Forgot your password?
typodupeerror
Businesses Security IT

Employees Admit They'd Walk Out With Stolen Data If Fired 380

Posted by samzenpus
from the take-this-data-and-shove-it dept.
Gunkerty Jeb writes "In a recent survey of IT managers and executives, nearly half of respondents admitted that if they were fired tomorrow they would walk out with proprietary data such as privileged password lists, company databases, R&D plans and financial reports — even though they know they are not entitled to it. So, it's no surprise that 71 percent believe the insider threat is the priority security concern and poses the most significant business risk. Despite growing awareness of the need to better monitor privileged accounts, only 57 percent say they actively do so. The other 43 percent weren't sure or knew they didn't. And of those that monitored, more than half said they could get around the current controls."
This discussion has been archived. No new comments can be posted.

Employees Admit They'd Walk Out With Stolen Data If Fired

Comments Filter:
  • Best Pratices (Score:5, Interesting)

    by Mafiasecurity (2561885) on Wednesday June 13, 2012 @08:15PM (#40316885) Homepage
    I remember reading long time ago in security 101 best practices to remove employee's network privileges a week before they receive the notice. I also know of a big company which had ITSEC work all weekend to remove and change creds so when workers came to work Monday they found themselves now jobless.
    • Re:Best Pratices (Score:4, Insightful)

      by Anonymous Coward on Wednesday June 13, 2012 @08:17PM (#40316925)

      I'm not sure that's really a best practice. Rather than dealing with the risk of data theft, you end up with the risk of them shooting up the building or engaging in non-network sabotage while they still have their access cards.

      The best practice here is to remove their access at the moment they're notified and escorted off premises if the data is that important.

      • Re:Best Pratices (Score:5, Interesting)

        by black6host (469985) on Wednesday June 13, 2012 @09:33PM (#40317701)

        The best practice here is to remove their access at the moment they're notified and escorted off premises if the data is that important.

        That was SOP at a client I did work with. Nobody in house could handle the changes required to disable access to the systems so when someone was being fired, they let me know and I disabled access early in the morning of the day of their termination.

        One time they asked me to do that for a person in a key position and I asked them repeatedly if they were going to terminate the person as soon as they walked in the door the next morning. They assured me, repeatedly, that they would be waiting at the door to take them into the owners office. Of course I had explained the consequences if they didn't (The employee would know before being told, which is a bit rude in my opinion, not to mention if the employee wanted to create a scene before being escorted out the door they'd have time to do it.)

        Of course, I get a call first thing in the morning from the person being terminated: "I can't log into the system..." Idiots......

        • Re: (Score:3, Insightful)

          by Anonymous Coward

          >Of course, I get a call first thing in the morning from the person being terminated: "I can't log into the system..." Idiots......

          No, they are not idiots. They just left the job of explaining the situation to you.

          You are the idiot for not realizing this.

        • by khallow (566160)

          Of course I had explained the consequences if they didn't (The employee would know before being told, which is a bit rude in my opinion, not to mention if the employee wanted to create a scene before being escorted out the door they'd have time to do it.)

          Next time, maybe emphasize the damage the ex-employee can do. Say he hacks into the system using his boss's password or sets a fire in the break room.

        • They did that at a company that I used to work at as they went through a series of layoffs. It was strange because many people didn't know what was going on. I know when I was finally laid off from that company I ended up talking to the IT guys and got my email turned back on and then about a half hour later I got called in to be told the news that I was laid off. So even the all of the IT guys didn't know what was happening.

          I could have taken all of the software that we worked on with me but I can't see t

        • by jmerlin (1010641)
          When I worked in IT, the last week of my employment was filled with me building as much documentation as possible about things I did (that weren't obvious or were one-offs that didn't merit documentation at the time) so that someone else could do those things. On the last day, I removed my own access from every account I owned and we went through every generic admin-level account and my coworkers changed those passwords (especially those used in tools I wrote), including any global admin passwords we had.
      • Re:Best Pratices (Score:5, Insightful)

        by Anonymous Coward on Wednesday June 13, 2012 @09:49PM (#40317825)
        And that's why, in turn, employees seem to be developing a "best practice" of keeping the tools to screw over facist companies. Distrust goes both ways, here's the results of treating employees like shit, enjoy.
        • Re:Best Pratices (Score:5, Insightful)

          by Anonymous Coward on Wednesday June 13, 2012 @10:32PM (#40318119)

          The real question is "Why?" What purpose does stealing that info have? You could "potentially" sell it to a competitor just like you could "potentially" be thrown in jail. The risk vs. reward without having a pre-existing deal to steal data for another company is not worth it. It's like quitting your job before you've even handed in a resume to another company that has no idea who you are.

          here's the results of treating employees like shit, enjoy.

          As opposed to the results of shitty employees trying to screw over the company? These people who would steal the data just because they're fired are EXACTLY the people that should be fired. They are the shitty employees that get what they deserve.

          • Re:Best Pratices (Score:4, Insightful)

            by lightknight (213164) on Thursday June 14, 2012 @02:59AM (#40319763) Homepage

            Here's a question for you -> if you're in the Sales group for a company, and have spent years cultivating relationships with various clients. You're given a pink slip. A week later, you're working at a new company. Is it screwing over your old company if you contact those clients? What if you kept a copy of the Goldmine database from your former company?

            And there in lies the problem. If I develop code, on my own time, that I reuse at the workplace, whose code is it? If I work for a new company, and the old company brings charges against me for the code I developed on my own time, with my own equipment, who wins? See, these kinds of polls are...inexact, to say the least. If someone has a pet interest in tarring IT, and drumming up a 'need' for security services to watch IT, for instance, could a poll, with vague phrasing, not confirm the need for said services if read one way, instead of another?

               

            • Re:Best Pratices (Score:5, Informative)

              by Neil_Brown (1568845) on Thursday June 14, 2012 @03:29AM (#40319885) Homepage

              If I develop code, on my own time, that I reuse at the workplace, whose code is it?

              Just my thoughts but, if your contact is not clear, I'd suggest getting this agreed in writing before you use it, particularly if, despite being developed on your own time, it was developed to solve a particular problem at that company. At the very least, make sure it has a licence attached, and use it in compliance with the licensing requirements, as if the company was any other third party recipient of the code — I'd aim to separate your two roles as (a) copyright owner and licensor of the code, and (b) employee of a company making use of third party code — if this means internal policy compliance of getting the licence checked out, the code use validated etc., then put the code through it..

