Slashdot Mirror


Employees Admit They'd Walk Out With Stolen Data If Fired

Gunkerty Jeb writes "In a recent survey of IT managers and executives, nearly half of respondents admitted that if they were fired tomorrow they would walk out with proprietary data such as privileged password lists, company databases, R&D plans and financial reports — even though they know they are not entitled to it. So, it's no surprise that 71 percent believe the insider threat is the priority security concern and poses the most significant business risk. Despite growing awareness of the need to better monitor privileged accounts, only 57 percent say they actively do so. The other 43 percent weren't sure or knew they didn't. And of those that monitored, more than half said they could get around the current controls."

  1. Best Pratices by Mafiasecurity · · Score: 5, Interesting

    I remember reading a long time ago in security 101 best practices to remove an employee's network privileges a week before they receive the notice. I also know of a big company which had ITSEC work all weekend to remove and change creds so when workers came to work Monday they found themselves now jobless.

    1. Re:Best Pratices by Anonymous Coward · · Score: 4, Insightful

      I'm not sure that's really a best practice. Rather than dealing with the risk of data theft, you end up with the risk of them shooting up the building or engaging in non-network sabotage while they still have their access cards.

      The best practice here is to remove their access at the moment they're notified and escorted off premises if the data is that important.

    2. Re:Best Pratices by Penguinisto · · Score: 4, Insightful

      It would depend on the employee, I suspect. As a sr. sysadmin, if my access was cut off, I'd know immediately what was up (since I'd need it for my job), and if I were unscrupulous, I'd have alternate backdoor accounts and backups already in place to suck out all the data that I really wanted. *shrug*.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    3. Re:Best Pratices by Joe_Dragon · · Score: 5, Funny

      I told those fudge-packers I liked Michael Bolton's music.

    4. Re:Best Pratices by epyT-R · · Score: 4, Insightful

      This is the kind of treatment that makes workers angry enough to do the things your 'big company' doesn't want happening in the first place.

    5. Re:Best Pratices by black6host · · Score: 5, Interesting

      >The best practice here is to remove their access at the moment they're notified and escorted off premises if the data is that important.

      That was SOP at a client I did work with. Nobody in house could handle the changes required to disable access to the systems so when someone was being fired, they let me know and I disabled access early in the morning of the day of their termination.

      One time they asked me to do that for a person in a key position and I asked them repeatedly if they were going to terminate the person as soon as they walked in the door the next morning. They assured me, repeatedly, that they would be waiting at the door to take them into the owner's office. Of course I had explained the consequences if they didn't (The employee would know before being told, which is a bit rude in my opinion, not to mention if the employee wanted to create a scene before being escorted out the door they'd have time to do it.)

      Of course, I get a call first thing in the morning from the person being terminated: "I can't log into the system..." Idiots......

    6. Re:Best Pratices by siddesu · · Score: 4, Informative

      This is not a "best practice", as it is completely worthless.

      There is a best practice on the opposite side that is capable of defeating your "best practice" on any day of the week and twice during the weekend, and all smart employees have figured it out long ago. It is for the employee to collect the data while they have access, and not depend on the benevolence of the company policies after the termination decision.

      Just so I am not entirely abstract, this is exactly what a certain Bradley Manning allegedly did while in the employment of a certain large military organization.

    7. Re:Best Pratices by wisnoskij · · Score: 2

      The problem with these types of practices is that you give these ex-employees a legitimate reason to actively try and hurt the company. And they would still have friends there and know the building and network. If they really wanted to they should still be able to cause massive damage, and they have far more reason to do it now.

      And how in hell is it best practice to allow an employee to come in to work and receive a pay-check for a week after they would have a good chance of guessing that they are already fired? Best security is not to remove a network account, but to not allow them in the building.

      --
      Troll is not a replacement for I disagree.
    8. Re:Best Pratices by Anonymous Coward · · Score: 5, Insightful

      And that's why, in turn, employees seem to be developing a "best practice" of keeping the tools to screw over fascist companies. Distrust goes both ways, here's the results of treating employees like shit, enjoy.

    9. Re:Best Pratices by Anonymous Coward · · Score: 2

      So what happened next?

    10. Re:Best Pratices by Anonymous Coward · · Score: 5, Insightful

      The real question is "Why?" What purpose does stealing that info have? You could "potentially" sell it to a competitor just like you could "potentially" be thrown in jail. The risk vs. reward without having a pre-existing deal to steal data for another company is not worth it. It's like quitting your job before you've even handed in a resume to another company that has no idea who you are.

      >here's the results of treating employees like shit, enjoy.

      As opposed to the results of shitty employees trying to screw over the company? These people who would steal the data just because they're fired are EXACTLY the people that should be fired. They are the shitty employees that get what they deserve.

    11. Re:Best Pratices by Austerity+Empowers · · Score: 3, Insightful

      In reality, you always have a clue that your job is in jeopardy, and you're hoarding whatever information you want to take ahead of time. Some people I know do this as a practice regardless of their job security. They have what they consider their "IP" (regardless of how their employment contract defined IP sharing/ownership), and constantly back it up. I'm not sure you can really stop them unless you want to go to the paranoid level of some banks, and remove all USB ports, seal away the hard drive and disconnect them from the internet...all the time.

      In reality I think there is somewhat less danger of an employee walking away with vast company secrets for personal profit, most of the time it's stuff they simply worked on, which they have some sort of emotional investment in. Spending a single cent trying to stop this is both fruitless and a poor use of money that could otherwise be invested in the company for more profit.

    12. Re:Best Pratices by EdIII · · Score: 4, Funny

      Actually.... you all got it wrong.

      Best practices are to just lose his paycheck, promise to look into it, keep moving him into smaller and more cramped cubicles, then eventually the basement, and finally steal his stapler that he brought from home. He should just leave quietly.

    13. Re:Best Pratices by Anonymous Coward · · Score: 3, Insightful

      >Of course, I get a call first thing in the morning from the person being terminated: "I can't log into the system..." Idiots......

      No, they are not idiots. They just left the job of explaining the situation to you.

      You are the idiot for not realizing this.

    14. Re:Best Pratices by lightknight · · Score: 3, Insightful

      Here's a question for you -> if you're in the Sales group for a company, and have spent years cultivating relationships with various clients. You're given a pink slip. A week later, you're working at a new company. Is it screwing over your old company if you contact those clients? What if you kept a copy of the Goldmine database from your former company?

      And therein lies the problem. If I develop code, on my own time, that I reuse at the workplace, whose code is it? If I work for a new company, and the old company brings charges against me for the code I developed on my own time, with my own equipment, who wins? See, these kinds of polls are...inexact, to say the least. If someone has a pet interest in tarring IT, and drumming up a 'need' for security services to watch IT, for instance, could a poll, with vague phrasing, not confirm the need for said services if read one way, instead of another?

      --
      I am John Hurt.
    15. Re:Best Pratices by Neil_Brown · · Score: 4, Informative

      >If I develop code, on my own time, that I reuse at the workplace, whose code is it?

      Just my thoughts but, if your contract is not clear, I'd suggest getting this agreed in writing before you use it, particularly if, despite being developed on your own time, it was developed to solve a particular problem at that company. At the very least, make sure it has a licence attached, and use it in compliance with the licensing requirements, as if the company was any other third party recipient of the code — I'd aim to separate your two roles as (a) copyright owner and licensor of the code, and (b) employee of a company making use of third party code — if this means internal policy compliance of getting the licence checked out, the code use validated etc., then put the code through it.

      (I'm not a developer, although this is a question I've been asked several times by developers, but I work for my employer four days a week, and spend my fifth day pursuing my own academic interests. There's a clear cross-over, since I'm fortunate to be paid to do something which interests me, and so, in reusing work I've done in my academic life, I try to be as clear as possible what is created in the course of my employment, and what is not... Any other thoughts / suggestions would be very interesting to me!)

