The employment picture makes everyone feel horrible. Those being laid off must re-create their lives, while those who remain must grapple with losing friends and colleagues. And unfortunately, IT personnel must reckon with potential security threats from disgruntled former employees.
Whether we admit it or not, 70 per cent of computer attacks come from inside enterprises, according to the U.S. Federal Bureau of Investigation. The estimated cost last year to U.S. businesses for these cybercrimes was US$265 million.
Last March, Verizon Communications Inc. disclosed that one dismissed worker who pleaded guilty to damaging a network service support centre caused US$200,000 in damage.
So, no matter how much you may wish to ignore the risks, your IT systems must have effective means to guard against malicious activity from former users.
As a prerequisite to any technology solution, such as automated passwords or account management controls, you must have direct dialogue between IT security and the business managers who are responsible for layoffs. If you don’t know who is being laid off until human resources has processed paperwork and the payroll department has issued the last check, you’re exposed to days, if not weeks, of potential attacks.
IT security departments must also communicate ID and password deletions to their help desks in a timely fashion. Treating the help desk as a second-class citizen in the information loop leaves you vulnerable to smart mischief makers.
In more practical terms, IT security must tackle the human errors when network and application access involves a human interaction.
For example, most password changes are done via a help desk over the telephone. There must be a way to maintain logs of where frequent requests for new passwords are coming from. Also, you must have a way to alert the help desk to potential security risks, such as a nasty termination.
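The two help-desk controls just described, a log of where password reset requests are coming from and a termination notice the help desk can check against, can be combined in a small triage step. The following is an added example written for this page, not code from the column or any product it mentions; the log format (timestamp, caller source, account), the termination list, and the frequency threshold are all constructed assumptions.

```python
"""Help-desk password-reset triage (added example, not from the column).

Assumed log format, one request per line: "<ISO timestamp> <source> <account>",
where <source> is the caller's extension or phone number as the help desk
recorded it. The threshold (more than 3 resets from one source within 3 hours)
is an illustrative assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: one password reset request per line.
SAMPLE_LOG = """\
2002-03-04T09:02:11 ext-4412 jsmith
2002-03-04T09:15:40 ext-4412 mlee
2002-03-04T09:31:05 ext-4412 rpatel
2002-03-04T10:05:00 555-0199 dchen
2002-03-04T11:20:17 ext-4412 bgarcia
2002-03-05T08:45:33 555-0142 jsmith
"""

# Constructed termination notice, as it would come from the business managers
# responsible for layoffs: accounts whose owners have been let go.
TERMINATED_ACCOUNTS = {"dchen"}


def parse_log(text):
    """Parse log lines into (timestamp, source, account) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, account = line.split()
        records.append((datetime.fromisoformat(ts), source, account))
    return records


def frequent_sources(records, max_requests=3, window=timedelta(hours=3)):
    """Return sources that made more than max_requests resets inside window.

    A sliding window over each source's sorted timestamps, so a burst of
    requests from one extension or phone number stands out.
    """
    by_source = defaultdict(list)
    for ts, source, _ in records:
        by_source[source].append(ts)
    flagged = set()
    for source, times in by_source.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > max_requests:
                flagged.add(source)
                break
    return sorted(flagged)


def terminated_account_requests(records, terminated=TERMINATED_ACCOUNTS):
    """Return reset requests made for accounts on the termination notice."""
    return [r for r in records if r[2] in terminated]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("Busy sources:", frequent_sources(recs))
    for ts, source, account in terminated_account_requests(recs):
        print(f"ALERT: reset for terminated account {account} from {source} at {ts}")
```

Both checks are deliberately cheap: the frequency check only needs the help desk to record the caller's source, and the termination check only works if IT security actually receives the layoff list before the last cheque goes out, which is the dialogue the column asks for.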
At the back end of your enterprise, you must design systems so as not to put valuable information in places where ex-employees can help themselves. Corporate directories or enterprise databases must be encrypted.
A strong password policy can also thwart former co-workers who know the mothers’ maiden names of several employees, a popular password. After all, passwords to networks and databases are often shared within a work group. Remove group passwords and make sure passwords for critical platforms are changed every 30 days, contain at least 12 characters and aren’t proper names or words found in a dictionary.
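The policy in the paragraph above (no group accounts, 30-day rotation, at least 12 characters, no proper names or dictionary words) can be enforced at password-change time and audited afterwards. This is an added example written for this page, not the column's own code; the dictionary and name lists are tiny constructed stand-ins for real word lists, and the account records are made up.

```python
"""Password policy check for critical platforms (added example, not the column's).

Rules taken from the column: at least 12 characters, not a proper name or a
dictionary word, rotated every 30 days, and no shared group accounts.
The word list, name list and account records below are constructed.
"""
from datetime import date

MIN_LENGTH = 12
MAX_AGE_DAYS = 30

# Constructed stand-ins for a real dictionary and a list of proper names;
# a production check would load full lists from disk.
DICTIONARY_WORDS = {"password", "welcome", "corporation", "maintenance"}
PROPER_NAMES = {"margaret", "johnson", "williams"}

# Constructed account records for the audit (no passwords stored here; the
# content rules are applied when a password is set, not by reading it back).
SAMPLE_ACCOUNTS = [
    {"name": "db-admin", "shared": True, "last_changed": date(2002, 1, 10)},
    {"name": "jsmith", "shared": False, "last_changed": date(2002, 1, 25)},
    {"name": "mlee", "shared": False, "last_changed": date(2002, 3, 1)},
]


def policy_violations(password):
    """Return the rule names a candidate password breaks (empty if it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    lowered = password.lower()
    # Also catch a word or name with trailing digits/symbols tacked on.
    stripped = lowered.rstrip("0123456789!@#$%^&*")
    if lowered in DICTIONARY_WORDS or stripped in DICTIONARY_WORDS:
        problems.append("dictionary_word")
    if lowered in PROPER_NAMES or stripped in PROPER_NAMES:
        problems.append("proper_name")
    return problems


def is_rotation_overdue(last_changed, today):
    """True when the password is older than the 30-day maximum."""
    return (today - last_changed).days > MAX_AGE_DAYS


def audit_accounts(accounts, today):
    """Map each non-compliant account name to its list of findings."""
    findings = {}
    for acct in accounts:
        issues = []
        if acct["shared"]:
            issues.append("group_account")
        if is_rotation_overdue(acct["last_changed"], today):
            issues.append("rotation_overdue")
        if issues:
            findings[acct["name"]] = issues
    return findings


if __name__ == "__main__":
    for candidate in ("margaret2002", "welcome", "c0rrect-h0rse-b4ttery"):
        print(candidate, "->", policy_violations(candidate) or "ok")
    print(audit_accounts(SAMPLE_ACCOUNTS, date(2002, 3, 4)))
```

The audit deliberately does not read passwords back: content rules are checked when a password is set, while the shared-account and rotation checks run on account metadata, so an ex-employee who knew a group password is locked out by the account's removal rather than by a guess about what they remember.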
But, of course, the best way to reduce the risk of a technical maelstrom is to handle layoffs in a humane and compassionate manner. That can go a long way toward preventing a vengeful network attack.
Pimm Fox is Computerworld’s West Coast bureau chief. He can be reached at [email protected].