Your Fired IT Employee Can Bring Down Your Company: Here's How to Stop Them

Terminating an employee always involves some degree of risk. No matter how well the employer “papers the file” or otherwise prepares for the moment, there remains the distinct possibility that the employee will claim that their firing was somehow wrongful; that it was an act of prohibited discrimination or retaliation which ultimately can lead to an EEOC claim or lawsuit. An employee being shown the door may act out in other ways, whether by walking off with trade secrets and other confidential or proprietary information or by an act of violence, vandalism, or sabotage.

But when the employee on the receiving end of a pink slip is an IT administrator or other technology professional, the threats to a business can be catastrophic and exponentially damaging.  

IT Employees Often Hold The Keys That Can Bring Down The Kingdom

These folks often hold the keys to the kingdom, and they may have the only set. They know all the usernames and passwords. They have access to every network, database, and file. They can obtain sensitive employee, financial, and customer data. Importantly, they may possess the ability not only to copy, remove, or destroy critical corporate information, but they may also have the power to cripple a company’s entire IT infrastructure.

Lest you think that being a victim of such acts of revenge or sabotage is unlikely, one study conducted by a well-known security firm found that a significant number of corporate IT personnel gratuitously look at sensitive corporate data. Nearly nine out of 10 would take confidential company data and remote access credentials with them if they were terminated. 

Even the largest and presumably most sophisticated technology companies are not immune from such acts of IT retribution. In 2018, it is reported that a voluntarily separated IT professional working for Cisco Systems intentionally deleted 456 virtual machines and disabled 16,000 user accounts five months after leaving the company. The employee ultimately pleaded guilty to a federal criminal charge of “intentionally accessing a protected computer without authorization and recklessly causing damage.” Cisco spent more than $1.4 million to repair the damage and lost millions more on lost productivity.

Unfortunately, too many companies see terminating an employee as expeditiously as possible as more of an imperative than doing so in a thoughtful and deliberate way that insulates the business from the IT professional’s power to use their knowledge and access in nefarious ways. Even when relieving an IT employee of his/her r responsibilities immediately are warranted, distributors still need to take urgent and proactive steps to protect their systems and information. The same holds true where the IT professional voluntarily separates his/her employment, as in the CISCO case.

Securing Systems, Removing Access, Building In Redundancy 

When firing an IT employee, companies should adopt all the usual strategies and approaches that apply to any firing, from when to pull the trigger to who should be in the room to how to escort the employee from the premises (and employing other customary termination procedures). Distributors should prepare for the event in advance and discuss concerns and questions with knowledgeable legal counsel and computer consultants (who can step in when need be). The process should be holistic – meaning it should start from the moment a new IT professional is hired (or earlier), to ensure that distributors are not only conducting the hiring process in as legally protective manner as possible, but also trouble shoot the IT infrastructure to prevent disaster if the time comes that the IT hire is no longer working – whether voluntarily, involuntarily, or otherwise. 

But terminating an IT administrator or similar employee also involves the potentially challenging task of terminating their access to or ability to manipulate the company’s IT infrastructure. This can be a much more complicated endeavor than it is for a regular employee, who can usually be boxed out of critical systems simply by changing their username and password and retrieving any company-issued devices. A holistic approach increases the chance that an IT professional engages in rouge action, like sabotage, any such action is more easily contained, and termination or layoff or furlough decisions are more effortlessly implemented. 

Effectively securing a company’s IT systems may require the specialized knowledge, resources, and abilities of a sophisticated cybersecurity contractor or consultant. Such vendors can identify and remediate vulnerabilities, establish safeguards, and implement company-wide policies and procedures that limit any given employee’s ability to run roughshod through networks and databases. This can and should be done in advance or as part of hiring in this space. 

But distributors can take plenty of steps on their own prior to termination that can reduce the chances of a fired IT employee going on a cyber-rampage. These can include:

• Establishing clear, written technology use and security policies and requiring every employee to acknowledge and agree to their terms.
• Implementing cybersecurity policies that segregate and control the company’s most sensitive data.
• Establishing dual controls for highly sensitive systems such that no single employee has exclusive access (i.e., two keys are needed to unlock the safe).
• Knowing which employees have super-administrative rights to any systems on the premises, in the cloud, at a data center, or with a third-party vendor.
• Refraining from providing IT administrators with access to the company’s most important and sensitive information, if possible. 
• Maintaining control of any master passwords and having system updates regularly. 
• Ensuring that all third-party vendors/accounts that the company uses are registered in the company’s name and not in the name of the IT director or other individual employee. 
• Backing up all information, databases, and systems.
• Vigilantly monitoring the employee’s uses and access between the time the decision to terminate is made and the date of firing
• Changing the employee’s logins and passwords before informing them of their termination.
• Locking the employee’s account out the morning they are to be fired.
• Consider implementation of any such employment termination outside the office, where access can be simultaneously disengaged.

For distributors interested in further follow up on this topic, or to discuss other aspects of employee termination and cybersecurity, please contact me at 312-840-7004 or fmendelsohn@burkelaw.com.