Slashdot Mirror
Before You Fire the Company Geek
An anonymous reader writes "A new 'insider threat' survey by the US Secret Service and Carnegie Mellon University finds that 82 percent of people who hack their company 'exhibited unusual behavior in the workplace prior to carrying out their activities.' A somewhat amusing writeup at washingtonpost.com points to a bunch of more interesting gems hidden deep in the study, including: 'Almost all - 96 pecent - of the insiders were men, and 30 percent of them had previously been arrested, including arrests for violent offenses (18 percent), alcohol or drug-related offenses (11 percent), and non-financial-fraud related theft offenses (11 percent).' The blog post also notes that 86 percent held technical positions at the companies: '...if you're going to fire someone (particularly company geeks who have the motive, means and access to inflict pain on your computer systems) make double sure you cut off their e-mail and network access at the same time you hand them their walking papers.'
The survey went on to say that the remaining 18 percent of people 'exhibited unusual behavior in the workplace while carrying out their normal daily activities.'
Don't cha know...
The NSA: The only part of the US government that actually listens.
Seriously, though, sabotaging your former or current network is just a plain dumb idea, especially if it is/was your job to keep this sort of thing from happening. In the final analysis, the only real thing an I.T. professional possesses is their reputation. Trash that, and you'll find it difficult to secure further employment.
____
~ |rip/\/\aster /\/\onkey
They're assuming we already haven't taken control of everything else... who needs email when you control the elevators and doors... :)
Don't anthropomorphize computers, they don't like it.
'exhibited unusual behavior in the workplace prior to carrying out their activities.'
Refering to management?
Kiss my bass.
- 96 pecent - of the insiders were men
:)
- The insiders ranged in age from 17 to 60 years (mean age = 32 years)
OSTG user statistics (Including Slashdot).
- 97% of OSTG readers are men
- average age is 29
Too bad OSTG doesn't have crime statstics for Slashdot readers
I think we should have this for our next poll!
Worst arrest of your lifetime:
1. Never. I'm a law abiding citizen.
2. Never. I run away.
3. A few misdemenors
4. Violent offense
5. Alcohol or drug-related offenses
6. Non-financial-fraud related theft offenses
7. I'm writing this from death row.
8. I stole the money, burned down the office and now live on a beach in Fiji with my red stapler.
94% of Repubs and 21% of Dems voted to renew the Patriot Act
.. remember to give him a wedgie, for old times sake.
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
Also, if you're going to fire an accountant, it's a good idea to audit the accounts they dealt with particularly carefully, and if you're going to fire a security guard it's a good idea to collect their pass and master keys as they leave.
Of course, not screwing staff so badly that they are prepared to risk retaliation is also a good move.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Hmm, statistics. I wonder how those numbers compare to people who simply work in IT and don't hack? I'd say 96% being men isn't all that unusual, and I would not be surprised if 11% of the general population has alcohol/drug offences already.
The problem with stats is that they generally never give you a baseline. Without that they are meaningless.
...you don't even have to be capable of hacking anymore. Act strangely enough and you can subtlely extort your company for continued employment. What a great idea!
This is, after all, almost an order of magnitude more effective than screening for alcohol, drugs, or felony convictions.
-+-+-+-+-
Don't blame me for posting like a PHB. This is how they think, and the fact that it gives them a business excuse to play Charlie with his IT Angels probably won't hurt either.
Lacking <sarcasm> tags,
Now the good news: almost all of them got caught.
Well, no... almost all of the ones they know about got caught. How many incidents were simply covered up? How many of the really good ones made it look like a typical software-gone-bad-and-erased-the-data?
We all know that crime statistics are highly skewed by the reporting process...
500GB of disk, 5TB of transfer, $5.95/mo
I guess I get it as far as policy goes, but I experienced this a year ago from a large corporation when I got laid off... My manager came to my desk and did the perp walk with me to the office. Told me that in the interest of cutting cough costs the company was willing to offer me a one year severance package and let me go.
