Lessons Learned From Bad Tech Hires
by Kim Komando
reprinted with permission from the Microsoft Small Business Center

For many small businesses, a key hiring challenge is finding
the right person to care for your computers and networks.
These folks usually carry the title of network or system
administrator.
And as your business grows, you may need someone (or two) on
staff full time to make sure your network and PCs are always
functioning properly.

Frankly, I have not had good luck with this. But here are
three lessons that
I have learned. If you heed them, you might be able to avoid
making the same mistakes.

1. Make the hire, but still maintain a close watch over everything.

That brings me to Joe (not his real name). Joe was one of my
early system administrators. He was in his mid-20s, deeply
into computers and the holder of paper certifications that
proved he knew his stuff. At first, things seemed to be OK.
It took some time for Joe to figure out the servers'
configurations and the way our Web site worked. But I
expected the learning curve, so I wasn't concerned. Several
months after hiring Joe, I went to the server room to make a
configuration change. As I mucked around in a server, I
found Web sites there for things I had never heard of.
Apparently, Joe had set them up for friends. And there were
e-mail addresses on the mail server for people I did not
know. Then I remembered my computer. I had found oddities on
it, too, and now I suspected someone was using it. I set up
a camera in my office. Sure enough, at 5 a.m., the culprit
walked in and got on the computer. Need I tell you that it
was Joe? When I had amassed all the evidence, I confronted
Joe. He readily acknowledged everything. I sent him packing.
The breaches were bad enough. But most disturbingly, he saw
nothing wrong with what he had done. The server space was
available, so he used it. Not anymore.

2. Realize when an administrator is in over his or her head.

We have a fairly complex setup, with four T1 lines coming into
the building and a mountain of routers as well as Web and
file servers to handle it all. I thought that I had found a
perfect addition to the staff with Steve (again, not his
real name). He had his degree, came with great references
and appeared to be a real team player. What I did not know
was that he had never really worked on a system alone. He
relied on a string of people in his past job at a major
corporation to keep the systems running. So he had to learn
on the job. In doing so, he made system changes that
invariably brought the network and the servers to a
screeching halt. But he would not just make one change. He
would make three, four and maybe 10 at once -- so when the
system failed, he was not sure what caused it. One morning
after two weeks of this nonsense, I walked into the server
room. There, I found him sleeping on the floor with a book
resting near his head.

The book was titled something like "Hacking Made Easy." I
woke him up and
asked him, "What's going on?" Steve proceeded to tell me
that he was up all night working desperately to get our
networks operational for the day. He determined that our
inability to connect with the Internet was not with our
routers and firewalls. It was with the Internet service
provider's T1 lines. And then he explained that the ISP
would not acknowledge the problem, so he was going to hack
into their corporate offices and fix it himself. Now, I was
scared. Steve was terminated that day.

3. Establish company rules and make sure every employee knows them.

Some time ago, I read about a 19-year-old who pleaded guilty
to stealing sensitive data from DirecTV. The young man was
working for an imaging firm that had a contract with a law
firm. The law firm was doing work for DirecTV. The
information stolen concerned DirecTV's customer access card.
DirecTV is in a constant battle with hackers to keep its
data secret. This information was so sensitive that DirecTV
kept it encrypted on its own computers. The young man who
stole it didn't do it for money. He apparently was looking
for validation from his peers. He posted the information on
the hacker sites.

My guess: He didn't even consider the fact he was stealing
someone else's
property. I don't know about the corporate fallout of his
actions. I'll bet the imaging company lost that contract.
There are many, many people on the Internet these days who
think nothing of taking intellectual property. Millions of
people swap music files electronically. So how does this
apply to you? If your employees have access to the Internet,
they could be misusing it. They could be swapping files from
their desktop computers. If you have a server with Internet
access, be careful. You should learn to explore that server
to check for contraband. Some poorly socialized character
could be setting you up for problems with customers. Worse,
you could have legal problems. It's not just music files.
Someone downloading pornography could create a hostile
workplace.

Software counterfeiting also is big. Recently, the
government busted
a large ring of people swapping illegally copied software.
They were using corporate computers, primarily. Since many
people have trouble distinguishing right from wrong when it
comes to the Internet, you should lay it out. Part of your
computer policy should include a ban on misuse of the
computers. Be specific. Don't assume anything. That would be
a mistake. This goes double for system administrators. These
are people who've been entrusted with access to every
employee's computer. And they know the system inside and
out. If you don't watch carefully -- and sometimes even if
you do -- you may not realize there's a problem until the
sheriff appears at your door.