              (I'm not a developer, although this is a question I've been asked several times by developers, but I work for my employer four days and week, and spend my fifth day pursuing my own academic interests. There's a clear cross-over, since I'm fortunate to be paid to do something which interests me, and so, in reusing work I've done in my academic life, I try to be as clear as possible what is created in the course of my employment, and what is not... Any other thoughts / suggestions would be very interesting to me!)

              • Re:Best Pratices (Score:5, Informative)

                by YttriumOxide (837412) <yttriumox.gmail@com> on Thursday June 14, 2012 @04:36AM (#40320135) Homepage Journal

                As a developer, I was very sure to get very clear rules for this in my employment contract.

                Any code that I develop in my own time belongs to me. If I choose to use that code in a project at work, the company is given a royalty-free and warranty-free licence to use that code as they see fit. They may not however sub-license it, claim it as their own, or prevent me from using it in any way. All such code must be specifically marked as such, or it is assumed I created it on company time.

                My contract does however also specify that I can not compete with my employer while working here, and as such most of the code I do in private has little re-use value at work and vice-versa.

                Also, I've been with the same company for 10 years and will likely stay here for the rest of my working life, so I don't actually spend too much time thinking about it - it's just a safety precaution in case something does happen.

                • Any code that I develop in my own time belongs to me.

                  Fair enough. Anything else is just getting you screwed.

                  If I choose to use that code in a project at work, the company is given a royalty-free and warranty-free licence to use that code as they see fit.

                  Sounds reasonable until this...

                  They may not however sub-license it,

                  Unless you go through proper channels to license the code to the company, then you're inviting trouble. Unless the company is happy for you to pull in external code which prevents sub-lice

            • And there in lies the problem. If I develop code, on my own time, that I reuse at the workplace, whose code is it?

              Yours, but only if you take proper steps to make sure that they know it is yours. I would suggest offering the code to the company to use in perpetuity for the golden license fee of $.01 if you really have some re-usable code you want to give them. They won't balk at the price, and you can whip out a simple little contract that says you own the code but they can do whatever they like with it
            • by tlhIngan (30335)

              Here's a question for you -> if you're in the Sales group for a company, and have spent years cultivating relationships with various clients. You're given a pink slip. A week later, you're working at a new company. Is it screwing over your old company if you contact those clients? What if you kept a copy of the Goldmine database from your former company?

              The answer is "it depends". It's a common scenario, actually, and the court decisions are all over the place.

              In general though, taking the database is de

          • Revenge isn't rational. When I was first laid off, I stole the department's best set of pliars. Not because they were worth much, but because they were really nice pliars and I just felt really annoyed. Me and a coworker were exactly equal in qualifications, skill and productivity, so it was fairly clear that the decision over who to fire came down to him being the one willing to go down the pub with the boss and play the occasional game of football.
            • Re:Best Pratices (Score:5, Interesting)

              by butalearner (1235200) on Thursday June 14, 2012 @09:16AM (#40321579)

              Revenge isn't rational. When I was first laid off, I stole the department's best set of pliars. Not because they were worth much, but because they were really nice pliars and I just felt really annoyed. Me and a coworker were exactly equal in qualifications, skill and productivity, so it was fairly clear that the decision over who to fire came down to him being the one willing to go down the pub with the boss and play the occasional game of football.

              And there's the problem with this survey: you ask a bunch of people with reasonably good-paying jobs if they'd take some revenge if they got fired, in this economy, when most of them don't deserve it? But it should come as no surprise when the survey was conducted by Cyber-Ark, who sells three products:

              • Privileged Identity Management Suite
              • Privileged Session Management Suite
              • Sensitive Information Management Suite
            • Re:Best Pratices (Score:4, Insightful)

              by hackula (2596247) on Thursday June 14, 2012 @10:04AM (#40322091)
              ...and you being the one to occasionally steal pliers.
          • by nospam007 (722110) *

            "You could "potentially" sell it to a competitor ..."

            Sell? This is revenge business, there's not much money to earn there, you have to get a job with Vizzini to pay the bills.

          • by nurb432 (527695)

            Often times its just data to help back your claims up if something hits the fan after you were gone and you get blamed/sued. Or if you plan on suing them.

            I have personally seen data 'disappear' that was critical to supporting an ex-employees claim of wrong doing. Once you are gone, you have no leverage to get the truth.

        • Re:Best Pratices (Score:4, Insightful)

          by coastwalker (307620) <acoastwalker@NOspAm.hotmail.com> on Thursday June 14, 2012 @07:50AM (#40320943) Homepage

          If you treat people as enemies then expect them to treat you as an enemy. Thats both game theory and free market economics in action. Its also the reason why IT systems are a pain in the arse to use and cost twice as much as they should. Its a free choice.

      • by ArsenneLupin (766289) on Thursday June 14, 2012 @04:54AM (#40320191)

        engaging in non-network sabotage

        such as hiding shrimps or French cheese in false ceilings or raised floors...

      • Re:Best Pratices (Score:5, Interesting)

        by characterZer0 (138196) on Thursday June 14, 2012 @07:11AM (#40320815)

        Unless you are firing your employee for doing something horrible, best pratice when terminating white collar employees who have been trusted with access is to cut off access Friday evening, give notice Monday morning, and pay them for another 2-4 weeks at full salary to work half time writing documentation (and be free to spend the rest of their time looking for another job or golfing). The company avoids sabatoge and burning bridges, gets documetnation, and has remaning employees who know they will be treated respectfully.

        • Re: (Score:3, Informative)

          by Reschekle (2661565)
          To write proper documentation, I need to have access to the systems that you propose I should be shut off from. I don't have memory of the exact syntax of commands and etc. Further, if you don't trust employees with system access why do you trust them to be in the office to not do something untoward?
    • Re:Best Pratices (Score:5, Insightful)

      by Penguinisto (415985) on Wednesday June 13, 2012 @08:19PM (#40316949) Journal

      It would depend on the employee, I suspect. As a sr. sysadmin, if my access was cut off, I'd know immediately what was up (since I'd need it for my job), and if I were unscrupulous, I'd have alternate backdoor accounts and backups already in place to suck out all the data that I really wanted. *shrug*.

