June 14, 2004
In an effort to be flexible and increase productivity, more companies are offering employees remote access to their computer systems, yet many are unaware the convenience easily opens them up to data sabotage and harassment, experts say.
Firms wanting to help the environment and offer employees convenient hours are allowing workers to access computer systems over the Internet. But doing so also allows disgruntled former employees an opportunity to steal confidential information or wreak other kinds of havoc using nothing more than passwords they were given.
"It’s a problem companies are becoming more aware of because of the horror stories that they’ve heard from others," said Brad Hartman, a Valley attorney specializing in Internet law and information technology issues. "Once people hear about those types of things, they realize when an employee leaves, you need to go through a checklist of termination events which include more than getting your health insurance card back and the parking key back or the corporate Visa, but also deactivating user log-in names or changing passwords, and doing other things to prevent access to the network."
Hartman, a northeast Phoenix resident, is a partner at Stinson Morrison & Hecker LLP, where he is chairman of the intellectual property law section of the State Bar of Arizona. He represents businesses whose computer security has been breached.
In one case he has seen, a former employee logged onto the network shortly after being fired and used her yet-to-be-deactivated user name and password to delete customer information.
"What happens is the company has to recreate all this information from backups, hopefully, or sometimes you can have orders that are missed because they’ve erased order information or changed production times," Hartman said.
In another case, a former Web site designer changed a company’s site code to delete some pictures and include profanity. "That’s something that happens quite frequently," Hartman said.
Large companies are turning to remote computer access to save money in office space, said Brandon Disney, Data Doctors Computer Services vice president of operations.
"Usually, the larger the company, the slower changes are made," he said. "If somebody works in the business, it’s very easy to turn them off because they’re not coming in the building anymore. When they work outside the company it takes more time. Even though somebody may be terminated today, it may take a couple of days, to a week or more, to actually go through all the departments to get their account disabled. It’s a big problem that’s only going to get larger as more and more people have the kind of access from outside the office."
In smaller- and medium-sized businesses, remote computer access isn’t used much except by top management and owners, Disney said. The companies that do offer access are quick to shut it down when an employee leaves, he said.
Companies may have the most to fear from employees in the information technology department, workers who are often trusted to set up the system and who are often the only ones to know network and other important passwords, Hartman said.
"Every time a new employee starts, they go ahead and install, say, Microsoft Word, on their computer even though the company only owns 10 copies, suddenly they have 30 employees using 10 copies of Word," Hartman said. "When they leave, especially if they’re fired, they contact the Business Software Alliance and report them for copyright infringement. Then that company gets a letter stating . . . you need to do an audit and you owe for 10 copies at $300 a copy, that’s $3,000 plus damages."
Companies that allow their IT employees to register the firm’s Web site domain name can face a nasty surprise.
"When I leave the company, the domain name may be registered in my name and so I can (theoretically) redirect it to another Web site or redirect it to some pornography site," Hartman said.
Companies wronged by hackers and former employees do have recourse through the courts.
Whenever a computer is connected to the Internet, it’s given an IP address by an Internet service provider, Hartman said. When wrongdoers visit Web sites or go to computer networks, ISPs will typically have software set up to log the addresses, dates and times of the visit.
Companies file a lawsuit against John and Jane Doe and the court issues a subpoena to the ISP, requiring them to reveal the computer address and who it belongs to. The same technology was used by the recording industry to hunt down computer users downloading unlicensed music, Hartman said.
Hartman figures his job is secure as more and more companies try to protect their Internet confidentiality.