A member of the IT security department is terminated for poor performance. He goes home, angry, annoyed and frustrated. He has a drink or two and really gets worked up. Being a computer systems expert, he decides to see if he still has access to his former employer's network. So he goes online and tries to log in. Sure enough, he has full access to every system and every file on every system. Amused, he pours himself another drink.
He realizes he feels entitled to a little revenge. So he deletes every file and every application that management needs to perform their jobs. He deletes spreadsheets, memos, letters, network accounts, everything. He knows the impact this will have on the company, because he was the one responsible for doing backups of these systems, and he hasn't done a complete backup for weeks.
The next business day, management realizes they have a significant problem. The IT security guru sobers up and realizes he forgot to delete the log files that reveal his activity. He gets arrested. Does the company have the last laugh? No, because their data is destroyed, and now they have to spend thousands of dollars manually recreating it.
Everyone's a Threat
Although IT professionals can have easy access to corporate systems, they are not the only ones who can have an impact on corporate data when they leave an organization. Imagine a chief technology officer who has worked his way up through the ranks of his company for eight years, taking roles in numerous departments with varied responsibilities before reaching his current position. He is trusted by his employers, and they grant him access to everything. He has keys to the front door, the elevators, the network operations center, the telecommunications closet, storage closets and a handful of offices. And if he does not have the key to a particular office, he has a key to a lockbox that holds the keys to every office and file cabinet.
He designed, installed and configured the computer network. He still has administrator rights on all systems. He has a company-supplied laptop and he has permission to work on projects at home on his own computer systems. In fact, he has copies of every document he ever created burned to CD and stored on his home office computer. He also has a company-supplied cell phone and PDA. He knows the work habits of other key employees; he knows that the president of the company is always in the office on Saturday mornings between 10 a.m. and noon.
What would happen if this man were terminated and all company property were not collected immediately upon his termination?
- He could enter the facility after hours and delete every file on every network server the company owns (after destroying every backup tape).
- He could enter a storage room and destroy all client files and information.
- He could enter the accounting department and steal company checks.
- He could sit at home and disseminate proprietary information to competitors (and his previous employer would never know).
- He could modify the company Web site so that it appears to adverise a business specializing in the taxidermy of family members.
- He could change the passwords for all system administrators and then uninstall all network printers. Everybody could still log in to the network, but they couldn't print, and the system administrators would not be able to log in to fix the problem.
- He could enter the business on a Saturday morning and kill the president of the company.
Although some of these possibilities are the result of my overactive imagination (a member of law enforcement once said to me, "I'm really glad you're on our side."), some of these are based on incidents that have actually happened. Despite these eye-opening scenarios, many businesses do not have adequate mechanisms in place to recover all company-owned property when an employee leaves an organization. In addition, many also have no mechanism to immediately disable network access.
Protecting corporate data and employees when a person leaves the company requires a team approach. Methods and team members will vary depending on the organizational structure of the company, but the concept is still the same. When a person is going to be terminated the following groups should be involved: human resources, the legal department, IT/IT security and physical security/loss prevention.
The human resources department can provide guidance on what should and should not be said during a termination meeting. Although this does not directly protect data, it can help minimize the possibility that the termination meeting will further anger an already upset employee. There is nothing worse than telling a employee who has just lost his or her job, "It's OK, this is probably the best thing that could have happened to you." Statements like this can push a despondent person into acts of revenge or retaliation.
Depending on the organizational structure of a company, the HR department can play a critical part in the termination process. In many organizations, personnel files include an inventory of company-owned equipment and devices assigned to employees. If this is the case, the HR department should ensure that all company-owned equipment is returned in a timely fashion. Some companies will withhold an employee's final paycheck until equipment is returned. It is recommended that HR check with the legal department or in-house counsel prior to withholding a paycheck. This may or may not be possible depending on local laws and the terms of the employee's contract.
The legal department can provide insight on how to prevent or minimize legal retaliation on behalf of the terminated employee. This can significantly reduce the costs associated with a wrongful termination lawsuit. The legal department will understand the enforceability of numerous company policies and employment agreements. They will be aware of what should be done should it be determined that an employee is in violation of non-compete, non-solicitation or non-disclosure agreements.
The legal department may also decide to preserve the employee's electronic data, specifically the desktop hard drive. Some companies either make a forensic image of the drive or simply remove it and store it in a safe. This will allow the firm to have a pristine copy of the drive should litigation ensue or if investigation is needed to determine an employee's activities. A forensic examination of the hard drive can determine
- an employee's activities on his or her last day of employment;
- whether the employee conspired with a competitor to steal proprietary information;
- whether an employee documented the theft or diversion of corporate funds; and
- if employees conspired to use company resources to start their own business.
