Have you ever wondered what damage a disgruntled IT employee could do?
Actually, employees don’t even have to be disgruntled to do a lot of harm. A single upset, disturbed or simply bored worker with only average tech skills can easily inflict millions upon millions of dollars of damage with only a few keystrokes.
And while it doesn’t happen every day, it does happen, even though in nearly all cases it could have been prevented with relative ease.
In late April, a systems administrator from Tucson, Ariz., was sentenced to 33 months in prison for sabotaging the servers his former employer, a cloud computing service company, used to handle its clients’ IT operations. Jonathan Hartwell Wolberg had worked for an unnamed cloud provider based in Virginia.
Reports did not go into detail about why Wolberg did what he did. But according to a federal grand jury indictment handed down against him last August, Wolberg resigned from his job sometime in early 2012 but continued to access the company’s networks in order to damage its servers from approximately March 16, 2012, until approximately August 1, 2012. While monkeying around inside the company’s system he logged into and shut down a key data server. He also encouraged the company’s customers to change providers.
Among those damaged was RevSpring, a healthcare billing vendor based in Wixom, Mich., one of its key clients, the University of Pennsylvania Health System, and more than 1,000 of Penn Medicine’s patients who received wildly inaccurate bills.
After an FBI investigation and the federal grand jury proceedings, Wolberg admitted to intentionally causing damage to a protected computer rather than go to trial. He’s now scheduled to get out of federal prison in 2017.
Damage Can Last Longer Than Punishment
But the damage done by disgruntled IT employees like Wolberg typically lasts longer than their prison sentences, assuming they’re even caught, prosecuted and convicted (and many aren’t). For those Penn Medicine patients already having to deal with big medical bills, getting things sorted out will take months while their credit reports remain compromised by what would appear to be non-payment of big bills. Penn Medicine’s embarrassment is nothing compared to the administrative costs associated with straightening out the mess and getting paid late. And RevSpring, in addition to being potentially liable under any legal actions Penn Medicine and its patients might bring, has suffered a huge blow to its reputation that could damage its ability to compete effectively in the future.
As for the cloud provider for whom Wolberg worked? Federal prosecutors judged – rightly, perhaps – that the potential damage to its reputation was so great that they chose to keep the company’s name secret.
This one event – which is far from the only example of such breaches perpetrated by current or former employees with ill intent – highlights one of the concerns that have kept many companies from tapping into cloud services. And while such IT outsourcing arrangements create greater opportunities for employee-related IT sabotage, companies who handle some or all of their own IT work are vulnerable too.
What Can SMBs Do to Avoid Such Problems?
So what are small and midsize businesses to do if they can’t trust their providers to keep the hardware and software on which their company depends safe and secure? For that matter, what can they do on their own to make sure one of their own workers or former workers doesn’t do the same thing to their IT systems that Wolberg did to his company’s?
Well, there are some basic, simple steps to take. The most obvious step is to monitor those employees who have access to key software, data and processes to make sure they don’t become angry, disillusioned, bored, frustrated or disgruntled in the first place. That’s a primary management function that has obvious implications for IT security management.
And if you’re shopping for an IT managed services or cloud provider, this isn’t just a legitimate question to ask potential vendors. It’s imperative to ask the companies you’re interviewing for solid proof that their employees are happy and motivated in addition to being skilled.
The reality, though, is that companies will always have some employees who for reasons that might or might not have anything to do with how they are treated by their employers simply aren’t happy.
So small and midsize companies need to have strict procedures for closing off disgruntled, unstable, or angry employees’ access to key systems and data. And they need to seek proof from current or potential vendors that they do likewise.
That goes beyond merely disabling their basic passwords – something many companies these days still, amazingly, fail to do. They also must block any access such employees or former employees have to more deeply embedded, supposedly protected systems. That’s because if the employee had the skills necessary to have such clearances in the first place, they probably have the skills to quickly get around having their basic password shut down so that they can continue accessing particularly sensitive systems and data.
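To make that point concrete, here is an added example (not from the original article or any vendor) of an offboarding audit that looks for the access a departed administrator keeps after the password is disabled: a live login shell, sudo rules and privileged-group membership, SSH keys planted in other accounts, and scheduled jobs. All inputs are constructed samples standing in for /etc/passwd, /etc/sudoers, /etc/group, authorized_keys files and crontabs, and the username ex_admin is a placeholder.

```python
"""Offboarding audit: access a departed user keeps after the password is
disabled. All inputs are constructed samples standing in for /etc/passwd,
/etc/sudoers, /etc/group, authorized_keys files and crontabs; the username
ex_admin is a placeholder."""
PASSWD = """root:x:0:0:root:/root:/bin/bash
ex_admin:x:1001:1001::/home/ex_admin:/bin/bash
backup:x:1002:1002::/var/backups:/usr/sbin/nologin
"""
SUDOERS = "root ALL=(ALL:ALL) ALL\nex_admin ALL=(ALL) NOPASSWD: ALL\n%admin ALL=(ALL) ALL\n"
GROUPS = "admin:x:27:alice,ex_admin\nusers:x:100:alice\n"
AUTHORIZED_KEYS = {  # path -> file content
    "/root/.ssh/authorized_keys": "ssh-ed25519 AAAAC3KEY1 ex_admin@laptop\n",
    "/home/alice/.ssh/authorized_keys": "ssh-ed25519 AAAAC3KEY2 alice@desk\n",
    "/var/backups/.ssh/authorized_keys": "ssh-rsa AAAAB3KEY3 backup-job\n",
}
KNOWN_KEYS = {"AAAAB3KEY3"}  # key material issued to ex_admin (from key inventory)
CRONTABS = {"/var/spool/cron/crontabs/ex_admin": "0 3 * * * /opt/cleanup.sh\n"}

def residual_access(user, known_keys, passwd=PASSWD, sudoers=SUDOERS,
                    groups=GROUPS, keys=AUTHORIZED_KEYS, crontabs=CRONTABS):
    findings = []  # empty list means nothing was left behind for `user`
    # 1. A live login shell: a new password or key would restore access.
    for line in passwd.splitlines():
        f = line.split(":")
        if f[0] == user and not f[6].endswith(("nologin", "false")):
            findings.append(f"login shell still set: {f[6]}")
    # 2. Direct sudoers rules, plus membership in groups granted by %group rules.
    priv_groups = set()
    for line in sudoers.splitlines():
        if line.startswith(user + " "):
            findings.append(f"sudoers rule: {line}")
        elif line.startswith("%"):
            priv_groups.add(line.split()[0][1:])
    for line in groups.splitlines():
        name, _, _, members = line.split(":")
        if name in priv_groups and user in members.split(","):
            findings.append(f"member of privileged group {name}")
    # 3. The user's SSH keys in ANY account's authorized_keys: match on key
    #    material from the inventory, with the user@host comment as fallback.
    for path, content in keys.items():
        for line in content.splitlines():
            p = line.split()
            if len(p) >= 2 and (p[1] in known_keys or
                                len(p) > 2 and p[2].startswith(user + "@")):
                findings.append(f"ssh key in {path}")
    # 4. Scheduled jobs run as the user keep running with no login at all.
    for path in crontabs:
        if path.rsplit("/", 1)[-1] == user:
            findings.append(f"crontab: {path}")
    return findings
```

Run against the sample data, the audit reports six leftovers for ex_admin, including the key hidden under the backup account, which a password reset alone would never have touched.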
Just as it’s wise not to deposit cash and other valuables in a bank you’ve never seen and whose officers you’ve never met face-to-face, it’s not wise to store or process key data with, or to tie your company’s operations to, the systems of a third-party managed IT services vendor that you’ve not checked out thoroughly.