    16. Re:Best Pratices by rhook · · Score: 2

      And I said, I don't care if they lay me off either, because I told, I told Bill that if they move my desk one more time, then, then I'm, I'm quitting, I'm going to quit. And, and I told Don too, because they've moved my desk four times already this year, and I used to be over by the window, and I could see the squirrels, and they were married, but then, they switched from the Swingline to the Boston stapler, but I kept my Swingline stapler because it didn't bind up as much, and I kept the staples for the Swingline stapler and it's not okay because if they take my stapler then I'll set the building on fire...

    17. Re:Best Pratices by YttriumOxide · · Score: 4, Informative

      As a developer, I was very sure to get very clear rules for this in my employment contract.

      Any code that I develop in my own time belongs to me. If I choose to use that code in a project at work, the company is given a royalty-free and warranty-free licence to use that code as they see fit. They may not however sub-license it, claim it as their own, or prevent me from using it in any way. All such code must be specifically marked as such, or it is assumed I created it on company time.

      My contract does however also specify that I can not compete with my employer while working here, and as such most of the code I do in private has little re-use value at work and vice-versa.

      Also, I've been with the same company for 10 years and will likely stay here for the rest of my working life, so I don't actually spend too much time thinking about it - it's just a safety precaution in case something does happen.

      --
      My book about LSD and Self-Discovery
      Also on facebook as: DroppingAcidDaleBewan
    18. Re:Best Pratices by ArsenneLupin · · Score: 4, Funny

      >engaging in non-network sabotage

      such as hiding shrimps or French cheese in false ceilings or raised floors...

    19. Re:Best Pratices by SuricouRaven · · Score: 2

      Revenge isn't rational. When I was first laid off, I stole the department's best set of pliers. Not because they were worth much, but because they were really nice pliers and I just felt really annoyed. Me and a coworker were exactly equal in qualifications, skill and productivity, so it was fairly clear that the decision over who to fire came down to him being the one willing to go down the pub with the boss and play the occasional game of football.

    20. Re:Best Pratices by nospam007 · · Score: 2

      "You could "potentially" sell it to a competitor ..."

      Sell? This is revenge business, there's not much money to earn there, you have to get a job with Vizzini to pay the bills.

    21. Re:Best Pratices by characterZer0 · · Score: 4, Interesting

      Unless you are firing your employee for doing something horrible, best practice when terminating white collar employees who have been trusted with access is to cut off access Friday evening, give notice Monday morning, and pay them for another 2-4 weeks at full salary to work half time writing documentation (and be free to spend the rest of their time looking for another job or golfing). The company avoids sabotage and burning bridges, gets documentation, and has remaining employees who know they will be treated respectfully.

      --
      Go green: turn off your refrigerator.
    22. Re:Best Pratices by serviscope_minor · · Score: 2

      >Any code that I develop in my own time belongs to me.

      Fair enough. Anything else is just getting you screwed.

      >If I choose to use that code in a project at work, the company is given a royalty-free and warranty-free licence to use that code as they see fit.

      Sounds reasonable until this...

      >They may not however sub-license it,

      Unless you go through proper channels to license the code to the company, then you're inviting trouble. Unless the company is happy for you to pull in external code which prevents sub-licensing then you're screwing the company.

      If they're paying you to develop code, unless they have specifically said you can license external code which doesn't allow sublicensing then you are potentially doing something wrong. If they have an "any open source, even non-free code is fine if we can legally use it" policy, which they might do for internal projects, then it's OK.

      --
      SJW n. One who posts facts.
    23. Re:Best Pratices by coastwalker · · Score: 3, Insightful

      If you treat people as enemies then expect them to treat you as an enemy. That's both game theory and free market economics in action. It's also the reason why IT systems are a pain in the arse to use and cost twice as much as they should. It's a free choice.

      --
      Facts are history now plebs have politics for religion on social media.
    24. Re:Best Pratices by khallow · · Score: 2

      >Of course I had explained the consequences if they didn't (The employee would know before being told, which is a bit rude in my opinion, not to mention if the employee wanted to create a scene before being escorted out the door they'd have time to do it.)

      Next time, maybe emphasize the damage the ex-employee can do. Say he hacks into the system using his boss's password or sets a fire in the break room.

    25. Re:Best Pratices by nanoflower · · Score: 2

      They did that at a company that I used to work at as they went through a series of layoffs. It was strange because many people didn't know what was going on. I know when I was finally laid off from that company I ended up talking to the IT guys and got my email turned back on and then about a half hour later I got called in to be told the news that I was laid off. So even all of the IT guys didn't know what was happening.

      I could have taken all of the software that we worked on with me but I can't see the point in doing that. No reputable company would take a risk on using that code, nor do I think they would want to hire an employee that they knew stole data/code from a former employer.

      What I can see happening is employees that deal in sales taking contact data with them. That's suitably murky in terms of whether it should be truly proprietary or not in the eyes of employees that I can see many justifying it. After all they still have to make the contact and make the sale for their new company.

    26. Re:Best Pratices by butalearner · · Score: 5, Interesting

      >Revenge isn't rational. When I was first laid off, I stole the department's best set of pliers. Not because they were worth much, but because they were really nice pliers and I just felt really annoyed. Me and a coworker were exactly equal in qualifications, skill and productivity, so it was fairly clear that the decision over who to fire came down to him being the one willing to go down the pub with the boss and play the occasional game of football.

      And there's the problem with this survey: you ask a bunch of people with reasonably good-paying jobs if they'd take some revenge if they got fired, in this economy, when most of them don't deserve it? But it should come as no surprise when the survey was conducted by Cyber-Ark, who sells three products:

      • Privileged Identity Management Suite
      • Privileged Session Management Suite
      • Sensitive Information Management Suite
    27. Re:Best Pratices by nurb432 · · Score: 2

      Often times it's just data to help back your claims up if something hits the fan after you were gone and you get blamed/sued. Or if you plan on suing them.

      I have personally seen data 'disappear' that was critical to supporting an ex-employee's claim of wrongdoing. Once you are gone, you have no leverage to get the truth.

      --
      ---- Booth was a patriot ----
    28. Re:Best Pratices by Reschekle · · Score: 3, Informative

      To write proper documentation, I need to have access to the systems that you propose I should be shut off from. I don't have memory of the exact syntax of commands and etc. Further, if you don't trust employees with system access why do you trust them to be in the office to not do something untoward?

    29. Re:Best Pratices by hackula · · Score: 3, Insightful

      ...and you being the one to occasionally steal pliers.

    30. Re:Best Pratices by tlhIngan · · Score: 2

      >Here's a question for you -> if you're in the Sales group for a company, and have spent years cultivating relationships with various clients. You're given a pink slip. A week later, you're working at a new company. Is it screwing over your old company if you contact those clients? What if you kept a copy of the Goldmine database from your former company?

      The answer is "it depends". It's a common scenario, actually, and the court decisions are all over the place.

      In general though, taking the database is definitely illegal, as is taking your contacts file with you when you leave. If you instead carry the information in your head when you leave, the company can't do anything about it. Basically the general guidance is if it involves taking anything (data or physical object (address book, say)), it's not allowed. But if you walk off with it (carrying nothing else) it's fair game since they can't scrub your mind.

      It also applies to corporate secrets - there's an amazing amount stored in one's head, and other than a confidentiality agreement, not much else to protect it. If you leave, what you have in your head is fair game (other than confidentiality agreements).

      A good salesperson can keep a number of their contacts in memory (it helps if they don't rely on contact lists and dial manually), and since they contact those clients a lot, they are probably the good customers as well. Just something to keep in mind.

    31. Re:Best Pratices by jmerlin · · Score: 2

      When I worked in IT, the last week of my employment was filled with me building as much documentation as possible about things I did (that weren't obvious or were one-offs that didn't merit documentation at the time) so that someone else could do those things. On the last day, I removed my own access from every account I owned and we went through every generic admin-level account and my coworkers changed those passwords (especially those used in tools I wrote), including any global admin passwords we had. It wasn't much of a "pull his plug," and in fact it was quite pleasant, even a relief. I walked away in a completely amicable fashion, even though I disliked the politics that occurred there, likely because I already had a much better job lined up.

