Businesses Security IT

Employees Admit They'd Walk Out With Stolen Data If Fired 380

Gunkerty Jeb writes "In a recent survey of IT managers and executives, nearly half of respondents admitted that if they were fired tomorrow they would walk out with proprietary data such as privileged password lists, company databases, R&D plans and financial reports — even though they know they are not entitled to it. So, it's no surprise that 71 percent believe the insider threat is the priority security concern and poses the most significant business risk. Despite growing awareness of the need to better monitor privileged accounts, only 57 percent say they actively do so. The other 43 percent weren't sure or knew they didn't. And of those that monitored, more than half said they could get around the current controls."
This discussion has been archived. No new comments can be posted.

  • Best Practices (Score:5, Interesting)

    by Mafiasecurity ( 2561885 ) on Wednesday June 13, 2012 @08:15PM (#40316885) Homepage
    I remember reading a long time ago in security 101 best practices to remove an employee's network privileges a week before they receive the notice. I also know of a big company which had ITSEC work all weekend to remove and change creds so when workers came to work Monday they found themselves now jobless.
  • by SoupGuru ( 723634 ) on Wednesday June 13, 2012 @08:17PM (#40316921)

    I honestly don't understand. IT people need to be trusted with very important data. Each time one of these surveys comes out they demonstrate that they can't be trusted with data.

    As an IT guy, I wouldn't consider for a second walking out with data that's not mine. What the hell is wrong with the rest of you?

  • by Jah-Wren Ryel ( 80510 ) on Wednesday June 13, 2012 @08:29PM (#40317071)

    As an IT guy, I wouldn't consider for a second walking out with data that's not mine. What the hell is wrong with the rest of you?

    The summary, at least, says it is not "IT guys", it is IT management that has ethical problems here. Not too surprising given that full-blown psychopathy is 4x more common in senior managers than in the general population. [cnn.com] Since psychopathy is really a continuum with only the really extreme types qualifying for the label, you don't have to be a full-fledged psychopath to rationalize walking out with stolen data either.

  • by BrokenHalo ( 565198 ) on Wednesday June 13, 2012 @08:47PM (#40317263)
    This survey seems (admittedly without having read TFA) to be skewed by the "if fired" clause. Now, I would have thought most admins would have their privileges revoked if they were being sacked, but here's a question:

    How many of us, if on the receiving end of unjust treatment, would honestly not at least entertain the fantasy of "getting back" at that company? Be honest, now.

    Thought so.

    Since the company invests a lot of trust in its sysadmins, it should at least treat them respectfully, since trust has to work both ways.
  • by houstonbofh ( 602064 ) on Wednesday June 13, 2012 @09:06PM (#40317455)
    Been laid off a few times. Most of the time I stayed on and had full access for the two weeks they paid me to stay and do knowledge transfer. I guess it depends on the person...
  • Or, (Score:3, Interesting)

    by Ralph Spoilsport ( 673134 ) on Wednesday June 13, 2012 @09:14PM (#40317533) Journal
    Companies might build TRUST with their employees that they won't get fired at the drop of a hat, and Companies might develop an ecosystem of resilience with their workers, such that everyone feels responsible for the company and vice versa. How? Socialism. Democratise the work place. VOTE for your boss. You wouldn't accept totalitarian political solutions, why do you accept totalitarian economic solutions? If everyone felt like what they did mattered, and felt like their employment was a vital part of their existence (as opposed to something they do to make money) then people wouldn't dream of walking off with data when they get fired, because getting fired would be rare, and a mark of massive failure. CHANGE YOUR WORLD. For the better. It's not that hard. You just have to get off your ass and demand it.
  • by Anonymous Coward on Wednesday June 13, 2012 @09:27PM (#40317659)
    Once upon a time I had two personal laptops I brought to work. One I had been using for a year, the other I had just purchased and had just reached the point where I was leaving the old one at home. Then one day they herded about 50 of us into a conference room. My manager tried to get me to leave my laptop at my desk, but I always took it with me to meetings, so I kept it with me. The CEO announced that our services were no longer required and that most of us would be walked directly to the exit.

    My boss steered me to her boss's office and some "security" guy who had been hired a week earlier proceeded to tell me I couldn't leave until I gave him my laptop and the password to get in. I pointed out that it was my laptop and pulled my receipt out of the bag. He said it didn't matter whose laptop it was, I had to give it to him because it might contain company data. I refused, informing him that it contains confidential personal data that the company has no right to. He then threatened to call the police if I didn't turn it over. I pulled out my cell phone and offered to call them myself. The guy actually took the phone out of my hand and shut it off.

