Companies often like to describe their employees as the organisation’s greatest asset. But many companies fail to realize just how much of an asset their staff really are, because they fail to adequately control the property that is entrusted to employees. That property, all too often, gets lost or misappropriated during the employee’s time with the company, and is frequently not accounted for when the staff member leaves the company or changes jobs.
Picture the all-too-common scene. You appoint a new marketing manager. He’ll need a password for the central network and for external internet access through the firewall. He’ll also need a VPN password to access the system from home, and permissions for various internal databases, external subscription-based research sites and up-to-date stock price systems, and the main intranet. He’ll need a laptop and a desktop PC, and a collection of software. He’ll probably be entitled to a car too, and possibly membership of the corporate gym or sports club. Then there’s his PDA and mobile phone, USB memory stick, and perhaps a calling card so he can use foreign payphones to call home. Not to mention a key to his office and perhaps another for the front door of the building, and the code number for the alarm.
Arranging all of these items is known as provisioning. Getting everything in place for a new staff member is difficult enough, but even trickier is keeping track of those assets once they have been granted, and revoking them when someone leaves the company or changes their role. Which is why many companies simply don’t bother, and therefore rarely find out that an asset is being misused or is simply lost until it’s too late.
Types of Misuse
Misuse of corporate assets takes many forms. All are irritating, some are merely inconvenient, yet a few can be seriously dangerous to the survival of the company or its reputation.
Among those in the merely inconvenient class might be a former employee entering his previous place of work at lunchtime and obtaining cheap food because someone forgot to relieve him of his card when he left the job. A more dangerous case might be someone who obtains access to his previous employer’s computer system because the personnel department neglected to realize that he had two different accounts and only one of them was disabled upon his resignation. Or perhaps an employee who, on leaving, handed back his keys to the front door of the building but failed to remind the company that he also had a key to the warehouse round the corner.