Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security IT

Employees the Next (Continuing) Big Security Risk? 111

surely_you_cant_be_serious writes "A nationwide survey finds that most companies consider their systems vulnerable to attack. Historically, crime rates increase during recessions — and some believe that cybercrime may well follow suit, especially given massive layoffs and the dim prospects many laid-off employees face in finding a new job. 'One thing companies can start doing is monitoring their networks on an ongoing basis so that they understand the normal pattern of data flow and usage, Brill said. In many cases, companies may not have the internal capability to do this, but outsourcing options are available. Kroll Ontrack, for instance, will be rolling out a 24/7 monitoring service for its global clients manned from a US location by professionals in early 2009.'"
This discussion has been archived. No new comments can be posted.

Employees the Next (Continuing) Big Security Risk?

Comments Filter:
  • Duh? (Score:5, Informative)

    by eln ( 21727 ) on Monday January 05, 2009 @05:34PM (#26336323)

    Summary of story:

    1.) Crime goes up when the economy goes into the tank and people start losing their jobs. Shocking, I know.
    2.) There are plenty of security companies willing to scare your pants off in order to sell you expensive monitoring services. They will gladly use the statistic above to those ends.

    Oh yah, and we'll throw a "cyber" prefix in front of "crime" to make this look like something new and different.

    • Re:Duh? (Score:5, Insightful)

      by qbzzt ( 11136 ) on Monday January 05, 2009 @05:40PM (#26336409)

      Exactly. It makes sense that crime by unemployed people goes up in a recession. But the main risk in a company's systems being hacked by insiders. If you have an effective termination process, which includes revoking access, laid off ex-employees are no longer insiders.

      However, I'm sure this kind of service is important for some companies, such as Kroll Ontrack, to survive the recession.

      • Re: (Score:3, Insightful)

        by idontgno ( 624372 )

        Well... revoking access is hypothetically a no-brainer. ("Hypothetically" because it's still shockingly uncommon.)

        But a former insider may still know enough about your environment to make an extremely effective blackhat. Not much you can do about that without using a big hammer, a la Catbert, to remove your employee's detailed knowledge before escorting him/her out.

      • Re:Duh? (Score:5, Insightful)

        by Anthony_Cargile ( 1336739 ) on Monday January 05, 2009 @06:11PM (#26336739) Homepage
        Well the article does not say Ex-employees, so that means we should also consider employees still part of the "team" (as my manager puts it).

        In a recession, somebody employed yet still enduring paycuts would probably be somewhat disgruntled too, even if not "terminated" per se (but with terminations all around said employee, or the looming fear of termination imminent). An employee with access to something worth anything would still be able to take it and run, and the possibility of him/her doing so in a recesssion/depression with constant paycuts and the constant threat of layoff is rather high, so this is where it gets hairy - how much do you trust your fellow employees? You can't cut present employees' access!

        Well, now that I've struck fear into the heart of any employers/administrators reading this, I don't think this recession is quite to that point yet, but it may be something to watch down the road if things keep getting progressively worse.
        • Re:Duh? (Score:5, Insightful)

          by Red Flayer ( 890720 ) on Monday January 05, 2009 @06:22PM (#26336851) Journal
          Good point. I'll add that it doesn't take pay cuts to motivate crime of this nature.

          Employees who feel their jobs becoming less secure may decide to take out an insurance policy while they still have access to the important data.

          Regardless of how you treat your employees, regardless of how secure their jobs are, in a crappy economy they may feel that their jobs are insecure, and that may lead them to the dark side.

          Having good security standards and processes will lessen your exposure. Maintaining employee morale will lessen your exposure. In the end, though, as long as one person has access to critical data, there is risk of the data being misused.
        • how much do you trust your fellow employees?

          Not very far.

          Now is the time to make sure that your backup and disaster recovery planning is up to snuff and can deal with malicious intent.

          (It doesn't cover data espionage, however... that's a whole different kettle of fish. But you won't have to worry about espionage if all of your systems have been hacked into the ground and your backups aren't any good.)
      • An effective termination process won't help if the person is aware of flaws. I know of a place which hosts data for many clients who access the data via http. Any halfway knowledgeable employee at any of those clients can easily fashion an injection that could trash an entire db. Yes, I have mentioned this to the place which hosts the data and the response was poo-poo, pish-tush, etc.
    • by Z00L00K ( 682162 )

      Employees being a security risk with computers has been up a lot of times the last decades - about as long as there have been useful computers around.

