How to Protect Your Company from the Rogue IT Ex-Employee

It’s become fairly common to hear horror stories of the ex-employee who decided to “take the company down in flames” as they exited. Be it extortion, like what happened in Indiana in January,  or the ex-employee who maintains a backdoor account and proceeds to hack your data. It is important in this day and age of connected IT and cloud that you, as a business owner or executive, are protecting your company’s IT assets.  Here are a few tips to help you along the way.

1) Protect Your Website, Domain, and Email.

While we’re finding that we are increasingly doing more consulting on Azure Cloud and cloud management on AWS these days our core business has always been managed cloud hosting and as a hosting provider this is the part we get involved in most frequently.  We will often receive a call about someone letting an employee or contractor go, or splitting with a partner, and wanting to know who controls their hosting account and what the passwords are. As a hosting provider, we can only provide account details to the account holder. If your name isn’t on the account, then you can’t be given access to the account details. Here’s an example: You hire a developer to build your new website. She sets up your hosting account for you, registers your domain, installs WordPress and gets everything going. Six months down the road things just aren’t working out, and you want to separate from this developer. Without thinking of the consequences, you terminate her employment. Suddenly, you find out she registered the domain name in her name, set up the hosting account in her name and maintains all of the credentials like FTP, email and WordPress in her name – and all are tied to her personal accounts. Now, what do you do? You have to get everything back from this person, but it could take months. So, check your domain registrations to see if they list your name on them. An easy place to do this is at domaintools.com. Then make sure you have the login credentials for the domain names, and ideally have the domains registered in your account that only you have access to. Next, check your hosting. Make sure you’ve set up the hosting, and it’s not on someone’s friend’s server or something like that. The hosting should be in your company name with invoices coming to you and charges to your credit cards. Next, whether it’s tied to the hosting or hosted through Office365, email should also be in your name; you should have full admin access to it at all times to ensure any changes that happen have notifications coming to you. If you need help with your hosting or your Office 365, our team would be happy to help you.

So here are a few things to make sure you avoid this nightmare before it ever happens: check your domain registrations to see if they list your name on them. An easy place to do this is at domaintools.com. Then make sure you have the login credentials for the domain names, and ideally have the domains registered in your account that only you have access to. Next, check your hosting. Make sure you’ve set up the hosting, and it’s not on someone’s friend’s server or something like that. The hosting should be in your company name with invoices coming to you and charges to your credit cards. Next, whether it’s tied to the hosting or hosted through Office365, email should also be in your name; you should have full admin access to it at all times to ensure any changes that happen have notifications coming to you. If you need help with your hosting or your Office 365, our team would be happy to help you.

• Your Domain name – check your domain registrations to see if they list your name on them. An easy place to do this is at domaintools.com. Then make sure you have the login credentials for the domain names, and ideally have the domains registered in your own account that only you have access to.
• Your Hosting –  Let’s check your hosting. Make sure you’ve set up the hosting and it’s not on someone’s friend’s server or something like that. The hosting should be in your company name with invoices coming to you and charges to your credit cards. Developers will almost always try to get you to buy the hosting from them on their server.  “It’s cheaper, and it’s faster. I can take better care of you.  I have instant access to the server backend. It will make your life easier.” are all things that they’ll say to convince you to do this.  While much of this is true and can make their job easier, it further locks you in with this developer and ties you to them.  Let’s say you’re hosted on your developer’s server and he travels to Thailand the week they have a Tsunami, and you can’t get in touch with him for the next three weeks and meanwhile your site is offline, and you don’t know what do to.  What now? It sounds absurd, but I’ve seen that very scenario play out. Next, whether it’s tied to the hosting or hosted through Office365, email should also be in your name; you should have full admin access to it at all times to ensure any changes that happen have notifications coming to you. If you need help with your hosting or your Office 365, our team would be happy to help you.
• Your Email –  Whether the email is tied to the hosting or hosted through Office365, email should also be in your name; you should have full admin access to it at all times to ensure any changes that happen have notifications coming to you. If you need help with your hosting or your Office 365, our team would be happy to help you.

2) What’s your server/desktop/mobile device disaster recovery plan?

Let’s assume your servers, desktops, routers, phones, laptops, mobile devices, etc., went away today. Do you have a backup? Today, many businesses trust their IT employee or service provider to maintain backups, but many of these firms are inadequately protected.

Investigate your backup strategy today and ensure it meets your needs. Ensure backup restore tests are being performed. If you’re relying on media like tapes or drives that are prone to failure, frequently rotate media and replace it as it reaches its end of life. This is why I love our Awesome Cloud Backup product. With Awesome Cloud Backup, you’re able to back up locally to a device (like a USB drive, file server or tape backup system) and also replicate this backup to the cloud, providing you instant access to your files and data from anywhere in the world at any time. Oh, and here’s something amazing! Awesome Cloud Backup can backup servers, desktops, virtual machines, cloud servers, phones, tablets, desktops, and laptops.

