Beware of Internal Security Threats

January 31, 2017 | Views: 4044

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

Estimated reading time: 4 minutes

Are there any employees who work in their own little bubble in your organization where nobody else is aware of what they do, where they keep files or important documents? How much data do they have access to? Does anybody audit their access to the network, bank accounts or inventory? If not, how do you know if your employees are ripping you off or not? Organizations need security measures and policies in place to keep employees honest and reduce internal threats.

Besides external Cyber-security threats, there are other threats that are probably just as harmful, or even more so, than external threats. The problem with internal threats is that the people inside your organization have access because of the nature of the work that they do. They do not need to devise a scheme or write some fancy code to break in. They already have the keys. They just need to have the desire and the opportunity to rob the organization or take sensitive data. Employees can steal data, money, and inventory. Sometimes employees are just unaware of proper security measures. We recently had an employee inform our IT department that they lost their notebook where they stored all of their company passwords. Another employee gave their corporate passwords to their spouse so that their spouse could access a corporate system to use an application. These employees said they did not realize this was against company policy. It is very important to not only have these policies in place but to make sure all of your employees are aware of them and they understand and agree to them. Regular auditing of employee access is also important.

In my work, I have been assigned the task of uncovering unauthorized access to senior leadership data files, a CFO’s email account, an employee taking home sensitive information on a thumb drive that was not supposed to leave the office, unauthorized access to patient records and unauthorized access to other employees personnel records. All of these people were in a position of trust. They were managers, IT staff, accountants, medical staff and other positions with access to sensitive information.

Most breaches lead to immediate termination of the employee. In most cases, there were policies in place that were not followed that raised red flags. After this did a manager or someone in senior leadership to request IT to look into the employee activity. Having these policies in place saved the company money and/or kept them out of litigation.

In the news, there have been several reports of small businesses with a single bookkeeper who may be having financial problems or just a desire to steal money so he/she decides to use a company check or credit card to pay a bill one month. The amount is small and nobody finds out because nobody else looks at the checkbooks or reviews transactions on the checking account or credit card statements. Even if they do, a small payment to a credit card company or to a utility may go unnoticed. If the employee gets away with it, it is tempting to do this again. Over time the amount of money lost grows and grows. Sometimes the person becomes bold and starts taking out larger amounts of money. Sometimes they mean to pay it back but most times they do not.

Another risk to your business is phishing schemes that look like emails that are coming from an executive asking someone in accounting to transfer money to an external bank account. Unless there are checks and balances in place, your employee may go ahead and transfer the money not realizing the email they received was a fake. Of course, this type of theft is not done by maliciousness on the employee’s behalf, but it is due to the employee not being aware of such schemes. End user security awareness training is important. Employees should always have to follow up with someone in person before transferring money or assets to anyone. Someone else in the company should have to sign off on the transaction to show that it was approved.

The way to avoid all of this is to have company policies in place to avoid fraud and embezzlement. No one person should have all the access to money or information. When dealing with money and inventory, there should be two or more people keeping track of assets and any records on file in your organization. Perform regular audits and inventory of assets and who has access to what. Do not let important and confidential company data leave the office without some sort of security or file encryption. Creating the policies and training employees to adhere to these policies could save your business.

Share with Friends
Use Cybytes and
Tip the Author!
Share with Friends
Ready to share your knowledge and expertise?
  1. Would internal threats be less of a problem if potential perpetrators were incentivized to choose not to? Ex: Stressing the high chance of getting caught (or at least higher than most are willing to risk), emphasis on the creation of further problems requiring more effort than can be justified by the pay off, etc.

  2. It’s a sad state of affairs when internal threats are more frequent than external threats. I guess that’s why separation of duties and internal audits are crucial to today’s enterprises.

  3. Interesting post, and very informative.

Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?