This week a man in Arlington, TN – just around the corner from me in Memphis – was sentenced to 18 months in prison with two years of supervised release for accessing his former employer’s computer system, pilfering competitive information for his new employer. Court documents showed he accessed a compromised email account that allowed him to retrieve marketing proposals, client correspondence, and FTP passwords to the company server, along with 82 AutoCAD files. These files contained designs, bids and other proprietary content belonging to Allen & Hoshall, his former employer. The official conviction was for “…accessing a protected computer without permission as prohibited by federal law.” (Complete story from WMC News, Memphis)
Several years ago, my partner Mark and I helped local securities firm Duncan-Williams win $6 million in an arbitration case against a competing firm when several employees quit Duncan-Williams, taking customer lists, email, program disks, and in-process deals to their new firm, deleting the corresponding files from Duncan’s computer systems as they left. (Complete story from Memphis Business Journal)
Late last year a fired IT employee at a private university changed an administrative password controlling email and course material for over 2000 students and then held it for ransom for $200,000. (IndyStar report)
What Can You Do?
As an IT worker or manager, what can you do to keep incidents like these from happening to your small business? Here are some best practices to help you protect your business’s computer systems, information and reputation.
Make Expectations Known On Day 1
A lot of companies we work with play it fast and loose with their IT assets. A new employee comes on board and immediately gets a username and password, with email and unrestricted access to data, and often nobody explains what is expected in return for that access. At the bare minimum, you should have these policies in place:
- A signed policy that spells out who owns IT hardware, software, and company data. For some reason, many employees believe that the workstation they’re assigned to is “their computer”; there’s implied ownership, and a belief that whatever happens on the computer belongs to the employee. Not so. Any activity that occurs using workplace equipment, including computers, laptops, mobile devices, email and networks belongs to the company. Nothing, especially data, belongs to the employee unless otherwise stated.
- If you have monitoring infrastructure in place, or plan to add it, there should be a policy that tells your employees their activity may be monitored. Unless you notify employees that their email and network traffic may be inspected, you could be breaking federal wiretapping statutes. There are legitimate reasons to inspect network traffic (see “Log and Monitor Access to Data”, below), so make sure your employees know it can happen before it does.
Have A Process In Place for D Day
“D Day”, the day an employee quits or is fired, is the day you are preparing for. You want to make sure a departing employee can’t damage the reputation of the company, destroy or lock up data, or walk out with data that hurts your business. To that end, a couple of things need to happen. First, build a relationship with your company’s owner or the human resources department that keeps you at the front of their mind when a termination is coming. People outside IT often don’t realize how much work goes into removing or restricting access to accounts and data. The more lead time you have before the termination, the cleaner it will go.
Second, and we’ll go into more depth below, you have to know where all the bodies are buried. What does the employee have access to, both inside and outside the organization? Beyond company-owned equipment, does the employee hold credentials for vendor portals, web services, or social media accounts? Does he know shared passwords (the FTP server, the Wi-Fi, a shared admin login) that will have to be changed the day he leaves? The more you know ahead of time, the less you have to worry about.
Inventory Hardware and Mobile Devices
It’s been my experience that small businesses often have a less organized way of keeping up with the equipment that’s been issued to employees. Because the organization is small, they feel that they can rely on memory to recall workstations, laptops, mobile phones, tablets, etc. But many times, especially in cases where employees have had a long tenure at a company, devices will get retired or upgraded, but never fully decommissioned. Tablets and laptops with company data stored on board are left in the possession of the employee. Or, in the emotional rush of a termination, equipment is forgotten, allowing the equipment – and therefore proprietary company data – to walk out the door along with the employee.
Establish a formal equipment inventory. If you need to, use an inventory package like we described in our recent post “What You Don’t Know CAN Hurt You: Find Out What’s On Your Network“.
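An inventory is only useful if you reconcile it against reality now and then. The script below is an added example written for this post (it is not code from the original article or from any inventory product): it takes an equipment register, a “last seen on the network” list such as you would pull from DHCP leases or a switch MAC table, and HR’s list of active employees, and reports the four situations described above. The register, the last-seen dates, the user list and the 30-day staleness threshold are all constructed for illustration.

```python
"""Inventory reconciliation, added as an illustration for this post.
Not code from the original article or any product. All data is constructed."""
import csv
import io
from datetime import date

# Constructed equipment register: what IT believes it has issued.
REGISTER_CSV = """asset_tag,type,mac,assigned_to,status
A1001,laptop,aa:bb:cc:00:00:01,jdoe,issued
A1002,laptop,aa:bb:cc:00:00:02,msmith,issued
A1003,tablet,aa:bb:cc:00:00:03,msmith,issued
A1004,laptop,aa:bb:cc:00:00:04,rlee,retired
A1005,phone,aa:bb:cc:00:00:05,rlee,issued
"""

# Constructed "last seen on the network" dates (DHCP leases, switch MAC table).
LAST_SEEN = {
    "aa:bb:cc:00:00:01": date(2024, 5, 10),
    "aa:bb:cc:00:00:02": date(2024, 5, 9),
    "aa:bb:cc:00:00:04": date(2024, 5, 9),   # "retired" asset still on the wire
    "aa:bb:cc:00:00:06": date(2024, 5, 10),  # MAC nobody ever registered
}

# Constructed HR roster of current employees (rlee has left).
ACTIVE_USERS = {"jdoe", "msmith"}

# Constructed "today" so the example is repeatable.
TODAY = date(2024, 5, 10)


def reconcile(register_csv, last_seen, active_users, today, stale_days=30):
    """Return four lists of findings, each worth a follow-up call or a visit."""
    findings = {
        "left_with_device": [],    # issued to someone who is no longer employed
        "retired_but_active": [],  # marked retired, yet still talking on the network
        "unseen": [],              # issued, but not seen for stale_days (walked out?)
        "unregistered": [],        # on the network, but not in the register at all
    }
    known_macs = set()
    for row in csv.DictReader(io.StringIO(register_csv)):
        mac = row["mac"].lower()
        known_macs.add(mac)
        seen = last_seen.get(mac)
        issued = row["status"] == "issued"
        if issued and row["assigned_to"] not in active_users:
            findings["left_with_device"].append(row["asset_tag"])
        if row["status"] == "retired" and seen is not None:
            findings["retired_but_active"].append(row["asset_tag"])
        if issued and (seen is None or (today - seen).days > stale_days):
            findings["unseen"].append(row["asset_tag"])
    findings["unregistered"] = sorted(m for m in last_seen if m.lower() not in known_macs)
    return findings


if __name__ == "__main__":
    for kind, items in reconcile(REGISTER_CSV, LAST_SEEN, ACTIVE_USERS, TODAY).items():
        print(f"{kind}: {items}")
```

Run it and A1005 (a phone issued to someone who has left), A1004 (a “retired” laptop that is still on the network) and the unregistered MAC all surface immediately. Matching on MAC address is a simplification: phones and tablets that randomize their Wi-Fi MAC will show up as “unseen” or “unregistered”, so for those devices key the register on a serial number or MDM identifier instead.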
Have Solid Backups In Place
We say this all the time here at Shoestring Networks, but this is another time when a good backup can save you. We’ve helped in several incidents where disgruntled employees decided to delete all their data before they left. If you have good onsite and offsite backups in place, they can delete to their heart’s content and no permanent damage will be done. Two caveats: the departing employee must not be able to reach the backups with the same credentials he uses to reach the data (keep backup administration separate, and keep at least one copy that an account on the production network cannot modify or delete), and a backup you have never restored from is a hope, not a plan, so test your restores regularly.
Apply and Audit Data Permissions
In many small networks we encounter, there is no such thing as “permissions”. Access to the network means access to everything. In my house, with my five kids, the mantra is “you’re on a need to know basis, and you don’t need to know”. This is how your company’s data should be. If you only give an employee access to data critical to his job, then when the time comes for him to be destructive, he’ll have less opportunity to do widespread damage.
However, as a person’s job responsibilities or role change within a company, the access he has to corporate data changes or expands. As he changes roles, the data he once needed is no longer relevant to his job, but most of the time his old permissions aren’t removed; they’re just added to. Periodically (for example quarterly, and at every role change) coordinate an audit with your HR department to confirm what each employee actually needs access to, so you can remove permissions outside his current responsibilities.
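The audit is a diff: what each account has, versus what HR says the current role needs. Below is an added example for this post (not code from the original article, and not any particular directory tool); it compares a constructed group-membership snapshot against a constructed role-to-groups map and roster, flags permission creep, under-provisioned accounts and accounts with no HR record, and orders the cleanup. The role names, group names and users are all made up; in practice the roster comes from HR and the group snapshot from your directory.

```python
"""Permission-creep audit, added as an illustration for this post.
Not code from the original article. All data below is constructed."""

# Constructed mapping of job role -> groups that role actually needs,
# agreed with HR and the data owners.
ROLE_ENTITLEMENTS = {
    "sales": {"Sales-Share", "CRM-Users"},
    "accounting": {"Finance-Share", "Payroll-RO"},
    "it": {"Domain Admins", "Helpdesk"},
}

# Groups where excess membership should be fixed first.
PRIVILEGED_GROUPS = {"Domain Admins", "Payroll-RO"}

# Constructed HR roster: each active employee's *current* role.
HR_ROSTER = {"jdoe": "accounting", "msmith": "sales", "rlee": "it", "tbrown": "sales"}

# Constructed snapshot of directory group membership.
ACTUAL_GROUPS = {
    "jdoe": {"Sales-Share", "CRM-Users", "Finance-Share", "Payroll-RO"},  # moved from sales; old groups never removed
    "msmith": {"Sales-Share", "CRM-Users", "Payroll-RO"},                 # "temporary" access that stuck
    "rlee": {"Domain Admins", "Helpdesk"},
    "tbrown": {"Sales-Share"},                                            # under-provisioned; will generate tickets
    "ghost": {"Sales-Share"},                                             # account with no HR record at all
}


def audit_permissions(roster, actual, entitlements, privileged=frozenset()):
    """Per account: current role, groups to remove, groups to add,
    and which of the excess groups are privileged."""
    report = {}
    for user, groups in actual.items():
        role = roster.get(user)
        needed = entitlements.get(role, set()) if role else set()
        excess = groups - needed
        report[user] = {
            "role": role,  # None means no HR record: disable the account, don't just trim it
            "excess": sorted(excess),
            "missing": sorted(needed - groups),
            "privileged_excess": sorted(excess & privileged),
        }
    return report


def removal_plan(report):
    """Order the cleanup: orphaned accounts first, then privileged excess, then the rest."""
    def priority(item):
        user, r = item
        return (0 if r["role"] is None else 1 if r["privileged_excess"] else 2, user)
    return [(user, r["excess"]) for user, r in sorted(report.items(), key=priority) if r["excess"]]


if __name__ == "__main__":
    rep = audit_permissions(HR_ROSTER, ACTUAL_GROUPS, ROLE_ENTITLEMENTS, PRIVILEGED_GROUPS)
    for user, r in rep.items():
        print(user, r)
    print("cleanup order:", removal_plan(rep))
```

The interesting rows are jdoe, who moved from sales to accounting and still has the sales shares, msmith, who picked up read access to payroll at some point and kept it, and ghost, which HR has never heard of and should be disabled rather than trimmed. Run the same diff after every role change and the creep never gets a chance to accumulate.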
Log and Monitor Access to Data
Finally, have a system in place that lets you monitor access to your data. Often you’ll know an employee is getting ready to leave when you see contact lists, spreadsheets and other competitive data leaving your network in large amounts. We use several tools that alert us when data leaves the network via email, Dropbox or other means. A good network intrusion detection system should show you when and what type of data leaves your network. Email logs show large attachments and mail to personal webmail addresses. Firewall logs show unusual outgoing activity tied to specific workstations. The key is a baseline: a spike only stands out if you know what normal looks like for each user. Put some tools in place that give you a “heads up” when someone is taking your valuable data out the door. It could be a hacker. Or it could simply be an unhappy employee.
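Here is what that “heads up” can look like in practice, as an added example for this post (not code from the original article or from any of the tools mentioned). It parses a simplified mail log, totals what each sender delivered outside the company, and raises an alert when the volume is both large in absolute terms and many times that user’s normal daily baseline, noting any personal webmail recipients. The log line format, the baseline figures, the domain lists and the thresholds (5 MB and 5x baseline) are all constructed for illustration; a real MTA or Exchange message-tracking log needs its own parser but carries the same facts.

```python
"""Outbound-mail exfiltration check, added as an illustration for this post.
Not code from the original article or any product. Log lines, baselines
and thresholds are constructed."""
import re
from collections import defaultdict

# Constructed, simplified log lines (one per delivered message).
MAIL_LOG = """\
2024-05-10T09:02:11 from=jdoe@example.com to=client@partner.com size=45120
2024-05-10T09:15:40 from=msmith@example.com to=msmith.home@gmail.com size=8921344
2024-05-10T09:16:02 from=msmith@example.com to=msmith.home@gmail.com size=10485760
2024-05-10T10:01:00 from=rlee@example.com to=boss@example.com size=2048
garbage line that should be skipped
2024-05-10T11:30:12 from=msmith@example.com to=msmith.home@gmail.com size=7340032
"""

# Constructed per-user baseline: median bytes sent externally per day over
# the previous 30 days. Build this from the same logs before you start alerting.
BASELINE_BYTES = {"jdoe": 400_000, "msmith": 350_000, "rlee": 120_000}
INTERNAL_DOMAIN = "example.com"
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

LINE_RE = re.compile(r"^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) size=(?P<size>\d+)$")


def parse_mail_log(text):
    """Turn log text into a list of message dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": m["ts"], "sender": m["sender"],
                           "rcpt": m["rcpt"], "size": int(m["size"])})
    return events


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def flag_exfil(events, baseline, internal_domain, personal_domains,
               multiplier=5, min_bytes=5_000_000):
    """Return {user: finding} for senders whose external volume is both
    above min_bytes and at least `multiplier` times their daily baseline."""
    per_user = defaultdict(lambda: {"external_bytes": 0, "messages": 0, "personal_rcpts": set()})
    for e in events:
        rcpt_domain = _domain(e["rcpt"])
        if rcpt_domain == internal_domain:
            continue  # internal mail is not exfiltration
        user = e["sender"].split("@", 1)[0]
        stats = per_user[user]
        stats["external_bytes"] += e["size"]
        stats["messages"] += 1
        if rcpt_domain in personal_domains:
            stats["personal_rcpts"].add(e["rcpt"])
    alerts = {}
    for user, stats in per_user.items():
        base = baseline.get(user, 0)
        # No baseline (new account?) means any large volume deserves a look.
        ratio = stats["external_bytes"] / base if base else float("inf")
        if stats["external_bytes"] >= min_bytes and ratio >= multiplier:
            alerts[user] = {
                "external_bytes": stats["external_bytes"],
                "messages": stats["messages"],
                "times_baseline": round(ratio, 1),
                "personal_rcpts": sorted(stats["personal_rcpts"]),
            }
    return alerts


def run_check():
    """Apply the check to the constructed log; msmith is the one who fires."""
    return flag_exfil(parse_mail_log(MAIL_LOG), BASELINE_BYTES, INTERNAL_DOMAIN, PERSONAL_DOMAINS)


if __name__ == "__main__":
    for user, finding in run_check().items():
        print(user, finding)
```

On the sample data msmith moved about 25 MB to a personal Gmail address in one morning, roughly 76 times the usual daily volume, while jdoe’s 45 KB to a customer stays quiet. The two thresholds work together on purpose: the multiplier alone would page you about a user whose normal volume is near zero, and the byte floor alone would miss nothing, but also never notice who is acting out of character. The same shape of check, bytes per source over a window against that source’s own baseline, works on firewall logs keyed by workstation.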
One last note: as I’ve noted, some of these procedures should be coordinated with your H.R. department. Not only because timing is important, but because there are legal constraints to what kind of monitoring you can do, and how your policies should be worded. You probably also want to run these by your company’s lawyer. You can find plenty of sample policies by using Google, but state, federal, local and international laws may differ on what is legal in your area.
Did I miss anything? What else would you recommend? Let us know in the comments, below, or on our Facebook page.