A friend needs to fire her IT guy, what passwords/access should she ask him before firing him?

[freedonX]

I have a very good friend who trusts me a lot , who is about 70 years old and has a business with about 40 employeess needs to fire her IT guy. It's just 1 one guy who manages all IT/computers related to her office. From fixing iphones, configuring emails on each PC of each of the employees, upgrading ram.....you get the point. She of course being 70 years is not a technie. 

He of course manages the companys email, also the domain, and what not.

She looked me up because she was suspicious of his work as of late. We've been talking and in a nutshell I told her that he s a terrorist who has her files as hostage because he won't even tell her straight about problems. He's been her employee for over 10 years, so he has access to everything.

 

She of course realizes he's  not a good person, so she'll need to fire her.

But she's worried he has access to the important stuff  and the day he gets fired he'll damage/change/hijack the information.

So I'm telling her she'll need to ask him for certain passwords.

THat's my question.

 

I can only think of the domain, the email server , other servers  (backup server, windows server , etc), and microsoft accounts that are used. What else should she ask for before firing him. 

 

[Nick H. Supervisor]

My first thought is, how do you expect to ask the IT employee for those passwords without the employee getting suspicious?

 

My next thought would be that there should always be two administrator accounts for just this reason. Your IT guy has one set of administrator credentials and someone else (in this case, the boss) should have the other set. That way you don't need to ask the IT guy for his credentials if you need to get rid of him. You can use the other credentials and block his accesses.

 

Finally, I would assume that he is on a contract? Surely there is something in the contract about the handling of company data? Also, he would have to realize that if he were to do anything with the company data or systems, he would not be able to find another job in the IT industry. I know of someone who did something similar and they have ruined their career because of it.

 

Note than none of the above is advice from a security or legal expert. I'm literally just thinking off the top of my head about the situation and what I would do. Others around here might have some safer/better advice to give.

[adrynalyne]

Yeah...this situation  should have never occurred. No one employee should be a single point of failure like this. 

 

Your friend needs all the passwords (asking for specific ones is just asking for suspicion). Have them explain that they are creating a central password repository so that all passwords in the company are stored on case of a tragedy or emergency and someone needs to to step in unexpectedly. Of course, to make it less suspicious, it should be a company-wide policy now. Which is how it should have been since day one.  
 

 

[neufuse Veteran]

first thing you do, hire 2nd IT person as "expanding" the depatment... get them completely up to speed... then make the move......

 

you should never have one person know all the passwords... it should always be stored somewhere that the owner has full access to in some type of corporate password manager or something

[REM2000]

I know theory and real life are different however, 

 

If after the IT Guy is fired he damages / deletes / otherwise disrupts business, in the uk (not sure about the states) this is seen as a criminal act and he can be prosecuted, again this is the theory, you will of course need to prove this etc.. 

 

If it doesn't hurt everyone involved what caused the suspicion? Is he slacking off, is he stealing? Is this something that cannot be resolved with a roundtable discussion. Seems to be a big jump for someone who has been working for 10 years, I assume everything is working ok? 

 

Personally I would rip the plaster off, I would ask for the passwords and give him his notice. Of course he might retain that information or not be willing to share it. However you will just have to accept this damage. I say this as if a person has been working for 10 years for an organization and you have moved to fire the individual i assume the reason is pretty severe, therefore would you want to continue to employ him? Of course if it's not as severe then the above suggestions of hiring a second IT person might be plausible but then i would go back to my question of why are you moving to fire someone?

 

I would hire a good IT firm, not cheap but an organization with a good support team behind them for two reasons, you of course will need someone to run the IT systems after the previous IT person is gone. The second is that a good support organization will be able to recover / reset passwords. There are systems which may be very difficult such as firewall, the company may have to suffer the pain of having the firewall rebuilt etc.. 

 

Other services such as your domain should be purchased under the company name, proving who you are with letterheads should then give you access to the domain and if they host your DNS that access too. 

 

The most important objective which goes without saying is the reset of passwords across all systems, a complete audit to ensure that there are no back door accounts and then documentation to ensure the long term running of the systems, your friend may then continue to employ the company supporting her or she may feel they want to hire another IT person in which case the work done above will be invaluable. 