      As to "data theft" -- I kept a copy of some of the projects/code I developed as tools while working there. For one, as a record of something I did for myself, and two as a thing to look back on later in my software engineering career and laugh at (and maybe submit to TDWTF). Nothing of importance, no data from any databases, no log files, no compromising information. Most of it is HTML/CSS/JS, some of it is basic PHP that generates HTML from templates and does some really basic LDAP stuff, and a little that connects to a MySQL db to pull down configuration or store basic data, nothing really fancy. I would never take data that would be clearly "the company's" in any proprietary fashion, or that contained information to any person's identity or any such other personal information. Both because it's wrong and because I'm quite sure it's illegal, and I'm not a complete idiot.

  2. ...and what would you do with it? by Penguinisto · · Score: 5, Insightful

    I recall distinctly during my time with a certain F50 company that they would not only refuse to buy any of the secrets, but that they would be the first to call the FBI on you for trying. The last thing they wanted or needed was to have those secrets unearthed years later, potentially costing them billions of dollars.

    Now the gray/black market? Maybe... but that's as much of a jail risk as carrying around an open box full of kiddy porn in front of a police station.

    If anything, the things I can see IT employees walking out with are software licenses, images (even hardware!) and crap like that - things they would find useful to themselves later on.

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
    1. Re:...and what would you do with it? by Billly+Gates · · Score: 2

      Hospitals or financial institutions can be a little different. You can hold the hospital hostage with HIPAA as if they did call the FBI they would have to pay millions in fines after I release the data.

      With financial institutions the Russian Mobfia will pay quite handsomely and do the dirty criminal work for you for bank account numbers, passwords, and credit card numbers.

    2. Re:...and what would you do with it? by mysidia · · Score: 2

      >If anything, the things I can see IT employees walking out with are software licenses

      I assume you mean copies of serial numbers / license keys. The actual license/right to use software still belongs to the company in that case; the employee that makes unauthorized use of a serial number to reuse software for production purposes elsewhere would just be pirating software, plain and simple, they don't actually get a license just because they misappropriated a copy of the key; they might have done that at any time for "educational purposes", but they lose their rights to the sw at the time of termination.

      The software vendor might have even encouraged that at times by issuing companies demo keys to be used for test labs and staff training purposes.

      A sysadmin may have actually needed such a copy of the software licensed to learn the product, before deploying software in the organization.

      IT staff definitely need access to software license keys to maintain, install, update software, so while they are at risk of being used improperly, there's really no fix to that.

      If there were a fix, it would be the very sort of IT staff you are trying to regulate/monitor who would have to be very diligent in the implementation of any key protection scheme.

    3. Re:...and what would you do with it? by Cow+Jones · · Score: 5, Interesting

      You're right, that's the most important question. What do you do once you've got their crown jewels? Me, I'm a self-employed contractor. Half of the time, I get called in to work on fairly large projects where nobody expects me - or even wants me - to be on location all of the time. So I work from my office or from home. And sure enough, I've got their code, their passwords, and usually (if it fits on my laptop) their database. As an external contractor, I don't get fired. My contract just ends. This occurs far more frequently than employees get fired (I hope). Do I delete all of the data after I complete phase 8 of project X, while I wait if/when they'll call me back for phase 9? No, I don't. I keep it all. The only thing I worry about is that it's stored safely (meaning full disk encryption, at the least, and disconnected encrypted drives for old projects).

      I have no idea how much all of that data would be worth to the right (wrong) people. I never really thought about it. When somebody _gives_ me their passwords and/or their data, that implies a level of trust I just couldn't violate (unless forced, but that's not what we're talking about here). I enjoy cracking passwords and finding exploits as much as the next guy, but once somebody trusts me, they're off limits.

      I don't know. In the last 15 years I've gotten along fine with each and every customer I've had. Some were more difficult than others, but there has never been a situation where I was even remotely tempted to betray them or sell them out. Might be a different story if I were working for organized crime, or some other organization whose morals I deeply object to, but as an external contractor I get to choose my customers. If I ever get sucked into something like that.. I have no idea what I'd do. I probably wouldn't pull a Bradley Manning, but who knows... Whistleblowing is one thing, blackmail is quite the opposite.

      CJ

      --

      Ah, arrogance and stupidity, all in the same package. How efficient of you. -- Londo Mollari
    4. Re:...and what would you do with it? by girlintraining · · Score: 4, Interesting

      >You're right, that's the most important question. What do you do once you've got their crown jewels?

      Even if they handed you the keys to the kingdom, don't tell them you have the keys to the kingdom. I have also been that contractor with 'god level' access to everything. And then one day it was pointed out to management that all of this nonsense about using IDS and scanners to detect whether a USB drive had been plugged in or not would really only serve to get in the way of people trying to do their job; anyone with even 3 working neurons in their brain could figure out how to get around it (as one example, printing a binary file, and then going over to the printer, plugging in an SD card, and copying it. Windows group policies don't work on printers). It was pointed out that the entire IT department had the necessary rights on the network and technical know-how to do it. So, naturally management nuked everything from orbit. They fired over 50 people in the span of a few months in a political fiat between infosecurity and the rest of IT (Little known fact: many people who work in info security have no previous background in IT. They usually can't tell a router from a switch.) So you know, security must have improved after that, eh? Well, actually it didn't; They were robbed of a significant chunk of their customers' credit card and billing data six months later because when you fire a significant chunk of your IT staff in one go, minor things like security patches tend to get put on the backburner while everyone goes into crisis mode.

      Anyway, people talk about employees walking off with confidential data, but for every person that does that, at least a hundred others got fired because management got paranoid... probably more. Usually the value of the data they're protecting is worth less than the cost of hiring and training new employees, because management got spooked about the old ones.

      --
      #fuckbeta #iamslashdot #dicemustdie
    5. Re:...and what would you do with it? by ArsenneLupin · · Score: 4, Insightful

      >when you fire a significant chunk of your IT staff in one go, minor things like security patches tend to get put on the backburner while everyone goes into crisis mode.

      That, and if you fire more than one IT guy at once, each of them now has plausible deniability...

  3. how stupid are people? by SoupGuru · · Score: 5, Interesting

    I honestly don't understand. IT people need to be trusted with very important data. Each time one of these surveys come out they demonstrate that they can't be trusted with data.

    As an IT guy, I wouldn't consider for a second walking out with data that's not mine. What the hell is wrong with the rest of you?

    --
    What doesn't kill you only delays the inevitable
    1. Re:how stupid are people? by cheater512 · · Score: 2

      I'm not sure if this includes knowledge.

      If I got fired today there is an awful lot of knowledge which is in my brain which could be damaging to the company depending who got it.

    2. Re:how stupid are people? by Jah-Wren+Ryel · · Score: 4, Interesting

      >As an IT guy, I wouldn't consider for a second walking out with data that's not mine. What the hell is wrong with the rest of you?

      The summary, at least, says it is not "IT guys" it is IT management that has ethical problems here. Not too surprising given that full-blown psychopathy is 4x more common in senior managers than in the general population. Since psychopathy is really a continuum with only the really extreme types qualifying for the label, you don't have to be a full-fledged psychopath to rationalize walking out with stolen data either.

      --
      When information is power, privacy is freedom.
    3. Re:how stupid are people? by Billly+Gates · · Score: 2

      Boy, wouldn't it be great if that problem went. Like if there is some managed solution provider out there who can do data backups, saves money, never have to see them etc.

      It smells like a cloud advertisement. Why have data hosted locally if they are going to steal it anyways ... etc.

    4. Re:how stupid are people? by Gaygirlie · · Score: 4, Insightful

      >As an IT guy, I wouldn't consider for a second walking out with data that's not mine. What the hell is wrong with the rest of you?

