Companies often like to describe their employees as the organisationís greatest asset. But many companies fail to realize just how much of an asset their staff really are, because they fail to adequately control the property that is entrusted to employees. Property which, all too often, gets lost or misappropriated during the employeeís time with the company and which is frequently not accounted for when the staff member leaves the company or changes jobs.
Picture the all-too-common scene. You appoint a new marketing manager. Heíll need a password for the central network and for external internet access through the firewall. Heíll also need a VPN password to access the system from home, and permissions for various internal databases, external subscription-based research sites and up-to-date stock price systems, and the main intranet. Heíll need a laptop and a desktop PC, and a collection of software. Heíll probably be entitled to a car too, and possibly membership of the corporate gym or sports club. Then thereís his PDA and mobile phone, USB memory stick, and perhaps a calling card so he can use foreign payphones to call home. Not to mention a key to his office and perhaps another for the front door of the building, and the code number for the alarm.
Arranging all of these items is known as provisioning. Getting everything in place for a new staff member is difficult enough, but even trickier is keeping track of those assets once they have been granted, and revoking when someone leaves the company or changes their role. Which is why many companies simply donít bother, and therefore rarely find out that an asset is being misused or is simply lost until itís too late.
Types of Misuse
Misuse of corporate assets takes many forms. All are irritating, some are merely inconvenient, yet a few can be seriously dangerous to the survival of the company or its reputation.
Among those in the merely inconvenient class might be a former employee entering his previous place of work at lunch time and obtaining cheap food because someone forgot to relieve him of his card when he left the job. A more dangerous action might be someone who obtains access to his previous employerís computer system because the personnel department neglected to realize that he had 2 different accounts and only one of them was disabled upon his resignation. Or perhaps an employee who, on leaving, handed back his keys to the front door of the building but failed to remind the company that he also had a key to the warehouse round the corner.
Stories of employees being able to gain access to the computer systems of previous employers are rife, and access still being possible after many months is not uncommon. In one case that Iím aware of, an account still hadnít been disabled after six years. In the case of someone who leaves a job only to take up a similar position with a competitor, itís hard to imagine a more damaging scenario.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.