    At this point I told him, "when I get outside, I'm driving to the police and reporting that you just assaulted me and stole my phone. If you take my laptop by force, now you're looking at assault and grand theft. I don't know how much they're paying you, and I suspect you don't either because you haven't gotten your first paycheck yet, but you really need to think about whether this is worth it." He got uncomfortable and slid my phone back across the table to me, reiterating that he couldn't let me leave with the laptop.

    "I know you've only been here for a week, but I just started using this laptop a week ago. Ask my boss. What are you going to do about the laptop I've been using for the last year that's sitting at home right now? Are you going to break into my house tonight?" He looked at my boss, who nodded, and told me I could go.

    The point is this: unless you've been enforcing strict security policies all along, trying to get stuff from the employee is like closing the barn door after the horse has bolted. And if you screw with them enough, you're just going to make things worse. To spite them for this, I took some non-confidential company documents I had, uploaded them to a file sharing site and emailed them a link to it: "Here are the files you wanted so badly. I wouldn't have bothered if you had treated me like a human being. Just something to think about the next time you fire someone." I'm sure they just about had a heart attack until they realized I hadn't uploaded anything sensitive.
  • Re:Best Practices (Score:5, Interesting)

    by black6host ( 469985 ) on Wednesday June 13, 2012 @09:33PM (#40317701)

    The best practice here is to remove their access at the moment they're notified and escorted off premises if the data is that important.

    That was SOP at a client I did work with. Nobody in house could handle the changes required to disable access to the systems so when someone was being fired, they let me know and I disabled access early in the morning of the day of their termination.

    One time they asked me to do that for a person in a key position and I asked them repeatedly if they were going to terminate the person as soon as they walked in the door the next morning. They assured me, repeatedly, that they would be waiting at the door to take them into the owners office. Of course I had explained the consequences if they didn't (The employee would know before being told, which is a bit rude in my opinion, not to mention if the employee wanted to create a scene before being escorted out the door they'd have time to do it.)

    Of course, I get a call first thing in the morning from the person being terminated: "I can't log into the system..." Idiots......

  • by Stewie241 ( 1035724 ) on Wednesday June 13, 2012 @09:58PM (#40317885)

    I don't work in IT but I could see myself doing that out of curiosity.

  • In 30 years as a software dev I don't think I've known more than a couple computer geeks who might have the guts to steal data, let alone the personality to locate a buyer, negotiate a price and actually follow through on the deal. Sure we've all seen Office Space and talked trash about what we'd like to do to a company, but at the moment of truth, no way. And managers tend to be even more gutless -- something tells me the survey results were heavily skewed by false bravado.

  • by Anonymous Coward on Wednesday June 13, 2012 @10:27PM (#40318073)

    Posting as AC for good reasons.
    A few years back, I was one of the top dogs in the IT dept of a small but VERY profitable company. I had a good reputation and I held myself to high standards as we all like to think of ourselves. But during a particularly bitter shareholder war I found myself at the crossroads. I was asked to do some very unethical tasks for one side of the belligerent parties and I refused knowing full well it could spell the end of me if that particular faction ever came out on top.

    Of course in the end they did and I was sacked promptly exactly like you mentioned - just as I entered the building I was nearly cattle prodded into the HR office and given my walking papers after eight years of above reproach work. I was left high and dry and no severance package whatsoever even though it was spelled out in my hiring contract.

    Bitter and angry - yes, you bet. However I had wisely created an "emergency care package" for myself in the form of various pieces of information and when I went to court, some of that information was used by my lawyer to very deadly effect.

    In the end all my good conduct and proper attitude did not save my job. Doing the right thing usually does not assure you that somehow you will not get screwed if it makes cash sense to someone. So yes, it's not nice to walk out with some info but then most employers see you as cattle, so you might as well grow some horns.

  • by Cow Jones ( 615566 ) on Wednesday June 13, 2012 @10:29PM (#40318099)

    You're right, that's the most important question. What do you do once you've got their crown jewels? Me, I'm a self-employed contractor. Half of the time, I get called in to work on fairly large projects where nobody expects me - or even wants me - to be on location all of the time. So I work from my office or from home. And sure enough, I've got their code, their passwords, and usually (if it fits on my laptop) their database. As an external contractor, I don't get fired. My contract just ends. This occurs far more frequently than employees get fired (I hope). Do I delete all of the data after I complete phase 8 of project X, while I wait if/when they'll call me back for phase 9? No, I don't. I keep it all. The only thing I worry about is that it's stored safely (meaning full disk encryption, at the least, and disconnected encrypted drives for old projects).