      I agree with you here. I would never even dream of copying sensitive data, installing backdoor access or stealing actual physical hardware, that's hideously selfish and if I knew of someone having done that I'd be the first to report that person to authorities, even if it was one of my own family members. But alas, as disgusting as I find such behaviour I also am not surprised in the least; majority of people are willing to screw over anyone and anything -- even their own morals and ethics! -- in order to gain something and even more so if the gain could be monetary. Mankind in general is not to be trusted.

    5. Re:how stupid are people? by LordLucless · · Score: 4, Informative

      >What the hell is wrong with the rest of you?

      Nothing. We wouldn't either. But our execs and senior management apparently would. Read the summary.

      --
      Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
    6. Re:how stupid are people? by Johann+Lau · · Score: 2

      Stealing passwords? Really? Sounds like an excuse someone would come up with to justify what they would do anyway.

      Especially when those who you're stealing from are insured against it, and the actual damage is done to people who have done zero to you. I'm not against revenge, but there's revenge and there's being silly. And as always, the best revenge is not having time for it because you're too busy enjoying the new opportunities that opened up for you. It sure is horrible to be mistreated and powerless; but at the same time, being able to "make them feel sorry", and not doing it, is great. So strive for that always, it sure beats being petty.

    7. Re:how stupid are people? by houstonbofh · · Score: 4, Informative

      It could never have been cached passwords in the tools at home that tried to connect when they first open the app... Nope. That never happens. When I left, I had to start my soft phone app to delete the account in it. I don't know if it still worked or not...

    8. Re:how stupid are people? by Stewie241 · · Score: 3, Interesting

      I don't work in IT but I could see myself doing that out of curiosity.

    9. Re:how stupid are people? by CAIMLAS · · Score: 2

      You need to pay attention to what's actually being said (or not being said) here. It's a study done by a fucking ID management company. It's like Symantec writing a paper on how Windows malware infections are on the rise (as their stock markets drop).

      Imagine, someone answers a question like:

      * Do you keep customer contact information on your personal phone? (This question ignores that you get to expense the use of your phone, but whatever.)

      If you answered "yes" to that, chances are you're guilty of something like "proprietary information theft", according to your company's lawyers (should you ever be fired grievously).

      How about:

      * Do you work from home?

      Bam! They've got you right there regardless. You're working from home and so you've obviously got to have company passwords (which you probably didn't turn over - they're talking about your personal account credentials). They're either written on a sticky by your desk, in a small bound book, or in your head, but it doesn't matter. You've got them.

      Financial reports? I got one of those this past winter. It said, paraphrased and then with a follow-up personal email, "we weren't profitable enough to give you your promised bonus" - even though I know it to be a patent lie. But it's still a financial report which I printed and kept.

      I'm sure there are many, many other weasel questions which would and could be asked to reach the study results they found. They're an "ID management" firm. You know what that means, right? So-called experts who come in and claim your in-house staff is doing everything wrong, push a massive bill of sale for snake oil software, and then disappear into the night. Or, at the very least, make a hefty profit. They do, after all, have a product which just happens to fix the problems they've diagnosed as existing...

      I don't buy it for one minute. IT people are, bar a few, some of the most ethical professionals. And if they're not professional, they're at least smart enough to realize that, short of working for the DoD or a similar organization. They work in one of the few fields where improper handling of what is tentatively 'petty' information (regardless of whether they can use it) can land them in prison for a very, very long time, or have them blacklisted from ever working in the field again.

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
    10. Re:how stupid are people? by lightknight · · Score: 2

      I'll save you some effort. My IP address is 127.0.0.1. Come and get me! ;-)

      --
      I am John Hurt.
  4. What, you don't have backups at home? by rrohbeck · · Score: 3, Funny

    I thought that's data protection 101.

    1. Re:What, you don't have backups at home? by Anonymous Coward · · Score: 5, Interesting

      Once upon a time I had two personal laptops I brought to work. One I had been using for a year, the other I had just purchased and had just reached the point where I was leaving the old one at home. Then one day they herded about 50 of us into a conference room. My manager tried to get me to leave my laptop at my desk, but I always took it with me to meetings, so I kept it with me. The CEO announced that our services were no longer required and that most of us would be walked directly to the exit.

      My boss steered me to her boss's office and some "security" guy who had been hired a week earlier proceeded to tell me I couldn't leave until I gave him my laptop and the password to get in. I pointed out that it was my laptop and pulled my receipt out of the bag. He said it didn't matter whose laptop it was, I had to give it to him because it might contain company data. I refused, informing him that it contains confidential personal data that the company has no right to. He then threatened to call the police if I didn't turn it over. I pulled out my cell phone and offered to call them myself. The guy actually took the phone out of my hand and shut it off.

      At this point I told him, "when I get outside, I'm driving to the police and reporting that you just assaulted me and stole my phone. If you take my laptop by force, now you're looking at assault and grand theft. I don't know how much they're paying you, and I suspect you don't either because you haven't gotten your first paycheck yet, but you really need to think about whether this is worth it." He got uncomfortable and slid my phone back across the table to me, reiterating that he couldn't let me leave with the laptop.

      "I know you've only been here for a week, but I just started using this laptop a week ago. Ask my boss. What are you going to do about the laptop I've been using for the last year that's sitting at home right now? Are you going to break into my house tonight?" He looked at my boss, who nodded, and told me I could go.

      The point is this: unless you've been enforcing strict security policies all along, trying to get stuff from the employee is like closing the barn door after the horse has bolted. And if you screw with them enough, you're just going to make things worse. To spite them for this, I took some non-confidential company documents I had, uploaded them to a file sharing site and emailed them a link to it: "Here are the files you wanted so badly. I wouldn't have bothered if you had treated me like a human being. Just something to think about the next time you fire someone." I'm sure they just about had a heart attack until they realized I hadn't uploaded anything sensitive.

  5. Simple Solution by sir-gold · · Score: 5, Insightful

    The solution to "insider theft" is simple:
    Don't hire from the bottom of the barrel just to save a buck, and you won't have to fire people.
    Treat your employees like valuable assets and not just cogs, and your people won't quit.

    1. Re:Simple Solution by LordLucless · · Score: 4, Insightful

      This article, despite the headline, isn't about "IT Employees". It's about IT executives and senior management. These are the employees that are treated like valuable assets. It's the low-paid ones which are honest - which is probably why they're still low-paid.

      --
      Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
    2. Re:Simple Solution by TranquilVoid · · Score: 3, Informative

      It's the low-paid ones which are honest

      The summary isn't quite accurate. The article states that the survey was mostly IT managers and executives, and the actual report PDF mentions that about 25% were "business/admin/technical staff" (i.e. regular workers), but there is no breakdown as to which group was less honest.

      Still, while I'd grant that managers might be more sociopathic, humans in general are quite corrupt. This sort of white-collar unethical behaviour is all too common as, unlike physical violence, it's very indirect as to the effects. This is why so many people cheat on their taxes, pirate software, take stationery etc. etc.

      The survey was also done by a company that sells data security products, for what it's worth.

  6. And how much data ACTUALLY walks out? by el_tedward · · Score: 5, Informative

    Everyone preaches about the insider threat, even though less than 4% of all incidents come from insiders.. If you count by the number of breached records, insiders make up less than 1% of all breached records (though, arguably, they may be breaching records that are more valuable)

    http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf

    1. Re:And how much data ACTUALLY walks out? by serutan · · Score: 2

      Exactly. In other news, 4 out of 5 IT people admit they'd like to be time-traveling superheroes and save the universe.

  7. Re:More outrageous termination reasons by Billly+Gates · · Score: 2

    Try telling that to the MBA's. They are obsessed over metrics and the things you talk about are hidden costs that do not show up in a nice spreadsheet. Simply wait there is Bob's resume go terminate him still screw Bob over even if he is an IT pro. His reputation is ruined and a new employer will wonder why he is not currently employed? Hmm

    These same companies also have policies that they can't hire unemployed people too.

