Into each IT department, some turkeys must fall. You do the best you can to screen employees before you hire them so that you get people who are competent, well-trained, and committed, but occasionally you make a mistake. Sometimes you hire someone who just doesn't work out. Eventually, you get rid of that person. You issue a department-wide email using the phrase, “pursue other career opportunities,” you change passwords, you delete administrative access, and you breathe a sigh of relief.
Don't sigh too deeply just yet. An incompetent, discontented, or malicious employee often leaves a trail of problems. Some of them will be obvious (which is why you got rid of the person in the first place), but other issues are likely to stay hidden until they rise up to smack you, usually at a highly inconvenient moment.
After letting the turkey go, most IT managers focus on security issues, which is where you've got to start. (See below for some security-related things to do.) But the problem here usually isn't malice. Most failed employees aren't malicious. They're just incompetent, lazy, uncommitted, or trying to slide by with the minimum work.
As a result, in addition to the security issues, you need to discover what the turkey was doing – or not doing.
Don’t Trust Anything the Turkey “Finished”
“In simplest terms, it's a matter of checking to see if things have been done or not,” says Ben Nettleton, content management and IT support at Global Healing Center in Houston, TX. “I can recall one situation where, after the person had moved on, we took a look at his To Do list. We found tasks that weren't done, which was a surprise because they were marked as done on his To Do list.”
IT compliance consultant Fredrick Trevor, of Frederick Trevor Consulting in Pleasanton, CA, agrees. “When someone does sloppy work, they may do fifty percent of the work that needs to be done, but not the other half,” he says.
The problem is the work that doesn't get done is usually the least obvious.
In examining the ex-employee's work, everything may look more or less okay on the surface, but underneath are major, nasty problems. These are the ones can rise up and bite you in the butt. The person added new users to the system as required, for instance, but for the past few months he didn’t bother to delete old users or close their accounts. If you're paying for your software licenses on a per-seat basis, this can get very expensive.
Don’t trust anything that the ex-employee did that relies on automation, anything that should happen on its own. Backups are an area that can cause serious problems. If the employee had responsibility for any backups, they need to be checked. “Make sure your backups are working,” says Gary Howe, a consultant based in Denver. “Are they actually working and not just firing off without any error messages? Until you do a restore, you don't know if you've got a functional backup,” he points out.
It's also important to check any outside relationships in which the former employee might have had a part. “Contracts are a big thing,” Howe says. “We had a woman in a previous position who had signed a multi-year contract. For a single T1 line they were paying $450 to $500 a month. Here in Denver, you can get a T1 for $200 a month.” Malicious? Probably not, but it was expensive nonetheless.
Often these employees took the easy way out, even if it was sub-optimal. For example, the person may have registered the company website in her own name rather than the company's, or may use his personal information in the WHOIS listing.
Optimizations are another vulnerable area, particularly if it was a database administrator you let go. It's easier for a bad employee to not bother with optimization – or even to take the time to set up a database correctly. This last is particularly troublesome; with databases, many of the “easiest ways to do things” run the company over a cliff as the number of entries grows, causing a drastic slowdown in performance. You may not realize this until months after the employee has departed… whereupon you want to bring her back in just to fire her all over again.
The basic lesson here is to go looking for trouble in the wake of the departed employee. Don't assume that he did everything he was supposed to, or that he did it efficiently.
This is particularly true, Nettleton says, of the last few months of the employee's tenure. “For that window of time, just take a look at anything that has autonomy involved,” he says.
The Obvious – and Not-So-Obvious – Security Sweeps
Then there is the whole area of security. “Take the appropriate steps to make sure the employee who's been let go cannot do any harm,” says Trevor. “That's the most important thing.”
In addition to deleting the ex-employee's account and removing administrative passwords and such, it's a good idea to go an extra mile with IT employees. That include running perimeter and server sweeps looking for processes or open accounts.
“Change all your passwords,” says Trevor. It's not a bad idea to have users change passwords as well, since many users unthinkingly give their password to anyone from IT who asks for it. “Make sure you have all the (physical) keys,” he adds.
Protecting outsourcing, vendor, and customer relationships is important as well. Inform all your contacts that the ex-employee is no longer with the company and is not entitled to any access.
Not all the security holes left behind are malicious. Some will be the result of sub-standard performance. The application the ex-employee was maintaining may run fine, for example, but the turkey didn’t add patches as they became available. If you don't look, you're likely to find this out when a bad guy drives through the big gaping holes in the un-patched application's security. Another common situation is that the ex-employee installed a desktop access program to make the job easier, whether or not the software was approved by IT.
And, of course, in some cases there is malice. This may not be common, but it's what keeps IT administrators awake nights. Someone who has been on the inside and had access to your system can be a lot more clever and more destructive than J Random Hacker who's trying to break in from the outside.
The good news is it's getting easier to spot malicious activity, thanks to new software. “This is becoming a lot easier to manage, because a lot of companies are installing robust data loss prevention systems,” says Gary Bahadur, CEO of KRAA Security in Miami, FL.
Don’t limit yourself to the obvious security holes. “For one of my clients, we were called in right after an IT admin left, and did a checkup,” Bahadur says. “All the perimeter devices seemed to be OK, the key servers were OK, but then we ran a basic ping sweep. A new desktop popped up in the department. Since all department systems were known, this seemed very suspicious. We tracked it down to under an unused desk. It was a desktop, covered by papers and boxes. It was allowing remote access to the network by running GotomyPC, letting that ex-employee get past all the firewall rules and access controls.”
“It was something so easy to do that could really have led to a major compromise of the network,” Bahadur adds.
While acts of malice by ex-employees may be rare, it can't be taken for granted that they won't happen. “I think most people who get called out (i.e. let go) probably just want to let it be,” says Nettleton. But he adds, “Would I inherently trust someone to do that? No.”
What practices have you learned, after the turkey is gone? Let’s talk about them in the comments.