 

Sorry im afraid the road ahead is a little hard and it is going to be expensive, however its important to be decisive depending on what the IT person has done to warrant them being let go, if for example it's snooping on peoples emails then the HR fallout along with staff issues would be more than enough to push for the painful on the spot firing.

 

(I also hope that if this is the case of the IT person going bad and snooping through emails that she of course is not communicating any of this via email to you). 

[jnelsoninjax]

I am wondering if there is a roundabout way of getting the info without him getting suspicious, i.e. IT guy, I was thinking that it would be a good idea to have all of the passwords/important data stored in a safe spot in case I need it and you are not here at the time. Or tell him that you need the passwords for audit purposes, and like @REM2000said, make sure that you do all communication in person or via SMS, do not trust that he is not watching the email.

[PsYcHoKiLLa]

I agree with the "get a 2nd guy in"

[zhangm Supervisor]

Yeah, you're going to need to onboard a replacement or contract out to an external service to take over their duties and also ensure that no retaliation is occurring. But in general an IT person would be understanding of the importance of redundancy and resilience, so they shouldn't have any issues coming up with a system to securely share credentials. Maybe approach them with a concern over losing access to passwords, etc, and ask him to look into a solution? "Is there a secure way of digitally sharing our credentials with one another?" "How are our account credentials being stored? Is it safe?" etc.

 

Best to do it while they're still around to pass the torch, and also think of a diplomatic way to sever ties (let me guess, no HR person?). When you fire the guy and change the passwords, that won't magically make him forget confidential information that could be misused.

[freedonX]

 

9 hours ago, Nick H. said:

My first thought is, how do you expect to ask the IT employee for those passwords without the employee getting suspicious?

 

My next thought would be that there should always be two administrator accounts for just this reason. Your IT guy has one set of administrator credentials and someone else (in this case, the boss) should have the other set. That way you don't need to ask the IT guy for his credentials if you need to get rid of him. You can use the other credentials and block his accesses.

 

Finally, I would assume that he is on a contract? Surely there is something in the contract about the handling of company data? Also, he would have to realize that if he were to do anything with the company data or systems, he would not be able to find another job in the IT industry. I know of someone who did something similar and they have ruined their career because of it.

 

Note than none of the above is advice from a security or legal expert. I'm literally just thinking off the top of my head about the situation and what I would do. Others around here might have some safer/better advice to give.

 

First  thought...that is a good question. One I've been thinking as well. Because like in any IT related things, the moment you fire someone, you need to delete/change their access. Which, the problem here, my friend doesn't know 

second thought, definite I agree to hire someone else. Though that'll be for the future.

 

About the contract. I highly doubt the contract says anything about that. You'll be surprised how micro/small business are managed here in Mexico. Heck, with my parents (who are the owner of the business). I'm the one looking into that. They didn't even realize that.

Appreciate the advice

 

7 hours ago, adrynalyne said:

Yeah...this situation  should have never occurred. No one employee should be a single point of failure like this. 

 

Your friend needs all the passwords (asking for specific ones is just asking for suspicion). Have them explain that they are creating a central password repository so that all passwords in the company are stored on case of a tragedy or emergency and someone needs to to step in unexpectedly. Of course, to make it less suspicious, it should be a company-wide policy now. Which is how it should have been since day one.  
 

 

I know this should had never happened...but it is what it is. She's an expert on her field (30+ years experience) but computers was never her thing.

Creating a central password repository is a great idea!!!

 

6 hours ago, neufuse said:

first thing you do, hire 2nd IT person as "expanding" the depatment... get them completely up to speed... then make the move......

 

you should never have one person know all the passwords... it should always be stored somewhere that the owner has full access to in some type of corporate password manager or something

I have my doubts about hiring a 2nd person, this person is the jealous type. I haven't worked with him, just talked with him. I have no doubt he'll be suspicious. He has been the sole IT guy for 10 years. Even though my friend is the owner, he knows her well she isn't the type of person who has a IT-future -vision.

 

 

5 hours ago, REM2000 said:

I know theory and real life are different however, 

 

If after the IT Guy is fired he damages / deletes / otherwise disrupts business, in the uk (not sure about the states) this is seen as a criminal act and he can be prosecuted, again this is the theory, you will of course need to prove this etc.. 

