All business organizations rely upon talented and skilled personnel. Without those people it would be difficult to turn a profit and stay in business. Yet, relying on key personnel has its drawbacks.
Not long ago I consulted with a company that operated with a few dozen employees. There was redundancy in employee roles in each department except for the Information Services department. In that department there were only a couple of people who were highly skilled, and they kept to themselves in a somewhat introverted fashion.
One of the areas a particular employee controlled was telephone and data router management. In this area he was the only one who understood the configurations and the only one who actively managed the equipment. In his role he could enable and disable phone stations, turn up and turn down Wide Area Network (WAN) interfaces, and reload a router or wipe the router configuration completely, leaving it as functional as a boat anchor.
This situation caused me many sleepless nights, particularly when the employee started to become increasingly agitated in meetings and started to switch off network-based security cameras so that management couldn’t see when he was leaving and returning to buildings for lunch and other outings. He was, in effect, holding the company hostage because of his knowledge and access to the core data network.
I eventually moved to a new contract, but not before informing senior management of the potential for a single employee to disable the corporation’s ability to conduct business for an extended time. Senior management seemed unimpressed and touted that they had cell phones so it was not a problem.
What does this have to do with continuity of operation?
The management of the company either didn’t fully understand what was meant by “inability to conduct business for an extended period”, or they were sufficiently arrogant so as to believe that no one could possibly have the power to affect the corporation unless they were in senior management.
There is a surprising effect felt by organizations that embrace increased reliance upon technology. The power to make a drastic impact on a corporation’s day-to-day business at one time rested solely with senior corporate management. In today’s marketplace it sits firmly with one or more hidden individuals nested deeply within an IT group. A series of commands entered at a virtual console could immediately halt incoming and outgoing calls, stop inbound and outbound email and web traffic, render routers and switches useless pieces of hardware unable to move data, and at the same time disable all security cameras.
What does an organization do to recover from a catastrophic failure caused by a disgruntled employee? In this situation the business continuity plans would not function as planned. All plans of this sort operate on certain assumptions, and one of them is that a backup facility is operative. In the disgruntled employee situation described above, the primary and backup sites would both be rendered inoperative. In effect there would be no backup site to switch to. A bad situation no matter how one looks at it.
Recovery hinges upon prevention. Prevention is particularly difficult once the potential for abuse exists. The prevention process would have to include hiring a backup to the individual’s role as administrator of the core systems. Step two would then be to isolate the individual from direct access and from the passwords needed to effect change. Implementing management controls would seem to be the answer. Running practice tests to recover configurations is probably warranted as well.
The high cost of technology
Protecting the corporation from being held hostage would involve an additional hire, or contracting an organization to come in as backup to the employee. Additionally, new processes and procedures would need to be implemented and managed, taking time away from existing managerial responsibilities. New software would need to be purchased to create an additional step in the router and switch management process.
The cost of protection was estimated to be $260,000 for the new hire scenario and $130,000 for the contracted services scenario. As far as I am aware, neither scenario was adopted.
Review your potential for being held hostage
Any organization with an advanced data network should develop plans for being held hostage by a few key technology personnel. In their plans they should include reviews of password availability, remote access methods, configuration recovery methods, and periodic testing of scenarios to defend against internal malfeasance.