July 11, 2011, 10:32 AM — For many small companies, the IT staff is a single person or even a consultant brought in to handle the business's computing upkeep. Either way, the question of what your IT person knows about the inner workings of the company is well worth asking--because the IT person may know far more about your company, employees, and personal information than you ever thought possible.
Take a look at your server room or server closet, and you'll probably see a bunch of white, gray, and black boxes, lots of wires, and a swarm of blinking lights. If one box was surreptitiously monitoring every piece of data that entered or exited your Internet connection--phone calls, video chats, AIM messages, and so on--could you identify that piece of hardware? What if it was the size of a wall-wart-style power supply, like the one for your home DSL router? What if it wasn't in that room at all, but was tucked above a ceiling tile?
It's easy for an IT person to come to work in the morning, plug a small portable hard drive or SD Card into a tiny embedded system, and run a packet capture of everything moving across the network--or perhaps just the Internet traffic--and then pocket that data at the end of the day. At home, the IT snoop can reconstruct everything that went through your network and sift through it as time and inclination permit.
One of the few ways to protect your sensitive Internet traffic from being sniffed and reconstructed is to use SSL-secured websites, especially for logins. If you happen to hit http://somewebsite.com and log in during the day, someone snooping on the network will know your username and password. If you use https://somewebsite.com or if the site is smart enough to force logins through SSL, that information will be encrypted. However, many other Internet activities have no SSL option, and they'll remain open for inspection.
When an IT person works on your PC while you're at lunch, it's a snap for them to install a software or hardware keylogger that records and relays to them, via any number of methods, every character you type. No form of encryption can defeat this type of snooping.
The Real Deal
By using those simple methods, a nefarious and skilled IT pro can easily collect data on every transaction that crosses your network. In fact, the same device could also run code that fishes through company file shares--password-protected or not--for keywords and email messages of interest to someone offsite.