It’s 4:30 PM on a Friday. (Bad news always comes late afternoon on a Friday or holiday eve!) The Chief Technology Officer’s phone rings. It’s Tony. Tony has had a bad week. On Monday he was informed that someone had filed a harassment complaint against him. His supervisor, who informed him of the development, explained that Federal law and HR policy require him to avoid common work areas. He has to stay in his office. He, the supervisor, hopes to be able to provide details by the end of the week, Monday at the latest. The supervisor calls him at noon, apologizes and says he will have to hold on until Monday. Tony informs the CTO:
“I just got what I thought was an email from the Acme Company (not a real name!) and, since I was expecting to receive a bid from them, I clicked on the attachment. I have been so stressed out about this harassment business that I did not realize that the email was from a .co and not a .com address. I am pretty sure it was a phishing email. I turned off my computer, followed the protocols, and am now calling you.”
Now this could be as innocent and understandable as presented. Or it could have been retaliation for the way the harassment charge was being handled. But Tony, in his defense, would say, “If I wanted to retaliate, after clicking on the link, I would have gone to the Men’s Room, waited until I packed my bag, and then shut off the computer and never would have reported the incident. That would have given the hackers plenty of time to do whatever they wanted to do and this may not have been discovered for months.” Also a perfectly logical response.
Employees leaving under less than optimal conditions are threats to a company. Even an employee who seems to be leaving under optimal conditions could be a threat. You can never tell. So what’s an employer to do?
Before you fire someone, deny them access to your network. When you punish someone, limit their access to your network to only the areas that they need to do their work (which could be a good policy in any event!). It should be the same policy for someone who announces their resignation.
As has been well recorded, small businesses, subject to a cyber attack, can lose hundreds of thousands of dollars and the majority go out of business within six months. It’s not worth the risk to have a disgruntled, angry, or hurt employee having access to your computer network and corporate data. At a minimum, you must monitor everything your employees do on their computers, especially those who may be holding a grudge along with a mouse. It is not an invasion of their privacy; it’s protecting yours! And, it should go without saying, you have to have security protocols, policies and procedures, in place to protect your computers and network from malicious activity.
And it ain’t much better for job seekers.
You apply for a job on a job board such as Indeed, Zip Recruiter, Monster, or even LinkedIn (assuming, of course, that they have the best possible cybersecurity available) where you announce for all the world to see that you are “Open to Work” or “Looking for New Opportunities.” If you include your email address on the resume you upload to the sites, or on your LinkedIn contact information, everyone knows how to reach you…including the bad guys.
So they, the bad guys, see that you are (a) an accountant, (b) looking for work and (c) they know where you live. So they fake an email from a prominent company in your area. Or, they pretend to be with a recruiting firm. In either case, they compliment you, build up your ego, and attach a job description. You click on the job description and now you are the victim of a cyber attack.
Usually, the goal of a cyber attack is to get data and hold it hostage, or to gain access to a richer target through the computer of, let’s say, a smaller fish in the ocean that is the Internet. Yes, they can steal your money or your identity but, no offense intended, you’re not really worth the bother. But now they know that you are, I shall be diplomatic, unsophisticated enough to click on a link without checking the email address from which it came. And you are none the wiser. Eventually, you get a new job and post it on your LinkedIn profile. So the bad guys figure out your new corporate email, send you a message and, once again, you click on their attachment. Oops!
Or, I may be wrong. They make it a ransomware attack and freeze your computer and hijack all your data, and threaten to send embarrassing emails to all your contacts, including all of the employers to whom you have sent your resume. But, being the nice bad guys that they are, they’ll return everything to you for only $250. You pay. It’s worth it. They do it to a few thousand people, and they have a very nice payday.
The good news is that you can avoid all of this. First, remove your resume from all the job sites, along with any indication on LinkedIn that you are looking for a new job, once you have the new job. But, in the meantime, start using something called “Multifactor Authentication” or “2-Factor Authentication.” What that means is that you will receive a text message with a code whenever someone tries to send an email from your account. You can also purchase a security system from your email provider that will protect you if you click on that which should not be clicked! It takes very little time to set up, and doesn’t cost enough to think about.
Bottom line, whether an employer or job seeker, hope for the best but prepare for the worst. And when it comes to a cyber attack, the worst is really bad.
I don’t believe I have ever recommended a service provider before, but if you need help securing your network or email, I recommend contacting Peter Fidler, for whom I have provided recruiting services in the past, or Bob Michie, with whom I am a member of a New Jersey professional networking group.