    I have no idea how much all of that data would be worth to the right (wrong) people. I never really thought about it. When somebody _gives_ me their passwords and/or their data, that implies a level of trust I just couldn't violate (unless forced, but that's not what we're talking about here). I enjoy cracking passwords and finding exploits as much as the next guy, but once somebody trusts me, they're off limits.

    I don't know. In the last 15 years I've gotten along fine with each and every customer I've had. Some were more difficult than others, but there has never been a situation where I was even remotely tempted to betray them or sell them out. Might be a different story if I were working for organized crime, or some other organization whose morals I deeply object to, but as an external contractor I get to choose my customers. If I ever get sucked into something like that.. I have no idea what I'd do. I probably wouldn't pull a Bradley Manning, but who knows... Whistleblowing is one thing, blackmail is quite the opposite.

    CJ

  • by girlintraining ( 1395911 ) on Thursday June 14, 2012 @12:03AM (#40318851)

    You're right, that's the most important question. What do you do once you've got their crown jewels?

    Even if they handed you the keys to the kingdom, don't tell them you have the keys to the kingdom. I have also been that contractor with 'god level' access to everything. And then one day it was pointed out to management that all of this nonsense about using IDS and scanners to detect whether a USB drive had been plugged in or not would really only serve to get in the way of people trying to do their job; anyone with even 3 working neurons in their brain could figure out how to get around it (as one example, printing a binary file, and then going over to the printer, plugging in an SD card, and copying it. Windows group policies don't work on printers.) It was pointed out that the entire IT department had the necessary rights on the network and technical know-how to do it. So, naturally management nuked everything from orbit. They fired over 50 people in the span of a few months in a political fiat between infosecurity and the rest of IT. (Little known fact: many people who work in info security have no previous background in IT. They usually can't tell a router from a switch.) So you know, security must have improved after that, eh? Well, actually it didn't; they were robbed of a significant chunk of their customers' credit card and billing data six months later because when you fire a significant chunk of your IT staff in one go, minor things like security patches tend to get put on the backburner while everyone goes into crisis mode.

    Anyway, people talk about employees walking off with confidential data, but for every person that does that, at least a hundred others got fired because management got paranoid... probably more. Usually the value of the data they're protecting is worth less than the cost of hiring and training new employees, because management got spooked about the old ones.

  • by lightknight ( 213164 ) on Thursday June 14, 2012 @03:06AM (#40319789) Homepage

    Hmm. In my case, I drop what I'm doing, and leave.

    So far as I am concerned, if I'm fired, the network / users are officially no longer my problem, as of that exact moment. I don't plot revenge; if I've been doing my job, and the firing is unjust, my absence will slowly deteriorate the network / machines into an unusable state (let the users solve their own driver installation problems, and good luck with the servers if / when the RAID goes down). If it is just, then I'm sure someone equally or more capable has / will be hired to maintain things.

    You'd be surprised what happens when things are left to their natural tendencies (it usually takes 3 months before things have gotten bad enough to warrant a phone call).

  • by CAIMLAS ( 41445 ) on Thursday June 14, 2012 @03:10AM (#40319803)

    However I had wisely created an "emergency care package" for myself in the form of various pieces of information and when I went to court, some of that information was used by my lawyer to very deadly effect.

    As someone who's going through something very similar now, let me ask: what was in your care package?

  • Re:Best Practices (Score:5, Interesting)

    by characterZer0 ( 138196 ) on Thursday June 14, 2012 @07:11AM (#40320815)

    Unless you are firing your employee for doing something horrible, best practice when terminating white collar employees who have been trusted with access is to cut off access Friday evening, give notice Monday morning, and pay them for another 2-4 weeks at full salary to work half time writing documentation (and be free to spend the rest of their time looking for another job or golfing). The company avoids sabotage and burning bridges, gets documentation, and has remaining employees who know they will be treated respectfully.

  • Re:Best Practices (Score:5, Interesting)

    by butalearner ( 1235200 ) on Thursday June 14, 2012 @09:16AM (#40321579)

    Revenge isn't rational. When I was first laid off, I stole the department's best set of pliers. Not because they were worth much, but because they were really nice pliers and I just felt really annoyed. Me and a coworker were exactly equal in qualifications, skill and productivity, so it was fairly clear that the decision over who to fire came down to him being the one willing to go down the pub with the boss and play the occasional game of football.

    And there's the problem with this survey: you ask a bunch of people with reasonably good-paying jobs if they'd take some revenge if they got fired, in this economy, when most of them don't deserve it? But it should come as no surprise when the survey was conducted by Cyber-Ark, who sells three products:

    • Privileged Identity Management Suite
    • Privileged Session Management Suite
    • Sensitive Information Management Suite