      So there is no new news on this issue, it's only the methods that are changing a bit.

  • crime also goes up (Score:5, Insightful)

    by thermian ( 1267986 ) on Monday January 05, 2009 @05:36PM (#26336351)

    when employees think their employer is treating them like criminals with little more than dubious and extremely general statistics for proof.

    Its amazing how fast people will start breaking the rules if you start on the premise that they already are, and treat them accordingly.

    • by Chris Burke ( 6130 ) on Monday January 05, 2009 @05:43PM (#26336439) Homepage

      Maybe in some cases, but I actually commit less crime when my company treats me like a criminal, since I figure I don't need to work as hard to get the point across anymore.

    • by nine-times ( 778537 ) <nine.times@gmail.com> on Monday January 05, 2009 @06:17PM (#26336803) Homepage

      That might be true, but regardless it has always been true that employees have been one of the big security risks for businesses. In one way of dividing things up, security basically falls into two categories: denying access to people who shouldn't have access and preventing those who have access from abusing their access.

      Think about a bank, for example. Protecting against bank robberies is one kind of security problem, but it's not really the hardest thing to do. You put things in a vault, lock the vault, install an alarm, hire security guards, etc. The trickier issue is that you have all these employees with access to the money, and if there are no security measures, it wouldn't be hard for a teller to pocket a hundred dollars every now and then. So banks have procedures where the tellers have to do account for the money in their drawers at the end of the day (or whatever the particular procedure is).

      So computer security isn't really much different. Instead of vaults and locks and security guards, we have encryption and firewalls and antiviruses. Protecting against external threats isn't really that hard a lot of the time. Most of the time, the biggest dangers are either directly or indirectly from employees. It's a very tricky security issue to deal with, since you can't "plug the hole"-- employees are *supposed* to have access.

      And when I talk about dangers that come "indirectly from employees", I mean that they might be the source of a breach even if they aren't themselves criminal or dishonest. I've heard hackers say that often social engineering (i.e. getting an authorized employee to give you access) is easier than actually exploiting any security holes.

      Besides the danger of purposeful social engineering attacks, employee carelessness can also leave you exposed. People often choose bad passwords in spite of good password policies, i.e. just because you make them use a 10 character combination of letters/numbers/symbols doesn't mean they won't choose a password that's easy to guess (Passw0rd!!). Also people do things like access a secure webpage in an Internet cafe computer (which might have keyloggers installed for all anyone knows) and then walk out without closing or logging out, or put highly sensitive data on a usb stick and lose it somewhere. Sometimes employees even go through a lot of trouble to pierce their company's security (for example, in order to get Kazaa working inside the firewall) and effectively open a hole to potential hackers, too.

      So overall, yes, employees are a big potential danger to securing your data. A criminally inclined employee can cause lots of damage, but so can a careless one.

      • by Belial6 ( 794905 ) on Monday January 05, 2009 @07:09PM (#26337369)

        Sometimes employees even go through a lot of trouble to pierce their company's security (for example, in order to get Kazaa working inside the firewall) and effectively open a hole to potential hackers, too.

        Companies could go a long way in avoiding this kind of behavior if they didn't fall for the false dichotomy of "Access to everything" and "Work is supposed to suck". I know you didn't say it, but these kinds of articles always bring out the admins that recommend that every machine should be locked down to the point of basically being a kiosk often actually preventing people from doing their job, and rationalize that since "it's the companies" computer, it cannot be used to make work a place people want to go.

        This always gives me images of the bad boss from 9 to 5. After all, how much different is it for a real live admin to tell an office worker that they can't have a picture of their family on their desktop than the fictional manager who told the characters in the movie that they cannot have pictures of their family on their... desktop?

        Businesses regularly spend money to try to make their business a 'good place to work'. There is a huge amount of safe area between "full access to anything" and "treat it like a bank vault". The PC is one of the least expensive ways to improve a work environment. A $2 set of headphones, or even just making sure that the CD drive can play music and let the employee bring their own headphones goes a long way to improving a work environment. Heck, have the admins 'certify' a safe CD ripping app, and you are less likely to have people downloading random rippers from who knows where.

