

Man charged with abusing inside knowledge to damage old employer's network - mkr-hn
http://www.fbi.gov/newark/press-releases/2011/former-shionogi-employee-arrested-charged-with-hack-attack-on-company-servers

======
mkr-hn
How do HN readers account for the risks of firing people who carry sensitive
information?

~~~
wccrawford
The solution starts before you even hire the person. People shouldn't be able
to access things that aren't in their job description.

Shared passwords should be non-existent. When sharing a password is required,
there should be steps in place to change that password with minimal
interruption in service and at a moment's notice.

The person should be locked out of all systems (including the shared password
ones) the moment that a termination decision is reached.

The rest is pretty much up to the lawyers.

It should be noted that the only difference for when a person quits is when to
lock them out. Some companies have the person work until their notice (and
then follow the above), others terminate them immediately (and follow the
above), and others pay them a severance, but don't have them touch any
machines (and follow the above).

Anecdote: Multiple companies have called me weeks or months after I quit and
asked me for passwords to their most sensitive systems. I still had the
passwords in my brain, and they still worked.