 

If it doesn't hurt everyone involved what caused the suspicion? Is he slacking off, is he stealing? Is this something that cannot be resolved with a roundtable discussion. Seems to be a big jump for someone who has been working for 10 years, I assume everything is working ok? 

 

Personally I would rip the plaster off, I would ask for the passwords and give him his notice. Of course he might retain that information or not be willing to share it. However you will just have to accept this damage. I say this as if a person has been working for 10 years for an organization and you have moved to fire the individual i assume the reason is pretty severe, therefore would you want to continue to employ him? Of course if it's not as severe then the above suggestions of hiring a second IT person might be plausible but then i would go back to my question of why are you moving to fire someone?

 

I would hire a good IT firm, not cheap but an organization with a good support team behind them for two reasons, you of course will need someone to run the IT systems after the previous IT person is gone. The second is that a good support organization will be able to recover / reset passwords. There are systems which may be very difficult such as firewall, the company may have to suffer the pain of having the firewall rebuilt etc.. 

 

Other services such as your domain should be purchased under the company name, proving who you are with letterheads should then give you access to the domain and if they host your DNS that access too. 

 

The most important objective which goes without saying is the reset of passwords across all systems, a complete audit to ensure that there are no back door accounts and then documentation to ensure the long term running of the systems, your friend may then continue to employ the company supporting her or she may feel they want to hire another IT person in which case the work done above will be invaluable. 

 

Sorry im afraid the road ahead is a little hard and it is going to be expensive, however its important to be decisive depending on what the IT person has done to warrant them being let go, if for example it's snooping on peoples emails then the HR fallout along with staff issues would be more than enough to push for the painful on the spot firing.

 

(I also hope that if this is the case of the IT person going bad and snooping through emails that she of course is not communicating any of this via email to you). 

 

In a nutshell, the IT guy has bene slacking a lot. It's not only about performance, it's the awful attitude and constant lies about working on the files and configuration. Yesterday I was beside my friend, and she had her speaker on the phone and I could realize this guy is doing the impossible to delay anything he does (why?? dunno!).  It's a lot of small things that add up. He does lie a lot. For example, out of the 40 employess, about 35 are working from Home. About 20 have email problems. He blames each of their own ISP. (I counted like 5 different ISP betweeen some employees). That's to give you the idea. Of course he being the only IT person, no one questions his knowledge.

 

5 hours ago, jnelsoninjax said:

I am wondering if there is a roundabout way of getting the info without him getting suspicious, i.e. IT guy, I was thinking that it would be a good idea to have all of the passwords/important data stored in a safe spot in case I need it and you are not here at the time. Or tell him that you need the passwords for audit purposes, and like @REM2000said, make sure that you do all communication in person or via SMS, do not trust that he is not watching the email.

Yeah I agree, that was a great idea about having all the passwords stored in one place.

 

5 hours ago, PsYcHoKiLLa said:

I agree with the "get a 2nd guy in"

I have my doubts, like I replied to @neufuse

 

5 hours ago, zhangm said:

Yeah, you're going to need to onboard a replacement or contract out to an external service to take over their duties and also ensure that no retaliation is occurring. But in general an IT person would be understanding of the importance of redundancy and resilience, so they shouldn't have any issues coming up with a system to securely share credentials. Maybe approach them with a concern over losing access to passwords, etc, and ask him to look into a solution? "Is there a secure way of digitally sharing our credentials with one another?" "How are our account credentials being stored? Is it safe?" etc.

 

Best to do it while they're still around to pass the torch, and also think of a diplomatic way to sever ties (let me guess, no HR person?). When you fire the guy and change the passwords, that won't magically make him forget confidential information that could be misused.

Don't know if she has an actual legal/HR department. I know the "HR department" hires folks, but it's more of the salesman type. Maybe it's more of a casual term than actually being an HR department with all the procedures. Will check with her.

