Revenge of the Laid-Off Techies

Angry ex-employees can do real damage to your company's computer networks. Here's how to make sure pink slips don't lead to meltdowns

By Alex Salkever

These are busy times at the FBI's San Francisco office, home of the most active computer-crimes unit in the country. Thanks to the availability of automated tools that can wreak havoc on the Web, investigators there are seeing increasing reports of malicious hacking. The FBI is also seeing rampant insider hacking, which accounts for 60% to 80% of corporate computer crimes, according to consultants such as Gartner Group.

As layoffs at technology and manufacturing companies continue to climb, more and more disgruntled former employees are attempting to damage or break into their former employers' networks. "It has definitely been on the rise. We have had more referrals to and complaints from victim companies," says Andrew Black, a special agent in the office.

The FBI can't reveal the exact number of such cases, and getting an accurate tally of these attacks is problematic. Companies often don't report such crimes, preferring to deal with private security companies rather than air their dirty laundry. But Black and others around the country say the trend is sharply upward and could spike further.


  Pink slips have always engendered bad feelings and, on occasion, irrational acts. What's different now is the Internet and the increasing ubiquity of computer networks. During the last economic downturn, in the early 1990s, a far smaller percentage of employees used corporate computer networks. Furthermore, companies employed fewer workers who had the technological knowhow to do any real damage to an enterprise beyond trashing their own desktop machine or sending out angry e-mail.

But these days, "many companies are reliant on their employees having access to their networks," points out Black. In 1990, a company might have had a few system administrators and a handful of other technically savvy personnel, whereas now they employ firewall engineers, database engineers, router operators, Java programmers, and many other technically proficient specialists. Any one of them might possess sufficient knowledge to do serious damage.

"If somebody who has access to one PC gets laid off, they can't do all that much. If you're thinking of downsizing your systems people, your risk factor goes up dramatically," says Alan Brill, a senior managing director in the information security group at Kroll Associates. "You're dealing with people who have the access and the knowhow to do serious damage."


  What to do? While every company should have a computer-security policy in place, preparing for layoffs is particularly difficult. Companies would be wise to review those policies and make a checklist of actions they can take to lock down their system if they plan to cut employees. Brill recommends that companies make a complete system backup before they begin the layoff.

That backup has a dual purpose: It could help companies recoup if they're viciously hacked, and because a backup allows a company to pinpoint where changes in its network have occurred, it could serve as forensic evidence in a criminal or civil case. "That backup should be safely stored under the control of a highly trusted employee or put in a vault somewhere," advises Brill.

Companies should also think about changing passwords frequently and auditing all active and inactive accounts on the system -- especially after a layoff. "You have to do an inventory to make sure laid-off workers don't have accounts you didn't know about. And you have to change all the passwords -- not just the system passwords but also the router passwords and the firewall passwords," says Brill.

Experts don't recommend going as far as to change Internet addresses of company servers. "That can cause more disruption than its worth," says Victor Wheatman, a vice-president and research director at Gartner.


  Companies might want to also consider employing any of the many access-control technologies on the market today. Netegrity and Camelot build systems that can, to a degree, read user behavior and spot seemingly aberrant use by examining what parts of the network users access and what they do there. "With our system, if a user leaves the company and their account remains inactive for some time, it will automatically be blocked," says Moti Dolgin, Camelot's general manager for the Americas.

Companies often extend courtesy services to departing employees, such as giving them access to company e-mail. That's a nice gesture, but "...if there are courtesy privileges extended, limit them to the ones that aren't that dangerous," advises Wheatman. For example, firewalls or any centralized file-server systems should be off-limits.

Does all of this sound pretty callous and unfeeling? Perhaps. Most employees getting fired need help, not a suspicious eye and a bum rush out the door. But a few rotten apples can wreak havoc, so erring on the side of caution makes sense.

Salkever covers computer security issues twice a month in his Security Net column, only on BW Online

Edited by Douglas Harbrecht

Before it's here, it's on the Bloomberg Terminal.