Networking

When IT pros go bad

The recent case of the network administrator who shut down San Francisco's FiberWAN network may cause some corporate executives to initiate unneeded policies. Would that be yet another example of too much time spent on something that, in reality, rarely happens?

The recent case of the network administrator who shut down San Francisco's FiberWAN network may cause some corporate executives to initiate unneeded policies. Would that be yet another example of too much time spent on something that, in reality, rarely happens?

---------------------------------------------------------------------------------------------------------------

The Terry Childs case has been a wake-up call to corporate executives across the globe. (Childs, a network administrator for San Francisco's Department of Telecommunications and Information Services, is currently in jail and being held on $5 million bail for allegedly altering the city's FiberWAN network system to deny service to authorized users and setting up devices that would allow unauthorized service to the system.)

I would guess that few executives (and staff-level end users for that matter) had any idea of the power one lone IT pro could have until now. Since the mindset of most employees is that IT is the department you call when you can't access your files or your e-mail is running slow, it's pretty disconcerting for them to find out that, depending on their position in the company, IT pros pretty much hold the keys to the kingdom.

So now, of course, the media is feeding this newly found fear in the hearts of corporate executives everywhere.

Last Monday, in the Globe and Mail, a story by Rebecca Dube brought to light some other recent cases of disgruntled IT pros wreaking havoc on their employers. The stories included the Australian engineer who was sentenced to two years in prison for hacking into a waste-management system and causing millions of liters of raw sewage to be dumped into rivers and parks. And Roger Duronio who was found guilty of computer sabotage and securities fraud for creating a logic bomb that took down 2,000 of UBS PaineWebber's servers.

Then there was Alan Giang Tran who, after he was fired from his job at an airport limousine company, hacked into his former employer's network and wiped out the customer database.

You just know that company leaders are going to be instituting policies to protect themselves against any kind of retaliation like this. There are a couple of reasons such policies could be a waste of time. For one, those executives don't understand enough about IT to know how to form a policy to curtail its activities or access.

Second, if you think about all of the opportunity IT has to manipulate or destroy data or shut down networks, it's pretty amazing how rarely it happens. So this could be another instance of putting precious time into creating policies because of something that happens maybe 1% of the time.

Now I could be wrong. You could all be out there using the skills of your job to funnel streams of money into your Swiss bank accounts. But I don't think so.

So let's discuss. In your jobs, do you have the power to paralyze the company you work for? Why do you think some people take advantage of this power while most don't?

About

Toni Bowers is Managing Editor of TechRepublic and is the award-winning blogger of the Career Management blog. She has edited newsletters, books, and web sites pertaining to software, IT career, and IT management issues.

275 comments
ben
ben

In any case where an employee has the privileges to access secured information and control settings, there is the potential immobilization of operations. But this is a fact of life, is it not? This is like accountants and bookkeepers who end up embezzling money from a company, or like a bus driver who goes on a rampage. They keys these people are given are the keys they require for there jobs. It is a shame that people feel it necessary to abuse their positions. The only real solution is careful screening of the people you hire, and of course that isn't perfect either.

jkameleon
jkameleon

After installation, root administrative password should be written down in the presence of a C level officer commision. Specialized administrative accounts with lower privileges should be created. These privileges may not include administration of root account, of course. After that, root administrative password is put into sealed envelope, and locked in the safe box. If employer doesn't follow the above rules, the blame is entirely his.

SaulGoode
SaulGoode

Is there true justice? Is truth opionion or fact? how you answer these questions ultimately decide how you live your life. I think most IT guys have come to the conclusion that Truth is fact (either the servers down or it isn't). This prevents most of us from making the rationalisations necessary to destroy our employer (or x employers networks). IMO

