
When Trust Is Not Enough


Stunned by internal computer crime, Scarborough Group changed hiring and management practices.


When you invest other people’s money like Mike Scarborough does, you know risk. But when it came to his growing company’s computer systems, risk was the last thing on his mind — until a trusted employee sabotaged the company files. Scarborough learned that even state law offered him no protection, and he decided it would never happen again.

Scarborough launched The Scarborough Group Inc. in Annapolis, Md., in 1989 to provide 401(k) plan management for individuals. Today, the company has over 7,000 clients in 49 states and 15 countries and manages assets in excess of $2 billion. With revenues slightly more than $10 million and 58 employees, the firm has an impressive growth rate. In 1995, when the rogue employee struck, the company was much smaller, serving 2,500 clients.

The candidate Scarborough hired to handle his information systems — we’ll call him Bob — seemed to have all the right credentials, including a master’s degree in management information systems. The company trusted Bob, giving him charge of the passwords and allowing him access from his home computer.

But soon, Scarborough says, Bob was over his head. "When it became apparent to him that he wasn’t going to be an employee anymore, he locked up all the code to our operating systems and encrypted all our files, keeping us from all the past history of our clients. That’s not a big deal, unless you’re in the investment industry."

After the initial shock, Scarborough thought he’d take Bob to court, forcing him to give up the codes and unzip the files. But then he learned that actions like Bob’s were illegal in Maryland — unless you’re an employee. In the first 10 days after the sabotage, a judge ordered Bob to give up the codes that unlocked the computer system. But he was never forced to unzip the company’s files.

"To this day, we still don’t have access. We can’t tell those 2,500 clients their rate of return earlier than 1994." Though the missing information hasn’t stunted the company’s growth, it frustrates Scarborough. He lobbied for a bill, now law in Maryland, which would make actions like Bob’s illegal — whether committed by an employee or not. He also overhauled hiring and information management policies at his company.

"I think that’s an Achilles heel to many small businesses. It’s one thing if you’re hiring a bricklayer. But I just didn’t have the skill set to really determine whether the IT people we hired could do what they said they could do."

Safeguarding Assets

Today, the human resources department does extensive background checks. It administers a personality test that measures stability, loyalty and work ethics. If Scarborough is still in doubt about the technical skills of a potential IT employee, the company will hire an outside consulting firm to review the candidate’s technical skills. Additionally, new employees are on six months’ probation, and company policy prevents any kind of file encryption.

Whereas Bob was the only one with access to the codes, administrators can now review the actions of network engineers. Transaction logs are now retained, showing when an employee uses a file. And several copies of every file are archived.

Additionally, despite the popularity of work-from-home flexibility, The Scarborough Group keeps everyone on site, and no one has external access to the company’s computer system. Should someone be dismissed, they’re escorted to the door immediately.

Granted, there are still some risks, says Scarborough. "If someone decides to sabotage you, he will." But he’s making it a lot tougher.

Writer: Kathy Dimond