Before You Fire the Company Geek
An anonymous reader writes "A new 'insider threat' survey by the US Secret Service and Carnegie Mellon University finds that 82 percent of people who hack their company 'exhibited unusual behavior in the workplace prior to carrying out their activities.' A somewhat amusing writeup at washingtonpost.com points to a bunch of more interesting gems hidden deep in the study, including: 'Almost all - 96 percent - of the insiders were men, and 30 percent of them had previously been arrested, including arrests for violent offenses (18 percent), alcohol or drug-related offenses (11 percent), and non-financial-fraud related theft offenses (11 percent).' The blog post also notes that 86 percent held technical positions at the companies: '...if you're going to fire someone (particularly company geeks who have the motive, means and access to inflict pain on your computer systems) make double sure you cut off their e-mail and network access at the same time you hand them their walking papers.'"
Seriously, though, sabotaging your former or current network is just a plain dumb idea, especially if it is/was your job to keep this sort of thing from happening. In the final analysis, the only real thing an I.T. professional possesses is their reputation. Trash that, and you'll find it difficult to secure further employment.
____
~ |rip/\/\aster /\/\onkey
make sure they don't run the email system first.
The revolution will NOT be televised.
Also, if you're going to fire an accountant, it's a good idea to audit the accounts they dealt with particularly carefully, and if you're going to fire a security guard it's a good idea to collect their pass and master keys as they leave.
Of course, not screwing staff so badly that they are prepared to risk retaliation is also a good move.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Hmm, statistics. I wonder how those numbers compare to people who simply work in IT and don't hack? I'd say 96% being men isn't all that unusual, and I would not be surprised if 11% of the general population has alcohol/drug offences already.
The problem with stats is that they generally never give you a baseline. Without that they are meaningless.
So you're saying that many of the people stupid enough to get caught, thus contributing to this survey's statistics, had been caught before doing other things? Can you say "self-selecting group"?
Nerd Rock In Progress
Now the good news: almost all of them got caught.
Well, no... almost all of the ones they know about got caught. How many incidents were simply covered up? How many of the really good ones made it look like a typical software-gone-bad-and-erased-the-data?
We all know that crime statistics are highly skewed by the reporting process...
500GB of disk, 5TB of transfer, $5.95/mo
"30 percent of them had previously been arrested, including arrests for violent offenses (18 percent), alcohol or drug-related offenses (11 percent), and non-financial-fraud related theft offenses (11 percent)."
These numbers also represent the population of the United States as a whole. Yes, 30 percent of the US population has been arrested before. More than 20% have a felony on their record and so on. So to paint these people as anything other than ordinary citizens is silly. They simply represent the whole equally as the whole represents itself. Nothing unusual here.
Short of a felony conviction, that's hard to do. We're a migratory culture and the fact is that no ex-employer wants to do a competitor a favor by giving them information about a candidate -- especially when any negative comments could result in a lawsuit.
Lacking <sarcasm> tags,
When I was let go from AOL-TimeWarner they cut me out of my email and server access before the phone call (I had a feeling more than just a server crashed that day) - then they wanted to have a security guard escort me out and watch me as I pack my box of belongings - thank g-d my cow-orker offered to watch, rather than a guard. Sure take precautions but don't make people feel like criminals!
Here's what the survey doesn't say. That sometimes employers decide to retaliate against employees who point out problems or cause what management thinks is trouble. These employees often find themselves the targets of investigations.
All surveys like this do is give ammunition to corporate management to investigate who they want, when they want, expect even less privacy and create conditions of employment so egregious that the IT worker becomes chattel.
As it is, there are systems to monitor web surfing, chat conversations, phone conversations, VOIP decoders for phone conversations that aren't analog, cameras, keystroke loggers, mail server agents that look for keywords, policies against the use of encryption, etc etc.
With blood tests and mandatory screenings for crime history, blood history, pretty soon genetic history of family disease (company insurance is expensive you know they don't need any cancer heads) there will be no part of a worker's life that isn't controlled by the corporation that employs them.
Surveys like this one cull fear in IT shops, fear of insider attacks, of competitive disadvantage brought about by unscrupulous employees. When, in fact, it's employers for the most part who engage in espionage and frame workers. It's easy and efficient. Want to get rid of that guy nearing his pension? Put some kiddie porn on his hard drive.
We don't need any more tools to spy. We need some fucking national legislation to curb the uncontrolled police state that exists inside the corporations of the world.
What if you are the ONLY one that controls the access to system?
:)
Scrap that. What if you are the ONLY one who knows how the system works? Ah, it feels great to be non-expendable
The one year package turned out to be 60 days pay (required by the federal WARN law), then one month's pay for every year I'd put in.... with a 10 month maximum. I had 21 years, so I got ten months pay plus the sixty days... I consider that a ten month package
I'm not disputing that you were treated badly, but why do you call 12 months of pay a ten-month severance package? If all you got was the legally-required two months of pay, would you say you got no severance?
The government's mandate of two months pay doesn't make it any easier for the company to give it to you.
Hell, if the government required five years of severance pay, would you still say you got nothing if the company gave you nothing beyond the legal minimum?
This space intentionally left blank.
In business, loyalty has a dollar value. Mention that to your management at least once a year.
Deleted
The steps beyond walking him out should be done by another techie, and not just an MCSE.
ALL passwords should be obtained before he leaves, and ALL should be changed immediately to randomized strings.
All user accounts should be audited. If it's not supposed to be there, remove it or change its passwd.
Audit all incoming ports.
Force EVERYONE at the company to change their passwords to newer better ones. Any techie at a company remembers many others' passwords, especially if it's like their last name etc.
Take immediate backups of important servers and keep 'em separate.
Or you could simply give him a fat severance package.
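The account, password and port checks from the checklist in the comment above, as an added example that is not part of the original thread. It is a Python sketch over a constructed inventory; the account names, dates, port numbers and the `offboarding_audit` helper are all hypothetical.

```python
from datetime import datetime

# Constructed sample inventory (hypothetical): account -> (enabled, last password change)
ACCOUNTS = {
    "jdoe":     (True, datetime(2024, 1, 10)),   # the departing admin
    "backup":   (True, datetime(2023, 6, 1)),    # shared account he knew the password to
    "asmith":   (True, datetime(2024, 5, 17)),
    "www":      (True, datetime(2024, 5, 17)),
    "tmpadmin": (True, datetime(2024, 5, 2)),    # not on the roster
}
AUTHORIZED = {"jdoe", "backup", "asmith", "www"}  # accounts that are supposed to exist
LISTENING = {22, 25, 80, 443, 8081}               # constructed: ports found accepting connections
PORT_BASELINE = {22, 25, 80, 443}                 # ports that are supposed to be open


def offboarding_audit(accounts, authorized, listening, baseline, departed, cutoff):
    """Return (subject, finding) pairs for the checklist's account, password and port steps."""
    findings = []
    for name, (enabled, pw_changed) in sorted(accounts.items()):
        if name not in authorized:
            findings.append((name, "not supposed to be there: remove or reset"))
        elif name == departed:
            if enabled:
                findings.append((name, "departed user's login still enabled"))
        elif enabled and pw_changed < cutoff:
            # Every remaining password must have been changed after the departure.
            findings.append((name, "password not changed since departure"))
    for port in sorted(listening - baseline):
        findings.append((f"port {port}", "listening but not in baseline"))
    return findings


if __name__ == "__main__":
    for subject, finding in offboarding_audit(
        ACCOUNTS, AUTHORIZED, LISTENING, PORT_BASELINE,
        departed="jdoe", cutoff=datetime(2024, 5, 16),
    ):
        print(f"{subject}: {finding}")
```

An empty result means every step of the checklist that this sketch covers has been carried out; the backup step is not modelled.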
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
...if you're going to fire someone (particularly company geeks who have the motive, means and access to inflict pain on your computer systems) make double sure you cut off their e-mail and network access at the same time you hand them their walking papers.'
It seems to me the real way to address the problem is to do a background check when you hire these people.
If a company is above board and decent dealing with employees, it will seldom encounter insider attacks and will be fully justified prosecuting them. Notify an employee of an impending layoff when the decision is made. Don't give bogus performance reviews just so that you can fire someone without giving them the severance package. Don't expect people to work overtime training their overseas replacements.
:-)
On the other hand, companies that use underhanded tactics should be barred from suing ex-employees that are doing things just comparable in sleaziness. Don't expect to get back those nice gadgets that he took home
The original article states
"that 82 percent of people who hack their company 'exhibited unusual behavior in the workplace prior to carrying out their activities.'"
This does not mean that 82 percent of the people who exhibit unusual behavior are going to hack their company.
That's like some racist bastard saying that because 50% of all homicides in the United States are committed by African-Americans (which is true), 50% of African-Americans are murderers (which is not true).
Or some leftist bigot claiming that because 65% of all homicides in the United States are committed by someone with a firearm (which is true), that 65% of gun owners are murderers (which is not true).
I'm sure there's a name for this common type of logical fallacy, but I don't have time to look it up.
I think it's really important to differentiate "fire" -- hey, this guy is really bad for us and we need to get rid of him ASAP due to some actionable offense -- and "lay off" -- hey, we have a redundancy, or something.
When firing geeks (having had to do this once), I think you need to do so with extreme prejudice -- take away access while they're talking to HR, lock down, etc.
When laying off geeks, I prefer for the rules to be different. The person has done nothing wrong, we don't think they're an active threat and, until about five minutes ago, we trusted this person with our data -- because, presumably, we believed them to be honourable people. They've not stopped being honourable people because we've laid them off, and we shouldn't treat them as such.
Been laid off twice in my life:
First time was while I was responsible for a large group of geeks. We merged with another company and on the last day of the merger activities, I had the conversation with HR. New CIO had his own person and figured (accurately) we wouldn't get along. HR wanted to walk me out, I wanted to stay the evening because we were concluding a month of activity connecting the two companies. Ended up going up to the President of the company and saying "hey, I was responsible for this, I want to see this finished." He said "hey, no problem. Nothing personal." I stayed, we finished the connections, and then we went out and got stinking drunk.
Second time was at a financial services company which was, by far, the most paranoid, employee-hostile company I've ever worked in. Thankfully, the CIO was far more sane. When he was forced to let me go, and I packed my stuff, I offered him the opportunity to look through what I was taking to make sure nothing was inappropriately taken (they didn't watch me pack). He declined, for the "hey, we trusted you until ten minutes ago" reason above.
How does this classify as being treated like a criminal? I always get a kick out of employees who constantly complain about no loyalty left in the work place, and how bad they are always treated.
Were you in handcuffs and an orange jumpsuit? Put into a police car with lights and sirens running? C'mon.
Put yourself in the company's shoes for once.
1. Companies are required BY LAW to give severance pay and/or notice when laying off employees. Employees can just up and leave any minute they choose for the most part. Not only that, a lot of employees that at least have the decency to give notice are usually an order of magnitude less productive in those last couple weeks. In the company's eyes it would have been less expensive to just leave and not give any notice.
2. If a company is getting rid of an employee, don't you think it's in their best interest to not take ANY chances? It doesn't matter if you've worked there 50 years or not, they owe it to their customers and other employees to remove your access and get you out of the building ASAP, "just in case". It only takes one bad apple to cause major havoc.
3. Companies have a lot of people to keep in mind when they do business. Shareholders, employees, customers. If a company is experiencing hard financial times, in a lot of cases (not all of course) it makes sense to get rid of the highest paid people. If you've been there for 10 years, not only are you normally paid more than other people, you also get more time off, and require more severance pay. Since getting rid of one high paid employee can in a lot of cases fund two lower paid ones, it also doesn't look as bad to the public. Also because of the severance pay requirements, sometimes companies have to think years in advance, especially in your case. If you have to pay out 12 months worth of wages to get rid of someone, you better make sure you do it at the right time and not wait until it's too late.
Yes, some companies are evil, but put yourself in their shoes sometimes.
Open Source Time and Attendance, Job Costing a
They collected the data but then jumped to a very wrong conclusion and issued a prescription that, IMHO, will cause MORE harm to companies than it will prevent.
The "geek" who has been a major player in running the show will be able to break in and do harm if he wants to. If he's criminal or revenge-prone he may already have installed a bunch of stuff - and if he's just doing his job he probably has emergency backdoors and the like in case the normal paths break.
And while ordinary users may not have this sort of access, many of them WILL have been able to accumulate other users' passwords and the like. They too can get in and do damage.
IF you motivate them.
The decision is between giving them notice and an opportunity to gracefully disengage from the company, versus pulling the plug and THEN telling them they're fired. The gentle departure versus the knife in the back.
As someone who has been in the business for decades, I have been laid off from time to time. The usual procedure has been to give notice and allow the soon-to-be-ex employee to gracefully shut down or redirect his correspondence, clean out his virtual desk, and take advantage of the company email for the first phase of his job hunt. Doing this creates warm fuzzies all around - the social net is intact, mutual recommendations will be forthcoming at all opportunities, if the company ever had need for me again (eventually it did) I'd hire on with no qualms.
Exactly ONCE I've had the no-notice shutdown. By a PHB who did it that way "because that's how it's done". (No doubt he'd seen trade journal articles like the one above.)
I was furious.
I COULD have done major damage to the company's IT infrastructure - but for my scrupulous honesty in business dealings (even with scumbags).
As it was, when the PHB in question later did a startup and found himself in need of my talents, I didn't even bother to reply to his offer. How can you trust someone like that? You can imagine how I advised anyone considering hiring him or going to work for him.
Now imagine doing that to someone who is not just able, but willing, to take revenge for any slight. These people are NOT rare - if you have a hundred employees, chances are you have at LEAST one.
As a friend who was a union organizer once said to me: "The workers will give you what you ask them for. Ask for quantity and you get quantity. Ask for quality and you get quality. Ask for trouble and you get trouble."
The surprise plug-pull is asking for trouble.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Indeed, just like intelligent design is referred to as "science".
-mkb
Someone mod this +1 Bitter.
If you got 12 months severance (I'm sorry, 10 months + 60 days) then you got off a lot better than some people.
-- dR.fuZZo
Yes, some companies are evil, but put yourself in their shoes sometimes.
That sounds like you want to see a company as a person, which it isn't.
Although I also personally don't like people who always complain about this and that (which IMHO isn't the case here), I think I can't in any case have sympathy with an entity that is only there to produce things in the most efficient way.
How does this classify as being treated like a criminal?
Not a criminal perhaps, but certainly a suspect.
Put yourself in the company's shoes for once.
If you think this is a wise approach to treating employees who've been working there for years, go ask the remaining employees how they feel about their jobs after they've just watched their respected peers escorted out the building.
Don't fall in love with something that can't love you back.
I think your employer treated you OK, all things considered. They could have denied you access to your desk afterward, for example.
In my two layoffs, I got no severance at all (due to bankruptcy), but in both cases we did get to clean out our desks and commiserate with our co-workers, etc. I think the year of severance pay is worth quite a bit more, actually; you can buy all your friends dinner and cry about it there, and still have a few tens of thousands of dollars left as consolation.
There is a sabotage that actually works. It is legit, and it also helps your friends:
1) Go to a better place (in the same city if possible)
2) Hire away all productive people remaining in your former company.
There are 2 categories of employees. The sugary HR will eventually find out that they now have only one.
I doubt that we will ever figure out - and I suspect that even if we did figure out we couldn't do much about it
OK, I was about to make a wise-ass remark along the lines of...
So you'd no doubt prefer to see:
83.673469387755102040816326530612% were acting weird.
85.714285714285714285714285714286% had documented grievances.
But then I realized that you had a point (other than just bitching about imprecise percentage figures). If 41 people is 84% of the total (I'm cool with that rounding), then wouldn't 42 people have to be 86%?!
The only other possible explanation (other than illnumeracy) is that 85% of the 84% that acted weird had documented grievances (i.e. 35 of them).
Wanted: witty unique signature. Must be willing to relocate.