        Most people are going to respect "Music must be ripped using THIS easy to use software so that we can secure against viruses." a lot more than "Music is not allowed in our company". If you take the later route, you have a much higher risk of employees just ignoring the rules and going with Kazaa. Heck, the people that feel they MUST get music from Kazaa will still be safer in that they are more likely to do the downloading from home, and sanitize the files by first converting them to standard CD format, before bringing them to work and re-ripping them.

        Instead of trying to prevent employees from accessing the internet, give them access to virtual machines that have no access to the company network. This makes the path of least resistance be not being a security risk, instead of encouraging people to try and circumvent the companies security AND making work a crappy place to be.

        • Re: (Score:3, Insightful)

          Most people are going to respect "Music must be ripped using THIS easy to use software so that we can secure against viruses." a lot more than "Music is not allowed in our company".

          You know, you could just allow iPods - you could even hand out nanos as an onboarding gift. Solves the ripping problem nicely.

          • Re: (Score:3, Insightful)

            by billcopc ( 196330 )

            Nice idea, but there's one problem: iPods break - a LOT! Not just because they're flimsy, but because they get dropped fairly often, and frankly any company property will get abused more than personal items, because "it's not mine so who cares".

            In my opinion, people can bring their own music, and I would continue to block Kazaa and any other known P2P services at the network level. Bring a disc full of MP3s if you must, or stream them from home/radio/wherever... but opening up P2P will result in a few und

            • by Belial6 ( 794905 )
              I agree, and by allowing them to use their own music, and even going so far as allowing them to stream from legitimate sources, you legitimize your decision to not allow P2P.
        • I know what you're talking about, but as an admin I have to say it: the appropriate place is probably closer to "locked down completely" than "access to everything". That the following issue:

          Most people are going to respect "Music must be ripped using THIS easy to use software so that we can secure against viruses." a lot more than "Music is not allowed in our company".

          Honestly, my problem with people ripping music has never been viruses. Most people just use WMP or iTunes anyhow, so viruses aren't really the issue. The problem I've run into with ripping music in the past is that I get the complaint, "my computer isn't working," and when I check out the situation, the hard drive is

          • by Belial6 ( 794905 )
            I would say that you are discribing yourself as the boss from 9 to 5. Work does not have to suck, and you are saying that if you have to put in any effort, you are going to block them from enjoying being at work. If you wanted to, you could easily find a solution to allow people to have music on their machines AND prevent big problems. Heck, you could go so far as to tell them that music must be on an external hard drive. Then your issue (which doesn't sound real plausible) that you are constantly havin
            • OMG? What did places do before MP3's and computer speakers and CD-audio in computers was common? Cd players, walkmans, and AM/FM radios. Nothing's changed, move on. He's making an intelligent policy, one I happen to agree with. If you let people store their music, soon it's their photo collection, and eventually videos.

              I once had a user filling up a 100G network drive with 25G of home movies he wanted to share with people.

              Well, do it the way your parents did, rent a projector, cook some dinner and invi
              • by Belial6 ( 794905 )

                OMG? What did places do before MP3's and computer speakers and CD-audio in computers was common? Cd players, walkmans, and AM/FM radios. Nothing's changed, move on. He's making an intelligent policy, one I happen to agree with. If you let people store their music, soon it's their photo collection, and eventually videos.

                Really? Really??? What they did was run on IBM XTs, or more often, didn't have computers at all. Is that really what your suggesting? Or are you suggesting that because it might take the slightest bit of effort on your part, the company should not use the equipment that it already pays for to make the work environment more appealing?

                I once had a user filling up a 100G network drive with 25G of home movies he wanted to share with people.

                I once had a user spill coffee on their keyboard. So what! Sometimes people make mistakes. Banning music on PCs because one user put 25G of home movies on a network drive makes about as much sense as banning drinks because a user spilled coffee on a keyboard.

                Well, do it the way your parents did, rent a projector, cook some dinner and invite your friends to your house.

                Are you seriously suggesting that we all start acting like it's the 60's or 70's again? Are you seriously suggesting that we all join in on an honest to goodness neo-luddite movement? Or did you say that because it makes a good sound bite, even though the statement is patently ridiculous. Seriously, you comments simply validate mine.

            • I would say that you are discribing yourself as the boss from 9 to 5

              Er... I don't know what that means, but I never said work has to suck. People can still play CDs on their computers, or they can use their iPods, plug their iPods into their speakers, or whatever. Hell, we even have a few game consoles hooked up to a TV in the office.