  8. Not Even Fired by TranquilVoid · · Score: 2

    At my last job it was common practice to take a copy of the source code even if you were just leaving for greener pastures.

    I considered it myself - not for the trade secrets or to sell, but because it functioned as a programming reference guide ("How do I do that again? That's right, I did it before in library X"). In the end I took the high road and consoled myself that anything I had figured out before I could figure out again.

  9. When I fire someone... by Anonymous Coward · · Score: 5, Funny

    When I fire someone, there is a significant amount of planning that goes into it, and the whole process takes about 4 weeks.

    When I decide it's time for someone to go, I have HR stage a company-wide reaffirmation of adherence to company policy. Employees are reminded that they are not allowed to bring any company data home on thumb drives (which technically they aren't allowed to bring in from home or leave the office with anyway), personal laptops, phones, and so on. During this initiative, they are asked to bring in any thumb drives they have with company data, and make sure they erase company data from their personal devices. I instruct the IT department to assist any employee who asks for help with locating and purging company data.

    We are certain to remind them that this is to protect the company from security issues and corporate theft, reduce legal costs, and so on.

    After about a week of that, we install a keystroke logger and screenshot collector on the employee's PC, and collect all of their passwords to local resources, databases, servers, and so on. We monitor their computer activity 24/7 to make sure it will be a clean break. This is also useful for creating justification for violations of IT policy, since most employees violate it by using their company-owned computer for personal endeavors (email, non work-related web browsing, etc), which is against IT policy and subject to disciplinary action up to and including termination.

    After a week or two of monitoring, I get the ball rolling with HR and IT. I submit the necessary termination documentation to HR, and IT generates a script that instantly locks them out and changes all of their passwords so that they cannot access any company resources.

    We usually try to execute a firing when the terminated employee is in a meeting or other place where s/he will not have immediate physical access to items at their desk or lab. I usually just pop my head in the door and say "Hey XYZ, I need your help for a second." We walk back to my office, where HR is waiting with the termination paperwork, while IT removes their laptop from their desk and locks all of their drawers and cabinets.

    To communicate the firing, I actually read from a script, because the lawyers are very particular about the language and what is said. Security escorts the employee to their work area and supervises and thoroughly documents any personal effects they take with them. They are not allowed to take any memory devices with them, including those in picture frames, without first having them checked by IT for company information. Picture frames are also disassembled and other items searched as thoroughly as possible.

    Terminated employees are also searched/wanded on their way out to ensure they are not hiding things like USB keys or hard drives on their person.

    It's an arduous process, but it's my job to protect the company from thieves.

    1. Re:When I fire someone... by erp_consultant · · Score: 4, Insightful

      Jesus...why don't you just tar and feather the guy for good measure? I came close to working in a place like that one time but thankfully it didn't last long. Keyboard loggers? Screenshot collectors? Big brother anyone? I don't see how anyone can be productive under those kinds of conditions. What do you do for an encore? Slash the guy's tires before he leaves the parking lot?

    2. Re:When I fire someone... by cusco · · Score: 4, Insightful

      You, sir, are a frelling scumbag. Sorry, there's no way to sugar-coat it, you get far too much enjoyment from fucking over someone's life to be considered a decent human being. Fortunately people like you are so aggressive during the initial interview process that I don't have to worry about being stuck working with you.

      It's management attitudes like this that breed disgruntled employees that will steal company data. Treat people decently and 1) you will very rarely have to fire employees, and 2) when employees leave they aren't going to be inclined to take the customer database with them.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    3. Re:When I fire someone... by cusco · · Score: 3, Insightful

      By the way, scumbag, your admins are snooping the keylogger for the employee's password, and stealing data logged in as them. Or is that you doing that?

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    4. Re:When I fire someone... by Billly+Gates · · Score: 2

      This is every place I worked with the exception of working in an amusement park for minimum wage years ago.

      I wish I were a consultant so I could be treated as good as you, but HR and the legal department dictate these policies, to protect their asses and make it look like their jobs are important so they never get canned etc.

      Lawsuit and legal liability dictate this and if you were ever sued for wrongful termination or for having a hostile work environment that favors sexual harassment, the basic fact that you refused to take these measures shows you're guilty. Why would he try to hide it ... ?

      Another reason too why outsourcing is so still hot. Other countries do not have these liabilities and risks to do business.

    5. Re:When I fire someone... by pclminion · · Score: 2

      If you fire people often enough that you have codified a rote procedure for it, then you are a fucking shitty manager. Apparently, you don't have any skill hiring decent workers in the first place. When you brag about canning people, you're really bragging about how awful a judge of character and skill you are. HR, of course, knows these procedures by heart (it's their job function). But if you are a decent manager in any sense, the termination of an employee should be a reason for you to quite literally shed tears. At the first company I ever worked for, the founder did terminate someone once. After taking care of this unpleasant task, he pulled me outside, shaking and in tears. He explained that it was the most difficult thing he had ever done, and he nearly begged me to go out for beers with him at the end of the day so he could drown his sorrow without feeling like an alcoholic.

  10. Re:What about being a decent employers!!! by Lisias · · Score: 3, Insightful

    No matter how I hate the concept, the parent post is right.

    Once the honest employee gets screwed no matter what, there's absolutely no incentive to the other employees to be honest!

    You get what you promote!

    --
    Lisias@Earth.SolarSystem.OrionArm.MilkyWay.Local.Virgo.Universe.org
  11. Employer could always be nice by BrokenHalo · · Score: 5, Interesting

    This survey seems (admittedly without having read TFA) to be skewed by the "if fired" clause. Now, I would have thought most admins would have their privileges revoked if they were being sacked, but here's a question:

    How many of us, if on the receiving end of unjust treatment, would honestly not at least entertain the fantasy of "getting back" at that company? Be honest, now.

    Thought so.

    Since the company invests a lot of trust in its sysadmins, it should at least treat them respectfully, since trust has to work both ways.

    1. Re:Employer could always be nice by houstonbofh · · Score: 5, Interesting

      Been laid off a few times. Most of the time I stayed on and had full access for the two weeks they paid me to stay and do knowledge transfer. I guess it depends on the person...

    2. Re:Employer could always be nice by Anonymous Coward · · Score: 2, Insightful

      "How many of us, if on the receiving end of unjust treatment, would honestly not at least entertain the fantasy of "getting back" at that company? Be honest, now.

      Thought so."

      I can't really get upset with a business owner doing what he wants with his own property, even if I think it is a stupid self destructive choice in this hypothetical case of being fired or whatnot even while doing good work. Furthermore, revenge wouldn't make anything better, it would just add more misery to the mix. So no, this notion of lashing out seems absurd to me even as a simple fantasy. Perhaps my enlightened attitude would go out the window if such a thing ever did happen to me, but even then I could not imagine this being a good idea. Doing such a thing destroys the goodwill you have built up in your career and puts you in a worse position than someone who has no job experience at all. If HR is worried about bad hires coming from the untested, imagine how quickly they'd pass over a resume that returns from a background check with mention of malicious behavior.

      In isolation, these things sound scary, but for a person to actually go through with this sort of nonsense, they'd have to be pushed much closer to the edge of sanity than just being fired or having a shitty boss. I'd expect to find that in cases that this sort of thing does happen, additional variables are at work like mental instability or favorable opportunity to not get caught for example.

    3. Re:Employer could always be nice by EdIII · · Score: 4, Insightful

      It does depend on the person. I would never even remotely consider it for a second, even if I was owed money. That's what lawsuits are for.

      When you do sensitive work like working with customer databases and sysadmin work that takes you everywhere inside a company, you need to be trusted. Your actions could get around to other companies.

      As for still having access, I wouldn't know. That would require testing for it.

      I know it is tempting to get revenge, but in the end I would rather have my integrity and knowing that I was the better person and professional.

