[Thanks to Nerd Dennis Houseknecht for this post.]
Many of us have wanted to “put a bullet” in a server or workstation from time to time – at least figuratively. This Salt Lake City employee had too much to drink and LITERALLY shot the server. This might be amusing, except for the costs involved – not to mention the danger of injury.
My first thought, of course, was how this sort of loss figured into the employer’s risk management plan. You might think that such a risk could never be anticipated or included in a risk management plan, but not so. The specifics of this incident may be unusual (or even bizarre), but two categories of risk that should be included in any risk management plan are “intentional damage caused by employees” and “unintentional damage caused by errors and omissions”.
Intentional damage by employees is a very real risk that is often underestimated. How do we deal with this risk? The same way we deal with any risk. We have four choices:
- The risk can be accepted – that is, we just take our chances and do nothing
- The risk can be avoided – in this case that would mean having no employees
- The risk can be transferred – that is, covered by insurance. This is where it pays to read the fine print. Does the city’s insurance cover intentional damage or acts of sabotage by employees? Are there limitations?
- The risk can be mitigated (but never completely eliminated) – some mitigation measures in this case might be:
  - Hiring policies that require background checks (this employee may have had a history of erratic behavior)
  - Policies prohibiting certain actions (well, in this case, the actions were criminal, but other, less dramatic, acts of intentional damage might be deterred by policy)
  - Physical security – the article does not address the question of how this person gained access to the server, whether he required access as part of his job, or whether there was any physical security at all.
We cannot anticipate every possible risk, but every needs assessment should include some discussion of risk management and the types of risks small and medium enterprises face. The possibility of intentional damage, sabotage, or theft of property (or sensitive data) by employees is often an uncomfortable subject, but one that should not be avoided. A thorough evaluation of physical security is an essential part of ANY needs assessment.