      • by BrokenHalo (565198) on Wednesday June 13, 2012 @08:47PM (#40317263)
        This survey seems (admittedly without having read TFA) to be skewed by the "if fired" clause. Now, I would have thought most admins would have their privileges revoked if they were being sacked, but here's a question:

        How many of us, if on the receiving end of unjust treatment, would honestly not at least entertain the fantasy of "getting back" at that company? Be honest, now.

        Thought so.

        Since the company invests a lot of trust in its sysadmins, it should at least treat them respectfully, since trust has to work both ways.
        • by houstonbofh (602064) on Wednesday June 13, 2012 @09:06PM (#40317455)
          Been laid off a few times. Most of the time I stayed on and had full access for the two weeks they paid me to stay and do knowledge transfer. I guess it depends on the person...
          • by EdIII (1114411) on Wednesday June 13, 2012 @10:21PM (#40318023)

            It does depend on the person. I would never even remotely consider it for a second, even if I was owed money. That's what lawsuits are for.

            When you do sensitive work like working with customer databases and sysadmin work that takes you everywhere inside a company, you need to be trusted. Your actions could get around to other companies.

            As for still having access, I wouldn't know. That would require testing for it.

            I know it is tempting to get revenge, but in the end I would rather have my integrity and knowing that I was the better person and professional.

            • by Fnord666 (889225) on Wednesday June 13, 2012 @10:46PM (#40318255) Journal

              Your actions will get around to other companies.

              FTFY

              • by doston (2372830) on Wednesday June 13, 2012 @11:02PM (#40318375)

                Your actions will get around to other companies.

                FTFY

                Not necessarily. A lot of companies are too concerned about lawsuits to say anything other than job title and start/end dates. They blacklist you at their company, of course, but there's not a lot of interest in informing other companies; just risk with no real upside, prudent policy generally shun references.

                • Not necessarily. A lot of companies are too concerned about lawsuits to say anything other than job title and start/end dates. They blacklist you at their company, of course, but there's not a lot of interest in informing other companies; just risk with no real upside, prudent policy generally shun references.

                  I don't know about the industry you're in but in my field there is a lot of personal networking going on. (That's why Facebook and LinkedIn actually are important to me.) If I sabotaged a workplace and any of my buddies found out about it, I would have a verrrrrrrry difficult time finding work because they'd speak up. I personally have a couple of names I know I'll speak up against over release of confidential data.

                  This may not be a factor in your field, but you should consider how every year more and mor

                • Your actions will get around to other companies.

                  Not necessarily. A lot of companies are too concerned about lawsuits to say anything other than job title and start/end dates. They blacklist you at their company, of course, but there's not a lot of interest in informing other companies; just risk with no real upside, prudent policy generally shun references.

                  If you're worried about what previous employers are saying about you to prospective employers...there are companies who will make calls like they are looking at hiring you. If any of these companies do the stupid thing...which can and will happen...you have a transcript of what they were told. Myself...after some of the scumbags I've worked for...would have been well worth the cost.

                • by kaladorn (514293)
                  HR people at a lot of companies move around between those companies and have HR contacts elsewhere.

                  There's the official statement a company you used to work for might make ("yes, X was employed here." "what were they like as an employee?" "yes, X was employed here." "I see....") and then there's what happens when the HR people talk to each other and you don't get the job, but for other reasons than the ones that were the actual reason (that they talked to a friend and found out you are a problematic person
            • by hey! (33014) on Thursday June 14, 2012 @02:06AM (#40319547) Homepage Journal

              As for still having access, I wouldn't know. That would require testing for it.

              I've never been fired, but I have left jobs where I had access to sensitive information. What I did was write an distribute memo which listed everything I could think of that I needed to be locked out of, then sat down on my last day with the person who was supposed to do it and made sure it happened.

              Protection is a two-way street. Not only does it protect my former employer from me, if anything happens after I leave it makes it less likely suspicion will fall on me. Besides that revenge is a juvenile act. It feels better to do the right thing and move on than to gloat over the power you wield over the people you left behind.

              • by kaladorn (514293) on Thursday June 14, 2012 @04:16AM (#40320065) Homepage Journal
                The last sentence is the real secret.

                If an employer doesn't want me, I don't want to be there. If they want me but can't keep me due to overall economics (it happens in contracting regularly), then you just smile, thank them, and move on and you may well be back working there again later sometime.

                Revenge is not only infantile, its often criminal. Is it really worth getting your @$$ kicked and fined or jailed? Don't think so.

                Never burn your bridges, even if the other side are unmitigated jerks. You can be the bigger man. Even if you get the short end of the stick, somebody will probably notice your conduct and recognize it for the right way to behave. Sometimes you might end up working for them 5 years down the line.

                Case in point:

                Final year of college (software engineering) in city A, I did a project with well known embedded POSIX compliant OS vendor in city B. I met some of their staff.

                After completing the year, I had a bunch of interviews in city B at a different company. On arriving, I recognized one of the guys I'd be working with/for. It took us most of the time there to twig to what it was. I'd met him in City C at COMDEX working for the POSIX OS company from city B. He was now working for another company (whom I went to work for as well).

                I'd met him months before at a computer show in another city entirely and only coincidentally happened to be doing a project for the company he worked for, then we met at an interview for the company I was actually interested in working for and there he was.

                If I'd been a jerk beforehand, he'd have remembered. As it was, he remembered me favourably. The interview was good enough I got hung with a fun nickname even before I was officially hired!

                Beware the bridge you burn, it might be the one you need to advance across later.
                • "You can be the bigger man. Even if you get the short end of the stick, somebody will probably notice your conduct and recognize it for the right way to behave. Sometimes you might end up working for them 5 years down the line."

                  In addition to being good business practise, this is good advice for pretty much everything in life in my experience including but not limited to driving, relationships, friendships.
          • by Anonymous Coward on Wednesday June 13, 2012 @10:27PM (#40318073)

            Posting as AC for good reasons.
            A few years backs, I was one of the top dogs in the IT dept of a small but VERY profitable company. I had a good reputation and I held myself to high standards as we all like to think of ourselves. But during a particularly bitter shareholder war I found myself a the crossroads. I was asked to do some very unethical tasks for one side of the belligerent parties and I refused knowing full well it could spell the end of me if that particular faction ever came on top.