JosB
JosB

There are at least 3 things that need to be there before someone does something bad. First, there must be the opportunity to do something bad. Second, there must be a reason for people to do something bad. Third, there must be a moral justification for the act. While a lot of IT specialists have the opportunity, not that many have a reason to do so and even less the moral justification. For a company the easiest to focus on is opportunity. Taking that away prevents most damage. Second there is the moral justification, an environment where lines can be crossed without sanction will result in more severe damaging behaviour because "it's ok to do it". The most difficult is controling the reason someone does something bad. I've heard stories about people losing their house because of a bad investment on the stock or options market. That can happen overnight and cause people to do things they would never do under normal circumstances. Same for relationship problems. Still a company can do a lot there. In the end I think it's the companies or department's controls and more important culture that determines how bad things get. It's the mix of opportunity, reason and justification that determines how things end in 99% of the situations. That last 1% is exceptional and just an incident. Incidents happen... To give something to think about: I work in investment management and there are a lot of stories about companies collapsing because of things that got bad. I think IT can learn a great deal by looking in how other, more mature, branches have dealt with fraud and bad behaviour and why even those mess up badly from time to time.

brian
brian

Yes, I could cripple the company, from end to end. However, I was hired for my integrity and the responsibility to keep it all running. To attack those who may have fired you (with or without proper cause) would literally be biting the hand that feeds you. Imagine if you did retaliate in some way. What would happen to your career if uncovered? Unless you're a hacker who has found a unique way to get into a system, then I don't see any decent outcomes of the situation. Job loss - pretty much guaranteed. Blacklisting - Your name will be paraded around to every other CEO of nearby companies for your stupidity. Well, Skippy, you're so out of a job, that even the automated services scan for your name to cull you from the system. So, consultantcy is your next option. Exploring that, you find the CEOs who use consultants actually have the bank to review your personal/public history. Instant black card there. Terry Childs kept the keys for a person he felt had integrity and should be the keeper of those keys. Unfortunately, that's not how the rest of the world actually works. Prior record? Not so good. In charge of an entire city's networking infrastructure? Commendable. In a position to blackmail or ransom the access, all too ominous.

Lazarus439
Lazarus439

According to subsequent news stories, Childs was motivated by the same concern for security as all of us are supposed to have. This is NOT to say his actions are the correct ones, but he apparently did not act for malicious reasons or with malicious intent. I do think there is huge and substantive difference between this incident and some others that have been mentioned. While I don't condone what this person did or how he did it, it is essential to remember that he did not damage anything except some egos. Had the story not hit the news, the general public and even most city employees would have noticed nothing at all. This is not even in the same universe as someone who destroys databases, corrupts files or other tries to ruin a company.

tungstendiadem
tungstendiadem

People (at least according to some college courses I've taken) need to feel empowered. Feelings of powerlessness lead to cycles of escalation eventually leading to individuals in low power situations to act out utilizing the power that they believe (perhaps rightly so that they have). Power is comprised of power currencies, and individuals wield their power currencies in attempt to better their positions. When a person feels helpless and incapable of wielding their power in an ethical manner to realize improvement in their positions they are faced with the moral choice to use the power unethically or walk away defeated. In my detached and uninformed assessment of this specific case in a general sense. The perpetrator of the crimes (given that this is a crime of technical accumen) felt that control of the power currency of expertise had to be exercised against an organization wherein interpersonal linkages and communication skills blocked the ever coveted resource control in order to demonstrate (in a deluded sense) equalization of power. Clearly someone was incapable of articulating their grievances and felt helpless to the point of desperation. Survival Rule 1: Your job is not the entire world, it isn't even the only job like it in the world.

r8tdr
r8tdr

Yes. Because we can. Doing so will be immoral and unethical on your part. Do the right thing. Can't stand the heat - GET ANOTHER JOB, somewhere where they'll treat you equally and part of the business not just a solution.

maurimev
maurimev

to learn all the possible tricks they have to take care of... so remember: all you type may be used against you.