I said, "You're offering me a one year severance package???" He looked confused, but said, "yes".
I said, "Well then I respectfully decline your offer.... I would like to continue working for this company."
He said, "It's not optional."
I said, "Then you're not offering anything to me, you are doing something to me."
A couple of notes about the treatment therein:
In my career at this company I had received the highest award given by the company and was flown to a special ceremony to present my project and receive that award.
Bottom line here: you don't have to be a criminal, act like a criminal, or even be suspected of being a criminal to be treated like one....
"30 percent of them had previously been arrested, including arrests for violent offenses (18 percent), alcohol or drug-related offenses (11 percent), and non-financial-fraud related theft offenses (11 percent)."
These numbers also represent the population of the United states as a whole. Yes 30 percent of the US population has been arrested before. more than 20% have a felony on their record and so on. So to paint these people as anything other than ordinary citizens is silly. They simply represent the whole equally as the whole represents itself. Nothing unusual here.
So 41.16 were acting wierd, 41.65 had grievances?
And 100% researchers show signs of random rounding up or down based on mood even within a single study.
If programs would be read like poetry, most programmers would be Vogons.
Short of a felony conviction, that's hard to do. We're a migratory culture and the fact is that no ex-employer wants to do a competitor a favor by giving them information about a candidate -- especially when any negative comments could result in a lawsuit.
Lacking <sarcasm> tags,
Here's what the survey doesn't say. That sometimes employers decide to retaliate against employees who point out problems or cause what management thinks is trouble. These employees often find themselves the targets of investigations.
All surveys like this do is give ammunition to corporate management to investigate who they want, when they want, expect even less privacy and create conditions of employment so egregrious that the IT worker becomes chattel.
As it is, there are systems to monitor web surfing, chat conversations, phone conversations, VOIP decoders for phone conversations that aren't analog, cameras, keystroke loggers, mail server agents that look for keywords, policies against the use of encryption, etc etc.
With blood tests and mandatory screenings for crime history, blood history, pretty soon genetic history of family disease (company insurance is expensive you know they don't need any cancer heads) there will be no part of a worker's life that isn't controlled by the corporation that employs them.
Surveys like this one cull fear in IT shops, fear of insider attacks, of competitive disadvantage brought about by unscrupulous employees. When, in fact, it's employers for the most part who engage in espionage and frame workers. It's easy and efficient. Want to get rid of that guy nearing his pension? Put some kiddie porn on his hard drive.
We don't need any more tools to spy. We need some fucking national legislation to curb the uncontrolled police state that exists inside the corporations of the world.
'Uh, Ted, as our only IT guy, could you go ahead and disable your own e-mail and network access; we're firing you this afternoon.'
The steps beyond walking him out should be done by another techie, and not just an MCSE.
ALL passwords should be obtained before he leaves, and ALL should be changed immediately to randomized strings.
All user accounts should be audited.. if its not supposed to be there, remove it or change its passwd.
Audit all incoming ports.
Force EVERYONE at the company to change their passwords to newer better ones. Any techie at a company remembers many others' passwords, especially if its like their last name etc.
Take immediate backups of important servers and keep em seperate.
Or you could simply give him a fat severance package.
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
Huh. The trouble with that is, machine-gunning the HR department just kills a bunch of line employees and middle managers - it just makes your downsizing decisions easier. Sabotage actually hurts the bottom line.
-Hentai [in vita non pacem est]
I think it's really important to differentiate "fire" -- hey, this guy is really bad for us and we need to get rid of him ASAP due to some actionable offense -- and "lay off" -- hey, we have a redundancy, or something.
When firing geeks (having had to do this once), I think you need to do so with extreme prejudice -- take away access while they're talking to HR, lock down, etc.
When laying off geeks, I prefer for the rules to be different. The person has done nothing wrong, we don't think they're an active threat and, until about five minutes ago, we trusted this person with our data -- because, presumably, we believed them to be honourable people. They've not stopped being honourable people because we've laid them off, and we shouldn't treat them as such.
