It had to happen. With layoffs threatening to replace baseball as our national pastime, my colleagues in the computer trade press are worrying about the security threat posed by disgruntled ex-or soon-to-be-ex-employees, especially those on the IT staff. According to the more lurid stories afloat, the only question in the minds of your castoffs is whether to do their evil before or after the pink slip arrives.
I have a problem with this approach. Of course there’s always going to be pilfering, especially when a business is shutting down for good and no one is left to notice what’s missing. It’s theft of course, but it’s also human nature. So treating all outgoing employees as though they’re felons is only going to make matters worse. It’s especially rank to play this trick when you’ve spent months and years building up a culture of trust, or in its most nauseating form, a “family feeling.” For crying out loud, it’s hard enough already on the people you’re laying off without adding insult to injury.
There are things you must do when personnel in sensitive positions leave. Changing passwords, deleting accounts, and reviewing access controls is just the beginning. I’ve shuffled phone numbers in my modem pool or changed them outright. I enjoyed hearing that at least one company changes its internal network numbering when key employees depart, just to be safe. I wondered if perhaps the company’s network manager keeps a trio of dice in his or her desk drawer for assigning the new number, or if another randomizing factor is involved.
Handling departures correctly involves more than just figuring out how to re-number your network or phone lines. You must be up front with departing staff. Tell them what you’re going to do before you cut them off from systems they access on a daily basis. I once gave an employer whose network I managed two months’ notice before leaving – yes, months, although I’ll never make that mistake again – and a month later went away for my dad’s funeral. When I returned, I discovered that my replacement had been hired, and he’d cleaned out my desk and locked me out of the network. As you might imagine, I’ve bad-mouthed that company ever since.
Why is this a security issue and not a human resources issue? Well, there were a couple of back doors left in the system, and you can bet your bippy that the treatment I received almost encouraged me to commit sabotage. I understand that some people blamed me for a couple of system crashes after I left, so it’s not like I had a reputation to lose. Fortunately, I found other things to do instead of monkey-wrenching.
But it never had to happen in the first place. If you treat your employees with respect, their consciences are likely to get the best of them, too.
Connolly covers groupware, messaging, networking, operating systems and security for the InfoWorld (US) Test Center and can be reached at [email protected]