              The point is that your computer is dedicated for work purposes, and anything that interferes with that computer's proper functioning has to go away. People filling their drives with MP3s interferes with the computer's proper functioning.

              Bu

            • Heck, you could go so far as to tell them that music must be on an external hard drive. Then your issue (which doesn't sound real plausible) that you are constantly having machines break due to too many music files, would not be an issue

              Ahh but there is an even easier way for a disgruntled user to take confidential data out of the workplace, creating an even bigger security gap. Really, the solution would be to find a happy medium. Enable drive quotas for users, tell them they get X MB/GB of space, they fill it, too bad, THEY need to clear it out/maintain it. They come to you with issues, you tell them that their solution is to delete some non-important stuff. I have been down the road before and while you may piss off joe blow now and th

              • by Belial6 ( 794905 )
                I think the worry of employees taking data is overblown. After all, they can get data out of the building through non-computer means, and we don't want to fall into the "it's on a computer so that makes it totally different than the same thing done on paper." mindset.

                That being said, I agree that your solution of giving them a reasonable amount of drive space for personal files with a drive quota is generally going to be better. I only suggested an external drive because the other admin suggested that
        • Heck, have the admins 'certify' a safe CD ripping app, and you are less likely to have people downloading random rippers from who knows where.

          Most people are going to respect "Music must be ripped using THIS easy to use software so that we can secure against viruses."

          Advocating ripping music on company computers make me wonder if someone couldn't get jammed up. I have got to believe not all of the music ripped would have proper license. I copied a CD from a buddy and then brought my copy into work and

      • ). So computer security isn't really much different. Instead of vaults and locks and security guards, we have encryption and firewalls and antiviruses. Protecting against external threats isn't really that hard a lot of the time. Most of the time, the biggest dangers are either directly or indirectly from employees.

        While I agree with your point overall, I do disagree with this. A key difference is the lack of physical "stuff". I copy a file to a network share, access it randomly from someone's PC that got left unlocked, copy it to a USB stick... it's worse than no evidence, it's incorrect evidence.

        The audit of physical goods (particularly money in a bank) is very comprehensive. The audit of information is much more complex, if not impossible, to maintain in a way that is guaranteed accurate. Unless you prevent hu

        • I copy a file to a network share, access it randomly from someone's PC that got left unlocked, copy it to a USB stick... it's worse than no evidence, it's incorrect evidence.

          That's not incorrect evidence, it's just limited evidence. If you access it from someone else's unlocked computer, then all I know is that it was accessed from that person's computer. Someone who knows what they're doing will know that's the end of the audit trail, and that the information is limited.

          I'm not saying that there aren't interesting aspects of security that are different for computer/network security, but in a lot of ways, it's not much different. Lots of the same principles apply.

      • Re: (Score:3, Funny)

        by maugle ( 1369813 )

        People often choose bad passwords in spite of good password policies, i.e. just because you make them use a 10 character combination of letters/numbers/symbols doesn't mean they won't choose a password that's easy to guess (Passw0rd!!).

        Thanks a lot, jerk. Now I'll have to change my password after you leaked it all over the net.

      • Think about a bank, for example. Protecting against bank robberies is one kind of security problem, but it's not really the hardest thing to do. You put things in a vault, lock the vault, install an alarm, hire security guards, etc.

        What are you talking about? Protecting against bank robberies is nearly impossible these days (here in the USA), and it's ridiculously easy to rob a bank. It's been happening very frequently here in Phoenix. If you want to rob a bank, just do the following: write a note saying

        • Think about a bank, for example. Protecting against bank robberies is one kind of security problem, but it's not really the hardest thing to do. You put things in a vault, lock the vault, install an alarm, hire security guards, etc.

          What are you talking about? Protecting against bank robberies is nearly impossible these days (here in the USA), and it's ridiculously easy to rob a bank.

          If it's easy to rob a bank, it's because their security practices aren't good-- or perhaps aren't designed to stop robberies. In your example, the banks have instituted security policies that are focused on preserving human life, and not securing the money. The idea is that people are less likely to get killed if you give a robber what he wants. They don't care very much about securing the money because, as you said, it's all insured anyway.

      • The danger of password policies is that more is not necessarily better.

        Where I currently work, the policy is letter count, no dictionary words, and must include a number or 'special' character.