Been laid off twice in my life:
First time was while I was responsible for a large group of geeks. We merged with another company and on the last day of the merger activities, I had the conversation with HR. New CIO had his own person and figured (accurately) we wouldn't get along. HR wanted to walk me out, I wanted to stay the evening because we were concluding a month of activity connecting the two companies. Ended up going up to the President of the company and saying "hey, I was responsible for this, I want to see this finished." He said "hey, no problem. Nothing personal." I stayed, we finished the connections, and then we went out and got stinking drunk.
Second time was at a financial services company which was, by far, the most paranoid, employee-hostile company I've ever worked in. Thankfully, the CIO was far more sane. When he was forced to let me go, and I packed my stuff, I offered him the opportunity to look through what I was taking to make sure nothing was inappropriately taken (they didn't watch me pack). he declined, for the "hey, we trusted you until ten minutes ago" reason above.
They collected the data but then jumped to a very wrong conclusion and issued a prescription that, IMHO, will cause MORE harm to companies than it will prevent.
The "geek" who has been a major player in running the show will be able to break in and do harm if he wants to. If he's of a criminal or revenge-prone he may already have installed a bunch of stuff - and if he's just doing his job he probably has emergency backdoors and the like in case the normal paths break.
And while ordinary users may not have this sort of access, many of them WILL have been able to accumulate other users' passwords and the like. They too can get in and do damage.
IF you motivate them.
The decision is between giving them notice and an opportunity to gracefully disengage from the company, versus pulling the plug and THEN telling them they're fired. The gentle departure versus the knife in the back.
As someone who has been in the business for decades, I have been laid off from time to time. The usuall procedure has been to give notice and allow the soon-to-be-ex employee to gracefully shut down or redirect his correspondence, clean out his virtual desk, and take advantage of the company email for the first phase of his job hunt. Doing this creates warm fuzzies all around - the social net is intact, mutual recommendations will be forthcoming at all opportunites, if the company ever had need for me again (eventually it did) I'd hire on with no qualms.
Exactly ONCE I've had the no-notice shutdown. By a PHB who did it that way "because that's how it's done". (No doubt he'd seen trade journal articles like the one above.)
I was furious.
I COULD have done major damage to the company's IT infrastructure - but for my scrupulous honesty in business dealings (even with scumbags).
As it was, when the PHB in question later did a startup and found himself in need of my talents, I didn't even bother to reply to his offer. How can you trust someone like that? You can imagine how I advised anyone considering hiring him or going to work for him.
Now imagine doing that to someone who is not just able, but willing, to take revenge for any slight. These people are NOT rare - if you have a hundred employees, chances are you have at LEAST one.
As a friend who was a union organizer once said to me: "The workers will give you what you ask them for. Ask for quantity and you get quantity. Ask for quality and you get quality. Ask for trouble and you get trouble."
The surprise plug-pull is asking for trouble.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
My wife works for [insert biggest pharma company in the world here], and has for about 6 years. I used to work for them as well for 5-6 years myself. They were good when I was in, then things got "International", and I resigned quick before the walls started coming down.
In my wife's department (Cancer Biology), there are people who have been there for literally decades. They're so entrenched, they know every system, process, procedure ever made there. If you want to know an answer to some complicated question, these people will know it... and if they don't, they definately know who WILL know.
One person in particular had been there for 34 years, 11 months.. and they were going around looking for ways to "cut costs" in her department.
When you retire at 35-years or more into $PHARMA, you get a nice fat severance. Something like $100k/year for every year there + your stock earnings and benefits cashed out, which amounted to over $1M for this person. That's $100k * 35 + $1M (that's over $4.5M total to retire upon).
They fired him...
...30 days before his 35-year anniversary with the company. He got $60k total as a severance. They didn't want to have to pay out his retirement and severance, so they let him go 4 weeks before he would have earned it. If he had known, he probably could have used up 4 weeks of his vacation to eat up the time instead, but he never saw it coming. Nobody did.