            Of course in the end they did and I was sacked promptly exactly like you mentionned -just as I entered the building I was nearly cattle prodded into the HR office and given my walking papers after eight years of above reproach work. I was left high and dry and no severance package whatsoever even though it was spelled out in my hiring contract.

            Bitter and angry- yes you bet. However I had wisely created a "emergercy care package" for myself in the form of various pieces of informations and when I went to court, some of that information was used by my lawyer to very deadly effect.

            In the end all my good conduct and proper attitude did not save my job. Doing the right thing usually does not assures you that somehow you will get not get screwed if it makes cash sense to someone. So yes, its not nice to walk out with some info but then most employers see you as cattle, so you might as well grow some horns.

            • by Phoobarnvaz (1030274) on Thursday June 14, 2012 @12:55AM (#40319199)

              In the end all my good conduct and proper attitude did not save my job. Doing the right thing usually does not assures you that somehow you will get not get screwed if it makes cash sense to someone. So yes, its not nice to walk out with some info but then most employers see you as cattle, so you might as well grow some horns.

              I worked at a job years ago which was going through a merger. Because of this...during the weekly meeting it was mentioned the IT department didn't want to face another $250,000 fine from the BSA that year for pirated software. Of course...all the contractors they had working were running tons of pirated software...as well as some of the employees. When I was handed my walking papers two weeks after this...my first call was to the BSA. Don't know what happened to these employees or company...but I ended up with a better paying contract job I loved three days later...even though my contract wasn't renewed six months later because of the economy.

              The funniest part was this company I was fired from didn't lock me out for several days...so I could have done some damage...but didn't. Companies don't take due diligence...they deserve whatever happens to them.

            • by CAIMLAS (41445) on Thursday June 14, 2012 @03:10AM (#40319803) Homepage

              However I had wisely created a "emergercy care package" for myself in the form of various pieces of informations and when I went to court, some of that information was used by my lawyer to very deadly effect.

              As someone who's going through something very similar now, let me ask: what was in your care package?

          • by lightknight (213164) on Thursday June 14, 2012 @03:06AM (#40319789) Homepage

            Hmm. In my case, I drop what I'm doing, and leave.

            So far as I cam concerned, if I'm fired, the network / users are officially no longer my problem, as of that exact moment. I don't plot revenge; if I've been doing my job, and the firing is unjust, my absence will slowly deteriorate the network / machines into an unusable state (let the users solve their own driver installation problems, and good luck with the servers if / when the RAID goes down). If it is just, then I'm sure someone equally or more capable has / will be hired to maintain things.

            You'd be surprised what happens when things are left to their natural tendencies (it usually takes 3 months before things have gotten bad enough to warrant a phone call).

          • by CAIMLAS (41445)

            That's what I did at my previous position.

            Then, he shorts my check by the majority, apparently claiming I didn't show up for anything more than the next two days...

            As for the topic of this thread? Look. It doesn't quite work the way the sodding article wants you to think it does. They word these things for sensationalism to scare the people doing the hiring.

            privileged password lists

            Oh, you mean the one associated with my myriad systems accounts, on my personal laptop, which I was expected to use - after hours - in support of the co

      • Re:Best Pratices (Score:4, Insightful)

        by Austerity Empowers (669817) on Wednesday June 13, 2012 @10:32PM (#40318123)

        In reality, you always have a clue that your job is in jeopardy, and you're hoarding whatever information you want to take ahead of time. Some people I know do this as a practice regardless of their job security. They have what they consider their "IP" (regardless of how their employment contract defined IP sharing/ownership), and constantly back it up. I'm not sure you can really stop them unless you want to go to the paranoid level of some banks, and remove all USB ports, seal away the hard drive and disconnect them from the internet...all the time.

        In reality I think there is somewhat less danger of an employee walking away with vast company secrets for personal profit, most of the time its stuff they simply worked on, which they have some sort of emotional investment in. Spending a single cent trying to stop this is both fruitless and a poor use of money that could otherwise be invested in the company for more profit.

    • by Joe_Dragon (2206452) on Wednesday June 13, 2012 @08:44PM (#40317217)

      I told those fudge-packers I liked Michael Bolton's music.

    • Re:Best Pratices (Score:5, Insightful)

      by epyT-R (613989) on Wednesday June 13, 2012 @08:59PM (#40317389)

      This is the kind of treatment that makes workers angry enough to do the things your 'big company' doesn't want happening in the first place.

    • Re:Best Pratices (Score:5, Informative)

      by siddesu (698447) on Wednesday June 13, 2012 @09:43PM (#40317775)

      This is not a "best practice", as it is completely worthless.

      There is a best practice on the opposite side that is capable to defeat your "best practice" on any day of the week and twice during the weekend, and all smart employees have figured it out long ago. It is for the employee to collect the data while they have access, and do not depend on the benevolence of the company policies after the termination decision.

      Just so I am not entirely abstract, this is exactly what a certain Bradley Manning allegedly did while in employment of a certain large military organization.

    • The problem with these types of practices is that you give these ex employees a legitimated reason to actively try and hurt the company. And they would still have friends there and know the building and network. If they really wanted to they should still be able to cause massive damage, and they have far more reason to do it now.

      And how in hell is best practices to allow an employee to come in to work and receive a pay-check for a week after they would have a good chance of guessing that they are already fi

      • by EdIII (1114411) on Wednesday June 13, 2012 @10:32PM (#40318125)

        Actually.... you all got it wrong.

        Best practices are to just lose his paycheck, promise to look into it, keep moving him into smaller and more cramped cubicles, then eventually the basement, and finally steal his stapler that he brought from home . He should just leave quietly.

        • by rhook (943951)

          And I said, I don't care if they lay me off either, because I told, I told Bill that if they move my desk one more time, then, then I'm, I'm quitting, I'm going to quit. And, and I told Don too, because they've moved my desk four times already this year, and I used to be over by the window, and I could see the squirrels, and they were married, but then, they switched from the Swingline to the Boston stapler, but I kept my Swingline stapler because it didn't bind up as much, and I kept the staples for the Sw

  • sad news is that we can only see this survey because some schmuck got fired.

