People and Policies: Working with the Right Ones

Honest, loyal employees are more important than the latest security gizmos. Use common sense. Beware of the $26,000-a-year programmer who suddenly acquires a posh home and a sports-car collection. Don’t pry. But don’t shut your eyes, either.

Start with a sensible hiring policy. Decide on the questions you want to ask applicants and their references—about the prospective employees’ backgrounds and characters. Then bounce them off your legal department. The rule of thumb is that you won’t get in trouble if the questions are related to the job. IBM has said it doesn’t even ask applicants about their ages or marital statuses. If there aren’t legal obstacles, you might invest $25 in a credit-bureau check of a keypunch clerk but perhaps several hundred dollars for a top programmer. Keep in mind the notorious lack of reliability of many reporting services. Check for criminal records when hiring for responsible positions. A Maryland hospital didn’t. It hired a convicted embezzler, a computer operator who later diddled $40,000 out of the system.

Granted, there are occasions when you might knowingly hire an ex-con to give him a chance. But ask the normal questions. What’s he done to justify your trust since his sentencing? What are your risks? How much could he steal, and how?

Whomever you hire—ex-cons, Harvard grads, or combinations of the two—know how to respond to the common criminal motives.

Jay BloomBecker, a top computer crime expert, sums up one of the main motives by quoting the title of a collection of Doonesbury comic strips: But the Trust Fund Was Just Sitting There.

Reduce the temptation. Let your people know there’ll be surprise audits—and mandatory vacations. A thief busy slicing salami might be loath to take too much time off, lest his or her replacement catch on to what’s happening. Likewise, consider rotating duties every few months and also divvying them. People who write checks with computers, for example, ideally won’t be the ones approving them; in a small business, of course, this might not be possible.

The old need-to-know policy, of which the military is so fond, may also increase the criminals’ risks—by increasing the need for collusion. This, too, isn’t always possible, and it could boomerang. If employees aren’t supposed to know what their colleagues are doing, maybe a thief would actually have less chance of being noticed.

Also, tell people that stealing—even small amounts from a large company—will hurt. If you can’t prove how it will hurt the corporation noticeably, then you’d better make a good case that it will hurt them. Pretend you’re a department store warning the nimble-fingered: “All will be prosecuted.” Well, within bounds. You needn’t fire and prosecute a thirty-year man because he once used a company micro to calculate his average golf score.

But do remind your employees of the applicable theft-of-service laws, larceny ones, and others.

Not that electronic theft is your only problem. Whiteside tells of a computer-ridden North Carolinian, working for an insurance firm, who reportedly shot a handgun several times at the hated machine. And Harold Joseph Highland offers another cautionary tale. Executives at an East Coast firm fired a crabby woman, then returned the next Monday to find its floppies sliced apart with a paper cutter. They never proved her guilt. Regardless, someone moved the blade up and down, costing the company several hundred thousand dollars in time reentering the paper versions of the records into the computer. And that doesn’t even include the orders canceled by customers angry over the delay. In yet another story, a disgruntled worker short-circuited a terminal by urinating on it.

“Hire well,” says Jack Bologna, an expert on the “people” side of computer security, summing up ways to avoid such traumas. “Pay fairly, praise people for good work, give them opportunities for advancement, and make them feel comfortable talking over their problems.”

Remember that the line can fuzz between outright sabotage and simple sloppiness induced by poor morale.

If there’s a disaster and you’re not sure if it’s accidental or deliberate, however, don’t be too quick to point your finger. You may find it chopped off with a lawsuit filed by your suspect, perhaps for less than $1,000, while your firm must spend several times that to defend itself. Unjustified accusations, also, hurt morale and may even add to security problems.

And if you do prove theft or sabotage?

Act. Don’t cover up. Rather, cover yourself—legally. Tell your boss what happened. If you’re mum and someone else reports the crime, your superior may consider you among the guilty. Also, don’t discount the possibility that your boss may himself be either guilty or a part of a cover-up because he fears a stockholders’ suit. You may have no choice but to report him to his boss. Press for an independent audit committee if you’re powerful enough and if the size of the crime justifies one.