larrie_jr
larrie_jr

"Why would we /format c: a network we spend nights worrying over"...Why does a postal worker bring an AK-47 to work? Something already unstable in the individual has SNAPPED; unfortunately, it happens more than we care to admit. I can't claim to speak for everyone, but in my PERSONAL experience, I have watched people who one would think would NEVER be capable of such actions, do exactly this sort of thing; one guy I was able to "talk down", but the other I was only able to bring to a contingency plan as opposed to "immediate" action...(he ended up "rigging" the network, that in the event his actount was ever deactivated, it would release a .bat which would bring it down) In both cases the individuals felt "betrayed" by their employers and wanted to "hurt them back". The way in which company's hire and fire people in these positions ARE sometimes VERY underhanded; the individual has NO IDEA it's coming... I've been told SEVERAL times not to mention this to anyone when calling about the position as it's a secret. The reasons in these cases were very "personal" and 'revenge' plays a part. But, as a part-time free-lance consultant who doesn't ALWAYS get paid IN FULL for services rendered, I am tempted by these same thoughts of "well, if they're not going to pay in full, I'll take down the network"...In my younger day I was a painting contractor who had these same issues, what am I going to do? go take the paint back off the house? Graffiti the thing? No... I ended up eating the remainder of the contract, but would apply stronger contracts in the future. Temptation hits EVERYONE at one time or another... what makes us "IT Profesional" is what we do with that 'impulse'...and DON'T bring the AK to work... it only seems good on paper.

MavMin2
MavMin2

I think most people are rational and place blame where it belongs and would not do something like this knowing that it would harm in some way or another people who have no control over the issues that hacked them off. True, some would do it out of ego just beause they can do it but I think that others do it out of maybe a form of temporary insanity. Timing might be everything. Did he get fired or threatened just as he bought a new house, had a child, lost big in the stock market or a had threat of divorce from his wife last night? Has he had sleep deprivation because of a two month long hot project? Is the Boss a jerk? Any or all of those issues at any given time could push a man over edge and cause him to act irrationally. That doesn't excuse the action or remove responsibility from him but at least gives a reason for such an unreasonable act.

piercedtiger
piercedtiger

When I was a helpdesk tech for client with 250+ employees. Within a week of being onsite I got sick of being booted from an RDP session when my boss or coworker logged into the same server as administrator. So I set myself as domain admin and used that login for all my server work. My laptop wasn't on the domain since I wasn't an "official" employee at the company so I wasn't running as domain admin viewing websites, etc. Just to map network drives as needed and remote into servers. They had all their financial, accounting and employee records saved to those mapped drives with open file permissions! (So not only did *I* have access to them, but so did everyone else in the company that cared to look.) I setup more secure permissions, but since I was the one doing it my login had full access by default. Same for the Exchange server and being able to access people's mailboxes (which I routinely had to do to figure out problems). I could also remote in from home via their VPN. Kinda sad that a lowly helpdesk tech paid $13.50/hr had that kind of access. Took them 2 weeks to lock things down after I was fired over a BS charge. Made me think about a few things....

Russell_dazzle
Russell_dazzle

In my job, I may have the power to paralyze since am one of the IT Supervisors. But situations as discussed above should not even happen. There should be a good IT Security Specialist that would enable the systems to prevent those type of attacks. And second, if only companies would value the existence of their employees, this could have been avoided. - Russty

IT2MD
IT2MD

i could and i still can....it's kinda scary... i have all the passwords, ip addresses, info, everything to bring down the small financial organization that i used to work for.... i suddenly quit my job back in february, and i can STILL log into thier network from my home network... AND I'M A NEWBIE!!!!! My ops mgr didn't think i was smart enough to work there, but she isn't smart enough to realize that those passwords should be changed....i can check everyones email, i can change their webpage, i can do anything to bring them down like they brought me down...but i won't...my personal integrity is stronger than that....but it is kinda scary to know that I HAVE ALL THAT POWER!!!!...I just don't dwell on it too much....but every now and then i do check, and its still there, after almost eight months.....

candice
candice

Yes, I think most of us have the power to kill our baby. But that's just it. It's out baby. We would never want to hurt it. We go out of our way to protect it. We study all the enemies out there and put policies in place to protect it. We baby sit night and day and we have a heart attack if anything looks like it might possibly have a problem. I think most of us are the defenders and protectors of our network. Even if we get fired or let go most of us scramble around to try to tell the next guy exactly what to do and how to go about doing things to keep it running smoothly.

