User tricks, security treats

30.10.2006
Thirteen malevolent spirits may haunt the halls and cubicles of your company, and if you're going to scare them into security compliance, you may need to get a little bit spooky yourself. Have a few treats up your sleeve to return for these goblins' sinister tricks.

The privileged executive

Her trick

The privileged executive feels responsible for every aspect of the organization, and compelled to control it. She wants to know everything about every department and project, and demands root access to systems and applications and sufficient rights to act on others' behalf -- including sending e-mail using other employees' accounts. Naturally, she objects to the logging of her own activities while demanding stringent audit of everyone else.

Your treat

Forward articles on prosecution of executives for insider trading, misusing data, and Sarbanes-Oxley Act violations, particularly ones that detail how malfeasance got pinned on the corner office because of too much access. Follow up a few days after each prying event by hinting to IT that it ought to look into apparent audit discrepancies, and suggesting to internal auditors they ought to look into IT control logs. Send monthly updates about how you're working hard to make sure the execs aren't exposed to excess risk; make plausible deniability your mantra.

Idle owner

His trick

When the king of the roost doesn't have enough operational responsibility, his functional understanding of technology accompanied by an assumption of anonymity can develop into a penchant for mischief, porn and control issues that fall just short of true megalomania. Sooner or later, the idle owner does something really stupid -- storing very personal videos on company servers, downloading bootlegs of competitor's products, sending threatening e-mails to his ex, or downloading media you'd rather forward to law enforcement.

Your treat

Strike up a conversation about how it's great that your ISP logs all network traffic to adjust the quality of service, and alert you to employee misbehavior. Marvel over how the ISP itself is notified by the FBI's mysterious Carnivore system, and how it seems to be effective at tracking nefarious e-mail and downloads to specific computers even through networks using NAT. Discreetly throttle network bandwidth to accounting or production when he's on a downloading jag, and suggest that your audit team might have to look into it. If the activities might reflect back on you, quietly move his office to a separate DSL line for his pernicious personal proclivities.

An angry god

His trick

Your systems administrator was running your network before dirt was invented. He's always had root or administrator accounts for his daily work, and he's not going to start using sudo now. In fact, he's insulted that you suggested it, and is withholding access rights from the only other senior administrator. One of the R&D departments claims that a bunch of its data is now inaccessible, and now your guy is asking for a raise.

Your treat

A hardware keystroke logger (available for PS/2, USB or even this bogus but plausible rig for a laptop) is your best friend when digging a shallow grave is not an option. Read up on rules of evidence and chain of custody, get authorization from the CEO to tape your conversations, install a stand-alone security camera, and unless he's sleeping at his desk, unload the contents of the keylogger every night. Be patient; if he thinks he's bulletproof, he's bound to do something juicy you can hold over his head. When you do make your move, make sure you've replaced the firewall, wireless and VPN configurations before he's escorted from the building.

The accumulator

His trick

Perky and hard-working, this young twentysomething has a meticulous collection of software license keys, passwords, system addresses, versions and other information that might come in handy if you should terminate his employment. Or pass him over for a promotion, make him mad or fail to wave in a friendly way. His iPod is full of bootleg software from companies that rabidly track every copy, and he's already given your credit card database to his buddy in a former Soviet state.

Your treat

With a good change management policy and asset inventory, you might convince the accumulator that it's more accurate than it really is. Come by at inventory time and make it clear that you have per-seat person-specific license keys for software (even if you don't), and suggest that the license key a former employee gave his friend resulted in a RIAA-style shakedown for the cost of several hundred copies. Inform his manager that you received a call -- an informal warning shot -- from a software company requesting payment of a $10K license fee for software unrelated to his job. (The manager won't pay or follow up, and is likely to take care of your problem for you.)

The janitor

His trick

The graveyard shift custodian has keys to every nook and cranny, and codes for every secure area. He's probably going to school and plans to work as an IT security specialist for your competitor, borrowing your books and data as material for his lab classes. He frequently finishes his rounds early, takes advantage of the network connection, and uses your technical books as a lending library, dropping doughnut dust as he reads printed materials left out on every desk.

Your treat

Work with the facilities department to assign specific cleaning crews to specific areas, and require that they sign in and out. Tell them you're increasing security in the area, and paint a few smoke detectors shiny black so they look like smoked glass security camera bubbles at night. If the department isn't cooperative, find out where the custodian parks himself for study hour by asking who keeps finding their ergonomic chair frequently readjusted and network cable looped up onto the desk. After hours, leave a small pile of soiled bandages and a rumpled printout on necrotizing fasciitis at that station, and see if he really wants to be caught lounging there again.

