This is a great case study, set in 2012, on the Verizon Business Security Blog.
An organization in the US, presumably as part of their employee engagement initiatives, started allowing its developers to telecommute from their homes on certain days. The organization used a VPN client to allow employees to log on from their homes to the organization network and even had a two-tier authentication – username/password AND an RSA encryption fob (you know, the kind some banks give you for online access to your account).
The IT department of the organization, at some point, also started monitoring the logs from VPN connections on a daily basis (kudos). They were shocked to find something they never expected – an active connection to their network from Shenyang, China!! Now this was worrying – imagine finding a daily and active connection to your network, with two-tier security, using your VPN, from China!! The implications are scary, aren’t they?
The IT team called in the Verizon Risk Team to investigate further and identify the security breach. I mean, it had to be a security breach, right? The employee whose credentials were being used for the live VPN connection was sitting right there in the office at that minute. To find the breach, the Risk team acquired an image of the employee’s desktop and started sifting through the files.
And guess what they found – a bunch of invoices for development work done by a company based in… you guessed it… Shenyang, China! It turns out that the employee (mid-40s, proficient in C++, Ruby, PHP, Java, etc.) was outsourcing his job to a consulting firm in Shenyang. The employee paid them about 20% of what he was earning to do his job.
Globalization at its best (or worst?) – individuals outsourcing their jobs on their own! Apparently, this employee had the same scam going on in other companies as well (I assume the other companies permanently allowed working from home). So while the employee was paying the company in Shenyang $50,000 annually, he was making several multiples of that amount. Even more amazing was that he (or I guess in this case the coder in Shenyang) was considered among the best developers on the floor.
According to the case study, his daily schedule was:
9:00 am: arrive for work, surf Reddit for a few hours. Watch cat videos
11:30 am: lunch
1:00 pm: eBay
2:00 pm: updates on Facebook and LinkedIn
4:30 pm: update to management
5:00 pm: leave for home
Now there was obviously an uproar and I assume the employee got sacked, but think about it – this is why outsourcing exists and is irreversible – great code at 1/5th the cost!
This employee might have inadvertently found a new outsourcing model – retain and outsource the same job!! I suspect the organization in question is looking to outsource work to the Chinese firm themselves – they did do a great job.
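The anomaly the IT team spotted in the daily VPN log review (a live session from Shenyang while the account owner was sitting in the office) can be checked for automatically. The sketch below is an added example, not code from the case study: the log layouts, user names, the on-site presence feed and the `EXPECTED_COUNTRIES` allow-list are all assumptions, and the sample records are constructed.

```python
import csv
import io
from datetime import datetime

# Constructed sample data (not from the case study).
VPN_LOG = """user,start,end,src_country,src_city
alice,2012-05-07T08:55,2012-05-07T17:10,US,Denver
bob,2012-05-07T09:05,2012-05-07T17:02,CN,Shenyang
carol,2012-05-07T21:00,2012-05-07T23:30,US,Austin
"""
# Hypothetical presence feed, e.g. badge reader or desktop console logon.
ONSITE_LOG = """user,start,end
bob,2012-05-07T09:00,2012-05-07T17:00
carol,2012-05-07T09:00,2012-05-07T17:00
"""
EXPECTED_COUNTRIES = {"US"}  # assumed: where remote staff normally connect from


def _rows(text):
    """Parse CSV text and convert the start/end columns to datetimes."""
    for row in csv.DictReader(io.StringIO(text)):
        row["start"] = datetime.fromisoformat(row["start"])
        row["end"] = datetime.fromisoformat(row["end"])
        yield row


def review_vpn_sessions(vpn_text, onsite_text, expected=EXPECTED_COUNTRIES):
    """Return (user, city, reasons) for every VPN session worth a second look."""
    onsite = {}
    for r in _rows(onsite_text):
        onsite.setdefault(r["user"], []).append((r["start"], r["end"]))
    findings = []
    for s in _rows(vpn_text):
        reasons = []
        if s["src_country"] not in expected:
            reasons.append("unexpected-country")
        # Two intervals overlap when each one starts before the other ends.
        if any(s["start"] < e and b < s["end"]
               for b, e in onsite.get(s["user"], [])):
            reasons.append("vpn-while-onsite")
        if reasons:
            findings.append((s["user"], s["src_city"], reasons))
    return findings


if __name__ == "__main__":
    for finding in review_vpn_sessions(VPN_LOG, ONSITE_LOG):
        print(finding)
```

The second rule matters because valid credentials plus a valid token code pass authentication no matter who is typing them; only the mismatch between where the session comes from and where the person is gives it away.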