Employees Admit They'd Walk Out With Stolen Data If Fired

Gunkerty Jeb writes "In a recent survey of IT managers and executives, nearly half of respondents admitted that if they were fired tomorrow they would walk out with proprietary data such as privileged password lists, company databases, R&D plans and financial reports — even though they know they are not entitled to it. So, it's no surprise that 71 percent believe the insider threat is the priority security concern and poses the most significant business risk. Despite growing awareness of the need to better monitor privileged accounts, only 57 percent say they actively do so. The other 43 percent weren't sure or knew they didn't. And of those that monitored, more than half said they could get around the current controls."

Best Pratices

[Mafiasecurity]

I remember reading long time ago in security 101 best practices to remove employee's network privileges a week before they receive the notice. I also know of a big company which had ITSEC work all weekend to remove and change creds so when workers came to work Monday they found themselves now jobless.

Re:Best Pratices

[Joe_Dragon]

I told those fudge-packers I liked Michael Bolton's music.

Re:Best Pratices

[black6host]

The best practice here is to remove their access at the moment they're notified and escorted off premises if the data is that important.

That was SOP at a client I did work with. Nobody in house could handle the changes required to disable access to the systems so when someone was being fired, they let me know and I disabled access early in the morning of the day of their termination.

One time they asked me to do that for a person in a key position and I asked them repeatedly if they were going to terminate the person as soon as they walked in the door the next morning. They assured me, repeatedly, that they would be waiting at the door to take them into the owners office. Of course I had explained the consequences if they didn't (The employee would know before being told, which is a bit rude in my opinion, not to mention if the employee wanted to create a scene before being escorted out the door they'd have time to do it.)

Of course, I get a call first thing in the morning from the person being terminated: "I can't log into the system..." Idiots......

Re:Best Pratices

And that's why, in turn, employees seem to be developing a "best practice" of keeping the tools to screw over facist companies. Distrust goes both ways, here's the results of treating employees like shit, enjoy.

Re:Best Pratices

The real question is "Why?" What purpose does stealing that info have? You could "potentially" sell it to a competitor just like you could "potentially" be thrown in jail. The risk vs. reward without having a pre-existing deal to steal data for another company is not worth it. It's like quitting your job before you've even handed in a resume to another company that has no idea who you are.

here's the results of treating employees like shit, enjoy.

As opposed to the results of shitty employees trying to screw over the company? These people who would steal the data just because they're fired are EXACTLY the people that should be fired. They are the shitty employees that get what they deserve.

Re:Best Pratices

[butalearner]

Revenge isn't rational. When I was first laid off, I stole the department's best set of pliars. Not because they were worth much, but because they were really nice pliars and I just felt really annoyed. Me and a coworker were exactly equal in qualifications, skill and productivity, so it was fairly clear that the decision over who to fire came down to him being the one willing to go down the pub with the boss and play the occasional game of football.

And there's the problem with this survey: you ask a bunch of people with reasonably good-paying jobs if they'd take some revenge if they got fired, in this economy, when most of them don't deserve it? But it should come as no surprise when the survey was conducted by Cyber-Ark, who sells three products:

• Privileged Identity Management Suite
• Privileged Session Management Suite
• Sensitive Information Management Suite

...and what would you do with it?

[Penguinisto]

I recall distinctly during my time with a certain F50 company that they would not only refuse to buy any of the secrets, but that they would be the first to call the FBI on you for trying. The last thing they wanted or needed was to have those secrets unearthed years later, potentially costing them billions of dollars.

Now the gray/black market? Maybe... but that's as much of a jail risk as carrying around an open box full of kiddy porn in front of a police station.

If anything, the things I can see IT employees walking out with are software licenses, images (even hardware!) and crap like that - things they would find useful to themselves later on.

Re:...and what would you do with it?

[Cow+Jones]

You're right, that's the most important question. What do you do once you've got their crown jewels? Me, I'm a self-employed contractor. Half of the time, I get called in to work on fairly large projects where nobody expects me - or even wants me - to be on location all of the time. So I work from my office or from home. And sure enough, I've got their code, their passwords, and usually (if it fits on my laptop) their database. As an external contractor, I don't get fired. My contract just ends. This occurs far more frequently than employees get fired (I hope). Do I delete all of the data after I complete phase 8 of project X, while I wait if/when they'll call me back for phase 9? No, I don't. I keep it all. The only thing I worry about is that it's stored safely (meaning full disk encryption, at the least, and disconnected encrypted drives for old projects).

