A reader writes:
Do you have any experience or stories about firing an I.T. Director? That office has the keys to everything. It’s not like another position where when someone is let go, we disable their account and that’s it; they’re disabled and can’t get in.
Excellent question. When I’ve had to do this, there have always been other I.T. staff who I’ve been able to coordinate with to help with the process ahead of time, but your I.T. director does indeed hold the keys to the kingdom and if you didn’t have other I.T. people around to help you, you’d need to worry about basic logistics at a minimum and potential sabotage at worse. I turned to our regular commenter and I.T. expert extraordinaire Jamie, for an answer to this one. She says:
“Ideally there is a protocol by which the passwords were stored in a secured database, because even lone ITs get hit by busses, and a company has to be prepared for that eventuality. There should also always be redundancy for the important tasks, either on staff or with an outsourced consultant — again, so that you aren’t completely lost when the bus hits. One of these tasks is changing passwords — it’s a simple process.
So in the ideal situation, you’d give the passwords to someone trained to change them before you go into the meeting in which the I.T. Director is being let go. Once the door shuts, they are signaled to make the changes before the meeting is over. (This isn’t as James Bond like as it sounds; it’s best practice when letting someone with network access go.)
Unfortunately, people aren’t always dealing with best case scenarios, and far too often you only have one person with the keys to the kingdom. In that case, have someone else on hand who knows how to change passwords and get them before the person leaves. They need to give them to the company, just like they would turn in their company-owned phone or laptop, and having someone on site to change them means that you can verify they are correct before the person leaves.
And don’t forget to change all the passwords. It isn’t just the network and the servers, but everything from Twitter to online applications, firewall support, corporate accounts, etc. Even a small business will have 100+ passwords, and it’s a tedious process.
If they won’t turn them over, get a network consultant to come in and change them manually. You’ll pay for it, but they will be able to do it and will do so in order of importance, security-wise.
And when you hire a replacement (which you should have lined up, if possible, because this is a position you really don’t want vacant) make sure they are documenting the passwords properly so this doesn’t happen again. No IT professional with any integrity would balk at documentation … because good ITs don’t need to build in job security by holding passwords and information hostage.”
I asked: “If you end up having to have a consultant come in manually to change passwords, and/or the exiting I.T. person refuses to give them to you, is there anything you can do to protect against sabotage in the interim?”
“Preventing sabotage is key (it’s unlikely as the majority of fired people aren’t crazy, but it’s frequent enough to prepare for it, and in this position the damage can be catastrophic). They should take the network down for the brief time it takes to manually reset the passwords. It’s just a blip in uptime. Make sure to clone the drives before you begin the recovery -– so you’ve got your data preserved if something goes awry.
The key to remember is that the only power the person has is to make it more inconvenient for you to change the passwords. They can’t bring you to a halt for more than a little downtime to do it manually. If you do think they are attempting to sabotage after termination, make sure you check your logs to see if someone is trying to access the system. Unlike many things in the workplace, this is indeed illegal.
And if any disgruntled ITs think this would be a good idea, they need to think again. It’s a position that has serious ethical requirements for a reason — because of global access — and sabotage or withholding information would ruin your reputation faster than anything else. Those are career-ending moves.”