lamont.turner
lamont.turner

Yes, I have the ability to steal the entire Active Directory database NTDS,dit, as well as changing passwords, creating backdoors etc.... The problem is that management is ignorant to these facts, and as such don't realize the value of keeping the Enterprise admin happy with a generous salary and appropriate recognition, but are all too eager to imprison and prosecute the perpetrator for causing disruption. I would propose that the CIO is the one that should be prosecuted for the breach of security by Terry Childs, and should be fired for lack of performance and not separating powers of the admins to cause such disruptive actions.

herveyallen
herveyallen

1% of the time. Not even! How about .0001% of the time. This is just fear mongering and business as usual in the press that has no clue about IT. Any decent IT department properly locks out employee access once they are fired. And, this is the typical disconnect and catch-22 of management and IT. Management has to hire the IT personnel, but management has zero clue as to how to do this, what their IT folk are doing, etc... If an employee causes damage to the company's IT system or the company in general with malicious intent, then that employee should be dealt with just the same as any other person who might take such action.

bookkeeper
bookkeeper

Do I have the power yes would no because i would like to think that i would never lower myself to those kind of standards lets face it is destroying property or info and it is wrong on all accounts. These little people as i call them they sit in there little cubicles with there energy drinks or coffee or what ever and have an EGO as big as a house well i don't think i would want to lower my intelligence to that level. And nobody has the right to do so. Signed Just an opinion

witzend
witzend

Three years ago I abruptly quit a job due to multiple bad business decisions they made -- and I had what I jokingly refer to as "god-power". I could easily have destroyed that place on the way out. I didn't. My integrity and ethics wouldn't let me. It's not that I don't fantasize about taking revenge... but I'm an adult. Thinking about it and doing it are two different things. There are consequences to be had for such behavior, which Terry Childs is experiencing as we speak. Incidentally, my former boss had two other IT people that screwed him up royally when they left, and he thought I would too (even though my track record showed otherwise). When he realized I was not like them, and his business was in no danger, he ended up calling me and asking me to consider contracting with them instead, so I could still have my own business and they could still get the benefit of my expertise. You know you did it right when you ex-boss still speaks highly of you even after you quit!!

PlexusSage
PlexusSage

I love this story. What is this nut job trying to cover up? Or is he protecting others who he knows will do him in?

davidhiggins
davidhiggins

Not only power within my company, but several others as well. People worry about ss numbers and privacy. I control healthcare systems areound the world with VPN access to the majority of them. I also have the administrative passwords to their networks, as well as their routers. I think I could get over 4 million SS numbers and addresses and phone numbers. And that number is signifigantly climbing. We could bring this economy to its knees if we really wanted to, but we are also called to a higher code of conduct. Much like a physician, we are part of something greater than ourselves. And where there is one bad guy, there are 3-4 good ones who will shut him down.

bernalillo
bernalillo

I think poorly of people who would do such things. I feel it is better to be stolen from than to steal, same with sabotage. Why do some people do it? Better to ask this question in corporate board rooms and the halls of congress. I suspect that ethics is more severly tested where the power is greatest and that those who actively seek power have fewer ethics to restrain them.

mfahy
mfahy

You don't take advantage or power because of: Trust, Integrity, Professionalism.

Triathlete1981
Triathlete1981

One thing about not having technical people in charge is that when the three company websites to one DNS registrar, I put the three websites in my name. The VP who had the domains registered had to approve the transfer, approved it to my personal account, so the domains are registered to me, not the company. I can point all websites to adult sites at the drop of a dime and also change the MX record for the company's email to something else. And just like that, no one gets email!! And the wonderful (for me not them) is that since I own the domains, I can do with them what I want and not get into trouble. After all, the VP approved the transfer. People are more starting to realize that we're not simply tech support. Information is the most important part of any company, and the lowly network admin has the same access to information as the CEO. That's once how I found out a former company I worked for was closing its doors in four months and was able to find a job before then.

