75

I'm going to hire an IT guy to help manage my office's computers and network. We're a small shop, so he'll be the only one doing IT.

Of course, I'll interview carefully, check references, and run a background check. But you never know how things will work out.

How do I limit my company's exposure if the guy I hire turns out to be evil? How do I avoid making him the single most powerful person in the organization?

HopelessN00b
Jesse
  • The sure-fire way is to learn IT yourself. It sounds like you are having trust issues, which the job requires. Your title seems to say you want to protect your computer, but your subject seems to be your whole network. – Nixphoe Jun 24 '11 at 18:54
  • @Jesse: So you're saying that your accountant couldn't embezzle from you and cause you to go into bankruptcy? Your sales manager couldn't sell your client list causing so much lost revenue that you go under? Personally, if I were a rogue employee I'd much rather have access to your bank account than your computers. – joeqwerty Jun 24 '11 at 19:35
  • @joeqwerty: The accountant has access to financial stuff; the sales manager has access to sales stuff; the IT guy has access to *everything*. – Jesse Jun 24 '11 at 22:11
  • @TomWij if I were your IT guy and I knew you were doing IT work behind my back (backups or otherwise) on the system you charged me with managing, I would throw a fit. It costs you more, destroys any rapport you have with your employee, and will damage your company in the long run. Don't do that. – Paul McMillan Jun 25 '11 at 00:58
  • Documentation, Documentation, Documentation. – Stuart Jun 24 '11 at 20:18

5 Answers

106

You do it the same way you protect the company from head of Sales running off with your client list, or the head of Accounting embezzling funds, or the Stock manager from running off with half the inventory, largely: Trust, but verify.

At the very least, I would require that all passwords for all Administrator accounts on systems and services under IT be kept in a password safe (either digitally like KeePass, or a literal piece of paper kept in a safe). Periodically you will need to verify that these accounts are still active and have appropriate access rights. Most experienced IT people call this the "if I'm hit by a bus" scenario, and it's part of the general idea of eliminating points of failure.

At the one business I worked at where I was the sole IT Admin, we maintained a relationship with an external IT consultant who handled this, primarily because the company had been burned in the past (by incompetence more than malice). They had remote access passwords and could, when asked, reset the essential administrator passwords. They did not have direct access to any company data, however. They could only reset passwords. Of course, since they could reset enterprise admin passwords, they could take control of the systems. Again, it became "Trust but Verify". They made sure they could access the systems. I made sure they didn't change anything without us knowing about it.

And remember: the easiest way to make sure a person doesn't burn your company is to make sure they're happy. Make sure your pay is at least at the median value. I've heard of too many situations where IT personnel have damaged a company out of spite. Treat your employees right and they'll do the same.

Bacon Bits
  • Well said Bacon. I hadn't read your answer before posting my own saying the same thing. – joeqwerty Jun 24 '11 at 19:31
  • This is the best answer. Get a trusted 3rd party on a contract basis. – mfinni Jun 24 '11 at 19:51
  • On intuition, the IT guy changes things to effectively lock out the third party the day before he's fired. What then? Take the entire network offline until you can get it audited, every time you fire someone? – Matthew Read Jun 24 '11 at 21:06
  • -1 for: "I made sure they didn't change anything without us knowing about it." – Kzqai Jun 24 '11 at 21:29
  • @Matthew Of course the IT guy can do that. You can't stop that. You *can't*. If someone is a Domain Admin, they can trash the domain. Period. "I create a new DC in a VM, move all FSMO to the VM, then delete the VM." or "I delete random fields from the schema." All you can do is put in as much redundancy as you can, and then audit constantly. – Bacon Bits Jun 25 '11 at 00:38
  • @Tchalvak "Trust but verify" has to go both ways for two domain admins (in my case, me and the consultant). When you're domain admin, you can only have peers and subordinates. There is nobody above you. I audited authentications from the remote account and audited most actions they performed. It's not that hard to set up; the logs are just not that informative typically. – Bacon Bits Jun 25 '11 at 00:41
  • +1 for the "hit by a bus" scenario – bevacqua Jun 25 '11 at 14:49
  • @Bacon Fair enough. +1 – Matthew Read Jun 25 '11 at 15:08
  • better: have the emergency backup account info stored by someone with no access to your network at all. An escrow service, an outside lawyer, the bank vault that only the partners in the business have physical access to. If you're really paranoid, that's how you do it. And of course have a dual key system in which there's always at least 2 people required to log in on the root account, both knowing half the password. – jwenting Jun 27 '11 at 06:27
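The "audit authentications from the remote account" part of the answer above is easy to state and rarely done. Here is an added, stand-alone illustration of the mechanical half of it; it is not code from the answer or from any product. It takes Windows-style security events in a simple CSV form (timestamp, event ID, account, source, logon type; 4624 is a successful logon and 4672 is the "special privileges assigned" event that follows an admin logon, both real Windows IDs) and flags every logon by a watched break-glass or consultant account that no approved change ticket covers. The account names, the event lines and the change log are all constructed for the example.

```python
"""Audit logons by escrowed / consultant admin accounts against a change log.

Added example for this page, not code from any answer. The event format
(timestamp, Windows event ID, account, source host, logon type) and every
sample line and ticket below are constructed; account names are invented.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime

# Constructed sample security events: ts, event id, account, source, logon type
SAMPLE_EVENTS = """\
2011-06-24T09:02:11,4624,bacon.bits,WS-01,2
2011-06-24T20:15:02,4624,consult-admin,VPN-GW,10
2011-06-24T20:15:03,4672,consult-admin,DC01,-
2011-06-26T03:40:44,4624,consult-admin,VPN-GW,10
2011-06-26T03:40:45,4672,consult-admin,DC01,-
2011-06-27T08:00:00,4624,jsmith,WS-07,2
"""

# Constructed change log: (account, window start, window end, ticket)
APPROVED_WINDOWS = [
    ("consult-admin", "2011-06-24T20:00:00", "2011-06-24T22:00:00",
     "CHG-0042: reset backup service password"),
]

# Accounts whose every use must map to a ticket (hypothetical names)
WATCHED_ACCOUNTS = {"consult-admin", "breakglass-da"}


@dataclass(frozen=True)
class Alert:
    when: datetime
    account: str
    source: str
    reason: str


def parse_events(text: str):
    """Yield (when, event_id, account, source, logon_type) tuples."""
    for ts, eid, acct, src, ltype in csv.reader(io.StringIO(text)):
        yield datetime.fromisoformat(ts), eid, acct, src, ltype


def ticket_for(account: str, when: datetime, windows):
    """Return the ticket covering this logon, or None if nothing approves it."""
    for acct, start, end, ticket in windows:
        if acct == account and datetime.fromisoformat(start) <= when <= datetime.fromisoformat(end):
            return ticket
    return None


def audit_break_glass(text: str, watched=WATCHED_ACCOUNTS, windows=APPROVED_WINDOWS):
    """Return alerts for watched-account logons with no approved change window.

    Only 4624 (logon) is alerted on; the 4672 that follows it in the sample is
    the admin token for the same session, and alerting on both would
    double-count one logon.
    """
    alerts = []
    for when, eid, acct, src, _ in parse_events(text):
        if acct in watched and eid == "4624" and ticket_for(acct, when, windows) is None:
            alerts.append(Alert(when, acct, src,
                                "watched account logon outside any approved change window"))
    return alerts


if __name__ == "__main__":
    for a in audit_break_glass(SAMPLE_EVENTS):
        print(f"{a.when.isoformat()} {a.account} from {a.source}: {a.reason}")
```

On the sample data the 24 June logon is covered by the ticket and the 26 June 03:40 logon is not, so exactly that one is reported. The point is that the approved-window list is maintained by the business owner, not by the person being audited; if the consultant (or the IT guy using the escrowed account) logs on and nobody opened a ticket, that is the event to ask about the next morning.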
32

How do you keep your bookkeeper from embezzling from you? How do you keep your sales staff from taking kickbacks from your suppliers?

Non-IT people have a misguided notion that we IT people practice a black art that we wield from the line bordering good and evil and that on a whim we will resort to some nefarious machination solely for the purpose of "bringing down the pointy haired boss".

Managing an IT employee is like managing any other employee.

Stop watching movies that depict those of us who take the responsibility of our positions seriously as if we're rogue agents hell bent on world domination and/or destruction.

joeqwerty
  • My bookkeeper audits my sales staff. My CPA audits my bookkeeper. Who audits the IT guy? It has nothing to do with movies, it has to do with mitigating the risks of doing business. – Jesse Jun 24 '11 at 19:44
  • @Jesse: I hear you. There's a little bit of hyperbole in my answer but in the end you need to manage your IT staff like you do the rest of your staff. If you need someone to audit your IT staff then you need to take on that responsibility yourself or hire someone to take it on. – joeqwerty Jun 24 '11 at 19:50
  • sadly many outside of IT have the idea that every IT person is only out to crack into their systems and run off with the company secrets and the passwords to the bank account. They never even consider that we're just another bunch of people just like the rest of their employees, and that those others already have the means to do just that without needing to crack into anything at all because they have access to that data as part of their regular job. – jwenting Jun 27 '11 at 06:22
21

Wow - really? Gutsy question to ask on serverfault; don't be alarmed if some are offended by your question, though I do understand.

Ok, practical solutions; you could insist on (and frequently test) having your own administrator/root equivalent accounts on everything, randomly take one of the off-site backups home and restore it, obviously try to recruit from people you know/trust or spend a great deal of time employing them.

My strongest suggestion would be to hire two people - both reporting to you, not only will they keep each other honest but you'll have cover for when one is on vacation or sick.

Chopper3
  • ...I wonder how the hire can trust a non-tech person to be watching over his shoulder. This question reflects issues for any business. But the IT guy will have power to do all sorts of nefarious things. He HAS to have it in order to do his job effectively. – Bart Silverstrim Jun 24 '11 at 19:15
  • I kind of cringe at having accounts to everything for a non-tech user. There should be policies in place to make sure these aren't there for the non-tech to use unless there is an actual need...i.e., the admin being fired. Not because the non-tech people feel the need to start poking around the mail server or do something not in their jurisdiction, so to speak. – Bart Silverstrim Jun 24 '11 at 19:17
  • A competent admin will balk at being required to provide non-technical users with admin passwords except in emergencies. People who don't know what they're doing WILL be tempted to mess around with stuff they shouldn't. *Seal* them and lock them in a safe. – Paul McMillan Jun 25 '11 at 01:04
  • Actually, I run into this a lot, small one man or two man shops that are just milking small businesses for ridiculous gobs of money for very unprofessional work. I think this is a great question. – SpacemanSpiff Jun 26 '11 at 14:37
11

Do you have an HR person? Or an accountant? How do you keep your HR person from being evil and selling everyone's personal information? How do you keep your accountant or finance people from stealing everything the company owns out from underneath you?

For all positions, you should have procedures in place limiting how much damage a person can do. Your default position should be that you trust the people you hire (if you don't trust them, don't hire them or don't keep them), but it's reasonable to have checks and balances.

Even for a small company, you shouldn't have just one "IT person" who is the only one who knows anything. (the same as you shouldn't have just one person who can deal with payroll - what if that person gets sick?). Someone else needs passwords, needs to check the backups, etc.

One thing you can do is to make documentation a priority. Make sure you give the person you hire time to document how things are set up and discuss documentation when you interview candidates - ask what they've done in the past to document their network, ask to see a sample.

It's my habit to always put together a "Systems Guide" that more or less documents everything - what equipment we've got, how it's set up, procedures we follow, etc. etc. It's obviously a constantly-evolving document (series of documents and files in most cases), but at any time you can take a copy and get an idea of how the IT guy has set things up and what critical information someone else needs to know in case the IT guy is hit by a bus. If you really want to be prepared, you could get an outside consultant to go through the systems manual and tell you what they'd need to step in if anything happened to the IT guy.

Or, if you're really paranoid, you could get the outside consultant to come in and compare what's in the systems manual with what they see if they look at your systems. Is there other software installed? Are there extra admin or remote access accounts?

Ward - Reinstate Monica
6

It's hard, since failure brings pain ( How do you search for backdoors from the previous IT person? ). If you're small enough that you don't already have an IT presence, the sort of compartmentalized structures that can limit exposure are really, really hard to put into place. Unless you have someone else to do all the high trust activities like things requiring Domain Admin credentials, you'll have to give them to your new hire.

You're hiring someone who will have high trust placed upon them so you need to trust them in return, so if you're not 100% certain, don't hire them. Background checks can help. Insist on personal recommendations of character not just competence; if they have a LinkedIn profile, ask some of their contacts or insist on contacting them.

Yes, this will be very intrusive. If you really have doubts about someone, then it is entirely worth it due to the cost to the business in case the worst does happen. When they start, work with them very closely. Get to know them. Let the entire company interact with them. Watch how they work with people.

Once the new-job glow has worn off, watch how they handle unexpected setbacks. Do they get resentful and surly, or do they shrug it off and deal? If your office is the type to do casual hazing of new people, see how they react; subtle and quiet with much embarrassment on the revenge-target, overt and flashy, or laughter and shrugging it off? These are some of the clues that can help identify a potential revenge-saboteur.

sysadmin1138