    4. Re:Employer could always be nice by Anonymous Coward · · Score: 5, Interesting

      Posting as AC for good reasons.
      A few years back, I was one of the top dogs in the IT dept of a small but VERY profitable company. I had a good reputation and I held myself to high standards as we all like to think of ourselves. But during a particularly bitter shareholder war I found myself at the crossroads. I was asked to do some very unethical tasks for one side of the belligerent parties and I refused knowing full well it could spell the end of me if that particular faction ever came on top.

      Of course in the end they did and I was sacked promptly exactly like you mentioned - just as I entered the building I was nearly cattle prodded into the HR office and given my walking papers after eight years of above reproach work. I was left high and dry and no severance package whatsoever even though it was spelled out in my hiring contract.

      Bitter and angry - yes you bet. However I had wisely created an "emergency care package" for myself in the form of various pieces of information and when I went to court, some of that information was used by my lawyer to very deadly effect.

      In the end all my good conduct and proper attitude did not save my job. Doing the right thing usually does not assure you that somehow you will not get screwed if it makes cash sense to someone. So yes, it's not nice to walk out with some info but then most employers see you as cattle, so you might as well grow some horns.

    5. Re:Employer could always be nice by Fnord666 · · Score: 4, Insightful

      Your actions will get around to other companies.

      FTFY

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    6. Re:Employer could always be nice by doston · · Score: 4, Insightful

      Your actions will get around to other companies.

      FTFY

      Not necessarily. A lot of companies are too concerned about lawsuits to say anything other than job title and start/end dates. They blacklist you at their company, of course, but there's not a lot of interest in informing other companies; just risk with no real upside, prudent policy generally shuns references.

    7. Re:Employer could always be nice by MobileTatsu-NJG · · Score: 2

      Not necessarily. A lot of companies are too concerned about lawsuits to say anything other than job title and start/end dates. They blacklist you at their company, of course, but there's not a lot of interest in informing other companies; just risk with no real upside, prudent policy generally shuns references.

      I don't know about the industry you're in but in my field there is a lot of personal networking going on. (That's why Facebook and LinkedIn actually are important to me.) If I sabotaged a workplace and any of my buddies found out about it, I would have a verrrrrrrry difficult time finding work because they'd speak up. I personally have a couple of names I know I'll speak up against over release of confidential data.

      This may not be a factor in your field, but you should consider how every year more and more people get connected to social networking. The whole "what happened at the company stays at the company" philosophy is rapidly becoming a thing of the past.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    8. Re:Employer could always be nice by Reschekle · · Score: 2

      I don't dispute or disagree that word would get around or even think it's a bad thing, but the employee may have grounds for a lawsuit if he finds out that there is some behind the scenes talking going on.

    9. Re:Employer could always be nice by Phoobarnvaz · · Score: 2

      Your actions will get around to other companies.

      Not necessarily. A lot of companies are too concerned about lawsuits to say anything other than job title and start/end dates. They blacklist you at their company, of course, but there's not a lot of interest in informing other companies; just risk with no real upside, prudent policy generally shuns references.

      If you're worried about what previous employers are saying about you to prospective employers...there are companies who will make calls like they are looking at hiring you. If any of these companies do the stupid thing...which can and will happen...you have a transcript of what they were told. Myself...after some of the scumbags I've worked for...would have been well worth the cost.

      --
      Don't worry about the world coming to an end today. It's already tomorrow in Australia. - Charles M. Schulz
    10. Re:Employer could always be nice by Phoobarnvaz · · Score: 3, Insightful

      In the end all my good conduct and proper attitude did not save my job. Doing the right thing usually does not assure you that somehow you will not get screwed if it makes cash sense to someone. So yes, it's not nice to walk out with some info but then most employers see you as cattle, so you might as well grow some horns.

      I worked at a job years ago which was going through a merger. Because of this...during the weekly meeting it was mentioned the IT department didn't want to face another $250,000 fine from the BSA that year for pirated software. Of course...all the contractors they had working were running tons of pirated software...as well as some of the employees. When I was handed my walking papers two weeks after this...my first call was to the BSA. Don't know what happened to these employees or company...but I ended up with a better paying contract job I loved three days later...even though my contract wasn't renewed six months later because of the economy.

      The funniest part was this company I was fired from didn't lock me out for several days...so I could have done some damage...but didn't. Companies don't take due diligence...they deserve whatever happens to them.

      --
      Don't worry about the world coming to an end today. It's already tomorrow in Australia. - Charles M. Schulz
    11. Re:Employer could always be nice by MobileTatsu-NJG · · Score: 3, Informative

      True, but you'd have to know that it happened. All the company has to do is say: "We're not interested at this time.", not: "We heard about what you did to the server, forget it."

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    12. Re:Employer could always be nice by hey! · · Score: 5, Informative

      As for still having access, I wouldn't know. That would require testing for it.

      I've never been fired, but I have left jobs where I had access to sensitive information. What I did was write and distribute a memo which listed everything I could think of that I needed to be locked out of, then sat down on my last day with the person who was supposed to do it and made sure it happened.

      Protection is a two-way street. Not only does it protect my former employer from me, if anything happens after I leave it makes it less likely suspicion will fall on me. Besides that revenge is a juvenile act. It feels better to do the right thing and move on than to gloat over the power you wield over the people you left behind.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    13. Re:Employer could always be nice by lightknight · · Score: 4, Interesting

      Hmm. In my case, I drop what I'm doing, and leave.

      So far as I am concerned, if I'm fired, the network / users are officially no longer my problem, as of that exact moment. I don't plot revenge; if I've been doing my job, and the firing is unjust, my absence will slowly deteriorate the network / machines into an unusable state (let the users solve their own driver installation problems, and good luck with the servers if / when the RAID goes down). If it is just, then I'm sure someone equally or more capable has / will be hired to maintain things.

      You'd be surprised what happens when things are left to their natural tendencies (it usually takes 3 months before things have gotten bad enough to warrant a phone call).

      --
      I am John Hurt.
    14. Re:Employer could always be nice by CAIMLAS · · Score: 2

      That's what I did at my previous position.

      Then, he shorts my check by the majority, apparently claiming I didn't show up for anything more than the next two days...

      As for the topic of this thread? Look. It doesn't quite work the way the sodding article wants you to think it does. They word these things for sensationalism to scare the people doing the hiring.

      privileged password lists

      Oh, you mean the one associated with my myriad systems accounts, on my personal laptop, which I was expected to use - after hours - in support of the company and/or the clients I'm to support? Yes, I walked out with that. The last time I heard, I am still entitled to at least my own personal property and not being legally obliged to divulge a non-essential account password. And in the case of system and service passwords (or keys) - yes, I or someone like me set them up. No, I don't remember them, and just because I set them up doesn't mean I've still got them.

      company databases

      You mean the client after-hours contact list I've got, or the phone numbers and email addresses of every client the company has which I or my group supports? Those 'company databases' which are on my phone for the purposes of after-hours support and notification? Or the ones in my personal address book, which were put there after I befriended the clients? Or how about the personal copy of the (technical) documentation and tools I wrote, personally (either on the clock or off), which I would like for the purposes of later reference and use?

      R&D plans and financial reports

      Believe it or not, but when you're working for an MSP, the client will ask the technicians (the people they trust), "does this look right?" when they don't trust the sales and marketing people.

      I will grant that willful theft can and does occur, and I have noticed how it is trivial to actually steal said information. What's amazing is that more people do not do so, and that this information does not go on to get used more often. It is, in my opinion, a testament to the generally high ethical nature of people in systems (vs. say, your average sales weasel).

      What's all the more amazing is that society has gotten so sick as to think it's not only reasonable but expected for a highly skilled professional to have nothing aside from what's in their head to show for their professional work. In IT, you're expected to have no contact with the clients or customers after leaving jobs; you're expected to have no trace of information indicating you worked for said company. I realize a lot of that is universal boiler plate, but from what I've noticed, it's only in IS/IT where abuse of these universal policies gets enforced.