        It also requires that it be changed ever 30 days, and starts notifying you the last two weeks.

        Also, there's not much in the way of 'single sign on' despite having an active directory, and thus I have somewhere in the region of 10 different accounts, for various things with various privileges.

        This almost inevit

        • If the validity periods are in sync you could maybe use the same for everything, with exceptions for really important things - a production server, for example.

          Alternatively, don't write the passwords down, but write down clues that only you would get.

          But I agree, most people will write them on a post-it. At least some of them have the sense to hide it under the keyboard.

          • Alternatively, don't write the passwords down, but write down clues that only you would get.

            This is one sure fire way to drive yourself insane, as clearly the parent has.

            Also, nice sig, loser. I am e-famous!

        • I agree. I am actually of the opinion that the setup you describe constitutes a "bad security practice". Changing every 30 days with two weeks notice essentially brings your window down to 2 weeks, and worse still, I bet they have some kind of rule that doesn't let you use any of your last 15 passwords (maybe not 15, but... whatever).

          My solution to too many passwords is to keep them all listed in an encrypted file. That way I only really have to remember the password to the encrypted file, and if I use

      • by guruevi ( 827432 )

        The problem in IT is that somebody could get away with valuables (data) without the original owner (the company) actually losing anything. If the cashier is short $100, that is $100 that the bank doesn't have. If you steal the data from a hard drive, the data is still there, there's now a valid copy elsewhere.

    • Exactly. Treat people like criminals and they will act like criminals.

    • Re: (Score:3, Interesting)

      Its amazing how fast people will start breaking the rules if you start on the premise that they already are, and treat them accordingly.

      You mean like the **AA and their minions do? Or, for that matter, the way Redmond does with its WGA? Or, just maybe, the way the TSA does at the airport?

  • Duh? (Score:4, Informative)

    by starfishsystems ( 834319 ) on Monday January 05, 2009 @05:40PM (#26336407) Homepage
    Move along, people. Nothing remotely new here.

    Now if you want to actually do something to improve security performance, how about establishing some security metrics [informit.com] as a point of reference?
  • by Freaky Spook ( 811861 ) on Monday January 05, 2009 @05:41PM (#26336411)

    People have been around long before computers, and have always been the biggest risk to business.

    Computers have just made it easier for employee's to do more damage, either through malicious intent or just plain negligence.

    Having many SMB clients where cost is always placed over security, its scary just how vulnerable many businesses are to their employee's, from even ignoring the most basic security steps like using ACL's to secure files and basic auditing of file access, or even implementing basic password policies like "Do not give your password, to anyone, ever!"

  • First OnKrack (Score:5, Insightful)

    by Ethanol-fueled ( 1125189 ) * on Monday January 05, 2009 @05:44PM (#26336451) Homepage Journal
    Did anybody else read "Kroll Ontrack" in the summary as "Troll OnKrack"? Seems to describe the people who would buy that crap as well as the users who necessitate it.
    • Did anybody else read "Kroll Ontrack" in the summary as "Troll OnKrack"? Seems to describe the people who would buy that crap as well as the users who necessitate it.

      No I didn't, but your reading of it is much more entertaining.

  • Trust (Score:5, Insightful)

    by drooling-dog ( 189103 ) on Monday January 05, 2009 @05:44PM (#26336455)

    Kroll Ontrack, for instance, will be rolling out a 24/7 monitoring service for its global clients manned from a US location by professionals in early 2009.

    It's a good thing that Knoll Ontrack's employees are all totally uncorruptable, unlike the felons that must work for their clients...

    • Re: (Score:1, Informative)

      by Anonymous Coward

      It's just a PR hit posing as a story. I'm surprised how often /. allows The Submarine [paulgraham.com] to strike the front page as "news".

  • by girlintraining ( 1395911 ) on Monday January 05, 2009 @05:49PM (#26336505)

    So, let me get this straight -- Let's say Super Important Data Stuffs (SIDS) is in a database and as a company you want to protect it. But over 300 employees access that data every day. Evil Bad Hacker comes in and drops a trojan on one of those systems. A few days later, Evil Bad Hacker does a SELECT * FROM... fill in the blank... and in a few minutes it's compressed and uploaded. Super Important Data Stuffs was only 2 GB in size. How does your solution, or any solution, stop this while it's happening? Short answer: It doesn't. But you'll have a fine audit trail to give to the apathetic FBI, who will assure you everything will be done... Before promptly putting it into the circular filing cabinet.