Should you fire someone for a computer-related offense, do it artfully.

“If they’re in a critical job position, help them clean out their desk, collect their ID card and any office keys, and walk them to the door or to the personnel department,” says Timothy A. Schabeck, who edits Corporate and Computer Fraud Digest with Jack Bologna. The FBI’s Lewis says as much.

If you do prefer instant firing, follow Schabeck’s advice to provide counseling and severance pay. And soften the blow, too, by warning everyone, when hired, that your axes are quick and sharp.

Mightn’t instant firing, however, be brutal, anyway? Well, it depends on the amount of damage that a discharged employee could inflict and on how vindictive you perceive him to be. Ideally, you could minimize the damage by having backup disks or tapes out of your victim’s reach. Also consider how successfully you can keep the fired employee from returning to your computer—by ruse or otherwise. Is your office absolutely physically secured? Can you trust guards or janitors working weekends not to admit a familiar face?

It’s all a part of bridging the gap between policy and practices.

Don’t just wait until a crime to make your staff security conscious.

Too often, warns James A. Schweitzer, a Xerox security expert, people protect information only if it’s on paper. He says, “There have been a number of cases where tapes and disks have mysteriously disappeared from places like desktops.” If need be, designate an employee to make sure others have locked up right by the end of the day. In less than a minute, using a floppy disk, a thief may duplicate hundreds of times as much material as he could on a paper copier.

Worry, too, about your people’s use of modems—the gizmos that transform your computers’ digital output into a whiny sound for the phone lines.

Don’t let them routinely keep sensitive material on disks that will play back to savvy criminals who happen to dial in.

This especially applies to Winchesters. They’re the oxide-coated aluminum disks that remain in the machine housing them, and they stash away many times the amount of information on most plastic floppies. Now imagine the delights awaiting a thief or snoop. Via your auto-answer modem he could rifle thousands of pages of Winchestered documents. Such electronic robberies needn’t happen, but until businesses get burned this way, they will. So if you’re sharing an electronic spreadsheet or mailing list with your branch office, do so if possible at a prearranged time during business hours when you know who’s calling. Tell your people to do the same.

You’ll also need a privacy policy—internal and external. Do you, for instance, want salary information on a Winchester disk that any of your company’s computer-users could read? And how about employees’ health records? Good data security should protect your people as well as your company. So limit your computerized records to the essential and tell your executives not to use their home computers to bypass privacy laws.

Worry, too, about an external-privacy policy. Are you respecting the rights of your customers, including those who, by computer, may be transmitting their electronic jewels to your company?

It isn’t just decency you want; it’s also good protection against suits, whether from people or client companies.

Here again, set a firm policy against your people misusing their personal micros. Alan F. Westin, a Columbia University professor of public law and government, correctly warned in Popular Computing, “A financial officer of a bank might store information about the life-style, habits, sexual preferences and other personal behavior of large individual borrowers or key corporate executives.” The banker might do this behind customers’ backs to help decide who was “stable” enough for loans.

You’ll also need a policy covering employees who use your computers for, say, maintaining their church’s bingo books. Why not let them? It isn’t the worst public relations. Some companies even allow their employees to play games after hours, tapping into company systems from home, and you, too, might experiment with this, provided it won’t add to your data-security problems. Better a fringe benefit than a crime.

On the other hand, you’ve got to draw the line somewhere. Can you estimate how much this extracurricular use of your machines costs in wear and tear—in, eventually, replacement costs? Feel your employees out on this one if you’re running a small business or hold sway over a large one. Would they rather enjoy computer privileges or better health insurance? You might offer cafeteria-style fringe benefits, with computer use as one of the options. Employees not selecting this choice might have to agree to it, anyway, if you discovered them using a company computer for personal purposes. This problem, of course, may lessen as the prices of small computers plummet and their capabilities grow.

Whatever the form of potential crime—theft or otherwise—keep remembering one of the basics of data security: It should cost neither more money nor morale than justified.