There's an excellent article on Computerworld today that should be required reading for every IT organization on the planet.
Headlined "Security Fail: When Trusted IT People Go Bad," it makes a compelling argument that the likelihood you have a bad apple among your IT workers is much higher than you might suspect.
It's a CIO's worst nightmare: You get a call from the Business Software Alliance (BSA), saying that some of the Microsoft software your company uses might be pirated.
You investigate and find that not only is your software illegal, it was sold to you by a company secretly owned and operated by none other than your own IT systems administrator, a trusted employee for seven years. When you start digging into the admin's activities, you find a for-pay porn Web site he's been running on one of your corporate servers. Then you find that he's downloaded 400 customer credit card numbers from your e-commerce server.
And here's the worst part: He's the only one with the administrative passwords.
Actually, the worst part is that all of that really happened to a large retailer in Pennsylvania that wanted to keep the whole thing quiet. Sweeping the episode under the rug like that is, in fact, what 75 percent of companies do when they fall prey to such insider activity, according to a survey cited by Computerworld. As a result, opportunities to learn from those experiences are lost, and we're lulled into a false sense of security because we hear about such a small percentage of the activity that actually occurs.
As is often the case when stories like this are reported, some of the most valuable insights come from readers. One reader noted that power corrupts both employees and employers:
Companies planning to outsource wring everything they can from current employees and drop them without a thought or remorse. So this corporate bad behavior is just supposed to go unnoticed? The 'use people up' mentality of the current corporate culture is creating an adversarial relationship, so no wonder these things happen. Maybe if companies started thinking about more than the bottom line but also about people they would do a little better.
Another reader expanded on that theme:
Perhaps another thing companies should do is treat their employees in such a manner that doesn't inspire revenge plots. Rather than turning themselves into the corporate version of the TSA, maybe these companies should ask themselves what they have done that inspires such malevolent action against them by people they considered their best employees.
I've been around long enough to have seen that there are plenty of IT workers out there who are bitter and vengeful. Many of them have legitimate gripes, and many don't. Regardless, illegal or unethical behavior on the part of any IT employee is inexcusable.
That said, a lot more corporate soul-searching needs to be done. As these readers pointed out, adversarial relationships are unhealthy, and companies need to be much more willing to consider how their actions impact the lives of their employees, and how those actions might compel their employees to engage in uncharacteristic behavior.
One more thing. I had a reason for calling this blog "From Under the Rug." Way too much is swept under there, including accounts of rogue IT employees, and it needs to be brought out into the open. There is no shame in having an employee who goes bad. But an unwillingness to allow others to learn from that experience reflects poorly on any employer that could otherwise help prevent such harm.