Saving a Company from Sabotage

How we helped a company prepare for, and recover from, a sabotage attempt from within.

How We Supported a 120-Person Firm in Regaining Control of Their IT Systems

One Friday, we received an unusual request to meet with the CEO of one of our existing clients and a friend of theirs for an urgent discussion.

The friend turned out to be the CEO of a 120-person company (referred to here as “The Client”), and they were facing a serious issue. During that meeting and subsequent discussions over the weekend, the Client’s CEO and a board member shared concerns about their IT Director, who had full control over the company’s systems. They suspected that their IT infrastructure was at risk, citing recent system instability, underperformance, and troubling behavior from the IT Director. Although they lacked concrete evidence, they felt action was necessary to safeguard their operations.

Quietly Assessing the Situation

To address the issue, we began by discreetly evaluating their systems. Over the weekend, we conducted an initial review of their IT environment and settled on an approach: we would take on an existing technical issue in which we had subject-matter expertise, which gave us the access needed to investigate further over a period of time without raising suspicion.

During this process, we reviewed their internal security measures and identified several risks. The IT Director had extensive administrative privileges, which isn’t uncommon, but so did many other people! Combined with weak passwords, outdated protocols, and minimal cybersecurity controls in place, the IT Director’s behavior wasn’t the only concern!

A Sudden Escalation

While we were still gathering information, the IT Director was caught red-handed attempting to sabotage a critical system. This led to immediate termination and a quick escort from the premises, but he still had an unknown level of remote access to local systems and cloud services!

Fortunately, as we uncovered more issues and realized that more than plain ignorance was at work, we had already prepared a worst-case response plan in case something happened while we fleshed out a more nuanced strategy.

Upon his termination, the time for strategy was over, and we immediately executed the only option available.

Rapid Response

In under 30 minutes, we locked down external access to both internal and cloud systems: all cloud services were IP restricted, the site’s Internet connection was unplugged, and even the wifi was turned off!

Of course, this had a tremendous impact on production, but the management team was already prepared for “a down day” if necessary, so once access was secured we focused on completing our assessment and strengthening their infrastructure.

Over the next 24 hours, we implemented several measures to restore stability:

  • **Security Updates**: Addressed weak points in the system and updated configurations.
  • **Access Revocation**: Changed administrative passwords, deactivated non-essential accounts, and refined permissions.
  • **System Stabilization**: Isolated non-critical services for further review and ensured that key systems were operational and secure.

His termination happened mid-afternoon, and by the end of the day the company was back to normal operations, with employees able to work securely while we continued monitoring and refining the systems.

Uncovering the Full Extent

A deeper investigation subsequently revealed that the IT Director had been subtly sabotaging systems for nearly a year as part of a scheme connected to a competitor. This effort appeared to be aimed at destabilizing the company during sensitive buyout negotiations, which had reached a critical point at the time he took more overt action and got caught. Fortunately, this also let them suspend their M&A efforts temporarily and recover their footing. Ultimately, they proceeded with the sale to a much larger national company (with whom we now work) under much more favorable terms.

Key Takeaways

This experience highlighted three important lessons:

  1. **Shared Access and Oversight**: Critical systems should not be controlled by a single individual without checks and balances.
  2. **Proactive Planning**: Having a response plan in place can minimize disruption during unexpected events.
  3. **External Expertise**: Trusted advisors can provide valuable support during challenging situations.
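The “Access Revocation” step above and the first lesson (no system controlled by a single individual) can be turned into a repeatable check. The script below is an added example written for this post, not tooling from our firm or from the Client, and it runs over a constructed privilege inventory in which every account and system name is hypothetical. It lists every system a departing administrator holds rights on, finds systems with a single administrator, flags dormant admin accounts, and warns which systems would be left with no active administrator once those accounts are disabled, so a replacement admin is staged before the cut rather than discovered missing afterwards.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Grant:
    """One access right: an account holding a role on a system or cloud service."""
    account: str
    system: str
    role: str         # "admin" or "user"
    last_login: date  # most recent sign-in for this account on this system


# Constructed inventory for illustration; every name here is hypothetical.
INVENTORY = [
    Grant("itdirector", "erp", "admin", date(2024, 5, 3)),
    Grant("itdirector", "m365", "admin", date(2024, 5, 3)),
    Grant("itdirector", "firewall", "admin", date(2024, 5, 2)),
    Grant("itdirector", "backup", "admin", date(2024, 4, 30)),
    Grant("itdirector", "vpn", "admin", date(2024, 5, 3)),
    Grant("jsmith", "erp", "admin", date(2024, 5, 1)),
    Grant("jsmith", "m365", "user", date(2024, 5, 3)),
    Grant("oldvendor", "firewall", "admin", date(2023, 6, 1)),
    Grant("svc-legacy", "backup", "admin", date(2023, 1, 15)),
    Grant("breakglass", "m365", "admin", date(2023, 12, 1)),
]

# Date the review is run against (constructed, to keep the example deterministic).
REVIEW_DATE = date(2024, 5, 6)


def admins_by_system(inventory):
    """Map each system to the set of accounts holding admin rights on it."""
    admins = {}
    for g in inventory:
        if g.role == "admin":
            admins.setdefault(g.system, set()).add(g.account)
    return admins


def sole_admin_systems(inventory):
    """Systems controlled by exactly one administrator: no checks and balances."""
    return {s: next(iter(a)) for s, a in admins_by_system(inventory).items() if len(a) == 1}


def revocation_plan(inventory, departing):
    """Every system on which the departing account holds any right. Each needs the
    account disabled and any shared credential, token or session on it rotated."""
    return sorted({g.system for g in inventory if g.account == departing})


def dormant_admins(inventory, today, max_idle_days=90, keep=frozenset()):
    """Admin accounts with no sign-in for longer than max_idle_days, excluding
    accounts in keep (e.g. a sealed break-glass account that is unused by design)."""
    last_seen = {}
    for g in inventory:
        if g.role == "admin":
            last_seen[g.account] = max(last_seen.get(g.account, date.min), g.last_login)
    return {a for a, seen in last_seen.items()
            if (today - seen).days > max_idle_days and a not in keep}


def orphaned_after(inventory, removed):
    """Systems that would have no remaining administrator once every account in
    removed is disabled; a replacement admin must be staged on these first."""
    removed = set(removed)
    return sorted(s for s, a in admins_by_system(inventory).items() if a <= removed)


if __name__ == "__main__":
    departing = "itdirector"
    dormant = dormant_admins(INVENTORY, REVIEW_DATE, keep={"breakglass"})
    print("Single points of control:", sole_admin_systems(INVENTORY))
    print(f"Revoke {departing} on:", revocation_plan(INVENTORY, departing))
    print("Dormant admin accounts to disable:", sorted(dormant))
    print("Stage a new admin BEFORE disabling on:",
          orphaned_after(INVENTORY, {departing} | dormant))
```

Run on the sample inventory, the review shows that `vpn` was a single point of control, that the two dormant admin accounts are the only other administrators on `firewall` and `backup`, and therefore that three systems need a new administrator assigned before the old accounts are switched off. Running the same check against a real inventory before an incident is what turns lesson one into a control rather than a hope.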

Never underestimate the importance of being prepared when it comes to IT challenges…