gjansen
gjansen

With no technical training, the cow was able to do far worse to Chicago than a Cisco wizard did to San Francisco. Vandalism is vandalism. Would we pride ourselves on our knowledge of chemistry because we know how to drop sugar into a gas tank?

jreich
jreich

Without a doubt, I could bring the whole company to its knees. The key thing is to have a good CIO / Senior IT Leadership in place that knows IT and can speak to the other execs and assure them these types of things don't typically happen. Good leadership, hopefully prevents a little bit of 'rouge missions'. Everyone in IT just wants to be appreciated. Bottom line.

jsggervais
jsggervais

I've worked in various industries, some of which required a background check before I got access to any sensitive data / systems. Not foolproof, but might be a way to weed out those with a chip on their shoulder.

stewie_griffin
stewie_griffin

While your article addresses some valid issues I think it would probably make more sense to research some of the facts of a case before attempting to sensationalise it. Childs did not shut anything down nor did he prevent users from accessing the network. What he did was refuse to provide the incumbent executive the passwords to the core devices in a network designed by him and for which he held a patent on. He did finally provide the password to the Governor and at that point the network was inaccessible because all vpn credentials had been changed and no notification was provided to the end users. Facts first. Please!

Pete_B
Pete_B

Why use a padlock? The answer is that the purpose of a padlock is to keep an honest person honest. It will not prevent the determined thief from breaking into anything. The same applies to the IT world. Nobody can predict every challenge to compromise IT security. At best we can detect when damage has been done. I do not have much experience in this field. My recommendation is to include in Operational Plans a recovery action for a partial and full system failure. My employer allows developers access to systems on an as-needed basis. Systems Operations has access to and maintains the backups. Changes to live systems cannot be made without obtaining permissions from Change Management. Perhaps the best safety net is to use the same method as the military uses for classified systems and equipment: Make it a no-alone zone. Two or more must approve access and must be present during access. The Atlanta Artful Dodger

wwu
wwu

Sure I can. But we don't do it because morlarity and accountability.

philip.kelley
philip.kelley

If I leave a company under less than favorable circumstances, my favorite way of getting back at them is by leaving. All my knowledge, all my expertise, all my understanding of their systems, everything that they used to use and rely on me for (such as late-night support), is now walking out the door, never to return. Certainly, I've felt that pang when others were leaving a company!

fgranier
fgranier

I'm surprised that the question even comes up, IT folks.

etkinsd
etkinsd

and his political staff go bad worse things happen...

annerobbins
annerobbins

Yes we all have the power, some companies more than most. I've yet to work somewhere that I wasn't given the keys to the kingdom the moment I walked into the door. And with great power comes great responisibility. For me knowing I have the power to do everything I want is enough. It pretty much negates every desire I would have to do anything nefarious. My first job out of college our company was purchased. They started laying off departments and as a department was let go they would lay off a tech person at the same time as almost all our jobs where redundant with a new parent company. After layoff anouncements came on Friday everyone went out and and got lit Friday night. Our company exchange administrator was finally let go. She convince someone to let her back in the data center where she proceeded to format the exchange server which she also had not been backing up for the last 2 weeks because we where wating on a part for our tape vault. Needless to say we lost 2 weeks of email, and it was all her colleagues left behind that had spend hours recreating the data we could and a sleepless weekend getting us to functional again for monday morning. I've forgotten a good portion of people I've worked with, but I will never forget her name and her resume has walked across my desk and gone straight into the trash because of the sabotage and personal pain it caused not only me, but our colleagues at the company that where left behind until the next round of layoffs.

ouafouaf
ouafouaf

Talking about giving lessons to IT Pros ??? Then imagine a world where only 1% of politicians, ecleciastics, vendors or miltary forces would fail our trust. IT pros are leading yet not just in the virtual world :)

bryanmuts2000
bryanmuts2000

Even this policy does not really do away with the problem, but the good thing is it addresses the problem I think the goo thing about it is that it places responsibilty on someone. Policies are not necessarily meant to stop things from happening but to safeguard the interest of the organisation.

