Employees Admit They'd Walk Out With Stolen Data If Fired 380
Gunkerty Jeb writes "In a recent survey of IT managers and executives, nearly half of respondents admitted that if they were fired tomorrow they would walk out with proprietary data such as privileged password lists, company databases, R&D plans and financial reports — even though they know they are not entitled to it. So, it's no surprise that 71 percent believe the insider threat is the priority security concern and poses the most significant business risk. Despite growing awareness of the need to better monitor privileged accounts, only 57 percent say they actively do so. The other 43 percent weren't sure or knew they didn't. And of those that monitored, more than half said they could get around the current controls."
...and what would you do with it? (Score:5, Insightful)
I recall distinctly during my time with a certain F50 company that they would not only refuse to buy any of the secrets, but that they would be the first to call the FBI on you for trying. The last thing they wanted or needed was to have those secrets unearthed years later, potentially costing them billions of dollars.
Now the gray/black market? Maybe... but that's as much of a jail risk as carrying around an open box full of kiddy porn in front of a police station.
If anything, the things I can see IT employees walking out with are software licenses, images (even hardware!) and crap like that - things they would find useful to themselves later on.
Re:Best Pratices (Score:4, Insightful)
I'm not sure that's really a best practice. Rather than dealing with the risk of data theft, you end up with the risk of them shooting up the building or engaging in non-network sabotage while they still have their access cards.
The best practice here is to remove their access at the moment they're notified and escorted off premises if the data is that important.
Re:Best Pratices (Score:5, Insightful)
It would depend on the employee, I suspect. As a sr. sysadmin, if my access was cut off, I'd know immediately what was up (since I'd need it for my job), and if I were unscrupulous, I'd have alternate backdoor accounts and backups already in place to suck out all the data that I really wanted. *shrug*.
Simple Solution (Score:5, Insightful)
The solution to "insider theft" is simple:
Don't hire from the bottom of the barrel just to save a buck, and you won't have to fire people.
Treat your employees like valuable assets and not just cogs, and your people won't quit.
Comment removed (Score:5, Insightful)
Re:What about being a decent employers!!! (Score:4, Insightful)
No matter how hate the concept, the parent post is right.
Once the honest employee gets screwed no matter what, there's absolutely no incentive to the other employees to be honest!
You get what you promotes!
Rule of Thumb for Employee Theft (Score:5, Insightful)
10% of your employees would never steal from you. Ever. It wouldn't occur to them to do it.
10% of your employees are determined to steal from you. It's why they applied for the job!
The other 80% are swayed by circumstance and opportunity. If you treat them like crap (when they're employed or when you fire them) or make it clear that you're lax on security (often as simple as not paying attention), they're going to steal from you. Treat them well (as employees and as ex-employees... don't just toss them overboard... give them a severance package... give them a nice letter of recommendation... make some genuine effort to ease this life-altering transition and show them that you care about what happens to them after they leave) and maintain good security practices and you will drastically cut down on the number of people who steal from you.
Re:Simple Solution (Score:5, Insightful)
This article, despite the headline, isn't about "IT Employees". It's about IT executives and senior management. These are the employees that are treated like valuable assets. It's the low-paid one which are honest - which is probably why they're still low-paid.
Re:Best Pratices (Score:5, Insightful)
This is the kind of treatment that makes workers angry enough to do the things your 'big company' doesn't want happening in the first place.
Re:When I fire someone... (Score:4, Insightful)
Re:When I fire someone... (Score:5, Insightful)
It's management attitudes like this that breeds disgruntled employees that will steal company data. Treat people decently and 1) you will very rarely have to fire employees, and 2) when employees leave they aren't going to be inclined to take the customer database with them.
I think a lot of people would have issues (Score:5, Insightful)
Re:how stupid are people? (Score:2, Insightful)
since most businesses are run by insecure twats, it is likely the sysadmin will have the nuclear option used against him for trivial disagreements. The sysadmin, in a state of rage over unfair treatment, hits his red button figuring he's got little to lose at this point. His employer just destroyed his career and his credibility after all. As far as I'm concerned, the party with the most power, the employer, deserves what it gets. If it treats its employees well, statistically, it doesn't have much to worry about. If it treats them like criminals out of insecurity, then it deserves what it gets.
