When sysadmins attack: how to delete an entire company is an article on nakedsecurity.sophos.com about how a web hosting company in the Netherlands temporarily lost many of the web sites it was hosting, and it may or may not have been because of a disgruntled ex-employee. It also talks about some confirmed cases of IT employees and consultants turning on their former employers and deleting data.
It's all a great warning about the importance of backups and about immediately withdrawing the credentials/access of ex-employees and soon-to-be ex-employees, and the importance of other non-IT staff knowing exactly what the IT manager does, knowing passwords, knowing that things are backed up, etc.
But there's another warning as well. Back in the 1990s, an organization I volunteered for in Austin, Texas had a lot of their new donor data deleted by a volunteer who had been recruited to input information that had been snail-mailed in. It turned out that she was not supportive of this organization's mission, and she had volunteered specifically to get access to the computers and do some big damage to that organization, which back then did not screen volunteers or supervise them in such a way as to be on the lookout for malicious people who wanted to use volunteering as a way to harm an organization. That story has always stuck with me - some nonprofits know they are the target of people that want to undermine their work, but not all volunteers really think about it. Yes, of course volunteer and employee candidates can lie about their motivations to volunteer, but honestly, if I were recruiting anyone, paid or not, to manage IT-related jobs, I would do some online searches of names, particularly if I was working for a nonprofit that did work that had active opposition, to make sure a candidate in which I was interested hadn't been posting in opposition to our work.
-=-=-=-=-=-
Jayne Cravens
Author, The LAST Virtual Volunteering Guidebook
I think that despite all of our best intentions and efforts, we cannot be 100% guaranteed that any volunteer or staff member will always behave themselves.
We generally take people at face value, and while it pays to always check, a thorough volunteer induction program and ongoing supervision is needed.
I hope that the idea that if someone volunteers they're automatically accepted because they're breathing. Like any role in your organisation, volunteers need to know what their job is and what happens if they can't perform.
While some volunteers are well trusted, they don't need access to core business systems. Those areas should always be carefully monitored and backed up.
"While some volunteers are well trusted, they don't need access to core business systems."
But a paycheck somehow makes it okay for someone to access core business systems? The aforementioned article was all about PAID staff causing havoc. Also, organizations often DO need to give volunteers access to core business systems - they've often sought out such a volunteer SPECIFICALLY for such roles.
Volunteers can be trusted with critical functions, IT or otherwise - so long as they are properly screened and trained. Same for paid staff.
I agree with you Jayne. If you properly screen employees and volunteers, they can be trusted. I work for a nonprofit and volunteer for another. I have access to everything in both orgs and had to pass a criminal background check.
Gary
Network/Systems Admin
Berlin, NH
Host, Non-profit Tech Careers, Security Forums
Co-Host, Networks, Hardware, & Telecommunications Forum
I think the real lesson is to build resilient systems - resilient to both malicious and accidental havoc. While the scenario here is a malicious employee, I suspect the vast majority of massive failures are because of mistakes. The AWS outage from a month or so ago was because someone typed the wrong character.
My favorite thing of the past few years is Netflix's Chaos Monkey project. They take the position that their systems should stand up to all kinds of unscheduled catastrophes. What if we just turn off the switch randomly to X? Where X could be any system or group of systems at any time. Then, they have a program that does just that. You can extend that by saying what if we sent random staff on unscheduled 2-day vacations where they could not be contacted or contact the office. Can your org manage and thrive?
Obviously, that's difficult for small orgs of any size, especially nonprofits, but if you start thinking that way, it can help you mitigate the unknown unknowns.
Regardless, at the end of the day, you have to trust someone, regardless of whether they are paid or volunteer. Do your due diligence and manage your risk.
Have a great weekend!
TechSoup Community Manager
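The Chaos Monkey idea from the post above, and the point earlier in the thread that non-IT staff should know what the IT manager does, can both be run as a tabletop exercise before anyone pulls a real plug. The following is an added example, not code from the thread, from Netflix or from TechSoup: it models an organization's systems and people as interchangeable "instances" behind each capability the org depends on, knocks them out one at a time to list single points of failure, and then runs a random chaos round the way Chaos Monkey would. The topology (service names, the `it-manager` and `exec-director` roles) is a constructed sample and is an assumption, not any real organization.

```python
import random

# Constructed sample topology (assumption, not a real org):
#   capability -> list of instances that can satisfy it.
# Instances can be machines ("web-1") or people ("it-manager"); the point of
# the thread is that a person who alone knows the restore procedure is just as
# much a single point of failure as a lone backup server.
TOPOLOGY = {
    "web": ["web-1", "web-2"],
    "db": ["db-primary", "db-replica"],
    "backup": ["backup-1"],
    "restore-procedure": ["it-manager"],
    "admin-credentials": ["it-manager", "exec-director"],
}


def surviving_capabilities(topology, down):
    """Return the set of capabilities that still have at least one live instance."""
    return {
        need
        for need, instances in topology.items()
        if any(inst not in down for inst in instances)
    }


def single_points_of_failure(topology):
    """Knock out every instance one at a time; return those whose loss kills a capability."""
    spof = []
    for need, instances in topology.items():
        for inst in instances:
            if need not in surviving_capabilities(topology, {inst}):
                spof.append(inst)
    return spof


def chaos_round(topology, rng, kill=1):
    """Chaos Monkey style: take `kill` random instances offline (systems or staff)
    and report what went dark. Returns (down_set, lost_capabilities)."""
    all_instances = sorted({inst for insts in topology.values() for inst in insts})
    down = set(rng.sample(all_instances, kill))
    lost = set(topology) - surviving_capabilities(topology, down)
    return down, lost


if __name__ == "__main__":
    print("single points of failure:", single_points_of_failure(TOPOLOGY))
    rng = random.Random()  # unseeded: a different instance goes down each run
    for _ in range(3):
        down, lost = chaos_round(TOPOLOGY, rng)
        print(f"took down {sorted(down)} -> lost {sorted(lost) or 'nothing'}")
```

Running it lists `backup-1` and `it-manager` as single points of failure: the fix for the first is a second backup target, and the fix for the second is the "other staff know what the IT manager does" point made at the top of the thread, which in this model means adding a second name under `restore-procedure`. Adding `kill=2` to `chaos_round` simulates the two-day vacation plus a hardware failure happening in the same week.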