 

Thank you everyone for your replies. I did tell her to hire a firm, and not only 1 guy for future to avoid these situations

 

 

[kcbworth]

I'd quietly hire an IT security consultancy to help advise on this. Firstly the business owner work with them directly to express concerns, then they make and execute a plan (which might include sending in a "2nd IT guy") and then they can participate in the "firing" and ensure that all access is appropriately transitioned

[CloudEngineer]

yes agree with above, play it out like an audit, highlight the risks and take back control over your assets prior to making any moves on terminating employment

[sagum]

Realistically no one is going to give you existing passwords on a sheet of paper or something like that.
Even if they did, unless you've got the IT guy to hand over the 2 factor auth, and changed all the reset email addresses etc, for the accounts he could come back in several months and just damage your systems as easily as the day you fire him.

 

Don't fire the IT guy until you have another IT tech on site.
The new IT tech will take on the problem to acquire access to the required security and accounts as part of the handover process. 

Have the new IT Tech audit the entire system and document it. You're probably still not going gain the passwords for the services directly, but at least if you need to then fire any IT staff, there will be a procedure in place to recover the accounts accordingly.

[Dick Montage]

Another tactic may be to bring in an external party  under the guise (real or otherwise) of an audit. Identify the single point of failure and then setup a policy that outline how and where passwords and other such information be documented, stored and accessed.

[techbeck]

Really dumb to allow one person to have that much control of your company.  A techie or not, this is common sense.  This should never even gotten to this point.  And when the person is fired...DO NOT let this person go back to their desk unsupervised and DO NOT let this person use any computers either.   And if this person damages company property, they can be sued and held liable for it.  Even if it is not in their contract. 

 

After the person is terminated, you need to have a company come in and do an audit of your system inside/out.  If this person is shady, I would be concerned they would have additional accounts setup to gain access to the system if their main account was disabled.  Like VPN or other domain admin accounts.  I would also make sure that there is a valid backup of all company data secured in case they happen try and delete the data.    And have the company make recommendations going forward.  Best practices, dos and donts...that sort of thing.

 

I am sure the person being fired will be suspicious no matter how things are handled so not sure if what may happen can be covered up.   Maybe make up an excuse that the company is being audited by the government and they they will need full access to all systems.  I don't think there is  a perfect way to handle this part.

 

 

 

[astropheed Veteran]

24 minutes ago, techbeck said:

A techie or not, this is common sense.

No, it isn't. I assure you "computers" and "common sense" are so distantly connected that it's more appropriately common sense to imagine no common sense will be applied. I know businesses who have 1 IT Guy. I'm personally friends with 1 Director of a 90 employee, multi-state, company. He had 1 IT guy up until recently. People don't understand computers, or the risks associated with them, AT ALL. That's common sense.

[+InsaneNutter MVC]

I’ve been the sole IT guy for the company I work for since 2014, my boss retired, I got his job (which I was basically doing anyway) and here we are in 2020. In smaller companies I suspect a sole IT person is more common than you’d think.

 

To help migrate risk of one person having access to everything I’ve implemented 1Password for teams: https://1password.com/teams/ which has various shared vaults in for different teams. Theirs also a vault that contains sensitive accounts only myself and the general manager have access to, so at least I’m not the sole person who can access this.

 

In addition, also made a point of putting the recovery key for my 1Password account in the company safe. Our general manager (who is essentially running the company) can also get access to the domain administrator account.

 

If I was to leave the company I’d have our general manager disable my VPN access and suggest he should change the password of anything cloud based I’ve got access to. I feel I’ve done my best to do right by the company, no one person should be the sole person with access to everything.

 

You could suggest the owner do an audit of the company, then bring IT up as a potential risk and then work to rectify these issues, possibly implementing some of the things I’ve done above. If no documentation exists, also specify this as a risk and part of IT’s job to create and maintain this.

[Dick Montage]

32 minutes ago, InsaneNutter said:

I’ve been the sole IT guy for the company I work for since 2014, my boss retired, I got his job (which I was basically doing anyway) and here we are in 2020. In smaller companies I suspect a sole IT person is more common than you’d think.

 

To help migrate risk of one person having access to everything I’ve implemented 1Password for teams: https://1password.com/teams/ which has various shared vaults in for different teams. Theirs also a vault that contains sensitive accounts only myself and the general manager have access to, so at least I’m not the sole person who can access this.

 

In addition, also made a point of putting the recovery key for my 1Password account in the company safe. Our general manager (who is essentially running the company) can also get access to the domain administrator account.