Re:When I fire someone... (Score:4, Insightful)
Re:Solution: (Score:5, Insightful)
This is the mentality that causes people to stick it to the holy churches of corporate psychopathy in the first place. subject employees to hostile working environments like slaves, and they'll act like slaves when they rebel.
The article title is wrong. (Score:5, Insightful)
That's why you don't understand.
The title should read: " MANAGEMENT Admits They'd Walk Out With Stolen Data If Fired"
TFS says they surveyed managers and executives, not rank and file.
Biased Survey? (Score:4, Insightful)
Re:Best Pratices (Score:5, Insightful)
Re:Employer could always be nice (Score:2, Insightful)
"How many of us, if on the receiving end of unjust treatment, would honestly not at least entertain the fantasy of "getting back" at that company? Be honest, now.
Thought so."
I can't really get upset with a business owner doing what he wants with his own property, even if I think it is a stupid self destructive choice in this hypothetical case of being fired or whatnot even while doing good work. Furthermore, revenge wouldn't make anything better, it would just add more misery to the mix. So no, this notion of lashing out seems absurd to me even as a simple fantasy. Perhaps my enlightened attitude would go out the window if such a thing ever did happen to me, but even then I could not imagine this being a good idea. Doing such a thing destroys the goodwill you have built up in your career and puts you in a worse position than someone who has no job experience at all. If HR is worried about bad hires coming from the untested, imagine how quickly they'd pass over a resume that returns from a background check with mention of malicious behavior.
In isolation, these things sound scary, but for a person to actually go through with this sort of nonsense, they'd have to be pushed much closer to the edge of sanity than just being fired or having a shitty boss. I'd expect to find that in cases that this sort of thing does happen, additional variables are at work like mental instability or favorable opportunity to not get caught for example.
Re:Employer could always be nice (Score:5, Insightful)
It does depend on the person. I would never even remotely consider it for a second, even if I was owed money. That's what lawsuits are for.
When you do sensitive work like working with customer databases and sysadmin work that takes you everywhere inside a company, you need to be trusted. Your actions could get around to other companies.
As for still having access, I wouldn't know. That would require testing for it.
I know it is tempting to get revenge, but in the end I would rather have my integrity and knowing that I was the better person and professional.
Re:Best Pratices (Score:5, Insightful)
The real question is "Why?" What purpose does stealing that info have? You could "potentially" sell it to a competitor just like you could "potentially" be thrown in jail. The risk vs. reward without having a pre-existing deal to steal data for another company is not worth it. It's like quitting your job before you've even handed in a resume to another company that has no idea who you are.
here's the results of treating employees like shit, enjoy.
As opposed to the results of shitty employees trying to screw over the company? These people who would steal the data just because they're fired are EXACTLY the people that should be fired. They are the shitty employees that get what they deserve.
Re:Best Pratices (Score:4, Insightful)
In reality, you always have a clue that your job is in jeopardy, and you're hoarding whatever information you want to take ahead of time. Some people I know do this as a practice regardless of their job security. They have what they consider their "IP" (regardless of how their employment contract defined IP sharing/ownership), and constantly back it up. I'm not sure you can really stop them unless you want to go to the paranoid level of some banks, and remove all USB ports, seal away the hard drive and disconnect them from the internet...all the time.
In reality I think there is somewhat less danger of an employee walking away with vast company secrets for personal profit, most of the time its stuff they simply worked on, which they have some sort of emotional investment in. Spending a single cent trying to stop this is both fruitless and a poor use of money that could otherwise be invested in the company for more profit.
Re:Employer could always be nice (Score:5, Insightful)
Your actions will get around to other companies.
FTFY
Re:Employer could always be nice (Score:5, Insightful)
Your actions will get around to other companies.
FTFY
Not necessarily. A lot of companies are too concerned about lawsuits to say anything other than job title and start/end dates. They blacklist you at their company, of course, but there's not a lot of interest in informing other companies; just risk with no real upside, prudent policy generally shun references.
Offsite backup (Score:4, Insightful)
"Stealing data" is another way of saying "offsite backup".
Don't burn bridges (Score:5, Insightful)
What did I do with the company information on that laptop? I zipped it all up, burned it to a CD along with an index/directory and notes on what might be of interest in case there was anything like homegrown test tools that wasn't on my main system, and mailed it to them. What did I get for all this? Thanks for being so great about everything, which kind of confused me - they'd offered to keep me on if I was willing to move and I refused, and I wasn't going to screw the people I'd been working with for years.