  • by Penguinisto (415985) on Wednesday June 13, 2012 @08:17PM (#40316911) Journal

    I recall distinctly during my time with a certain F50 company that they would not only refuse to buy any of the secrets, but that they would be the first to call the FBI on you for trying. The last thing they wanted or needed was to have those secrets unearthed years later, potentially costing them billions of dollars.

    Now the gray/black market? Maybe... but that's as much of a jail risk as carrying around an open box full of kiddy porn in front of a police station.

    If anything, the things I can see IT employees walking out with are software licenses, images (even hardware!) and crap like that - things they would find useful to themselves later on.

    • Hospitals or financial institutions can be a little different. You can hold the hospital hostage with HIPA as if they did call the FBI they would have to pay millions in fines after I release the data.

      With a financial institutions the Russian Mobfia will pay quite handsomly and do the dirty criminal work for you for bank account numbers, passwords, and credit card number.s

    • by mysidia (191772)

      If anything, the things I can see IT employees walking out with are software licenses

      I assume you mean copies of serial numbers / license keys. The actual license/right to use software still belongs to the company in that case; the employee that makes unauthorized use of a serial number to reuse software for production purposes elsewhere would just be pirating software, plain and simple, they don't actually get a license just because they misappropriated a copy of the key; they might have done that at an

    • by Cow Jones (615566) on Wednesday June 13, 2012 @10:29PM (#40318099)

      You're right, that's the most important question. What do you do once you've got their crown jewels? Me, I'm a self-employed contractor. Half of the time, I get called in to work on fairly large projects where nobody expects me - or even wants me - to be on location all of the time. So I work from my office or from home. And sure enough, I've got their code, their passwords, and usually (if it fits on my laptop) their database. As an external contractor, I don't get fired. My contract just ends. This occurs far more frequently than employees get fired (I hope). Do I delete all of the data after I complete phase 8 of project X, while I wait if/when they'll call me back for phase 9? No, I don't. I keep it all. The only thing I worry about is that it's stored safely (meaning full disk encryption, at the least, and disconnected encrypted drives for old projects).

      I have no idea how much all of that data would be worth to the right (wrong) people. I never really thought about it. When somebody _gives_ me their passwords and/or their data, that implies a level of trust I just couldn't violate (unless forced, but that's not what we're talking about here). I enjoy cracking passwords and finding exploits as much as the next guy, but once somebody trusts me, they're off limits.

      I don't know. In the last 15 years I've gotten along fine with each and every customer I've had. Some were more difficult than others, but there has never been a situation where I was even remotely tempted to betray them or sell them out. Might be a different story if I were working for organized crime, or some other organization whose morals I deeply object to, but as an external contractor I get to choose my customers. If I ever get sucked into something like that.. I have no idea what I'd do. I probably wouldn't pull a Bradley Manning, but who knows... Whistleblowing is one thing, blackmail is quite the opposite.

      CJ

      • by girlintraining (1395911) on Thursday June 14, 2012 @12:03AM (#40318851)

        You're right, that's the most important question. What do you do once you've got their crown jewels?

        Even if they handed you the keys to the kingdom, don't tell them you have the keys to the kingdom. I have also been that contractor with 'god level' access to everything. And then one day it was pointed out to management that all of this nonsense about using IDS and scanners to detect whether a USB drive had been plugged in or not would really only serve to get in the way of people trying to do their job; anyone with even 3 working neurons in their brain could figure out how to get around it (as one example, printing a binary file, and then going over to the printer, plugging in an SD card, and copying it. Windows group policies don't work on printers. It was pointed out that the entire IT department had the necessary rights on the network and technical know-how to do it. So, naturally management nuked everything from orbit. They fired over 50 people in the span of a few months in a political fiat between infosecurity and the rest of IT (Little known fact: many people who work in info security have no previous background in IT. They usually can't tell a router from a switch) So you know, security must have improved after that, eh? Well, actually it didn't; They were robbed of a significant chunk their customer's credit card and billing data six months later because when you fire a significant chunk of your IT staff in one go, minor things like security patches tend to get put on the backburner while everyone goes into crisis mode.

        Anyway, people talk about employees walking off with confidential data, but for every person that does that, at least a hundred others got fired because management got paranoid... probably more. Usually the value of the data they're protecting is worth less than the cost of hiring and training new employees, because management got spooked about the old ones.

  • by SoupGuru (723634) on Wednesday June 13, 2012 @08:17PM (#40316921)

    I honestly don't understand. IT people need to be trusted with very important data. Each time one of these surveys come out they demonstrate that they can't be trusted with data.

    As an IT guy, I wouldn't consider for a second walking out with data that's not mine. What the hell is wrong with the rest of you?

    • I'm not sure if this includes knowledge.

      If I got fired today there is an awful lot of knowledge which is in my brain which could be damaging to the company depending who got it.

    • by Jah-Wren Ryel (80510) on Wednesday June 13, 2012 @08:29PM (#40317071)

      As an IT guy, I wouldn't consider for a second walking out with data that's not mine. What the hell is wrong with the rest of you?

      The summary, at least, says it is not "IT guys" it is IT management that has ethical problems here. Not too surprising given that full-blown psycopathy is 4x more common in senior managers than in the general population. [cnn.com] Since psycopathy is really a continuum with only the really extreme types qualifying for the label, you don't have to be a full-fledged pyscopath to rationalze walking out with stolen data either.

    • Boy, wouldn't it be great if that problem went. Like if there is some managed solution provider out there who can do data backups, saves money, never have to see them etc.

      It smells like a cloud advertisement. Why have data hosted locally if you they are going to steal it anyways ... etc.

      • by khasim (1285)

        Why have data hosted locally if you they are going to steal it anyways ... etc.

        That is awesome!

        Instead of losing a copy of your data when you fire an employee, you lose complete access to your data when you "fire" the cloud provider.

        Or when they fire you by jacking up the rates so much that your company profits go to their company.

        I love it!

    • by Gaygirlie (1657131) <(moc.liamtoh) (ta) (eilrigyag)> on Wednesday June 13, 2012 @08:33PM (#40317111) Homepage

      As an IT guy, I wouldn't consider for a second walking out with data that's not mine. What the hell is wrong with the rest of you?