    You want your data to be less vulnerable? Stop having your servers practice unsafe hex with everyone who happens to be in the building. -_-

    • But you'll have a fine audit trail to give to the apathetic FBI, who will assure you everything will be done... Before promptly putting it into the circular filing cabinet.

      i found the solution to that particular problem. They can do the same thing I did when I got broken into last night. Called DHS, told them someone broke in and stole my computer with the Anarchist's Cookbook, Terrorist's Handbook, and plans for a nuclear missile on it.

      I feel very confident that they'll get the culprit...

      [...]

      Uh-oh, I've just come to a horrible realisati

      [NO CARRIER]

    • by hurfy ( 735314 )

      Solved...we don't have enough bandwidth to send that out in less than X hours ;)

      lol, now i have another reason for keeping my vintage DSL connection.

  • by afrop ( 181815 ) on Monday January 05, 2009 @05:49PM (#26336513)

    You're concerned that your employees or former employees will attempt to exploit their insider status to commit crimes against you. The most natural and obvious answer is to hire an entirely separate company, with a whole additional set of employees, and give them insider access to your network.

  • Most companies do have inadequate security, and many pay dearly for neglecting something so essential--they just cover it up so you don't hear about it.

    But using data flows to catch insiders? A doubtful proposition. Insiders would likely steal/sabotage the data they work with daily, so it would be expected to see flows to those people.

    • Re: (Score:3, Informative)

      by plover ( 150551 ) *

      But using data flows to catch insiders? A doubtful proposition. Insiders would likely steal/sabotage the data they work with daily, so it would be expected to see flows to those people.

      Not necessarily.

      In a well-designed system, the data would flow only from the source to the destination, with as few stops in between as possible, right? In the case of credit cards, they would come into a cash register, travel to the authorizing system where they would be sent to an authorizer, then travel to the accounting

      • If your thresholds are set tight enough to catch someone sending an "unusually large" attachment you'd be getting hundreds of alerts a day. It's not that "unusual" behavior can't be detected, it's that it can't be easily classified without a lot more knowledge than the typical automated detection system has (or could practically have). Some of the better solutions take a sample of what you consider to be "private" data and look for that in data flows, so you can hit on specific bits of data moving in ways y

      • I've worked with a system like that, and it was all false positives, all the time.

        The best part is having to determine that everything is a false positive. "This IDS says someone in the bangalore office sent a lot of data to a mail server for the first time. I don't know who it was or how to contact him. Now what?" Meanwhile, the console fills up with 10000 other false positives...

        There's no way to tune. "Larger" does not mean "more suspicious." DHCP is fun, too.

  • Hire a bunch more people outside your business to snoop your network...
    Wouldn,t that result in MORE people potentially tampering with your data, not less?

  • Hi Guys! (Score:4, Insightful)

    by fuzzyfuzzyfungus ( 1223518 ) on Monday January 05, 2009 @06:18PM (#26336805) Journal
    Worried that people with access to your data might steal it and cost you money? Pay us to have access to your network! Don't worry a bit, our office is staffed by American Professionals(tm) just like the ones you are laying off and worrying about! And never mind the fact that, when the marketing hits the fan, a dead-end schlub earning jack-all to do boring work counts as a Professional(tm) if he is wearing a tie with two or fewer stains!

    Seriously. Ok, employees are obviously a potential security risk, they are the ones who have legitimate access to the gates and the keys, of course there is a risk. And, in some cases, you'll get genuinely bad apples, sociopaths, paranoics with bizarre persecution complexes, fred in accounting with the gambling problem, etc. In most cases, though, you are basically just dealing with people. And people will be a lot happier, more productive, and less dangerous if you spend less money on orwellian surveillance consultants and more on them. Does anybody seriously think that an office full of bitter, resentful employees, even under the all-seeing-eye of your consultants is less of a security risk than an office full of more or less satisfied people, with standard, basic, procedures in place(particularly given that, in a lot of cases, somebody with basically no assets can do damage that cannot be repaired and costs more than they could ever repay, even if the lawsuit goes well)?
  • Just spy on your employees 24/7, and their friends, families.. datamine every movement they make and can them if they even think about looking sideways..