If you dislike the people you work with enough to screw them when you leave, you're in the wrong place (mentally, physically, whatever) already.
As it turned out, I ended up doing some fairly substantial hourly consulting for a different division of the same company a few years later, and I suspect that had I pouted my way out the door it wouldn't have happened. I didn't end up needing any of my old coworkers as references (jumped into freelance work with some other former employees), but I have no doubt that I'd have been able to get good references with no difficulties.
Re:Employer could always be nice (Score:4, Insightful)
In the end all my good conduct and proper attitude did not save my job. Doing the right thing usually does not assures you that somehow you will get not get screwed if it makes cash sense to someone. So yes, its not nice to walk out with some info but then most employers see you as cattle, so you might as well grow some horns.
I worked at a job years ago which was going through a merger. Because of this...during the weekly meeting it was mentioned the IT department didn't want to face another $250,000 fine from the BSA that year for pirated software. Of course...all the contractors they had working were running tons of pirated software...as well as some of the employees. When I was handed my walking papers two weeks after this...my first call was to the BSA. Don't know what happened to these employees or company...but I ended up with a better paying contract job I loved three days later...even though my contract wasn't renewed six months later because of the economy.
The funniest part was this company I was fired from didn't lock me out for several days...so I could have done some damage...but didn't. Companies don't take due diligence...they deserve whatever happens to them.
Re:Best Pratices (Score:3, Insightful)
>Of course, I get a call first thing in the morning from the person being terminated: "I can't log into the system..." Idiots......
No, they are not idiots. They just left the job of explaining the situation to you.
You are the idiot for not realizing this.
Re:Best Pratices (Score:4, Insightful)
Here's a question for you -> if you're in the Sales group for a company, and have spent years cultivating relationships with various clients. You're given a pink slip. A week later, you're working at a new company. Is it screwing over your old company if you contact those clients? What if you kept a copy of the Goldmine database from your former company?
And there in lies the problem. If I develop code, on my own time, that I reuse at the workplace, whose code is it? If I work for a new company, and the old company brings charges against me for the code I developed on my own time, with my own equipment, who wins? See, these kinds of polls are...inexact, to say the least. If someone has a pet interest in tarring IT, and drumming up a 'need' for security services to watch IT, for instance, could a poll, with vague phrasing, not confirm the need for said services if read one way, instead of another?
Re:Employer could always be nice (Score:5, Insightful)
If an employer doesn't want me, I don't want to be there. If they want me but can't keep me due to overall economics (it happens in contracting regularly), then you just smile, thank them, and move on and you may well be back working there again later sometime.
Revenge is not only infantile, its often criminal. Is it really worth getting your @$$ kicked and fined or jailed? Don't think so.
Never burn your bridges, even if the other side are unmitigated jerks. You can be the bigger man. Even if you get the short end of the stick, somebody will probably notice your conduct and recognize it for the right way to behave. Sometimes you might end up working for them 5 years down the line.
Case in point:
Final year of college (software engineering) in city A, I did a project with well known embedded POSIX compliant OS vendor in city B. I met some of their staff.
After completing the year, I had a bunch of interviews in city B at a different company. On arriving, I recognized one of the guys I'd be working with/for. It took us most of the time there to twig to what it was. I'd met him in City C at COMDEX working for the POSIX OS company from city B. He was now working for another company (whom I went to work for as well).
I'd met him months before at a computer show in another city entirely and only coincidentally happened to be doing a project for the company he worked for, then we met at an interview for the company I was actually interested in working for and there he was.
If I'd been a jerk beforehand, he'd have remembered. As it was, he remembered me favourably. The interview was good enough I got hung with a fun nickname even before I was officially hired!
Beware the bridge you burn, it might be the one you need to advance across later.
Re:...and what would you do with it? (Score:5, Insightful)
when you fire a significant chunk of your IT staff in one go, minor things like security patches tend to get put on the backburner while everyone goes into crisis mode.
That, and if you fire more than one IT guy at once, each of them now has plausible deniability...
Re:Best Pratices (Score:4, Insightful)
If you treat people as enemies then expect them to treat you as an enemy. Thats both game theory and free market economics in action. Its also the reason why IT systems are a pain in the arse to use and cost twice as much as they should. Its a free choice.
Re:Best Pratices (Score:4, Insightful)