For a different take on this story, check out Sue Marquette Poremba’s post, “‘Developer Bob’ Highlights Importance of Monitoring Network Logs.”
The story, as posted at Help Net Security and elsewhere, is pretty funny: A company called in Verizon’s Risk Team when they noted an open VPN connection between the computer of a trusted teleworker and Shenyang, China. The presence of malware was the very reasonable suspicion.
In turns out that the teleworker was outsourcing his work to contractors in China. He had sent his RSA token to his “employees” and was paying them about one-fifth of his six-figure salary. It may not even have been the only company upon which the individual – identified in press reports as “Bob” – pulled the scam. The funniest part is that Bob spent his days chatting on Facebook, shopping at eBay and otherwise wasting his time.
The story generated a decent amount of reaction. A Forrester analyst – who, like Bob (but for presumably different reasons), is not named – blogged at ComputerWorld UK that despite the “terrible security implications” of what he did, it should be noted that Bob was delivering superior products to his employer. Moreover, though the blogger doesn’t say it precisely this way, he or she implies that telework, BYOD, the encouragement of innovation and other pillars of contemporary work technology and networks could make Bob a visionary in some folks’ eyes.
A reaction piece at The South China Morning Post cited a pro and con reaction. It’s interesting that the reaction – at least as related in the story – didn’t deal with the moral and ethical implications of Bob’s big adventure:
In a world where economic and trade relationships have been shaped by outsourcing and delegation including, ironically, that by US tech companies, Bob's story has had mixed reviews. While Verizon bloggers hailed him as a genius who understood the art of delegation, a Chinese developer lamented having to do his "dirty work" for a cheap price.
Sometimes folks lean over a bit backwards to give a pass to somebody who may have done something wrong, but showed innovation and panache in how he or she did it. Why give a ticket to the person riding alone in the HOV lane with mannequins in the other seats? Sure, it’s wrong. But give the guy a break. It’s funny.
That’s wrong. What Bob did was unethical, dangerous to his employer – who knows what kind of mischief his helpmates in China could cause with the access he gave them – and probably illegal. He’s a jerk. He should be fired and, if feasible, charged criminally and/or sued civilly.
That takes care of Bob. The bigger issue, of course, is how to manage employees performing sensitive tasks in such an open, flexible and chaotic world. This has to be discussed in a number of ways: From the point of view of what the employee understands about his/her rights and duties; the technology in place at the remote location; organizational limits on what can be done outside the office; and what technologies should be in place to protect the organization’s crown jewels when the inevitable mishaps occur.
Each of these are interesting topics. The ComputerWorld UK piece alludes to the fact that it is unclear if most organizations even include prohibitions against arrangements such as Bob’s in their employment contracts. If they don’t, they should. Indeed, it is time for far more specific and expansive lists of dos and don’ts. These should be advertised internally and a class or two given to new hires. A lot has changed, and there are many gray areas.
Along the same lines, companies must take tight control over what can be done outside the office and what can’t. Control of portable media, which can be stolen, lost, copied and otherwise mishandled, must be tight. An adequate level of security, as decided by IT and security personnel, must be present on portable devices. If an employee won’t comply, he or she shouldn’t be included in a BYOD program – and this shouldn’t be held against them.
The list is essentially endless. The bottom line is that all sorts of bad things – some creative and a bit funny, some mundane and simply dangerous – come with the explosion of mobile devices and high-capacity networks. Many of these challenges are not obvious. But a plan must be in place to handle them all.
Just ask Bob. You can reach him on Facebook.