3) How many backups are you keeping?

Let’s face it – we create a backup because we know stuff happens, servers crash, hard drives fail and “‘it” will eventually hit the fan. But what’s your backup for when the backup is lost, corrupted or fails to restore? Just like hard drives fail, so do backup hard drives. It’s always a good idea to have more than one backup and an additional “archive backup” tucked away in a third location just for safe measure. Today, with inexpensive USB drives, cloud storage services like Google Drive, Dropbox, and OneDrive, it’s easy to maintain multiple copies of your important files.

Take my family photos and videos, for example. I have the originals on my desktop and a backup stored on a removable USB drive, but I know both of those drives can disappear, so I have a full-sized backup stored in Apple iCloud. And, just for good measure, I use the Google Photos app and save a reduced size copy of all of my images there as well. So, even if all of my other photos and backups disappeared one day, I could still get an 8×10 print of my photos from my Google photos backup. And these services today are fantastic! They use facial recognition, geo-tagging and even perform advanced tricks like photo stitching, best smiles and the like. Let’s not forget, though: just backing up isn’t enough. If you’re not testing these backups and verifying that the data is readable, then you don’t know if the backup is valid or not.

4) What’s your mobile device management strategy?

No, this doesn’t mean holding your expensive new iPhone with two hands. What happens if one of your employee’s phones gets lost or stolen? What data is on there? What customer lists, what account logins? What about a laptop that gets stolen? Today, with the cloud, Mobile Device Management is easier than ever and provides all kinds of great tools like geo-location, remotely wiping a device and even phoning home. One of my favorite applications is Prey from preyproject.com. For just a few dollars a month you’re able to protect phones, laptops, desktops and tablets from theft or loss. Let’s say your sales guy, Carl, is out one night after work and forgets his phone and laptop at the restaurant. When he realizes he’s forgotten and heads back, it’s gone. With Prey, you’re able to remotely lock or wipe the device and even sound an alarm on the device that can’t be stopped without disabling the device completely. If the device connects to the Internet, you can use geo-location to find out where the device is, and you can even have it take screenshots and use the built-in camera to take photos when it’s in use. You’ll get all of the information you need to get your device back, with the help of the authorities if needed.

5) Where’s the source code? Where’s the database?

Today, many businesses operate custom applications. These are frequently web-based applications today and almost always have some sort of database backend. But what’s your source control strategy? If a developer quits, how do you get the source code back? Where’s the source code stored? What about the customer database records? Where’s that stored? These are all questions you need to ask and know how to answer. For source code, you can leverage services like github.com or team foundations services and have your source code replicated automatically. This has the added benefit that if you need to bring in more developers, they too can get access, and the two developers won’t have as difficult of a time merging code changes. As for the database, backup is once again your friend, but it’s crucial that you know where your database is stored. A database backup program I like is sqlbackupandftp.com. This software takes a backup of a database and stores it in a cloud service of your choice. If you use MySQL, then look at mysqlbackupftp.com to do the same thing, but for MySQL databases.

6) PASSWORDS!

You’d be surprised how many usernames and passwords exist on your network and impact your business. It’s a very good idea as a business owner/leader that you maintain a copy of all administrator level account usernames and passwords and have this list updated on a regular basis. Here are some examples:

1. Routers, modems, ISP services – if you’re not able to connect to the network, you’re probably as good as out of business.
2. The phone system, CRM, ERP, POS, HR, Payroll, etc.
3. Web hosting account, control panel, mail servers, domain registrations, FTP accounts, logins to your CMS, web application, etc.

That’s just a short list, but build an excel spreadsheet, and you’d be surprised what you start to come up with fairly quickly. Now, if you’re going to create a spreadsheet of passwords, don’t leave it lying around somewhere. Put it in a safe place, even a file cabinet or a safe, where it will be protected from prying eyes.

If there are passwords you frequently have to share within your organization and are unable to maintain delegated access accounts, password management applications like LastPass are great.  With a tool like LastPass you’re able to share login credentials for web-based applications without having to share the password with the individual you’re sharing the account with.

 

Where to go from here

These are just a few ways you can protect your company from not just a rogue employee, but from data loss in general. In today’s business environment, stuff happens. Be it nature, software, man or employee, stuff happens. It’s best that you protect yourself and your company from it.

If you’d like to discuss some options on how to protect your company from these types of threats, our team at Applied Innovations would be happy to assist.