      I agree with you here. I would never even dream of copying sensitive data, installing backdoor access or stealing actual physical hardware, that's hideously selfish and if I knew of someone having done that I'd be the first to report that person to authorities, even if it was one of my own family members. But alas, as disgusting as I find such behaviour I also am not surprised in the least; majority of people are willing to screw over anyone and anything -- even their own morals and ethics! -- in order to gain something and even more so if the gain could be monetary. Mankind in general is not to be trusted.

    • by LordLucless (582312) on Wednesday June 13, 2012 @08:57PM (#40317369)

      What the hell is wrong with the rest of you?

      Nothing. We wouldn't either. But our execs and senior management apparently would. Read the summary.

    • by sconeu (64226) on Wednesday June 13, 2012 @09:41PM (#40317757) Homepage Journal

      That's why you don't understand.

      The title should read: " MANAGEMENT Admits They'd Walk Out With Stolen Data If Fired"

      TFS says they surveyed managers and executives, not rank and file.

    • by CAIMLAS (41445)

      You need to pay attention to what's actually being said (or not being said) here. It's a study done by a fucking ID management company. It's like Symantec writing a paper on how Windows malware infections are on the rise (as their stock markets drop).

      Imagine, someone answers a question like:

      * Do you keep customer contact information on your personal phone? (This question ignores that you get to expense the use of your phone, but whatever.)

      If you answered "yes" to that, chances are you're guilty of somethign

  • by rrohbeck (944847) on Wednesday June 13, 2012 @08:22PM (#40316987)

    I thought that's data protection 101.

    • by Anonymous Coward on Wednesday June 13, 2012 @09:27PM (#40317659)
      Once upon a time I had two personal laptops I brought to work. One I had been using for a year, the other I had just purchased and had just reached the point where I was leaving the old one at home. Then one day they herded about 50 of us into a conference room. My manager tried to get me to leave my laptop at my desk, but I always took it with me to meetings, so I kept it with me. The CEO announced that our services were no longer required and that most of us would be walked directly to the exit.

      My boss steered me to her boss's office and some "security" guy who had been hired a week earlier proceeded to tell me I couldn't leave until I gave him my laptop and the password to get in. I pointed out that it was my laptop and pulled my receipt out of the bag. He said it didn't matter whose laptop it was, I had to give it to him because it might contain company data. I refused, informing him that it contains confidential personal data that the company has no right to. He then threatened to call the police if I didn't turn it over. I pulled out my cell phone and offered to call them myself. The guy actually took the phone out of my hand and shut it off.

      At this point I told him, "when I get outside, I'm driving to the police and reporting that you just assaulted me and stole my phone. If you take my laptop by force, now you're looking at assault and grand theft. I don't know how much they're paying you, and I suspect you don't either because you haven't gotten your first paycheck yet, but you really need to think about whether this is worth it." He got uncomfortable and slid my phone back across the table to me, reiterating that he couldn't let me leave with the laptop.

      "I know you've only been here for a week, but I just started using this laptop a week ago. Ask my boss. What are you going to do about the laptop I've been using for the last year that's sitting at home right now? Are you going to break into my house tonight?" He looked at my boss, who nodded, and told me I could go.

      The point is this: unless you've been enforcing strict security policies all along, trying to get stuff from the employee is like closing the barn door after the horse has bolted. And if you screw with them enough, you're just going to make things worse. To spite them for this, I took some non-confidential company documents I had, uploaded them to a file sharing site and emailed them a link to it: "Here are the files you wanted so badly. I wouldn't have bothered if you had treated me like a human being. Just something to think about the next time you fire someone." I'm sure they just about had a heart attack until they realized I hadn't uploaded anything sensitive.
  • Similarly to all the above ban account, remove keyboard stories. From working weekends at a highstreet clothes store when employees were leaving it is company policy that the employees weren't allowed to use tills for their last day/week. Although given the recent recession and constant staff shortages this is now usually seen as impractical and ignored by the managers supposed to implement it (They also never seemed to actually remove the till accounts of ex-employees within due time).
  • Simple Solution (Score:5, Insightful)

    by sir-gold (949031) on Wednesday June 13, 2012 @08:27PM (#40317057)

    The solution to "insider theft" is simple:
    Don't hire from the bottom of the barrel just to save a buck, and you won't have to fire people.
    Treat your employees like valuable assets and not just cogs, and your people won't quit.

    • jobs in accounting making decisions. You know, oh Jeff makes X money but we can hire jackie for X-Y dollars and then fire Jeff. We don't care that Jeff knows the business inside out and Jackie doesn't. We don't care it'll be a year before Jackie comes up to speed and all the evidence says he won't be as good. We'll save a couple bucks now which is good enough. (Even if it screws us in the end.)
    • Re:Simple Solution (Score:5, Insightful)

      by LordLucless (582312) on Wednesday June 13, 2012 @08:55PM (#40317349)

      This article, despite the headline, isn't about "IT Employees". It's about IT executives and senior management. These are the employees that are treated like valuable assets. It's the low-paid one which are honest - which is probably why they're still low-paid.

      • Re: (Score:3, Informative)

        by TranquilVoid (2444228)

        It's the low-paid one which are honest

        The summary isn't quite accurate. The article states that the survey was mostly IT managers and executives, and the actual report PDF mentions that about 25% were "business/admin/technical staff" (i.e. regular workers), but there is no breakdown as to which group was less honest.

        Still, while I'd grant that managers might be more sociopathic, humans in general are quite corrupt. This sort of white-collar unethical behaviour is all too common as, unlike physical violence, it's very indirect as to the effect

    • This is because these companies seem to be getting the opposit results from these tests that are intended. They are weeding out the good, honest, and hard working employees. The only people that can pass these things are liars, cheaters, and BSers. Is that the type of employee they really wan't.

  • by el_tedward (1612093) on Wednesday June 13, 2012 @08:33PM (#40317107)

    Everyone preaches about the insider threat, even though less than 4% of all incidents come from insiders.. If you count by the number of breached records, insiders make up less than 1% of all breached records (though, arguably, they may be breaching records that are more valuable)

    http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf [verizonbusiness.com]

    • by serutan (259622)

      Exactly. In other news, 4 out of 5 IT people admit they'd like to be time-traveling superheroes and save the universe.

  • by Anonymous Coward on Wednesday June 13, 2012 @08:43PM (#40317213)

    When I fire someone, there is a significant amount of planning that goes into it, and the whole process takes about 4 weeks.