It might also be prudent to save or archive backup tapes that contain data created by the employee.
IT/IT Security Departments
The information technology department should be notified immediately upon the termination or departure of an employee. They should disable all network accounts, including access to corporate e-mail systems and databases. This should be a priority and should be addressed immediately, not when the IT staff gets around to it.
Another issue that should be addressed is how to ensure that proprietary company data and software is removed from home computers. This can be an interesting issue, and one that is adequately addressed by only a handful of companies. A policy should be developed for employees that are going to be working at home, and it should describe what methods will be used to remove corporate data from home systems when the employee leaves the firm. This can range from having an employee sign a document stating that all company-owned information has been deleted, to something as complex (and invasive) as having the IT staff visit the employee's house to verify that corporate data no longer exists on home systems.
Physical Security/Loss Prevention
The physical security team should be a part of the departure process to prevent terminated employees from having physical access to facilities including parking garages, data centers and remote properties. This team should supervise terminated employees that are cleaning out their offices and ensure that no access is allowed to their computers. The physical security team will often escort terminated employees to their cars and can distribute photos of terminated employees to various departments and facilities, asking to be notified if any of these employees is seen on company property. It is important to recognize that a skilled technical person can take over a computer system or network if he or she has physical access to computer equipment, even without a valid user ID and password.
Don't Just Hand It to Them
Not using the team approach is only one mistake companies make during the termination process that can jeopardize corporate data. Another critical mistake is allowing employees to continue working for a period of time after they have been notified of their termination. Many companies will provide a two-week notice out of sympathy. Many employees will use this two-week period to not only finish up current projects, but to siphon off corporate information.
One company that gave a lead design engineer this type of termination option wondered why he spent the last week of employment burning CDs. It later learned that he was copying all the design materials he could find for new products, which he eventually sold to a competitor. If a firm wants to show some kindness to an employee, it may continue paying a salary for a period of time, but it should eliminate access to corporate information immediately. Even loyal and honest employees may not be able to avoid the temptation to steal information once they know they are terminated. This pending termination issue should also be considered by companies facing staff cuts, mergers or acquisitions. Employees that are suddenly faced with the loss of a job may start collecting company information just in case their position is terminated.
Know Your Enemy
Another mistake companies make is underestimating the computer expertise of their employees. An employee who apparently does not know how to efficiently use a computer may learn some additional skills when faced with the loss of a job, just to be able to steal information. That said, the biggest threat to corporate systems is the termination of an IT or IT security staff member.
The corporate culture of many organizations provides free reign to the IT staff. The IT staff often performs unsupervised with no checks and balances in place. In many companies, if you asked a member of management what the IT staff did, they would reply that they have no idea. This is a dangerous position for management, since the IT staff often has control over the company's most critical data and systems.
IT staff members, depending on their job responsibilities, can have administrator rights on all systems and devices, which means they have full control of a system. If you terminate a technology professional, it is sometimes necessary to hire a third party to verify that the company has removed all rights and access to a terminated IT staff member. This may include "cracking" the employee's password and changing it, especially if he is the only administrator of a system. Third parties can also look for back doors on systems that might have been placed there by a technology person prior to his or her departure. This can be tough to orchestrate and can sometimes require the third party to disable access to a system while the technology professional is in the termination meeting. Prior planning in this type of situation is critical.
Protecting corporate data requires a layered approach, a concept often referred to as "defense-in-depth." Properly handling terminated employees is part of this approach. Many companies have excellent mechanisms in place to protect their proprietary information, but their efforts are futile if the termination process pokes holes in their security systems. An organization needs to recognize that once an employee is terminated, his or her loyalty to the organization ends. This is true regardless of how long the employee was employed by the firm or how amicable the termination appears to be. As soon as employees are terminated, they immediately ask themselves, "What do I do now?" or "What's next?" Their focus shifts to other employment opportunities, and this change of focus can cause them to ask, "What can I take with me to help me at my next job?" If security professionals keep this in mind, they will be taking the first step in protecting corporate data from terminated employees.
John Mallery is a managing consultant for BKD, LLP, one of the ten largest accounting firms in the United States. He works in the Forensics and Dispute Consulting unit and specializes in computer forensics. He is also a co-author of "Hardening Network Security" which was recently published by McGraw-Hill. He can be reached at firstname.lastname@example.org.
This article was published in the March 2005 issue of ST&D magazine.