To a certain extent, all companies can find themselves in a vulnerable situation, faced with either non-intentional or malicious acts committed by employees.
External threats are often taken more into consideration than internal threats and the measures to prevent them will be more rigorous.
However, it is important to protect against internal hacking as the consequences can be just as serious and damaging for business.
Whatever the source of risk to the security of IT and generally to the enterprise, consider the following equation to protect yourself :
There is an important distinction to make between involuntary acts and those which are deliberately commited to harm the company, as the means to fight against these types of action will be different.
Through the following examples of companies that have suffered acts of hacking, we share common mistakes to avoid and recommendations to protect against the risks of internal hacking.
How to reduce the risk of internal theft
Instilling trust in employees is important in business, but that does not mean at the expense of security. We have an example of a Canadian company that was robbed of several thousand dollars by an employee who had managed to get the application password to edit and print cheques. This employee issued several checks for small amounts to his name and forged the signature of the person authorized to sign checks.
He was not discovered for several months and was able to extort money regularly. It is only by doing a bank reconciliation that accounting identified the fraud.
In this case, what was discovered from this unsophisticated fraud was two lapses in security management can be easily corrected.
• Having the same password for everything: computer, email, software, ...
• Keeping the password written near the workstation
• Having passwords that are too short and not complex enough (with one or two types of characters)
• Keeping the same password too long
Best practices to implement:
• Set a Password per application and if needed use a password management tool
• Raise the level of complexity of passwords (capital letters, lowercase letters, numbers and special characters)
• Change passwords every 3 to 6 months
Access to confidential or sensitive documentsWhether electronic documents or paper, whatever is of a sensitive nature should be secured and access restricted.
• Giving the same levels of access to all users
• Not having a secure cabinet or leaving the keys on the cabinet
• Giving the management of a sensitive process to only one employee
• Secure access to key documents
• Segment the levels of access to applications and sensitive data
• Distribute the management of key processes to several people
How to protect against unintentional acts that damages the company's security
Identify acts of unintended hacking
• Clicking on links that install malicious software
• Connecting infected USB keys
• Bringing infected devices from the outside
• Leaving documents or devices within reach of visitors
Information to employees is the first barrier to prevent such acts.
Elements recommended to put in place in any business
• Document Destruction Policy
• End of day workstation organization
• Rules to be applied for meetings with outside visitors
• Equipping devices with remote location software
In 2014, large companies in several countries were victims of "the CEO scam". This scam is based on trust that people have in the security of e-mail communications. Although this is a fraud conducted by external cybercriminals, it was internal involuntary actions that enabled the success of the scam, which diverted millions of dollars.
Vulnerability to malicious or unintentional acts that jeopardizes the security of enterprises is not only present in small companies as demonstrated by the president scam. The best practices recommended here should be an integral part of corporate life to reduce risks.
© freshidea - Fotolia.com