    • Just spy on your employees 24/7, and their friends, families.. datamine every movement they make and can them if they even think about looking sideways...

      Are you perchance, a member of the UK Labour Party? Comrade Brown-shirt, is that you?

  • by golodh ( 893453 ) on Monday January 05, 2009 @06:43PM (#26337067)
    The opening post breathes a mentality which seems to pervade US firms. It runs approximately as follows:

    (1) view employees purely as resources (about on level with the printers and the staples)

    (2) use every possible means to make their job manageable for the Human Resources department (which is shorthand "define all tasks in such a way that every individual instantly plug-replaceable by (a) your average worker in the job market with his job title and (b) any of his colleagues, actively remove any individuality, and rather waste someone's talents than allow him to enrich his job")

    (3) use HRM to "Dynamically contribute to optimization of enterprise processes and results" (translation: hire people when they are marginally qualified for their job and let their colleagues educate them, fire 'em the instant they become overqualified and aren't immediately placeable in a higher function, or if they show signs of become tired, bored, jaded, cynical, or if they catch on to what Human Resource Management really means for them)

    (4) use an elaborate system of "who reports to whom", physical access checks and "security" guards, to ensure that people are total strangers in the company they work for with the sole exception of the department they work (this enhances "security")

    (5) determine scientifically that your employees may spontaneously become disgruntled and hostile towards the company they work for (or after being fired)

    (6) determine that the company urgently needs to protect itself from the consequences of its employees becoming disgruntled and hostile

    (7) further plan employees jobs and tighten "security" so that the amount of damage any disgruntled individual below the rank of executive can do is reduced to an acceptable minimum.

    The final step (8) is to spend good money to outsource security and workflow monitoring to establish tight restrictions on what employees can mess up before being physically apprehended. Outside firms have nice glossy brochures that provide your board with plenty of reasons why employees should be treated as detainees rather than as collaborators. Recommending specialized outside firms to cover specific areas of employee containment definitively establishes you as a savvy and professional manager (and keeps you in line for that end-year performance bonus).

    On the other hand, the suggestion of actually treating employees as if they were collaborators confuses simple PR slogans meant for glossy company brochures with actual management. Expecting people to behave civilly when treated like people is naive in the extreme and something no manager with an ounce of professionalism should sully himself with.

    Recognize this mindset? I foresee that work-flow monitoring will become a growth industry.

    • Re: (Score:3, Insightful)

      by owlnation ( 858981 )
      Mod parent insightful.

      So very true. Human Resources Departments are the biggest single barrier to progress on Earth. They are often filled with defective individuals with all sorts of complexes and psychological problems (I wander what percentage of HR workers are clinically obese? High, I'd think). Nobody, nobody, ever wanted to grow up to work in HR. You only work there if you can't do much else.

      They are holding employees back, they are holding whole corporations back back hiring people who fit int
    • by cdrguru ( 88047 )

      A lot of this is B-school and management training simply observing general employment trends. It is very difficult to differentiate between groups of employees, especially nominally professional jobs (like IT people) and folks on the loading dock.

      In the last 40-50 years the folks on the loading dock have seen a loss of unions, guaranteed pensions, guaranteed employment for life, and virtually nothing in return. Trying to explain to people that companies are no longer in a position to offer "employment for

      • by golodh ( 893453 )

        In the last 40-50 years the folks on the loading dock have seen a loss of unions, guaranteed pensions, guaranteed employment for life, and virtually nothing in return.

        Well ... ok.

        Trying to explain to people that companies are no longer in a position to offer "employment for life" or pensions falls on deaf ears. People want assurances.

        Well ... they want them, but they know they can't get them. On the other hand, people have a certain gross labor cost. Part of it goes towards pay, part towards benefits.

  • Remember 2003 (Score:4, Informative)

    by jellomizer ( 103300 ) on Monday January 05, 2009 @07:10PM (#26337387)

    During the time of the big viruses hit. Oddly enough it was when outsourcing became popular for IT staff. A lot of pissed off IT unemployed IT Guys and a lot of location without people local to fix the problems. Create prime virus spreading.

  • Better hurry (Score:1, Redundant)

    by Tubal-Cain ( 1289912 ) *

    One thing companies can start doing is monitoring their networks on an ongoing basis so that they understand the normal pattern of data flow and usage

    Assuming theft isn't already the normal "data flow usage".