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
    15. Re:Employer could always be nice by CAIMLAS · · Score: 4, Interesting

      However I had wisely created an "emergency care package" for myself in the form of various pieces of information and when I went to court, some of that information was used by my lawyer to very deadly effect.

      As someone who's going through something very similar now, let me ask: what was in your care package?

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
    16. Re:Employer could always be nice by kaladorn · · Score: 2

      HR people at a lot of companies move around between those companies and have HR contacts elsewhere.

      There's the official statement a company you used to work for might make ("yes, X was employed here." "what were they like as an employee?" "yes, X was employed here." "I see....") and then there's what happens when the HR people talk to each other and you don't get the job, but for other reasons than the ones that were the actual reason (that they talked to a friend and found out you are a problematic person to employ).

      Most people talk about how to deal with potentially disgruntled workers... I found the best way is to treat them reasonably (as a company). It cuts your odds of a problem a lot. You still have to be cautious and restrict access, but your odds of a nasty scenario are much lower that way. Some companies get this.

      There have been companies I worked for where I was billing overtime on the Friday night of my last day because I was still doing clean up and knowledge transfer. I've only once had the escorted out thing and that's because they were doing a mass dot-com-crash layoff and everyone had to be treated the same.

      Frankly, it's usually to the company's benefit to let me do handover, code base cleanup, project wind down, etc. and they usually understand that.

      But really, if you have a volatile guy in a top slot who is likely to screw you over, the best HR process is a parking lot accident.... just sayin'.

      --
      -- Mal: "Well they tell you: never hit a man with a closed fist. But it is, on occasion, hilarious."
    17. Re:Employer could always be nice by kaladorn · · Score: 4, Insightful

      The last sentence is the real secret.

      If an employer doesn't want me, I don't want to be there. If they want me but can't keep me due to overall economics (it happens in contracting regularly), then you just smile, thank them, and move on and you may well be back working there again later sometime.

      Revenge is not only infantile, it's often criminal. Is it really worth getting your @$$ kicked and fined or jailed? Don't think so.

      Never burn your bridges, even if the other side are unmitigated jerks. You can be the bigger man. Even if you get the short end of the stick, somebody will probably notice your conduct and recognize it for the right way to behave. Sometimes you might end up working for them 5 years down the line.

      Case in point:

      Final year of college (software engineering) in city A, I did a project with a well-known embedded POSIX-compliant OS vendor in city B. I met some of their staff.

      After completing the year, I had a bunch of interviews in city B at a different company. On arriving, I recognized one of the guys I'd be working with/for. It took us most of the time there to twig to what it was. I'd met him in City C at COMDEX working for the POSIX OS company from city B. He was now working for another company (whom I went to work for as well).

      I'd met him months before at a computer show in another city entirely and only coincidentally happened to be doing a project for the company he worked for, then we met at an interview for the company I was actually interested in working for and there he was.

      If I'd been a jerk beforehand, he'd have remembered. As it was, he remembered me favourably. The interview was good enough I got hung with a fun nickname even before I was officially hired!

      Beware the bridge you burn, it might be the one you need to advance across later.

      --
      -- Mal: "Well they tell you: never hit a man with a closed fist. But it is, on occasion, hilarious."
    18. Re:Employer could always be nice by realxmp · · Score: 2

      A transcript doesn't count as a recording for the purposes of wiretap law, otherwise you'd probably run into first amendment issues.

    19. Re:Employer could always be nice by ChipMonk · · Score: 2

      Twelve US states are all-party consent states:
      California
      Connecticut
      Florida
      Illinois
      Maryland
      Massachusetts
      Michigan
      Montana
      Nevada
      New Hampshire
      Pennsylvania
      Washington

    20. Re:Employer could always be nice by SpooForBrains · · Score: 2

      "You can be the bigger man. Even if you get the short end of the stick, somebody will probably notice your conduct and recognize it for the right way to behave. Sometimes you might end up working for them 5 years down the line."

      In addition to being good business practise, this is good advice for pretty much everything in life in my experience including but not limited to driving, relationships, friendships.

      --
      "The dew has clearly fallen with a particularly sickening thud this morning"
  12. But that assumes you don't have penny pinching nut by NotSoHeavyD3 · · Score: 2

    jobs in accounting making decisions. You know, oh Jeff makes X money but we can hire Jackie for X-Y dollars and then fire Jeff. We don't care that Jeff knows the business inside out and Jackie doesn't. We don't care it'll be a year before Jackie comes up to speed and all the evidence says he won't be as good. We'll save a couple bucks now which is good enough. (Even if it screws us in the end.)

    --
    Did you know 80 to 90% of the moderators on slashdot wouldn't recognize a troll even if one dragged them under a bridge.
  13. Rule of Thumb for Employee Theft by Anonymous Coward · · Score: 5, Insightful

    As someone who has been laid off from a job (and forced to wipe the hard drive of my personal laptop before I could leave the building), and who has had to hire and fire dozens of employees over the last 10 years, I can offer a bit of insight:

    10% of your employees would never steal from you. Ever. It wouldn't occur to them to do it.

    10% of your employees are determined to steal from you. It's why they applied for the job!

    The other 80% are swayed by circumstance and opportunity. If you treat them like crap (when they're employed or when you fire them) or make it clear that you're lax on security (often as simple as not paying attention), they're going to steal from you. Treat them well (as employees and as ex-employees... don't just toss them overboard... give them a severance package... give them a nice letter of recommendation... make some genuine effort to ease this life-altering transition and show them that you care about what happens to them after they leave) and maintain good security practices and you will drastically cut down on the number of people who steal from you.

    1. Re:Rule of Thumb for Employee Theft by Reschekle · · Score: 2

      How can you be forced to wipe your personal laptop? What if you refused? Unless the company is offering me a decent severance, they're not getting that level of cooperation out of me when I'm being shown the door.

  14. also don't use personality tests for hiring by Joe_Dragon · · Score: 2

    This is because these companies seem to be getting the opposite results from these tests that are intended. They are weeding out the good, honest, and hard working employees. The only people that can pass these things are liars, cheaters, and BSers. Is that the type of employee they really want?

  15. It's all in the wording of the question by MobyDisk · · Score: 2

    Be very careful when reading these surveys. The wording can be critical, and can mean something different than what the headline is implying. For example:

    If you were told that you were going to be fired tomorrow, what, if anything would you take with you?

    The answer would have to include things that you already have in your possession. So no malicious intent is required here! For example, 5% responded "R&D plans." That doesn't mean that they would steal R&D plans in response to being fired. It could be that they already had those plans on a flash drive on their key ring, perhaps because they gave a presentation on the topic recently. 8% responded "Privileged password list" which could mean that they keep an encrypted copy of vital passwords in case they need to remote into the servers from home. They might take the "Customer database" because they keep a copy on their laptop in case they are on call and need to contact a customer.

  16. I think a lot of people would have issues by johnny+cashed · · Score: 4, Insightful

    The problem I have with this is the hypothetical "if you were fired tomorrow" angle on the survey. Why would I be fired tomorrow? For cause? Due to downsizing? A lot of people would feel threatened if they were suddenly fired, especially if they can see their termination as unjustified. This doesn't justify their potential actions, but it really leaves out a lot. How many people, if they were fired tomorrow, would come back with a gun and start shooting people? Probably a lot less. Was that question on the survey?

  17. Re:What if...? by cusco · · Score: 2

    I actually had company backup tapes in my possession when I was let go once. Took them back a few days later, and they were so pleased that they told me to keep the 56k modem that I had used for remote access.

    --
    "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
  18. Love it! by khasim · · Score: 2

    Why have data hosted locally if you they are going to steal it anyways ... etc.

    That is awesome!

    Instead of losing a copy of your data when you fire an employee, you lose complete access to your data when you "fire" the cloud provider.

    Or when they fire you by jacking up the rates so much that your company profits go to their company.

    I love it!

  19. goals at odds by v1 · · Score: 2

    You have two competing goals, company security BY the employees, vs company security FROM the employees.

