How do I protect my company from my IT guy? [closed]

security best-practices

I'm going to hire an IT guy to help manage my office's computers and network. We're a small shop, so he'll be the only one doing IT.

Of course, I'll interview carefully, check references, and run a background check. But you never know how things will work out.

How do I limit my company's exposure if the guy I hire turns out to be evil? How do I avoid making him the single most powerful person in the organization?


You do it the same way you protect the company from head of Sales running off with your client list, or the head of Accounting embezzling funds, or the Stock manager from running off with half the inventory, largely: Trust, but verify.

At the very least, I would require that all passwords for all Administrator accounts on systems and services under IT be kept in a password safe (either digitally like KeePass, or a literal piece of paper kept in a safe). Periodically you will need to verify that these accounts are still active and have appropriate access rights. Most experienced IT people call this the "if I'm hit by a bus" scenario, and it's part of the general idea of eliminating points of failure.

At the one business I worked at where I was the sole IT Admin, we maintained a relationship with an external IT consultant who handed this, primarily because the company had been burned in the past (by incompetence more than malice). They had remote access passwords and could, when asked, reset the essential administrator passwords. They did not have direct access to any company data, however. They could only reset passwords. Of course, since they could reset enterprise admin passwords, they could take control of the systems. Again, it became "Trust but Verify". They made sure they could access the systems. I made sure they didn't change anything without us knowing about it.

And remember: the easiest way to make sure a person doesn't burn your company is to make sure they're happy. Make sure your pay is at least at the median value. I've heard of too many situations where IT personnel have damaged a company out of spite. Treat your employees right and they'll do the same.


How do you keep your bookkeeper from embezzling from you? How do you keep your sales staff from taking kickbacks from your suppliers?

Non-IT people have a misguided notion that we IT people practice a black art that we wield from the line bordering good and evil and that on a whim we will resort to some nefarious machination soley for the purpose of "bringing down the pointy haired boss".

Managing an IT employee is like managing any other employee.

Stop watching movies that depict those of us who take the responsibility of our positions seriously as if we're rogue agents hell bent on world domination and/or destruction.

Related

How to unify package installation tasks in ansible?
Does each server behind a load balancer need their own SSL certificate?
How to apply a filter to real time output of `tail -f `?
How can I find the path to an executable in OSX
ssh connection takes forever to initiate, stuck at "pledge: network"
How do high traffic sites service more than 65535 TCP connections?
How do I grep through binary files that look like text?
memcache vs memcached?
AWS RDS connection limits
Centos 7 save iptables settings
logrotating files in a directories and its subdirectories
protocol version mismatch -- is your shell clean?