In 1993, dinosaurs came to life. We were assured they were in a controlled environment. Dennis Nedry was the underappreciated system administrator/programmer/network engineer/aspiring dinosaur cloner. Paid less than he thought he was worth, Dennis struggled to make a living. Eventually, he turned on Jurassic Park owner John Hammond and stole prized dinosaur embryos, intending to sell them to a rival theme park owner who had failed to clone his own.
To facilitate his crime, Dennis leveraged his unique position to shut off the security controls that protected the park. He was the only one with the knowledge to control the system. If Dennis had not possessed a criminal mind and to preserve the security of the park, he should have been required to do two things:
1. Document his processes.
2. Educate his coworkers.
As a business owner, you may like risk. Risk means opportunity. But sometimes risk also means, well, risk. If, on the other hand, you DON’T like risk, you may also dislike change. But “change averse” does not equate to “risk averse”. Change is good when your current business practices carry unseen and unprofitable risk. One unseen risk that should be glaringly obvious is an employee who knows all the intricate workings of a spreadsheet, a system, or a network, and is unwilling or unable to share the knowledge (Nedry, dressed like a loyal minion).
One critical best-practice in cyber security is job rotation. Job rotation is just that. Rotating employees through different jobs on a somewhat regular basis. While it’s different for each company, it may be as frequent as every two weeks, or as far out as every few months. A challenge with this procedure for small businesses is your staff may be so small that everyone wears many hats, thus you are rotating by default; or the complexities of each role may make it prohibitively burdensome to train everyone sufficiently to have each person proficient in each role. It may seem like tiring work, but the security and productivity benefits will pay off. Such a goal will make everyone more valuable to you, yet none will become irreplaceable. In truth, some employees are really valuable, while others do little more than execute their own self-preservation strategic plan. They are nothing but a bottleneck between you and successful growth.
Self-preservation is an inherent human trait. It is inherent in every living thing, really. You need to be aware of the risk this can pose to your business. You may have an employee who is acting out of self-preservation instead of looking out for the success and growth of your business.
According to a Forbes article, there are ways to spot the self-preserving employee:
They are embroiled in drama.
They complain — about everything.
They seek attention.
They don’t simply perform their jobs without a need to draw attention to their professional or personal challenges.
They see a need to remind others of how challenging the task might be.
They call attention to the fact that someone else didn’t complete their task.
I’m not suggesting you have a self-serving Dennis Nedry lurking among your IT staff. But experience has proven over time that having a single point of failure in the form of an irreplaceable employee is no less concerning than a cloned T-Rex run amok. For Jurassic Park, the warning signs were there. Ignoring them resulted in a business disaster. Implementing a job rotation procedure could have mitigated the threat.
Article co-written by Dan Gavin and Tom Jewkes. The cyber guys from CyberEye.