All too often when companies experience the slightest downtrend, rumors start to fly around the office. Corporate IT technicians, being employees, start wondering about their job security. The temptation to look at sensitive executive emails and HR documents may be all too great. And if your IT employees are accessing information they shouldn’t, there is no way for you to know. A CEO recently asked us, “How do I know if my IT person is reading my emails?” Our response was, “If they are good at their job, you won’t. Your relationship with IT employees requires explicit trust that they will have the access they need to perform their job duties but won’t abuse that access.”
Unfortunately, in order to properly manage your network and company data, your internal Corporate IT Department requires full access to all of your digital files: emails, digital personnel information, trade secrets, sensitive corporate financial information, etc. After all, they are responsible for making sure data is fully backed up each night. It is always critical to hire employees you can trust and who have a high level of integrity, and even more so when they have access to all of your data. All companies run the risk of internal Corporate IT employees using sensitive information for less than official reasons.
One poll conducted by Cyber-Ark, an information security company in the U.S., found that one out of three senior IT professionals admitted to using, or knowing a colleague who used, administrative passwords to access confidential information at their company. This information includes colleagues’ salaries, personnel information, private emails and files, confidential customer data and board meeting minutes.
Another study from Clearswift found that thirty-five percent of employees would be willing to risk their jobs and legal prosecution to sell private company data if the price was right.
“While people are generally taking security more seriously there is still a significant group of people who are willing to profit from selling something that doesn’t belong to them,” Heath Davies, Clearswift’s Chief Executive Officer, stated in a press release on July 29, 2015. “This information can be worth millions of dollars. A case in point of the true value of data is the recent Ashley Madison hack, where user data was accessed by a member of their extended enterprise (part of their technical services team) according to the site’s CEO; the effects of which have been monumental. The site announced earlier this year that it hoped to raise $200 million in an initial public offering this year and it may have lost out on this opportunity reducing the value of its entire business. This attack has also had a ripple effect on its sister sites. It is important for companies to understand the risk and address it appropriately – this research can help them do that.”
What can I do about it?
Outsourcing your Corporate IT to a Managed IT Service Provider (MSP) can help alleviate these issues. With an outside MSP, there is no conflict of interest from IT staff wanting to know about your sensitive Human Resources documents or executive communications. They also are not at risk of being out of a job when your business is experiencing a slowdown. A Managed Service Provider also recognizes that every employee of your company is their CUSTOMER, not their peer, so Corporate IT issues are treated with a higher level of customer service.
Tips for finding the right Managed IT Service Provider
1. Make sure the MSP does criminal, drug, and credit background checks on all of its employees.
2. Find out if the MSP provides a layered security solution to ensure everything is being done to protect your company’s data.
3. Visit the MSP’s facilities to observe their dedicated Service Desk Team and operational maturity level. You don’t want to be stuck in the same situation by using a “Man-in-a-Van” IT service provider.
4. Ask about certifications the MSP holds.
5. Check to see if their CIO services include Technical Business Review meetings at least once per quarter to properly align your business goals with IT and mitigate risks.
6. Find an MSP that follows proven processes and procedures to ensure you receive consistent results.
7. See if the MSP is currently managing IT infrastructures in multiple locations throughout the United States and the world.
8. Make sure the MSP is financially stable and has a strong reputation with long-term clients.
9. Look for a provider that has a defined Management Team and Advisory Board.