I have no idea how much all of that data would be worth to the right (wrong) people. I never really thought about it. When somebody _gives_ me their passwords and/or their data, that implies a level of trust I just couldn't violate (unless forced, but that's not what we're talking about here). I enjoy cracking passwords and finding exploits as much as the next guy, but once somebody trusts me, they're off limits.

I don't know. In the last 15 years I've gotten along fine with each and every customer I've had. Some were more difficult than others, but there has never been a situation where I was even remotely tempted to betray them or sell them out. Might be a different story if I were working for organized crime, or some other organization whose morals I deeply object to, but as an external contractor I get to choose my customers. If I ever get sucked into something like that.. I have no idea what I'd do. I probably wouldn't pull a Bradley Manning, but who knows... Whistleblowing is one thing, blackmail is quite the opposite.

CJ

how stupid are people?

[SoupGuru]

I honestly don't understand. IT people need to be trusted with very important data. Each time one of these surveys come out they demonstrate that they can't be trusted with data.

As an IT guy, I wouldn't consider for a second walking out with data that's not mine. What the hell is wrong with the rest of you?

Simple Solution

[sir-gold]

The solution to "insider theft" is simple:
Don't hire from the bottom of the barrel just to save a buck, and you won't have to fire people.
Treat your employees like valuable assets and not just cogs, and your people won't quit.

And how much data ACTUALLY walks out?

[el_tedward]

Everyone preaches about the insider threat, even though less than 4% of all incidents come from insiders.. If you count by the number of breached records, insiders make up less than 1% of all breached records (though, arguably, they may be breaching records that are more valuable)

http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf

When I fire someone...

When I fire someone, there is a significant amount of planning that goes into it, and the whole process takes about 4 weeks.

When I decide it's time for someone to go, I have HR stage a company-wide reaffirmation of adherence to company policy. Employees are reminded that they are not allowed to bring any company data home on thumb drives (which technically they aren't allowed to bring in from home or leave the office with anyway), personal laptops, phones, and so on. During this initiative, they are asked to bring in any thumb drives they have with company data, and make sure they erase company date from their personal devices. I instruct the IT department to assist any employee who asks for help with locating and purging company data.

We are certain to remind them that this is to protect the company from security issues and corporate theft, reduce legal costs, and so on.

After about a week of that, we install a keystroke logger and screenshot collector on the employees PC, and collect all of their passwords to local resources, databases, servers, and so on. We monitor their computer activity 24/7 to make sure it will be a clean break. This is also useful for creating justification for violations of IT policy, since most employees violate it by using their company-owned computer for personal endeavors (email, non work-related web browsing, etc), which is against IT policy and subject to disciplinary action up to and including termination.

After a week or two of monitoring, I get the ball rolling with HR and IT. I submit the necessary termination documentation to HR, and IT generates a script that instantly locks them out and changes all of their passwords so that they cannot access any company resources.

We usually try to execute a firing when the terminated employee is in a meeting or other place where s/he will not have immediate physical access to items at their desk or lab. I usually just pop my head in the door and say "Hey XYZ, I need your help for a second." We walk back to my office, where HR is waiting with the termination paperwork, while IT removes their laptop from their desk and locks all of their drawers and cabinets.

To communicate the firing, I actually read from a script, because the lawyers are very particular about the language and what is said. Security escorts the employee to their work area and supervises and thoroughly documents any personal effects they take with them. They are not allowed to take any memory devices with them, including those in picture frames, without first having them checked by IT for company information. Picture frames are also disassembled and other items searched as thoroughly as possible.

Terminated employees are also searched/wanded on their way out to ensure they are not hiding things like USB keys or hard drives on their person.

It's an arduous process, but it's my job to protect the company from thieves.

Employer could always be nice

[BrokenHalo]

This survey seems (admittedly without having read TFA) to be skewed by the "if fired" clause. Now, I would have thought most admins would have their privileges revoked if they were being sacked, but here's a question:

How many of us, if on the receiving end of unjust treatment, would honestly not at least entertain the fantasy of "getting back" at that company? Be honest, now.

Thought so.

Since the company invests a lot of trust in its sysadmins, it should at least treat them respectfully, since trust has to work both ways.

Re:Employer could always be nice

[houstonbofh]

Been laid off a few times. Most of the time I stayed on and had full access for the two weeks they paid me to stay and do knowledge transfer. I guess it depends on the person...

Re:Employer could always be nice

Posting as AC for good reasons.
A few years backs, I was one of the top dogs in the IT dept of a small but VERY profitable company. I had a good reputation and I held myself to high standards as we all like to think of ourselves. But during a particularly bitter shareholder war I found myself a the crossroads. I was asked to do some very unethical tasks for one side of the belligerent parties and I refused knowing full well it could spell the end of me if that particular faction ever came on top.

