Last week without paying attention I scheduled this article to publish Monday morning, not realizing that in North America we would be celebrating Labour Day. Almost none of my readers were in the office, and many (including myself) were relaxing by a beach somewhere. As I expect the article was largely overlooked in lieu of late mornings and lazy afternoons, I decided to re-schedule it for this slot. Enjoy the article! -MDG
You have a job that gives you a computer. Maybe it’s even a laptop that they let you take home with you. It is probably better than the old computer that you’ve been using… and maybe there isn’t even a policy at work about using your corporate computer for reasonable personal use. Cool, right? You can let your old computer at home gather dust and use the company’s computer for everything.
This is a really bad idea.
If you work for a company like any of the ones that I have managed then you have worked with some pretty scrupulous (i.e. HONEST) IT Professionals. However, as in every other profession, there are a lot of bad apples out there. Here is a scenario that I hope will haunt you… or at least scare you into segregating your personal computer tasks from your corporate laptop.
In my last article (Passwords: Beware) I wrote about some of the dangers of passwords, and especially of using catch-all passwords… in other words, the same password for many sites. Here’s how an unscrupulous IT admin can make all of that irrelevant.
You get your shiny new laptop from work. You use it for business… but you also use it to pay your bills, do on-line banking, connect to Facebook, and any of a thousand other tasks you do during the course of a normal week.
‘Don’t worry… your computer is secured with an Active Directory password which we forced you to make complex, and we cannot see your password or log in as you. Of course, we could change your password… but you would know that pretty quickly the next time you tried to log on to your system and your password didn’t work.’
In most cases this statement is true… and let’s assume for the time being that it is absolute (whether it is or not).
Times are tough all over, and you have not been selling as well as you were expected to. You are dreading that call into the boss’ office, but as you are preparing to leave the office on Friday you get the call. ‘Please come see me for a minute.’ You lock your computer (as you have always been taught), and walk over to his office.
Of course, s/he might tell you to finish out the month, but usually this conversation officially ends your employ. You go back to your desk to clear out your personal belongings, but if you do try to log in to your computer you will discover that your account has been locked out.
What happens next?
An honest IT Admin will back up your data, then wipe your profile and prepare the computer to be given to your replacement.
A dishonest IT Admin will change your password to something that he or she knows. He will log on as you (and remember, he doesn’t have to sit at your old desk out in the open to do this – he can do it quietly from the comfort of his cubicle). He will install password recovery software (maybe the one he used to help you when you forgot your e-mail password last month). In seconds he will have a list of every website that you have visited, your username, and your password.
It won’t take long for him to order a new credit card in your name… and maybe buy some goodies on eBay with your PayPal account. I don’t know what else he might do, I am not that kind of guy. But I have met people who were… and they scared me straight.
So what happens now?
Any website that is business-related won’t matter… once you have left the company they have a right to whatever data you would glean from them anyways. If the IT Admin does anything on those sites with your credentials it will be easy to prove – ‘Hey, I was let go at 3:45pm on Friday the 13th, and that malicious post was written from my corporate laptop on Tuesday the 17th… four days after the laptop was taken from me.’
Anything that’s personal… well my friend, you should not have been using your business laptop to do your eBay shopping, or your on-line banking. You could file a criminal complaint and you might get your money back… but by the time the cops come to investigate (and they will almost certainly never do that) the dishonest but not stupid IT Admin will have wiped the laptop clean and there will be no record of wrongdoing.
So what do I do?
Once you are in that position it is already too late; what you need to do is separate business from pleasure at the very beginning. If you are already using your company computer for personal use then a) stop now, and b) from a personal computer change all of your on-line passwords now.
But would he really…?
I don’t know your IT Admin… Maybe he’s a good guy (or a good girl) who would never do anything like this. But why put yourself at risk? Take the temptation away from him or her and just don’t use your corporate computer for personal activities.
…Or you can take the risk, and then find out how frustrating it is to have to cancel credit cards and swear affidavits that the offending transactions were not yours in the faint hope that your bank will reverse the charges.