The bitter reality of tough times can be made more sour by bad relations with the employees who can do real damage
So, you're an IT manager and you've just received the news that with the economic climate being what it is, you're going to need to cut costs. One of your network administrators has to go.
Do you think about how you can make this process easier for you and your colleague? Or do you, and should you, be thinking about how well you really know your employee?
In San Francisco this year, a disgruntled systems administrator facing the boot from his post at the city's department of technology apparently managed to lock the city out of its IT network. The sys-admin, Terry Childs, allegedly created a super password for San Francisco's new FiberWan network, which provides access to confidential databases including payroll files, jail booking records and law enforcement documents – a move that could cost the business more than £670,000 in upgrades, consultants and repairs to undo the damage.
Letting go of someone with high IT privileges, then, could come back to haunt you. As the credit crunch continues to hit, businesses are starting to face the facts and make staff cuts.
As redundancies continue, IT provision will be viewed as expendable, while other companies will look to outsource IT departments, with independent suppliers offering competitive rates in the face of the economic downturn in June, July and August 2008. The number of unemployed increased by more than 150,000 to 1.79 million – the highest rise for eight years – and union leaders are already predicting that two million will be out of a job by Christmas as a result of the ongoing crisis in the financial markets. The number of redundancies saw an even more dramatic leap, growing by almost a quarter to 147,000.
Many of these redundancies are taking place in the financial sector where data security is an essential part of everyday life. But with key players in the field such as Citibank getting rid of 75,000 workers this year alone, you have to wonder if work relationships are well maintained enough to avoid any dramatic parting gestures from embittered soon-to-be ex-employees.
This is especially pertinent when you consider the recent survey by Cyber-Ark revealed that 88 per cent of IT administrators would steal valuable and sensitive company information if they were fired tomorrow.
Now, whether those figures accurately represent what's happening in reality we don't know, but they are worrying enough to make IT managers stop and think about their redundancy procedures, should they have to put them in place.
Possibly the most worrying aspect for businesses is this: when redundancies are in the pipeline, there is usually a period of ‘at risk' notification for the employee before their role is terminated.
If the person being let go is a system administrator with high levels of IT privileges and a seething mass of resentment for management, how can you ensure that your soon to be ex-employee won't attempt some risky business of his/her own?
Answer: You can't. You can't monitor their activity on the network or PC, as they are the ones with complete control over it and your systems.
You can't remove their admin privileges, as that effectively makes their role immediately redundant. You can't just send them home, as many workers now have remote access to servers and could do a fair bit of damage from the comfort of their armchair.
Furthermore, even when their contract has ended and their system rights have been removed, the employee may have the hacking skills, alongside the acquired knowledge, to inflict further damage on the business.
So what's the moral of the story? Build good relationships while things are going well, or regret it later.
However, no matter what the circumstances of redundancy, and how unavoidable they were, there will always be someone who bears a grudge – and when times are hard, the last thing any business needs is a potentially devastating systems failure.
Ken Munro is director of SecureTest, the penetration and security testing division of NCC Group. email@example.com