75

I'm going to hire an IT guy to help manage my office's computers and network. We're a small shop, so he'll be the only one doing IT.

Of course, I'll interview carefully, check references, and run a background check. But you never know how things will work out.

How do I limit my company's exposure if the guy I hire turns out to be evil? How do I avoid making him the single most powerful person in the organization?

HopelessN00b
  • 54,273
Jesse
  • 1,920

5 Answers

106

You do it the same way you protect the company from head of Sales running off with your client list, or the head of Accounting embezzling funds, or the Stock manager from running off with half the inventory, largely: Trust, but verify.

At the very least, I would require that all passwords for all Administrator accounts on systems and services under IT be kept in a password safe (either digitally like KeePass, or a literal piece of paper kept in a safe). Periodically you will need to verify that these accounts are still active and have appropriate access rights. Most experienced IT people call this the "if I'm hit by a bus" scenario, and it's part of the general idea of eliminating points of failure.

At the one business I worked at where I was the sole IT Admin, we maintained a relationship with an external IT consultant who handled this, primarily because the company had been burned in the past (by incompetence more than malice). They had remote access passwords and could, when asked, reset the essential administrator passwords. They did not have direct access to any company data, however. They could only reset passwords. Of course, since they could reset enterprise admin passwords, they could take control of the systems. Again, it became "Trust but Verify". They made sure they could access the systems. I made sure they didn't change anything without us knowing about it.

And remember: the easiest way to make sure a person doesn't burn your company is to make sure they're happy. Make sure your pay is at least at the median value. I've heard of too many situations where IT personnel have damaged a company out of spite. Treat your employees right and they'll do the same.

Bacon Bits
  • 1,530
32

How do you keep your bookkeeper from embezzling from you? How do you keep your sales staff from taking kickbacks from your suppliers?

Non-IT people have a misguided notion that we IT people practice a black art that we wield from the line bordering good and evil and that on a whim we will resort to some nefarious machination solely for the purpose of "bringing down the pointy haired boss".

Managing an IT employee is like managing any other employee.

Stop watching movies that depict those of us who take the responsibility of our positions seriously as if we're rogue agents hell bent on world domination and/or destruction.

joeqwerty
  • 111,849
21

Wow - really? Gutsy question to ask on Server Fault; don't be alarmed if some are offended by your question, though I do understand.

Ok, practical solutions; you could insist on (and frequently test) having your own administrator/root equivalent accounts on everything, randomly take one of the off-site backups home and restore it, obviously try to recruit from people you know/trust or spend a great deal of time employing them.

My strongest suggestion would be to hire two people - both reporting to you, not only will they keep each other honest but you'll have cover for when one is on vacation or sick.

Chopper3
  • 101,808
11

Do you have an HR person? Or an accountant? How do you keep your HR person from being evil and selling everyone's personal information? How do you keep your accountant or finance people from stealing everything the company owns out from underneath you?

For all positions, you should have procedures in place limiting how much damage a person can do. Your default position should be that you trust the people you hire (if you don't trust them, don't hire them or don't keep them), but it's reasonable to have checks and balances.

Even for a small company, you shouldn't have just one "IT person" who is the only one who knows anything. (the same as you shouldn't have just one person who can deal with payroll - what if that person gets sick?). Someone else needs passwords, needs to check the backups, etc.

One thing you can do is to make documentation a priority. Make sure you give the person you hire time to document how things are set up and discuss documentation when you interview candidates - ask what they've done in the past to document their network, ask to see a sample.

It's my habit to always put together a "Systems Guide" that more or less documents everything - what equipment we've got, how it's set up, procedures we follow, etc. etc. It's obviously a constantly-evolving document (series of documents and files in most cases), but at any time you can take a copy and get an idea of how the IT guy has set things up and what critical information someone else needs to know in case the IT guy is hit by a bus. If you really want to be prepared, you could get an outside consultant to go through the systems manual and tell you what they'd need to step in if anything happened to the IT guy.

Or, if you're really paranoid, you could get the outside consultant to come in and compare what's in the systems manual with what they see if they look at your systems. Is there other software installed? Are there extra admin or remote access accounts?

Ward
  • 13,010
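Two of the answers above come down to the same periodic check: Bacon Bits says to verify that the administrator accounts kept in the password safe are still active with appropriate rights, and Ward suggests comparing the systems manual against what is actually on the boxes (extra admin or remote-access accounts). The script below is an added example, not code from any of the posters: it takes a constructed baseline of privileged accounts (as the systems guide might list them) and a constructed snapshot of current group membership, and reports accounts that were added without being documented, documented accounts that have disappeared, and documented accounts that still exist but are disabled (the "is my break-glass account still usable" question). The system names, account names and the CSV snapshot format are all assumptions; in practice the snapshot lines would be produced by whatever your platform offers for listing group members (for example `Get-LocalGroupMember` or `Get-ADGroupMember` on Windows), which this example does not run.

```python
"""Privileged-account drift check (added example, not from the original page).

Compares the admin / remote-access accounts documented in the systems guide
against a snapshot of what is currently on each system, so the owner can
run it on a schedule without needing the IT person to interpret the result.
"""
from dataclasses import dataclass

# Constructed baseline: for each system, the accounts the systems guide says
# should hold admin or remote-access rights. All names are hypothetical.
BASELINE = {
    "FILESRV01": {"Administrator", "CORP\\it-admin", "CORP\\owner-breakglass"},
    "DC01": {"Administrator", "CORP\\it-admin", "CORP\\owner-breakglass"},
    "VPN-GW": {"it-admin", "owner-breakglass"},
}

# Constructed snapshot, one line per privileged member:
#   system,account,enabled|disabled,last_logon (ISO date)
# In a real run these lines would be collected from the systems themselves.
SNAPSHOT = """\
# system,account,state,last_logon
FILESRV01,Administrator,enabled,2023-11-02
FILESRV01,CORP\\it-admin,enabled,2023-11-20
FILESRV01,CORP\\owner-breakglass,enabled,2023-06-01
FILESRV01,CORP\\svc-backup2,enabled,2023-11-19
DC01,Administrator,enabled,2023-10-30
DC01,CORP\\it-admin,enabled,2023-11-20
DC01,CORP\\owner-breakglass,disabled,2023-06-01
VPN-GW,it-admin,enabled,2023-11-21
VPN-GW,remote-support,enabled,2023-11-15
"""


@dataclass(frozen=True)
class Member:
    system: str
    account: str
    enabled: bool
    last_logon: str


def parse_snapshot(text: str) -> dict[str, dict[str, Member]]:
    """Parse the CSV snapshot into {system: {account: Member}}.

    Blank lines and '#' comments are skipped; malformed lines raise, because a
    silently dropped line would hide exactly the account we want to see.
    """
    members: dict[str, dict[str, Member]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        system, account, state, last_logon = parts
        if state not in ("enabled", "disabled"):
            raise ValueError(f"line {lineno}: unknown state {state!r}")
        members.setdefault(system, {})[account] = Member(
            system, account, state == "enabled", last_logon
        )
    return members


def check_drift(baseline: dict[str, set[str]],
                snapshot: dict[str, dict[str, Member]]) -> dict[str, list[tuple[str, str]]]:
    """Return findings keyed by category, each a sorted list of (system, account).

    Account names are compared case-insensitively (Windows semantics) but
    reported with the spelling seen in the snapshot or the baseline.
    """
    findings: dict[str, list[tuple[str, str]]] = {"unexpected": [], "missing": [], "disabled": []}
    for system in sorted(set(baseline) | set(snapshot)):
        expected = {a.casefold(): a for a in baseline.get(system, set())}
        actual = {a.casefold(): m for a, m in snapshot.get(system, {}).items()}
        # Present on the system but not in the systems guide: undocumented access.
        for key in sorted(set(actual) - set(expected)):
            findings["unexpected"].append((system, actual[key].account))
        # In the systems guide but gone from the system: lost recovery path.
        for key in sorted(set(expected) - set(actual)):
            findings["missing"].append((system, expected[key]))
        # Documented and present, but switched off: the account looks fine
        # on paper and would fail the day you need it.
        for key in sorted(set(expected) & set(actual)):
            if not actual[key].enabled:
                findings["disabled"].append((system, actual[key].account))
    return findings


def format_report(findings: dict[str, list[tuple[str, str]]]) -> list[str]:
    """Render findings as plain lines suitable for an e-mail to the owner."""
    lines = []
    for category, items in findings.items():
        for system, account in items:
            lines.append(f"{category.upper():10} {system:12} {account}")
    return lines or ["no drift from the systems guide"]


if __name__ == "__main__":
    for line in format_report(check_drift(BASELINE, parse_snapshot(SNAPSHOT))):
        print(line)
```

The same set-difference works unchanged for the other question Ward raises ("Is there other software installed?"): feed it the documented package list as the baseline and the installed-package list as the snapshot. What matters for the trust-but-verify goal is that the baseline is the copy of the systems guide the owner keeps, and that the snapshot is collected by someone other than the person being checked.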
6

It's hard, since failure brings pain (How do you search for backdoors from the previous IT person?). If you're small enough that you don't already have an IT presence, the sort of compartmentalized structures that can limit exposure are really, really hard to put into place. Unless you have someone else to do all the high trust activities like things requiring Domain Admin credentials, you'll have to give it to your new hire.

You're hiring someone who will have high trust placed upon them so you need to trust them in return, so if you're not 100% certain, don't hire them. Background checks can help. Insist on personal recommendations of character not just competence; if they have a LinkedIn profile, ask some of their contacts or insist on contacting them.

Yes, this will be very intrusive. If you really have doubts about someone, then it is entirely worth it due to the cost to the business in case the worst does happen. When they start, work with them very closely. Get to know them. Let the entire company interact with them. Watch how they work with people.

Once the new-job glow has worn off, watch how they handle unexpected setbacks. Do they get resentful and surly, or do they shrug it off and deal? If your office is the type to do casual hazing of new people, see how they react; subtle and quiet with much embarrassment on the revenge-target, overt and flashy, or laughter and shrugging it off? These are some of the clues that can help identify a potential revenge-saboteur.

sysadmin1138
  • 135,853