 

If I was to leave the company I’d have our general manager disable my VPN access and suggest he should change the password of anything cloud based I’ve got access to. I feel I’ve done my best to do right by the company, no one person should be the sole person with access to everything.

 

You could suggest the owner do an audit of the company, then bring IT up as a potential risk and then work to rectify these issues, possibly implementing some of the things I’ve done above. If no documentation exists, also specify this as a risk and part of IT’s job to create and maintain this.

Add one step - audit the opening and closing of the safe or key usage.  Then again, 1password may do this?

[techbeck]

11 hours ago, astropheed said:

No, it isn't. I assure you "computers" and "common sense" are so distantly connected that it's more appropriately common sense to imagine no common sense will be applied. I know businesses who have 1 IT Guy. I'm personally friends with 1 Director of a 90 employee, multi-state, company. He had 1 IT guy up until recently. People don't understand computers, or the risks associated with them, AT ALL. That's common sense.

Protecting your business is common sense.  And if you are not a techie and know that part of the business, then there are companies you can hire to oversee/audit things.   Not letting one person control a major part of your business is common sense...whether it be an IT person, or an accountant.  A business owner should know what is going on in their business.

[freedonX]

Good ideas everyone. 

Instead of quoting everyone, which would be a big chunk of text, . In summary I see the idea of having an audit (real or fake) to be the most viable solution.

Thanks!

[freedonX]

3 hours ago, techbeck said:

Protecting your business is common sense.  And if you are not a techie and know that part of the business, then there are companies you can hire to oversee/audit things.   Not letting one person control a major part of your business is common sense...whether it be an IT person, or an accountant.  A business owner should know what is going on in their business.

I don't think it'll be any different US to Mexico, but small business (3-10 employees) when they start to grow, don't change the things that aren't broken. Until someone sues them, they get a good lawyer, until they lose a good deal, they get a salesperson, until vital digital information is lost, they get a good IT. And so forth.

Owners don't invest on things they don't need. They see it as a cost and not an investment.

Again I don't think it's any different US than Mexico (or any part of the world). Small 3--10 business start growing without a backbone structure.

Not saying that shouldn't happen...but that's what happens. All that investment requires cash for a new area. 

Try talking to an owner they need to invest on something as a prevention, you'll have a very hard time to convince them 

 

[+DonC Subscriber²]

17 minutes ago, freedonX said:

Good ideas everyone. 

Instead of quoting everyone, which would be a big chunk of text, . In summary I see the idea of having an audit (real or fake) to be the most viable solution.

Thanks!

A real audit would be the most convincing route forwards. A fake one could backfire if you're found out.

 

In the case where the IT guy is fired and causes damage. The report from a real independent audit can be used to demonstrate that he had the access to do so.

 

It would also make him think twice about doing damage if he has been recently interviewed and had to explain in detail what he has access to.

[+primortal Subscriber²]

19 hours ago, freedonX said:

First  thought...that is a good question. One I've been thinking as well. Because like in any IT related things, the moment you fire someone, you need to delete/change their access. Which, the problem here, my friend doesn't know 

What's the remote access like, cause my tinfoil hat response is making sure there's not any ghost admin accounts that are unknown.

[freedonX]

29 minutes ago, primortal said:

What's the remote access like, cause my tinfoil hat response is making sure there's not any ghost admin accounts that are unknown.

I have no idea, but I don't think there is much.

Even though "IT guy" is a general term, I think this guy is a basic computer-fix employee. I know my friend's business and they don't need special software. The most "special" software is Office, Acrobat reader and some insurance web based programs to send quotes to customers, maybe printers and scanners. He also manages the webmail, which my friend showed me her webmail access and the latest update is from 2014.  (forgot the name of the email platform). I also assume he manages the domain.

So all in all, I don't think there is any remote access. Heck I know he used Anydesk to troubleshoot fellow employees problems.

[shockz]

It sounds like she actually does need to do a security audit for real at this point. 

 

Domain admin accounts, administrator accounts, remote access, firewall settings? Any cloud services? VPN access? That's just to start. 

 

Onboarding someone is not just going to magically hand over accounts and passwords, and in fact would probably be met with resistance or limited access. At the very least I'd have him create an administrative account for her to secure and reference.