And about that ceiling tile: would you know if a Wi-Fi access point with a hidden SSID was tucked up there? Such a setup would enable a person to park across the street and access the Internet through your corporate Internet connection and wreak all kinds of havoc without leaving a trace. Having the feds show up to ask about child pornography traced to that location isn't something that any business wants to endure, but it's amazingly simple for a malicious IT person to execute that very scenario in just about any business that has an Internet connection.
That's why you need to be able to trust your IT person or team implicitly. There's simply no way for a nontechnical business owner to know what the company's IT folks are actually doing with their network and servers.
The point of this warning is not to sound a hysterical alarm and spread fear or uncertainty; it is simply to note the truth. The scenarios described above are extremely easy to implement, and they are undoubtedly happening in businesses all over the world right now, without anyone else in the company having any inkling of what is going on. Usually, sinister IT practices are uncloaked only when a different IT person or consultant arrives without the treacherous IT person having been warned.
Many stories detail the misbehavior of IT people who have gone rogue and done everything from stealing and selling company data to planting logic bombs in company servers that permanently cripple a business. The latest public example came out just a few weeks ago when disgruntled IT admin Walter Powell used keylogger data to hack back into his previous employer's network and inflict some $80,000 worth of damage, including causing a pornographic image to appear on the conference room television during a PowerPoint presentation at a board meeting.
You hear about the incidents where the perpetrators are caught; but for each of those, there are dozens that are never publicized, and more that simply aren't detected.
Trust but Verify
The only way for a small company to protect against this type of internal threat is to use an outside consulting group to audit its network regularly. Many large and small outfits perform this type of work, with wildly different costs, skill sets, and degrees of effectiveness. You can always call IBM or EDS, or go with a budget-friendly smaller firm. As when hiring any other prospective services provider, it pays to get plenty of references first.