For many small companies, the IT staff is a single person or even a consultant brought in to handle the business’s computing upkeep. Either way, the question of what your IT person knows about the inner workings of the company is well worth asking–because the IT person may know far more about your company, employees, and personal information than you ever thought possible.
Take a look at your server room or server closet, and you’ll probably see a bunch of white, gray, and black boxes, lots of wires, and a swarm of blinking lights. If one box was surreptitiously monitoring every piece of data that entered or exited your Internet connection–phone calls, video chats, AIM messages, and so on–could you identify that piece of hardware? What if it was the size of a wall-wart-style power supply, like the one for your home DSL router? What if it wasn’t in that room at all, but was tucked above a ceiling tile?
One of the few ways to protect your sensitive Internet traffic from being sniffed and reconstructed is to use SSL-secured websites, especially for logins. If you happen to hit http://somewebsite.com and log in during the day, someone snooping on the network will know your username and password. If you use https://somewebsite.com or if the site is smart enough to force logins through SSL, that information will be encrypted. However, many other Internet activities have no SSL option, and they’ll remain open for inspection.
When an IT person works on your PC while you’re at lunch, it’s a snap for them to install a software or hardware keylogger that records and relays to them, via any number of methods, every character you type. No form of encryption can defeat this type of snooping.
The Real Deal
By using those simple methods, a nefarious and skilled IT pro can easily collect data on every transaction that crosses your network. In fact, the same device could also run code that fishes through company file shares–password-protected or not–for keywords and email messages of interest to someone offsite.
And about that ceiling tile–would you know if a Wi-Fi access point with a hidden SSID was tucked up there? Such a setup would enable a person to park across the street and access the Internet through your corporate Internet connection and wreak all kinds of havoc without leaving a trace. Having the feds show up to ask about child pornography traced to that location isn’t something that any business wants to endure, but it’s amazingly simple for a malicious IT person to execute that very scenario in just about any business that has an Internet connection.
That’s why you need to be able to trust your IT person or team implicitly. There’s simply no way for a nontechnical business owner to know what the company’s IT folks are actually doing with their network and servers.
The point of this warning is not to sound a hysterical alarm and spread fear or uncertainty; it is simply to note the truth. The scenarios described above are extremely easy to implement, and they are undoubtedly happening in businesses all over the world right now, without anyone else in the company having any inkling of what is going on. Usually, sinister IT practices are uncloaked only when a different IT person or consultant arrives without warning to the treacherous IT person.
Many stories detail the misbehavior of IT people who have gone rogue and done everything from stealing and selling company data, to planting logic bombs in company servers that permanently cripple a business. The latest public example came out just a few weeks ago when disgruntled IT admin Walter Powell used keylogger data to hack back into his previous employer’s network and inflict some $80,000 worth of damage, including causing a pornographic image to appear on the conference room television during a PowerPoint presentation at a board meeting.
Trust but Verify
The only way for a small company to protect against this type of internal threat is to use an outside consulting group to audit its network regularly. Many large and small outfits perform this type of work, with wildly different costs, skill sets, and degrees of effectiveness. You can always call IBM or EDS, or go with a budget-friendly smaller firm. As when hiring any other prospective services provider, it pays to get plenty of references first.
The audit should consist not just of physically inspecting all computing resources, but also of performing a Wi-Fi scan to detect rogue access points, and of running scanning software on each PC (or at least a random number of them) to look for keyloggers and the like.
Of course, if you resort to these auditing measures, you send your in-house staff the clear message that you feel you can’t trust them, which can hurt morale and may even cause the IT suspect to implement extraordinary methods to find out why you’re being “overprotective” of your network and what you’re trying to hide.
Perhaps the best way to handle the situation is to be frank about it. Discuss the security need for a second set of eyes on the network, and emphasize that bringing in an outside group to do security audits is in your IT department’s best interests. After all, if your network does get compromised, the outside company responsible for testing the network and pronouncing it secure must shoulder a substantial amount of the blame for failing to identify the vulnerability.
In a small or medium-size business, being able to trust your employees is vitally important, as is being able to navigate a sensible course between budget constraints and the potential for future problems. Consider yourself very fortunate if your IT group has earned your complete trust, and you can confidently say that you don’t have to worry about this problem.