... after putting in 35 years with the company .
This kind of stuff sickens me.
At a previous job, I was the only tech staff member who knew how to clear the transaction logs on MS SQL Server. It's not hard to do, but the network admin couldn't even be bothered to do backups more than once or twice a year, which was part of the SQL Transaction log problem.
When users started getting "transaction log is full" errors and they turned to me to have it fixed.
Once the error occurred while I was on vacation, and the server remained down for three days and a weekend until I got back. I was accused of hacking the system. I pointed out that I was in the Middle of New Mexico at the time, about a mile underground. Accusations of setting up a logic bomb (Not the phrases they used, but I'll skip the 20 minutes they needed to describe the concept) flew around for a while.
In the end, the company owner grudgingly admitted that it was probably a maintenance issue, and them reprimanded me for not "trunting the trees" before I left on vacation.
So for the remainder of my time there I just made sure to do a full backup and shrink the transaction logs every Friday. Automated backups were not an option, as there was never enough drive space for more than one or two backups, so I had to move the old ones to a USB 1.1 drive first.
And no, system level automation of such rudimentary tasks was not an option. Don't ask. It's a whole other story.
So I had no reason to hack the system. All I had to do was leave. Of course I documented everything, but I knew no one would bother reading any of it. This is the company that described programmers as "Glorified Typists."
I made sure to not even visit their web site after I quit.
I did however have social contact with a few of the non-it staff members. Seems there were a slew of problems with the servers, specifically with a cryptic error about a transaction log that no one in the company could understand.
In the end they paid a consulting firm to come in and fix the problem, which I'm assuming meant finally automating the backup process and transaction log shrinking.
"Live Free or Die." Don't like it? Then keep out of the USA
There is a sabotage that actualy works. It is legit, and it also helps your friends:
1)Go to a better place (in the same city if possible)
2) Hire away all productive people remaining in your former company.
There are 2 categories of employees. The sugary HR will eventualy find out that they now have only one.
I doubt that we will ever figure out - and I suspect that even if we did figure out we couldn't do much about it
Any IT professional should expect this type of treatment. It is not discourteous, it is professional and appropriate. People who get their feathers ruffled because of this type of thing should check their egos.
Since when is expecting courtesy having an ego?
Sure, if somebody threatens a coworker they should be escorted out by armed guards. Everybody expects that, and it is should be done for the safety of everybody else if for no other reason.
Otherwise, treating employees as if you don't trust them tells them that you don't trust them. It speaks volumes.
"Professional" does not mean impersonal, or treating employees as if they are nothing more than capital.
The funny thing is that companies could accomplish most of the security-related goals without destroying the morale of everybody who is left. How about this scenario:
1. Employee is called to his boss's office.
2. Boss explains that he has to be let go. Boss has HR present, but HR is presented as being present in case employee has questions, and generally lets the boss (who has a personal relationship) do the talking.
3. Boss takes employee back to desk for "emotional support" and to help him with anything he needs to carry out. Rest of group gets to say goodbye. It is a sad day, but there is some sense of closure. Everybody gets to say goodbye.
4. Atmosphere is designed to communicate that employee is not persona-non-grata, and that his coworkers shoud feel free to pass on job openings, and generally feel free to maintain contact. Boss can be a part of this as well.
5. Employee is walked to the gate, and helped with boxes to the car by boss for emotional support.
6. Boss tells employee to call him if he needs anything before waving goodbye.
The employee has been supervised the whole time, and doesn't have an opportunity to cause mischeif. Yet, the entire time he is treated personably, and would be somewhat inclined to accept an offer to rejoin the company.
Companies often underestimate the impacts that terminations have on the people who remain behind. Seeing their coworkers treated with dignity will go a long way towards discouraging people from jumping off the sinking ship.
Nobody expects to have free reign inside a company they have just been terminated from. On the other hand, you can at least be nice about it...