage their employers’ data or networks is for the employer to neglect to immediately revoke that employee’s full access and privileges upon termination.
3. Demand regular reports
You wouldn't run your business without checking your financial ledgers on a regular basis, right? Then why not do the same with the status of your technology and data? Ask your IT support staff for regular reports documenting who is accessing your network (keep a careful eye on remote users' access), and also reports on any data changes, system upgrades, or additions/deletions of user accounts. In most cases, this information can easily be generated from Windows domains and from most business software applications.
In lieu of hard copy reports, hold regular meetings with your IT people to keep abreast of what's happening with your technology systems. Not only does this give you the appearance of keeping on top of the technology in your company (which alone may make an upset IT worker think twice about messing with your network), but you are staying on top of what's happening with your company's computer systems. It’s hard to know if something’s been changed if you don’t know what the status quo is, after all.
4. Vet IT consultants
Many small businesses rely on IT consultants to deploy and manage their IT infrastructure. There's no shortage of people who, particularly in the midst of a fragile economy, will happily declare themselves to be an "IT Consultant" of some form. It's certainly easy to find consultants, but you only want those with a proven track record. Ask all prospective IT consultants for customer references, and mine for info about them on the Internet. Ask about any certifications they may hold.
Consultants often partner with large vendors. The person you hire to deploy an Exchange email server for your company is most likely a member of Microsoft's partner community. When you hire consultants who are members of partner programs of large companies like Microsoft, Cisco, Trend Micro, and so on, it gives you a little more extra insurance that you are dealing with a consultant who's reliable and knowledgeable. Partners are representatives of these large tech companies, who are accountable if anything goes wrong. Of course, being a vendor partner is no guarantee that an IT consultant won't turn out to be shady, but it's a safer bet for a hire.
5. Have a documented, signed policy
Verbal agreements are often more binding, and adhered to, when they are documented. Take the suggestions outlined above and write them into a company-wide policy – policies aren't just for large businesses. Co-sign the policy with your IT workers so there is clear evidence that everyone understands the company's policy. In the policy document, detail your password requirements, required regular reports, and meetings you want IT to attend. Assert your needs in that policy and use it to gain better control of what's happening with your SMB’s technology. Having such documentation clarifies what IT's expectations and limits are – knowledge that may help IT staff and prevent them from getting upset with you in the first place.