    IT are like the cops in town. In order for them to do their job you have to trust them with powers that can be abused. There is no perfect solution to this problem. The best thing you can do if you are a reasonable sized organization is to simply have the power spread out horizontally well, so the watchers can watch each other.

    In small businesses, you may have a small IT staff tree that's composed of people that do jobs that have very little overlap, and that makes their position more abusable.

    I've seen it work both ways on the way out. I've seen people get 6 weeks of advance notice, and I've personally been handed papers when I arrived in the parking lot. Paranoia varies, just as trust varies. If you're in an "at-will state" you can get the rug pulled out at any time, and many companies do this as a matter of policy. I consider it very double-standardish, that last place my manager told me he expected me to give two weeks notice if I was leaving, but when I asked how much notice he'd give me, well, that's different! IMHO, employers that think that's playing fair deserve zero day notice, and should consider that the tradeoff for having a zero-day notice for their employees.

    Considering the present economy, the value of job security has gone up, and I would certainly find a job less attractive if I knew my employer had a "meet you at the door on Monday with a box of your stuff" policy. But what if I were going to be evil? Then I'd say you need to train your HR people to hire people with better character, good references, and thorough background and job-history checks. You need to be able to trust your IT staff, because of the nature of their position, just like the city needs to be able to trust the cops it hires. If you don't hire people you don't trust, you don't have to zero-day bomb them when layoffs are required. Promote from within instead of hiring off the street into positions of trust and power. If a new hire isn't trustworthy, thank him for his time and give him his two weeks and find someone else. Don't burn people that are in a position of power.

    You think it's unfair when a semi-key staff walks on you? Try being that staff when he gets to go home and sit on the couch all day waiting for the wife to get off work, trying to figure out how to tell her he's unemployed as of now. It hits the employee a lot harder than it should hit the company. And in any reasonable sized company, no single person walking should be able to do great damage, nothing like your home income dropping 50 (or 100) percent overnight.

    I also read from time to time about karma coming back and biting employers that zero-day a key IT. And I'm not talking about the cases where Joe Fired remotes in and makes a mess etc. I mean the "this broke again, oh crap, Joe usually fixes this, what do we do now?" sort of cases. Responsible employees try to prevent this sort of dependency but companies often don't give enough time or resources to accomplish it. (time to document, hours to crosstrain, etc) So you can't just blindly go blaming the employee. And so now you're left with missing key experience, and a burned bridge. I watched that happen twice at one company. They zero-day'd a key person, only to find that he was the best go-to man for certain things, and a company mass-mail went out to NOT call that person for help. (because they had made it clear they were going to charge for every support call they received as a result of his departure) So that leaves us all fumbling around for hours at a time trying to figure things out that a 10 second phone call could have solved. Wonderful waste of resources, makes us look like bumbling idiots in front of the client, etc. "Why are you here? Where's Joe, he's always the one you send to work on our server? Really? Are you going to be able to fix this? (after a few hrs...) Can't we just call

    --
    I work for the Department of Redundancy Department.
  20. Or, by Ralph+Spoilsport · · Score: 2, Interesting

    Companies might build TRUST with their employees that they won't get fired at the drop of a hat, and Companies might develop an ecosystem of resilience with their workers, such that everyone feels responsible for the company and vice versa. How? Socialism. Democratise the work place. VOTE for your boss. You wouldn't accept totalitarian political solutions, why do you accept totalitarian economic solutions? If everyone felt like what they did mattered, and felt like their employment was a vital part of their existence (as opposed to something they do to make money) then people wouldn't dream of walking off with data when they get fired, because getting fired would be rare, and a mark of massive failure. CHANGE YOUR WORLD. For the better. It's not that hard. You just have to get off your ass and demand it.

    --
    Shoes for Industry. Shoes for the Dead.
  21. Re:Solution: by epyT-R · · Score: 4, Insightful

    This is the mentality that causes people to stick it to the holy churches of corporate psychopathy in the first place. Subject employees to hostile working environments like slaves, and they'll act like slaves when they rebel.

  22. The article title is wrong. by sconeu · · Score: 5, Insightful

    That's why you don't understand.

    The title should read: "MANAGEMENT Admits They'd Walk Out With Stolen Data If Fired"

    TFS says they surveyed managers and executives, not rank and file.

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  23. Biased Survey? by ark1 · · Score: 4, Insightful

    An ID management provider does a survey designed to promote identity management. Why should I trust them?

  24. This figure seriously boggles my mind by serutan · · Score: 4, Interesting

    In 30 years as a software dev I don't think I've known more than a couple computer geeks who might have the guts to steal data, let alone the personality to locate a buyer, negotiate a price and actually follow through on the deal. Sure we've all seen Office Space and talked trash about what we'd like to do to a company, but at the moment of truth, no way. And managers tend to be even more gutless -- something tells me the survey results were heavily skewed by false bravado.

  25. Confidential data no w, wiki kb content...probably by mmmmmb · · Score: 2

    I very much doubt I'd want or have any need for CRM data, financials etc, and on moral grounds wouldn't consider it anyway. However, when it comes to my own knowledge that I've dumped on our wiki (Linux tips and tricks, Oracle installation/configuration notes, useful SQL/scripts etc), hell yes. I've put that content there and use it quite often. If I can't put that kind of thing there without being able to take it when I leave, why should I bother putting it there at all?

  26. Offsite backup by Kim0 · · Score: 3, Insightful

    "Stealing data" is another way of saying "offsite backup".

  27. Don't burn bridges by Fencepost · · Score: 4, Insightful

    The one time I was laid off (knowing it was coming for months - closing an entire facility, plus I got extended a couple times and had turned down an offer to move to Dayton, Ohio), I was working on wrapping up a project up to the very last day. The last parts were documenting, etc. but when I walked out the door I had my personal laptop that I'd been using for some development work and testing.

    What did I do with the company information on that laptop? I zipped it all up, burned it to a CD along with an index/directory and notes on what might be of interest in case there was anything like homegrown test tools that wasn't on my main system, and mailed it to them. What did I get for all this? Thanks for being so great about everything, which kind of confused me - they'd offered to keep me on if I was willing to move and I refused, and I wasn't going to screw the people I'd been working with for years.

    If you dislike the people you work with enough to screw them when you leave, you're in the wrong place (mentally, physically, whatever) already.

    As it turned out, I ended up doing some fairly substantial hourly consulting for a different division of the same company a few years later, and I suspect that had I pouted my way out the door it wouldn't have happened. I didn't end up needing any of my old coworkers as references (jumped into freelance work with some other former employees), but I have no doubt that I'd have been able to get good references with no difficulties.

    --
    fencepost
    just a little off
  28. Another way by jandersen · · Score: 2

    There is, believe it or not, another way - it consists in treating your employees as real people, with fairness, respect, dignity and honour. The fact is, you basically get what you ask for; if your whole attitude is that your coworkers are criminals, then for the most part that is exactly what they will choose to be.

    I know this from personal experience - at one point I felt ostracised and treated with suspicion and contempt; and I wouldn't have hesitated with stripping the company of all valuables if I had got the chance. Then we got a new manager, who gave me a fair chance to prove myself - and now I wouldn't dream of betraying the trust of my workplace. Of course, the problem is finding a manager who has the integrity and the guts.

  29. If you fire them... by kikito · · Score: 2

    ... They are not "insiders" any more. You could call it "previously-insiders" threat.

  30. Developers!Developers!Developers! by TiggertheMad · · Score: 2

    And therein lies the problem. If I develop code, on my own time, that I reuse at the workplace, whose code is it?

    Yours, but only if you take proper steps to make sure that they know it is yours. I would suggest offering the code to the company to use in perpetuity for the golden license fee of $.01 if you really have some re-usable code you want to give them. They won't balk at the price, and you can whip out a simple little contract that says you own the code but they can do whatever they like with it internally. Then there is never a legal question over who created it later.

    --

    HA! I just wasted some of your bandwidth with a frivolous sig!