    When I decide it's time for someone to go, I have HR stage a company-wide reaffirmation of adherence to company policy. Employees are reminded that they are not allowed to bring any company data home on thumb drives (which technically they aren't allowed to bring in from home or leave the office with anyway), personal laptops, phones, and so on. During this initiative, they are asked to bring in any thumb drives they have with company data, and make sure they erase company date from their personal devices. I instruct the IT department to assist any employee who asks for help with locating and purging company data.

    We are certain to remind them that this is to protect the company from security issues and corporate theft, reduce legal costs, and so on.

    After about a week of that, we install a keystroke logger and screenshot collector on the employees PC, and collect all of their passwords to local resources, databases, servers, and so on. We monitor their computer activity 24/7 to make sure it will be a clean break. This is also useful for creating justification for violations of IT policy, since most employees violate it by using their company-owned computer for personal endeavors (email, non work-related web browsing, etc), which is against IT policy and subject to disciplinary action up to and including termination.

    After a week or two of monitoring, I get the ball rolling with HR and IT. I submit the necessary termination documentation to HR, and IT generates a script that instantly locks them out and changes all of their passwords so that they cannot access any company resources.

    We usually try to execute a firing when the terminated employee is in a meeting or other place where s/he will not have immediate physical access to items at their desk or lab. I usually just pop my head in the door and say "Hey XYZ, I need your help for a second." We walk back to my office, where HR is waiting with the termination paperwork, while IT removes their laptop from their desk and locks all of their drawers and cabinets.

    To communicate the firing, I actually read from a script, because the lawyers are very particular about the language and what is said. Security escorts the employee to their work area and supervises and thoroughly documents any personal effects they take with them. They are not allowed to take any memory devices with them, including those in picture frames, without first having them checked by IT for company information. Picture frames are also disassembled and other items searched as thoroughly as possible.

    Terminated employees are also searched/wanded on their way out to ensure they are not hiding things like USB keys or hard drives on their person.

    It's an arduous process, but it's my job to protect the company from thieves.

    • by erp_consultant (2614861) on Wednesday June 13, 2012 @09:00PM (#40317401)
      Jesus...why don't you just tar and feather the guy for good measure? I came close to working in a place like that one time but thankfully it didn't last long. Keyboard loggers? Screenshot collectors? Big brother anyone? I don't see how anyone can be productive under those kinds of conditions. What do you do for an encore? Slash the guys tires before he leaves the parking lot?
    • by cusco (717999) <brian.bixby@COWgmail.com minus herbivore> on Wednesday June 13, 2012 @09:04PM (#40317443)
      You, sir, are a frelling scumbag. Sorry, there's no way to sugar-coat it, you get far too much enjoyment from fucking over someone's life to be considered a decent human being. Fortunately people like you are so aggressive during the initial interview process that I don't have to worry about being stuck working with you.

      It's management attitudes like this that breeds disgruntled employees that will steal company data. Treat people decently and 1) you will very rarely have to fire employees, and 2) when employees leave they aren't going to be inclined to take the customer database with them.
    • by pclminion (145572)
      If you fire people often enough that you have codified a rote procedure for it, then you are a fucking shitty manager. Apparently, you don't have any skill hiring decent workers in the first place. When you brag about canning people, you're really bragging about how awful a judge of character and skill you are. HR, of course, knows these procedures by heart (it's their job function). But if you are a decent manager in any sense, the termination of an employee should be a reason for you to quite literally sh
  • by Anonymous Coward on Wednesday June 13, 2012 @08:52PM (#40317315)
    As someone who has been laid off from a job (and forced to wipe the hard drive of my personal laptop before I could leave the building), and who has had to hire and fire dozens of employees over the last 10 years, I can offer a bit of insight:

    10% of your employees would never steal from you. Ever. It wouldn't occur to them to do it.

    10% of your employees are determined to steal from you. It's why they applied for the job!

    The other 80% are swayed by circumstance and opportunity. If you treat them like crap (when they're employed or when you fire them) or make it clear that you're lax on security (often as simple as not paying attention), they're going to steal from you. Treat them well (as employees and as ex-employees... don't just toss them overboard... give them a severance package... give them a nice letter of recommendation... make some genuine effort to ease this life-altering transition and show them that you care about what happens to them after they leave) and maintain good security practices and you will drastically cut down on the number of people who steal from you.
  • by MobyDisk (75490) on Wednesday June 13, 2012 @08:59PM (#40317399) Homepage

    Be very careful when reading these surveys. The wording can be critical, and can mean something different than what the headline is implying. For example:

    If you were told that you were going to be fired tomorrow, what, if anything would you take with you?

    The answer would have to include things that you already have in your possession. So no malicious intent is required here! For example, 5% responded "R&D plans." That doesn't mean that they would steal R&D plans in response to being fired. It could be that they already had those plans on a flash drive on their key ring, perhaps because they gave a presentation on the topic recently. 8% responded "Privileged password list" which could mean that they keep an encrypted copy of vital passwords in case they need to remote into the servers from home. They might take the "Customer database" because they keep a copy on their laptop in case they are on call and need to contact a customer.

  • by johnny cashed (590023) on Wednesday June 13, 2012 @09:05PM (#40317447) Homepage
    The problem I have with this is the hypothetical "if you were fired tomorrow" angle on the survey. Why would I be fired tomorrow? For cause? Due to downsizing? A lot of people would feel threatened if they were suddenly fired, especially if they can see their termination as unjustified. This doesn't justify their potential actions, but it really leaves out a lot. How many people, if they were fired tomorrow, would come back with a gun and start shooting people? Probably a lot less. Was that question on the survey?
  • by v1 (525388) on Wednesday June 13, 2012 @09:12PM (#40317513) Homepage Journal

    You have two competing goals, company security BY the employees, vs company security FROM the employees.

    IT are like the cops in town. In order for them to do their job you have to trust them with powers that can be abused. There is no perfect solution to this problem. The best thing you can do if you are a reasonable sized organization is to simply have the power spread out horizontally well, so the watchers can watch each other.

    In small businesses, you may have a small IT staff tree that's composed of people that do jobs that have very little overlap, and that makes their position more abusable.