bernalillo
bernalillo

That really wouldn't stop anyone who knew his stuff.

brad
brad

Saul, you're a brave man opening that can of philosophical worms I reckon :) I totally agree that most of us are prevented from rationalising malicious damage to employers past or present, but by our moral/ethical compass as others have already noted. Like most contributors here, I take my trustworthiness and commitment to my duty of care very seriously indeed as key traits that make me employable. If employers take the leap of faith & give me the keys to their kingdom, *I* know they won't be misplacing that trust. That's my truth. But *they* don't know until I've proven myself to them (assuming they give me that opportunity) because grubby boofheads like somebozo (above) plant the seeds of FUD often enough to largely negate any inate trust of IT people that may have once existed. That's their truth, in many cases. But is there justice in that ? Depends which end of the pineapple you're presented with. Just like real life I guess :)

Russell_dazzle
Russell_dazzle

Thomas, has a point (empowerment thing). And Maurimev, mentioned about what we write can be used against us (This is a well disguised survey...). Both have a point. But on the other hand, I believe it is a matter of "choice". The choice to act right, think right, be professionally ethical or the other way around. People define insanity when it is completely the opposite of what most people do, think, and say. But in my opinion, the cases of those that are being discussed here was that they have been charge for a crime which they thought they have the power to believe they are right. What ever these guy's reasons are for acting as such. In the end it is still a matter of choice.

pgmomni
pgmomni

as a independant software consultant since 1987, I agree the very small incident rate of internal IT sabatoge speaks loudly of how professional almost tall of us adhere to. BUT, I have more then a few times had to advise mgt that a particular IT employee was "unhappy". Most of the times they had good reason to be unhappy, but, hey, if your job sucks, get a new one! overall, most uppper mgt views/feels/perceives IT as a cost center or worse. They have too little respect or understanding of jus thow much work we do and how hard we work protecting their data and the firms we work for. In the early years of my consulting practice I made up a slogan I live by to this day! "Computer Nerds Unite and Take Over World!" I dont know about the rest of you, but I have done quite well putting up with the "BS upper mgt" dishes out by simply billing directly in portion to the amount of BS the client puts out. "That will reflect directly in your bill1" is one of my famous responses to stupid, BS comments. I say this with a small smile and they usally shut up right quick! "Unite"! pete

RaymondJM4
RaymondJM4

Keep preaching the IT Gospel. IT is the only field that hold integrity as it's highest requirement.

dmcaplan
dmcaplan

A number of years ago I worked for a stock brokerage as compliance and IT coordinator. I was let go as part of massive layoffs by the company, and was told when I was leaving for lunch on a Friday. I asked if I could pull my personal files off of my work computer, and was allowed to do so, unsupervised. It took me about an hour. When I left the office, no one looked at the computer to see what I'd been up to (all I did was copy my personal files to disk and delete them from the hard drive - I could have done much, much more), but they did check my box to see if I was trying to walk out of there with any office supplies...the irony still makes me laugh.

Persepone
Persepone

You said: "You know you did it right when you ex-boss still speaks highly of you even after you quit!!" Yes! And I'll bet you get a lot of referrals for your consulting business. Ethics and values are the root of the problem...

