As mentioned in a previous post, it’s a good time to be a CIO when it comes to compensation. Just make sure the people working for you are feeling some of the love, too. There’s a danger in underpaying IT employees.It’s not that it drives morale down. Underpaid IT employees can turn into disgruntled workers who can pose a cybersecurity risk to your organization.Don’t take my word for it. The Department of Homeland Security is raising the alarm.In a warning at its website, DHS said, “There has been an increase in computer network exploitation and disruption by disgruntled and/or former employees. The FBI and DHS assess that disgruntled and former employees pose a significant cyber threat to US businesses due to their authorized access to sensitive information and the networks businesses rely on.”How are they doing it? Well, insider knowledge is one answer but not the only one. Employees are leaving online backdoors open most likely in the case they do get let go.DHS says, “The exploitation of business networks and servers by disgruntled and/or former employees has resulted in several significant FBI investigations in which individuals used their access to destroy data, steal proprietary software, obtain customer information, purchase unauthorized goods and services using customer accounts, and gain a competitive edge at a new company. The theft of proprietary information in many of these incidents was facilitated through the use of cloud storage Web sites and personal e-mail accounts. In many cases, terminated employees had continued access to the computer networks through the installation of unauthorized remote desktop protocol software. The installation of this software occurred prior to leaving the company.”According to the FBI, there is a clear fiscal penalty. It said, “A review of recent FBI cyber investigations revealed victim businesses incur significant costs ranging from $5,000 to $3 million due to cyber incidents involving disgruntled or former employees. Businesses reported various factors into their cost estimates, to include: calculating the value of stolen data, Information Technology (IT) services, the establishment of network countermeasures, legal fees, loss of revenue and/or customers, and the purchase of credit monitoring services for employees and customers affected by a data breach.”So, what to do? DHS makes these recommendations:
- Conduct a regular review of employee access and terminate any account that individuals do not need to perform their daily job responsibilities.
- Terminate all accounts associated with an employee or contractor immediately upon dismissal.
- Change administrative passwords to servers and networks following the release of IT personnel.
- Avoid using shared usernames and passwords for remote desktop protocol.
- Do not use the same login and password for multiple platforms, servers, or networks.
- Ensure third party service companies providing e-mail or customer support know that an employee has been terminated.
- Restrict Internet access on corporate computers to cloud storage Web sites.
- Do not allow employees to download unauthorized remote login applications on corporate computers.
- Maintain daily backups of all computer networks and servers.
- Require employees change passwords to corporate accounts regularly (in many instances, default passwords are provided by IT staff and are never changed).
Higher salaries could be the most cost-effective solution. As Allison Schrager, an economist and writer in New York City, says in a piece at BusinessWeek.com, “Few disgruntled employees take out their frustration by breaking the law. But if cybersecurity threats from within are a problem, companies shouldn’t simply increase security but also must consider what they can do to raise morale. The Hewitt survey shows few things are as effective as higher pay. Compared to the FBI’s claim that security breaches have cost some businesses as much as $3 million, couldn’t paying workers more be cost-effective?”