We all know someone who plays the part of the office ‘Refusnik’ and ignores all the Health & Safety advice, stays at their desk when the fire alarm goes off, and generally flaunts authority. But what if that person does the same to your office IT security policies? Would you know? How would you stop their behaviour before it became dangerous?

In this cautionary tale I interviewed a woman who should have known better. Her story is told in her own words. If this sounds all too familiar there is some great advice at the end of this article to make sure you too don’t end up losing your job!

In her own words

It all started when I landed a job at Virtually Direct. From day one I realised accountancy didn’t really float my boat but, with mum on my case, at least it gave me shopping money. On my first day at the office I was shown to a desk in the corner, piled high with invoices that I had to input onto the system but, as you’d expect with an up and coming ecommerce business, at least my PC had super fast internet access. Result, I thought, I could update my Facebook status.

The guy that worked opposite me – was alright, but he had his face stuck in a spreadsheet most of the time. He didn’t even look up when I asked him for help with my spreadsheet. Bored doesn’t even begin to describe those first five minutes, so I thought I’d update my blog.

The morning passed in a bit of a blur, well so did the next few months if I’m honest. I’d spend most of my time surfing the internet, doing a little virtual shopping, updating my status, posting on my blog, emailing my buddies about the awful people I had to spend the day with and sharing pictures of the hot guys I met in the evenings – sometimes in the buff! The work was mundane and boring but most of the time I just didn’t do it. No one seemed to notice or care!

Thankfully my online diary was a hit and I did consider becoming a writer. My updates about how archaic everything was were really popular. The post where I complained about our lack of antivirus software, because I’d introduced a virus into the network by opening a nude picture of Brad Pitt, had thousands of hits and I started to get a regular following.

Well, I couldn’t leave my public wanting, so I would tell them about funny complaints from customers, the weirdly worded messages I’d get in pop-ups about ‘patches’ or directing me to various ‘policies’ and ‘practices’ that I should read, that sort of thing. Claire’s ‘secret formula’ for creating new un-crackable passwords was another entry that spiked – people couldn’t get enough of me.

Then one morning – on my four month anniversary – I arrived at work to find my PC logged on, which I thought was a little strange but soon forgot all about it. A little later that day I passed Roy, the Big Cheese, in the corridor and he asked about my phobia of invoices. Now, I know I hadn’t told him about it – mainly because I’d never even spoken to him before, so I deduced he must be one of my followers and was referring to my recent update “Why working sucks” – Kudos indeed!

Just before home time, and I’m still not sure why I was telling my online disciples how phallic Roy is, I realised he was standing behind me so I switched screens rather snappishly. Thankfully, I hadn’t spoiled the surprise but I wish I could have seen his face when he read it later online!

One of my mates suggested I contact my local paper and tell them about the thousands of people that were following my online diary. So, on Monday morning back at my desk, I researched who our local reporter was and sent her an email. I wasn’t sure it was ‘news’, but nothing ventured and all that – perhaps it would be my big break into journalism.

I was thrilled when Doris gave me a bell and told me her editor loved my online diary – especially about the workings at my company, and that it would be in this week’s issue. She needed a photo so I poked her on Facebook and told her to choose one from my album. I’d have preferred if they hadn’t used the image of me on an anti-capitalism rally, or the headline asking if I was a security risk, but there’s no such thing as bad PR, is there?

I suppose it all went wrong the morning I saw an advert for a job in the communications department. I thought I’d be perfect, especially with how well I’d developed my online community. Roy was bound to give me a glowing recommendation. I mean – I was always at my desk on time, admittedly I didn’t do anything all day but no-one had noticed, and he obviously liked my blogs! I had to submit my application online, which was a little tricky as I couldn’t remember my login details for the accounts server, so I asked IT if they could remind me.

Derrick in IT did seem a little surprised that I didn’t know it, especially as I should be using it everyday, but I put it down to a heavy night and he seemed to accept that. Gullible doesn’t even begin to describe our IT team – I have to say that was one of my better blogs! To make sure I didn’t ‘forget’ again I wrote the password in indelible marker on the underside of my keyboard – genius!

The last thing I did before I left the office that evening was respond to an email from Derrick, asking me for the username and password for our bank account. I mean, he’d given it to me when I’d first started so he was obviously thicker than I’d given him credit.

I was thrilled when I got a call from Susan in HR, although a little annoyed that she’d called me at home, inviting me to an interview in the morning. I thought the communications gig was in the bag.
Security met me the next morning and took me up to HR. Alarm bells probably should have gone off then but I just thought Susan was so keen to talk to me that she wanted to make sure I didn’t get lost. It’s fair to say it went downhill from there.

Roy and Derrick were with Susan, with big thick dossiers in front of them, and they’d left their happy faces behind. To cut a long story short, Roy wasn’t so thrilled with my blog entries after all. He didn’t like the blogs criticising the company, but it was the complaints from customers who’d been scammed from my revelations that he kept banging on about.

Derrick, the turncoat, had printed off emails I’d sent to my friends and even had pictures of the bloke I’d met at the anti-capitalism eco-tent minus his kit. I tried to argue that he wasn’t that intelligent himself having asked me for the bank details and he turned purple. How was I supposed to know that it was a scam and our bank account had been breached!

I’m not sure what’s next for me. Gross industrial misconduct doesn’t read so well on my CV! Here are some simple IT security rules to observe unless you want to replicate our hero’s experiences!

  • Don’t include easily-guessed information in your passwords such as birthdays, family and pet names.
  • Don’t use easily guessed words or common words such as `password’ and simply replace characters such as “a” with an “@” or “o” with a zero. Hackers know this strategy and their software knows it too.
  • Don’t use the same passphrase for multiple logins – and in particular don’t mix personal passphrases with business ones. Keep everything separate so that even if one account is compromised, the rest are secure.
  • Never give anyone – including IT staff – your password. If an administrator truly needs your passphrase, change it before disclosing it, then change it back when they no longer need access and ensure you are present when they are using your account.
  • Don’t click links in emails from unknown senders, no matter how attractive or urgent they seem. And if your browser starts displaying pop-ups with unusual frequency or appearance – no matter where you are browsing – close your browser and scan your system for malware and adware.
  • Even when logging onto websites, use passphrases that are 15 characters long whenever allowed. This can help safeguard your account on sites whose administrators may not be protecting stored passphrases by disabling vulnerable hashing algorithms.
  • If you do online banking, be sure to logout after each session. This invalidates the login session stored on your system. Then CLOSE all browser windows before leaving your machine. If you are using a tabbed browser, simply closing the single tab is NOT enough.
  • Don’t allow browsers to store your passphrases for you, as not all browsers store your logins in a secure fashion.
  • Never configure a computer to automatically log you on. If your system is configured for auto-logon, Windows may actually store your passphrase in clear text within the registry of the system in one or more well-known locations.