  • This reads like something written by someone trying to justify even higher pay for CEOs and Execs who are already too highly paid.

    Seriously, your risk factor decreases the less pay you give your senior staff and the more employees think they are valued as contributing to the company, instead of wage serfs that work for the Pharoah (oops, CEO).

    I've had senior execs ask me to destroy data that shouldn't be destroyed - and I've made sure it got copied. A lawyer would say I stole the data - a smart tech would

  • by Anonymous Coward
    about companies that offshore. These people have the possibility of make LOTS of money by selling what ever they can get a hold of. Verizon Business actually allowed Indians to touch several networks systems including a new one for the federal gov (it is suppose to be off limits, but managers were allowing Indians to come to America for a time and have full access to production systems). That network contains DOD and other groups on it. These foreigners are not stupid. Verizon has horrible internal network
  • by Anonymous Coward

    I figured out some time ago to add cameras to all offices. Then match the camera recordings with logs and suspicious activity. What I found is a lot less suspicious activity. Just the thought that they are being watched, was typically sufficient to reduce the number of people even messing around. It also seems to cut down in the screw around time, if you check browsing activity against the cameras. I also make it well known that that is what is going on. No hiding anything.

    Much cheaper than sticking another

  • by Orion Blastar ( 457579 ) <orionblastar@@@gmail...com> on Monday January 05, 2009 @08:56PM (#26338271) Homepage Journal

    the weakest link in any computer security are human beings.

    I remember reading how some AOL employee took 26 CD-R disks, each one filled with a letter of the alphabet of data tables of AOL customers with phone numbers, addresses, bank accounts, and credit card numbers and passwords. He tried to sell it for millions but got busted by the FBI.

    When I worked for a law firm, there was a department called Litigation Support that changed its name to Technology Services and competed with Information Systems. I was the main developer on a lot of software programs. My machine kept blue screening and crashing, and I installed Black Ice because it looked like someone was sending me the ping of death and ping floods. Black Ice traced the attacks to Technology Services PC systems. When I reported the fact to my boss, he told me to take Black Ice off my system. Then it started crashing again. Eventually it stopped, but I had missed a few deadlines because my computer would crash or freeze up or lose the network connection, and it wasted my time trying to develop programs. Later on I got a bad performance review, but my boss refused to listen to me about hacker type attacks from TS directed at my IP address, despite the proof I had from Black Ice logs. Apparently I think my boss was in on the sabotage because I earned too much money and they wanted an excuse to get rid of me. It really stressed me out, and I had to go on short-term disability and had to suffer from emotional and psychological abuse from coworkers and managers. I developed schizoaffective disorder, and once I came back to work, two weeks later I was fired for being sick on the job. But it all started with denial of service attacks on my IP address.

  • The Board first (Score:3, Interesting)

    by sane? ( 179855 ) on Monday January 05, 2009 @09:59PM (#26338723)

    As has been demonstrated recently, the board of the company is the biggest threat to the continued survival of the company. Not only are many incompetent, they are often woefully out of touch and prone to making decisions to protect their bonuses rather than the health of the company (excuse me while I take the corporate jet to beg for a loan so I can continue to pay my 'bonus').

    What's needed is for an application that looks over the shoulder of each board member and reports back their actions to the shareholders. THAT would be a good place for an external, outsourced company. Monitor the board 24 hours a day and analyse the data flows.

    • as the biggest stock holders probably will be some investment company, they are more then wiling to pocket short term earnings, and then sell their shares and leave the company to die.

      You'd rather need to pay the bonuses not based on the quarterly results, but on the quarterly results in 20yrs time.

  • Protection from the "insider threat" was a selling point for the last two companies I worked at. BTW, I'm looking for work. Hey, if they can slashvertise, why can't I?

  • From the original post:
    "One thing companies can start doing is monitoring their networks on an ongoing basis so that they understand the normal pattern of data flow and usage".

    The important point is not to snoop on each and every employee. Rather it is to "understand the normal pattern of data flow and usage". Which seems like a really reasonable thing to do. How can you detect an anomaly on your network when you don't know what normal is. So Joe is accessing the finance database at 10:00 on a Friday ni

  • Hey, here's a novel concept: Don't treat your employees like crap, and they're less likely to treat you that way. (not a common idea in American Big Business, I know...)

Some people manage by the book, even though they don't know who wrote the book or even what book.

Working...