Friday, February 15, 2013

Corp Security - Part 4 - Post-spai recovery

Eve Online Corporation Security

Part 4

Post-spai post theft recovery

So you've been hit. Despite, or maybe because of, your preparations or lack thereof, your corp has been struck by a corp thief, or has a spai (or more than one), and damage has been done. This post isn't going to be very much ABOUT security; it is more about how the reaction to the threat or to the actions of the thief matters.

How much damage is done, or rather how far the damage is allowed to spread, is largely defined by the leadership or leading members of the corp.

One might ask - "Well, how is that possible, they just got away with "X" stuff, or isk, or intel, or ships!"

This is Eve. If every corp gave up after their first theft, there would never be any corp that lasted beyond the 35 person stage of development. FYI, "studies" show that most corps will be hit by their first thief at between 30-50 users: when the corp is small enough that leadership positions are still easily available, but big enough that strange activities usually get overlooked, and big enough to provide the isk and assets looked for in most thefts.

So in short, almost every corp, despite the precautions taken, WILL BE ROBBED. Sorry, now you can't say, "But LOGAN! I did everything you suggested in your articles and we still got robbed/ganked/spys!!!" It's my obligatory get out of jail free card.

With that said, the reaction of a corp as a whole, and most specifically of the corp leaders, will determine the future course for that corp, be that straight into the ground OR full recovery. First, a few things must be acknowledged after a theft.
  • You were robbed. It happened, and they got away with: whatever. (This is a prompt to go figure out exactly what they got away with.)
  • Admit if mistakes were made, e.g. ships traded to one player and lots of trust placed in just one person; everyone has a price. Apologize, but don't overly apologize every time it comes up.
  • Do the corp's level best - even if it means having no isk or assets left for the corp - to replace member losses. Happy members stay with the corp and will rebuild it. Keeping the corp assets up won't.
  • Identify the culprit if possible. If not possible, scale back all member access to the base essentials.

Understand the mechanics of joining and leaving a corp. Now, I can't say that these will forever be true... but here is some of the stuff I know.

If a corp member has any roles, even if you want to kick them for being a dirty rotten thief, it will still take 24 hours before you can force them to leave the corp, and only IF they dock up and let you kick them out. I'm not sure on the in-space mechanic for kicking people out of a corp anymore, but this used to hold true: the member could stay in space and you could not kick him from corp. Sometimes a petition could be used by nice GMs to remove the offending member even in space.

While the thief remains in corp, corp chat is pretty much useless, so setting up a new channel and explicitly allowing your corp to join that channel while explicitly blocking that individual (blocks take priority over allows) is the way to go. Alternatively, you can set up a new channel and directly invite people in the meantime. Send out a corp mail identifying the thief, labeling them as potentially dangerous.

One common tactic is to commit the corp theft, then jump in a combat ship and locate other corp members on the map, travelling to and killing them if at all possible. Re-iterate this risk to your corp members. If you see him join local, dock or fight.

The 24 hour period can be a good time to get them "back" if at all possible, but it usually isn't. That's not to say you don't want to try, but oftentimes a thief will take your stuff, end up in space and then at their leisure dock up and leave the corp or be kicked.

Once the thief has left the corp:

  • Get full API keys, once again 'account', not character, from everyone in the corp. This is a matter of course; members who are suddenly unwilling to share their keys or are slow in doing so I would consider suspect.
  • Look at the APIs and try to find links between the thief and any current members. Thieves often become more sloppy once they enter the corp, leaving ties between their other alts and themselves in the corp. Scrutinize members who engaged in direct trades or contracts with the thief. I said scrutinize, not kick. Explain to them that leadership is worried about more losses of assets.
  • If the thief is blatantly identified, i.e. they start shooting stuff, make sure his name is advertised and his roles stripped. Send out a corp mail, warn the alliance, and do all the smart things you should be doing; don't expect someone else to do them or to have already done them.

Be aware that you'll never quite feel safe again. Well, let's be honest, if you ever thought the corp was "safe" in the first place you have problems. The corp should never be considered "safe", because even if you had one thief attack, that doesn't mean that there isn't another one already in your corp waiting for his chance to make a break for it.

Importantly, as a leadership team:
  • Don't give up and walk away
  • Don't 'witch hunt', but as a leader you have to accept that it happened and move on.
  • Take your lumps and learn from it. Figure out if the action was avoidable or unavoidable. Place safeguards on the corp.
  • Follow up with members who lost assets, pay them back, reward loyalty in the corp.
  • Maintain vigilance. Corp thieves strike, but they only really win when their theft causes a storm that brings down the corp behind them.

1 comment:

  1. Great advice. Almost text-book from when I had to handle my corp getting robbed.

    When you get robbed it really is sink or swim time. This is where the CEO and Directors have to shine and show they are doing all they can to secure the corp. Doing nothing will most likely kill your corp.

    When you get robbed, treat it as a challenge to recover from and take pride in succeeding.