Of course in the end they did and I was sacked promptly exactly like you mentionned -just as I entered the building I was nearly cattle prodded into the HR office and given my walking papers after eight years of above reproach work. I was left high and dry and no severance package whatsoever even though it was spelled out in my hiring contract.

Bitter and angry- yes you bet. However I had wisely created a "emergercy care package" for myself in the form of various pieces of informations and when I went to court, some of that information was used by my lawyer to very deadly effect.

In the end all my good conduct and proper attitude did not save my job. Doing the right thing usually does not assures you that somehow you will get not get screwed if it makes cash sense to someone. So yes, its not nice to walk out with some info but then most employers see you as cattle, so you might as well grow some horns.

Re:Employer could always be nice

[hey!]

As for still having access, I wouldn't know. That would require testing for it.

I've never been fired, but I have left jobs where I had access to sensitive information. What I did was write an distribute memo which listed everything I could think of that I needed to be locked out of, then sat down on my last day with the person who was supposed to do it and made sure it happened.

Protection is a two-way street. Not only does it protect my former employer from me, if anything happens after I leave it makes it less likely suspicion will fall on me. Besides that revenge is a juvenile act. It feels better to do the right thing and move on than to gloat over the power you wield over the people you left behind.

Rule of Thumb for Employee Theft

As someone who has been laid off from a job (and forced to wipe the hard drive of my personal laptop before I could leave the building), and who has had to hire and fire dozens of employees over the last 10 years, I can offer a bit of insight:

10% of your employees would never steal from you. Ever. It wouldn't occur to them to do it.

10% of your employees are determined to steal from you. It's why they applied for the job!

The other 80% are swayed by circumstance and opportunity. If you treat them like crap (when they're employed or when you fire them) or make it clear that you're lax on security (often as simple as not paying attention), they're going to steal from you. Treat them well (as employees and as ex-employees... don't just toss them overboard... give them a severance package... give them a nice letter of recommendation... make some genuine effort to ease this life-altering transition and show them that you care about what happens to them after they leave) and maintain good security practices and you will drastically cut down on the number of people who steal from you.

Re:What, you don't have backups at home?

Once upon a time I had two personal laptops I brought to work. One I had been using for a year, the other I had just purchased and had just reached the point where I was leaving the old one at home. Then one day they herded about 50 of us into a conference room. My manager tried to get me to leave my laptop at my desk, but I always took it with me to meetings, so I kept it with me. The CEO announced that our services were no longer required and that most of us would be walked directly to the exit.

My boss steered me to her boss's office and some "security" guy who had been hired a week earlier proceeded to tell me I couldn't leave until I gave him my laptop and the password to get in. I pointed out that it was my laptop and pulled my receipt out of the bag. He said it didn't matter whose laptop it was, I had to give it to him because it might contain company data. I refused, informing him that it contains confidential personal data that the company has no right to. He then threatened to call the police if I didn't turn it over. I pulled out my cell phone and offered to call them myself. The guy actually took the phone out of my hand and shut it off.

At this point I told him, "when I get outside, I'm driving to the police and reporting that you just assaulted me and stole my phone. If you take my laptop by force, now you're looking at assault and grand theft. I don't know how much they're paying you, and I suspect you don't either because you haven't gotten your first paycheck yet, but you really need to think about whether this is worth it." He got uncomfortable and slid my phone back across the table to me, reiterating that he couldn't let me leave with the laptop.

"I know you've only been here for a week, but I just started using this laptop a week ago. Ask my boss. What are you going to do about the laptop I've been using for the last year that's sitting at home right now? Are you going to break into my house tonight?" He looked at my boss, who nodded, and told me I could go.

The point is this: unless you've been enforcing strict security policies all along, trying to get stuff from the employee is like closing the barn door after the horse has bolted. And if you screw with them enough, you're just going to make things worse. To spite them for this, I took some non-confidential company documents I had, uploaded them to a file sharing site and emailed them a link to it: "Here are the files you wanted so badly. I wouldn't have bothered if you had treated me like a human being. Just something to think about the next time you fire someone." I'm sure they just about had a heart attack until they realized I hadn't uploaded anything sensitive.

The article title is wrong.

[sconeu]

That's why you don't understand.

The title should read: " MANAGEMENT Admits They'd Walk Out With Stolen Data If Fired"

TFS says they surveyed managers and executives, not rank and file.