Are there any employees in your organization who work in their own little bubble, where nobody else is aware of what they do or where they keep files and important documents? How much data do they have access to? Does anybody audit their access to the network, bank accounts or inventory? If not, how do you know whether your employees are ripping you off? Organizations need security measures and policies in place to keep employees honest and reduce internal threats.

Besides external cybersecurity threats, there are internal threats that are probably just as harmful, or even more so. The problem with internal threats is that the people inside your organization have access because of the nature of the work that they do. They do not need to devise a scheme or write some fancy code to break in. They already have the keys. They just need the desire and the opportunity to rob the organization or take sensitive data. Employees can steal data, money, and inventory.

Sometimes employees are just unaware of proper security measures. We recently had an employee inform our IT department that they lost their notebook where they stored all of their company passwords. Another employee gave their corporate passwords to their spouse so that their spouse could access a corporate system to use an application. These employees said they did not realize this was against company policy. It is very important not only to have these policies in place but also to make sure all of your employees are aware of them, understand them and agree to them. Regular auditing of employee access is also important.

In my work, I have been assigned the task of uncovering unauthorized access to senior leadership data files, a CFO's email account, an employee taking home sensitive information on a thumb drive that was not supposed to leave the office, unauthorized access to patient records and unauthorized access to other employees' personnel records.
All of these people were in a position of trust. They were managers, IT staff, accountants, medical staff and people in other positions with access to sensitive information.

Most breaches lead to immediate termination of the employee. In most cases, there were policies in place that were not followed, which raised red flags. After this, a manager or someone in senior leadership requested that IT look into the employee's activity. Having these policies in place saved the company money and/or kept it out of litigation.

In the news, there have been several reports of small businesses with a single bookkeeper who, because of financial problems or just a desire to steal money, decides to use a company check or credit card to pay a bill one month. The amount is small and nobody finds out, because nobody else looks at the checkbooks or reviews transactions on the checking account or credit card statements. Even if they do, a small payment to a credit card company or to a utility may go unnoticed. If the employee gets away with it, it is tempting to do it again. Over time the amount of money lost grows and grows. Sometimes the person becomes bold and starts taking out larger amounts of money. Sometimes they mean to pay it back, but most times they do not.

Another risk to your business is phishing schemes: emails that appear to come from an executive asking someone in accounting to transfer money to an external bank account. Unless there are checks and balances in place, your employee may go ahead and transfer the money, not realizing the email they received was a fake. Of course, this type of theft is not the result of malice on the employee's part, but of the employee not being aware of such schemes. End user security awareness training is important. Employees should always have to follow up with someone in person before transferring money or assets to anyone. Someone else in the company should have to sign off on the transaction to show that it was approved.

The way to avoid all of this is to have company policies in place to prevent fraud and embezzlement. No one person should have all the access to money or information. When dealing with money and inventory, there should be two or more people keeping track of assets and any records on file in your organization. Perform regular audits and inventories of assets and of who has access to what. Do not let important and confidential company data leave the office without some sort of security or file encryption. Creating the policies and training employees to adhere to them could save your business.