    I've seen it work both ways on the way out. I've seen people get 6 weeks of advance notice, and I've personally been handed papers when I arrived in the parking lot. Paranoia varies, just as trust varies. If you're in an "at-will state" you can get the rug pulled out at any time, and many companies do this as a matter of policy. I consider it very double-standardish, that last place my manager told me he expected me to give two weeks notice if I was leaving, but when I asked how much notice he'd give me, well, that's different! IMHO, employers that think that's playing fair deserve zero day notice, and should consider that the tradeoff for having a zero-day notice for their employees.

    Considering the present economy, the value of job security has gone up, and I would certainly find a job less attractive if I knew my employer had a "meet you at the door on Monday with a box of your stuff" policy. But what if I were going to be evil? Then I'd say you need to train your HR people to hire people with better character, good references, and thorough background and job-history checks. You need to be able to trust your IT staff, because of the nature of their position, just like the city needs to be able to trust the cops it hires. If you don't hire people you don't trust, you don't have to zero-day bomb them when layoffs are required. Promote from within instead of hiring off the street into positions of trust and power. If a new hire isn't trustworthy, thank him for his time and give him his two weeks and find someone else. Don't burn people that are in a position of power.

    You think it's unfair when a semi-key staff walks on you? Try being that staff when he gets to go home and sit on the couch all day waiting for the wife to get off work, trying to figure out how to tell her he's unemployed as of now. It hits the employee a lot harder than it should hit the company. And in any reasonable sized company, no single person walking should be able to do great damage, nothing like your home income dropping 50 (or 100) percent overnight.

    I also read from time to time about karma coming back and biting employers that zero-day a key IT. And I'm not talking about the cases where Joe Fired remotes in and makes a mess etc. I mean the "this broke again, oh crap, Joe usually fixes this, what do we do now?" sort of cases. Responsible employees try to prevent this sort of dependency but companies often don't give enough time or resources to accomplish it. (time to document, hours to crosstrain, etc) So you can't just blindly go blaming the employee. And so now you're left with missing key experience, and a burned bridge. I watched that happen twice at one company. They zero-day'd a key person, only to find that he was the best go-to man for certain things, and a company mass-mail went out to NOT call that person for help. (because they had made it clear they were going to charge for every support call they received a result of his departure) So that leaves us all fumbling around for hours at a tim trying to figure things out that a 10 second phonecall could have solved. Wonderful waste of resources, makes us look like bumbling idiots in front of the client, etc. "Why are you here? Where's Joe, he's always the one you send to work on our server? Really? Are you going to be able to fix this? (after a few hrs...) Can't we just call

  • Or, (Score:3, Interesting)

    by Ralph Spoilsport (673134) on Wednesday June 13, 2012 @09:14PM (#40317533) Journal
    Companies might build TRUST with their employees that they won't get fired at the drop of a hat, and Companies might develop an ecosystem of resilience with their workers, such that everyone feels responsible for the company and vice versa. How? Socialism. Democritise the work place. VOTE for your boss. You wouldn't accept totalitarian political solutions, why do you accept totalitarian economic solutions? If everyone felt like what they did mattered, and felt like their employment was a vital part of their existence (as opposed to something they do to make money) then people wouldn't dream of walking off with data when they get fired, because getting fired would be rare, and a mark of massive failure. CHANGE YOUR WORLD. For the better. it's not that hard. You just have to get off your ass and demand it.
  • Biased Survey? (Score:4, Insightful)

    by ark1 (873448) on Wednesday June 13, 2012 @09:42PM (#40317771)
    An ID management provider does a survey designed to promote identity management. Why should I trust them?
  • by serutan (259622) <snoopdougNO@SPAMgeekazon.com> on Wednesday June 13, 2012 @10:26PM (#40318069) Homepage

    In 30 years as a software dev I don't think I've known more than a couple computer geeks who might have the guts to steal data, let alone the personality to locate a buyer, negotiate a price and actually follow through on the deal. Sure we've all seen Office Space and talked trash about what we'd like to do to a company, but at the moment of truth, no way. And managers tend to be even more gutless -- something tells me the survey results were heavily skewed by false bravado.

  • Offsite backup (Score:4, Insightful)

    by Kim0 (106623) on Wednesday June 13, 2012 @11:56PM (#40318787)

    "Stealing data" is another way of saying "offsite backup".

  • Don't burn bridges (Score:5, Insightful)

    by Fencepost (107992) on Thursday June 14, 2012 @12:04AM (#40318865) Journal
    The one time I was laid off (knowing it was coming for months - closing an entire facility, plus I got extended a couple times and had turned down an offer to move to Dayton, Ohio), I was working on wrapping up a project up to the very last day. The last parts were documenting, etc. but when I walked out the door I had my personal laptop that I'd been using for some development work and testing.

    What did I do with the company information on that laptop? I zipped it all up, burned it to a CD along with an index/directory and notes on what might be of interest in case there was anything like homegrown test tools that wasn't on my main system, and mailed it to them. What did I get for all this? Thanks for being so great about everything, which kind of confused me - they'd offered to keep me on if I was willing to move and I refused, and I wasn't going to screw the people I'd been working with for years.

    If you dislike the people you work with enough to screw them when you leave, you're in the wrong place (mentally, physically, whatever) already.

    As it turned out, I ended up doing some fairly substantial hourly consulting for a different division of the same company a few years later, and I suspect that had I pouted my way out the door it wouldn't have happened. I didn't end up needing any of my old coworkers as references (jumped into freelance work with some other former employees), but I have no doubt that I'd have been able to get good references with no difficulties.
  • by jandersen (462034) on Thursday June 14, 2012 @01:23AM (#40319347)

    There is, believe it or not, another way - it consists in treating your employees as real people, with fairness, respect, dignity and honour. The fact is, you basically get what you ask for; if your whole attitude is that your coworkers are criminals, then for the most part that is exactly what they will choose to be.

    I know this from personal experience - at one point I felt ostracised and treated with suspicion and contempt; and I wouldn't have hesitated with stripping the company of all valuables if I had got the chance. Then we got a new manager, who gave a fair chance to prove myself - and now I wouldn't dream of betraying the trust of my workplace. Of course, the problem is finding a manager who has the integrity and the guts.

  • by kikito (971480) on Thursday June 14, 2012 @02:32AM (#40319665) Homepage

    ... They are not "insiders" any more. You could call it "previously-insiders" threat.

Aren't you glad you're not getting all the government you pay for now?

Working...