Persepone
Persepone

I was lucky to have worked for two companies where all employees were made to feel that they were a part of something greater than themselves. We were valued for our honesty, our integrity, our knowledge, our skills, our talents and our work. This was true not only for the high-level managers, but for the lowly, young, entry-level employees. If you worked in customer support or were an admin or something, you were still a valuable employee and were expected to do your job to the best of your ability--and the company and other employees at all levels would help you do this. Fostering this attitude in a company is the best innoculation against malfeasance. The truth is that we were paid fairly--but were probably on the low side of the "customary." We had decent benefits--but those, too, were in line with other employers--they weren't spectacular. There were no special "perks." Only in retrospect is it apparent how rare that sense of value and respect for all employees was in America. We all worked very, very hard for that company. Turnover was very, very low. Many years later, many of us are still in touch with each other and most of us feel that those were the best companies we ever worked for and we are all grateful to have had the experience of working for a company that allowed us to truly be a part of something greater than ourselves. We did not make a product that saved lives or changed the universe or brought on world peace--but each and every one of us was made to feel valuable and essential and good about ourselves and the work we did. Yeah, a lot of us (there was no real IT department) in a lot of different roles could have brought things to a dead stop. We had a lot of responsibility even when our jobs were low down on the pyramid. None of us would have done it! One of the posts referred to looking at Accounting and other departments where the safeguards are in place. Yes, that is valid. But there is more to it than "safeguards" and "checks and balances." How about a CEO and a company culture that values its employees and says to each and every one of them--not only in words, but in daily behavior and interaction--we value you and your contributions to the company--and you are an important part of the company. I've integrity. I'm not going to sabotage something just because I can. When I get fed up enough, I'll send out my resume and the next job will be better. But I have to say that we've lost something very important in the past 25 years in American companies and it is that sense that each and every employee has something important to contribute to the whole. Without that, everyone's job becomes more difficult. For example, I can't promise someone that I can ship something overnight if I can't depend that guy in the mailroom. Convesely, he can't do his job properly if I don't get the package to him before his deadline so that he can do his job of getting it on the truck. I need to give him what he needs so he can do a good job for me... In the end it is "expectations," "respect" and "integrity." If the company does not have integrity, if the company does not have respect, if the company does not value its employees, regardless of job title, rank, etc. then you have a situation that promotes some of the "getting even" behavior discussed in these posts. It all trickles down from the top.

drbayer
drbayer

I beg to differ with the comment that "the lowly network admin has the same access to information as the CEO". The lowly admin has MORE access. He (potentially) has access to ALL data at a company, including accounting, customer, and order data as well as technical data on the systems and networks. The CEO can request access to everything, but it's the lowly admin that grants the CEO that access. If nothing else, the CEO generally won't have access to systems configuration data, as it's far enough outside the average CEO's realm of expertise that they are more likely to do damage to those systems than not. All that being said, when one hires an IT person, one implicitly states that the IT person is being trusted with maintaining the systems under his/her care. If the IT person cannot be trusted to do so in an ethical and responsible manner, he/she should not be hired. This is where hiring managers must make effective use of personal/professional references, in an effort to make the most informed decisions possible. I believe that most seasoned IT people are aware of this and act accordingly both in the interests of the company (deserved or not) as well as in his/her own interests (to have a long and fruitful career). That is part of the challenge facing newly-hatched IT people, either fresh out of school or freshly certified. The newbie not only has to overcome the lack of "real-world" experience, but also the missing track record of ethical behavior (it simply hasn't been recorded anywhere yet).

jwise
jwise

If 5% of the population is unethical, I would expect that 5% of IT people are unethical. People are also exposed to situations that invoke rage. Unfortunately, IT is a high frsutration occupation. If the solution is to employ some kind of IT auditor, then I would expect this to merely transfer the problem to an equally unethical (or ethical) career path. This is no solution. All occupations are exposed to moral decay. I don't see a solution to this problem.

normhaga
normhaga

Pretty much worthless because they fail to measure character. The only true measure of character is observation of a persons reactions to adverse and amenable situations. This is nullified by todays job hopping.

a.southern
a.southern

Wow, and I usually just leave a packet of frozen prawns distributed around the plumbing, server room, filing cabinet and curtain rails.........

HAL 9000
HAL 9000

When things go wrong. If there is nothing in place it's easy to blame the Innocent for Managements Incompetence by saying [b]"You had no right to do that."[/b] But if the Requirement is written out this just can not happen. It's not a perfect answer but at least it's a start. Many places just fail to see the need to even think about addressing situations like this. Col

Russell_dazzle
Russell_dazzle

Well said Brad. I totally agree. Seemed like a bit similar to what I have mentioned few posts ago. It all comes down to the "choice" we make for ourselves.