The receptionist

His trick

Our happy receptionist takes the open-door policy a bit too far. He leaves the visitor log unattended for hours at a time, and dutifully signs people out at the end of the day. Even worse, the corporate ID badge-making machine is located on his desk in a public area. Every morning he logs in as "Administrator," then leaves for the first of the day's half-dozen coffee breaks.

Your treat

Duplicate his badge with the photo of Adam Yahiye Gadahn (California's own contribution to al-Qaeda), and use it for door access to sensitive areas for a week. Send it back anonymously through interoffice mail. Wait a few days, then ask to review the logs because of an apparent anomaly. Suggest that a supernatural event might have occurred when you recall a visitor having a heart attack and near-death experience on premises, yet "5pm" appears in the OUT column on the visitor log.

The librarian

Her trick

Buried under a mountain of paper and requisitioning another file cabinet monthly, the librarian prints out each revision of every sensitive document. She steadfastly refuses to shred old confidential documents, yet can't find the key to secure the drawers full of today's secrets and yesterday's liabilities.

Your treat

Arrange a visit from the records management department, and suggest there might be unlabeled information from former business partners mixed in with other sensitive information in contravention of information classification policies. (Be sure to buy them a beer afterwards.) For sheer meanness, file a request for a slightly smaller desk, or surreptitiously modify a section of the cubicle wall so that additional cabinetry and shelves won't fit.

MacGyver

Her trick

The office's most resourceful paranoiac, she installs every tool possible to secure her data, from laptop drive encryption to booby-trapped boot CDs with drive-wiping scripts. The most benign information is triple-encrypted and obscurely stored, and backup is regarded as an excessive security exposure. Work in her group grinds to a halt during vacation as they discover locked files and blocked processes, fomenting hard feelings among her coworkers about even basic security.

Your treat

Work with management to compartmentalize her work into a single "silo" in order to minimize work process impact when she's gone -- or present. Provide an outlet for encrypted overkill by diverting her attention to a special security project, alpha testing new security technologies on "company secrets" (test data). Better yet, make her a team lead on a corporate extranet PKI project -- the Big Dig of security -- and you'll never hear from her again.

Keeper of the keys

His trick

The middle-management loon demands that his direct reports each disclose their passwords to him. When confronted with policy to the contrary, he insists that this is necessary to ensure access to work files if an employee were to leave.

Your treat

Stage an intervention through mock misbehavior of one of his direct reports (later to be dismissed as spyware activity). Ensure that HR makes a public point of including him as a suspect in the malfeasance because of his access to the accused's log-on account. If the opportunity presents itself, arrange an interview with "The Bobs."

Ecoterrorist

His trick

The office environmental saboteur is never satisfied with the temperature, humidity or workspace lighting. On cold days, he plugs space heaters into the clean power, and on hot ones he props open doors to secure areas. He's rumored to be the one who keeps turning up the thermostat in the data center, and tapes over the cooling vents on critical systems because they're too noisy.

Your treat

Switch his cube to a 5-amp circuit breaker if you can find one, or put him on an at-capacity circuit with his manager or a few co-workers and wait for it to blow. Present a "golden heater" award at the next division meeting for the most productivity lost due to an overloaded circuit. If doors remain propped open, a well-crafted spurious theft report may prompt intense questioning from security guards. If facilities management is game for some Pavlovian conditioning, see if they'll wire up a nearby unused thermostat to an alarm that sounds if it's changed up or down.

Cave dweller

Her trick

Like any hard-core Luddite, the cave dweller hates any hint of change, and discussions on improvement are accompanied by the expression usually reserved for consuming slices of lime. She doesn't trust her computer, but clings ferociously to her highly customized Windows ME desktop brimming with spyware. Every critical document is kept on floppy disk, and network backup ('it deleted one of my files once') is disabled by pulling the network cable out at night.

Your treat

Bring a torch and burn some paint off the sides of the old computer, then regale her with tales of successful data recovery as you introduce the new terminal. Consider switching to a Linux virtual machine with FVWM95 or QVWM if the spyware problem persists. Since the floppy drive won't work with a terminal, install a non-functional external hard drive enclosure and map a network drive to the backed-up workgroup server -- because you're sensitive to her need for personal control of important files.

The lackey

His trick

The lackey is an invisible grunt in your organization, but his blog is closely followed by your competitors. He records intricate details of his travails -- including running commentary on competitive strategies and nuggets of intellectual property -- through his Wi-Fi-enabled smart phone, all while answering customer calls or stocking pens in the supply room.

Your treat

Google his blog. Forward the link to your public relations office, with thanks for authorizing it. "Isn't it cool that we're getting free publicity? I'm glad we're using viral marketing to get this information out to the public." Note that "this early release marketing campaign sets a new and aggressive direction for us, and has our competitors really nervous." Ask if he needs a mobile video feed.