Computer Sabotage

Do you have a company policy concerning the use of computer access passwords? What about a policy against leaving unattended computers logged onto the system during breaks, lunches, meetings, etc.?

Is there a policy prohibiting an employee from continuing to work at your premises or via remote computer access after you've notified the employee of his or her pending termination or after an unstable employee quits (especially, if a bad incident is involved)? If not, you should!

An engineering company in Sunnyvale, California found this out the hard way. A systems administrator took a written warning badly and resigned effective the following workday. As a precautionary measure his employer changed the password to its file servers and its remote digital access.

Upon being denied access when his password was rejected, the systems administrator used a different employee's computer terminal to access the system. He then wrote a program to delete running files prior to dawn each Wednesday. Press reports on the resulting criminal case did not state whether he had used an unattended, but logged in computer or "borrowed" another employee's password. However, the result would have been the same in either scenario.

The computer sabotage caused the engineering firm to suffer losses of $237,000 in lost files, outside consultant fees for restoration of part of the lost data, etc. Fortunately, the firm had purchased insurance to cover this type of loss.

What to do: Develop a formal written policy concerning passwords and unattended computers. Let common sense be your guide.

For example:
1. Assign a separate password to each employee;

2. Allow each supervisor to know the passwords only of his or her own subordinates;

3. Prohibit sharing and lending passwords with fellow employees;

4. Make it easy and not intimidating to ask a supervisor for a forgotten password;

5. Prohibit entry of passwords in view of another employee or a vendor;

6. Prohibit leaving logged-on computers unattended during breaks, meetings, etc.;

7. Prohibit posting passwords near workstations (often done by forgetful or insecure workers; if they must write it down, they should keep it in a locked desk drawer.);

8. Clarify to employees how computer sabotage reduces funds available for raises, bonuses, benefits, upgraded equipment, company growth, etc.

Notify each employee that whenever someone else uses employee X's password to log-on, anything done during that log-on is entered in employee X's name.

Additionally, upper management should develop a policy concerning when and why passwords should be changed. After devising such a policy, don't be afraid to use it. If the policy inadvertently locks an employee out of the system, his or her supervisor can easily and quickly rectify the situation.

Finally, consider adopting a strict policy wherein a terminated employee must leave the premises shortly after notification of termination. Some companies handle terminations at the end of the work day to faciliate this policy. (Be aware that having a manager or a guard escort an employee off the premises can possibly lead to a libel lawsuit for implying termination due to dishonesty.)