With information technology falling further and further out of its traditional confines, it’s important that you have an understanding with employees. Because, without guidelines, they could end up like the guy who outsourced his own job.
Did you hear the one about the guy who outsourced his own job to China so he could surf Reddit all day?
(I’ll give you a second to take in that sentence. It’s a bit of a doozy.)
Anyway, yes, according to a recent blog post from the Verizon Security Blog’s Andrew Valentine, one of the company’s clients had a problem with a Chinese IP accessing its virtual private network (VPN). The client thought it was malware and couldn’t figure out what was going on, as reaching the developer’s work over the VPN required an RSA key fob, and he was sitting at his desk.
But after Verizon got involved, the company realized that the VPN access had been happening over a long period—six months or longer. And after an investigation, they figured out that the employee, who had been commended for his development skills, had been outsourcing his work to workers in Shenyang, China, paying them a portion of his salary, and spending the bulk of his day screwing around on the internet. He was so confident about his scheme that he mailed the key fob all the way to China for them to use.
Yes, he had been doing the same thing at other companies in the area, too. Yes, he was fired—because, even if he was actually proving to be extremely efficient, he was also endangering the company’s sensitive data.
Now, most associations don’t have this specific kind of problem happening under their noses. But it does teach a lesson about needing to know what’s happening on your network—as well as the need for employee trust.
The Changing Rules of Trust
Recently, Gartner Research Vice President Earl Perkins suggested in a webinar, according to Network World, that because of all the unstable trends out there at the moment, the policies of old, where many things were locked down, need to give way to a trust-based model of security. This is especially true considering that mobile and bring-your-own-device (BYOD) policies “challenge the fundamental principles by which we deliver applications,” according to Perkins.
But trust is one thing and enforcement is another, and with these new policies, a consistent style of enforcement will be needed. If an employee breaks the rules, “swift punishment,” especially in the case of BYOD, is required. The level of punishment, clearly, should be based on the crime. (Perkins suggests, rather than just one big stick, a set of little sticks, or levels of punishment, based on the misdeed.)
Trust is a tough thing to earn and an easy thing to take away. It takes one “innovative” person with a line to a consulting firm in Shenyang to ruin it for everyone. That is, if you let it.
(Granted, if your employees are outsourcing association management work to China, you have bigger problems than information technology going on.)
Find ways to build a strong foundation, and even as things evolve, that trust will go a long way.