Present Blog: IT thought leadership in Canada

Enterprise Security: how to protect against internal hacking

Written by Present | Jan 30, 2015 5:59:19 PM


To a certain extent, every company can find itself in a vulnerable situation, faced with either unintentional or malicious acts committed by its employees.

External threats usually receive more attention than internal threats, and the measures taken to prevent them tend to be more rigorous.

However, it is important to protect against internal hacking as the consequences can be just as serious and damaging for business.

Whatever the source of risk to the security of IT and, more generally, of the enterprise, consider the following equation to protect yourself:

There is an important distinction to make between involuntary acts and those deliberately committed to harm the company, as the means of fighting these two types of action are different.

Through the following examples of companies that have suffered acts of hacking, we share common mistakes to avoid and recommendations to protect against the risks of internal hacking.

How to reduce the risk of internal theft

Instilling trust in employees is important in business, but that must not come at the expense of security. Consider the example of a Canadian company that was robbed of several thousand dollars by an employee who had managed to obtain the application password used to edit and print cheques. This employee issued several cheques for small amounts in his own name and forged the signature of the person authorized to sign cheques.

He was not discovered for several months and was able to siphon off money regularly. It was only through a bank reconciliation that accounting identified the fraud.

This unsophisticated fraud exposed two lapses in security management, both of which can be easily corrected.

Password security

Avoid:

• Using the same password for everything: computer, email, software, ...

• Keeping the password written down near the workstation

• Using passwords that are too short or not complex enough (only one or two types of characters)

• Keeping the same password for too long

Best practices to implement:

• Use a different password for each application and, if needed, a password management tool

• Raise the complexity of passwords (capital letters, lowercase letters, numbers and special characters)

• Change passwords every 3 to 6 months
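The three password rules above (one password per application, enough character classes, regular rotation) can be checked mechanically against a password-manager export. The following script is an added example, not code from Present or from the original article; the 12-character minimum, the three-class minimum and the 90-day rotation window are assumed thresholds (the article only gives "3 to 6 months"), and the vault entries and audit date are constructed sample data.

```python
from datetime import date
import string

# Policy thresholds. The article gives "every 3 to 6 months" for rotation;
# the 90-day default below is the strict end of that range and is an assumption.
MIN_LENGTH = 12
MIN_CHAR_CLASSES = 3
MAX_AGE_DAYS = 90


def char_classes(password: str) -> int:
    """Count how many of the four character classes the password uses:
    lowercase, uppercase, digits, special characters."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])


def check_password(password: str, last_changed: date, today: date) -> list:
    """Return the list of policy rules this credential breaks (empty = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short ({len(password)} < {MIN_LENGTH})")
    if char_classes(password) < MIN_CHAR_CLASSES:
        problems.append(f"too few character classes ({char_classes(password)} < {MIN_CHAR_CLASSES})")
    age = (today - last_changed).days
    if age > MAX_AGE_DAYS:
        problems.append(f"not changed for {age} days (limit {MAX_AGE_DAYS})")
    return problems


def find_reused(vault: dict) -> list:
    """Group services that share an identical password. Each group is a sorted
    list of service names; only groups with more than one service are returned."""
    by_password = {}
    for service, (password, _changed) in vault.items():
        by_password.setdefault(password, []).append(service)
    return sorted(sorted(group) for group in by_password.values() if len(group) > 1)


def audit_vault(vault: dict, today: date) -> dict:
    """Run every rule over a password-manager export and build a per-service report."""
    report = {svc: check_password(pw, changed, today) for svc, (pw, changed) in vault.items()}
    for group in find_reused(vault):
        for service in group:
            report[service].append(f"shared with {len(group) - 1} other service(s)")
    return report


# Constructed sample export: service -> (password, date last changed).
# The three shared entries mirror the "same password for everything" mistake.
SAMPLE_VAULT = {
    "workstation":     ("Summer2014", date(2014, 6, 1)),
    "email":           ("Summer2014", date(2014, 6, 1)),
    "cheque-printing": ("Summer2014", date(2014, 6, 1)),
    "payroll":         ("Vq7#mLp2!wRz9Tn", date(2014, 12, 1)),
}
AUDIT_DATE = date(2015, 1, 30)


def audit_sample() -> dict:
    """Audit the constructed vault as of the constructed audit date."""
    return audit_vault(SAMPLE_VAULT, AUDIT_DATE)


if __name__ == "__main__":
    for service, problems in audit_sample().items():
        print(service, "OK" if not problems else "; ".join(problems))
```

On the sample data, the shared "Summer2014" credential fails on length, age and reuse at once, while the payroll entry passes every rule. Reuse is detected by grouping identical passwords rather than by any clever heuristic, which is exactly what a password manager's built-in audit does; the point is that the check is cheap enough to run routinely.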

Access to confidential or sensitive documents

Whether documents are electronic or on paper, anything of a sensitive nature should be secured and its access restricted.

Avoid:

• Giving the same level of access to all users

• Not having a secure cabinet, or leaving the keys in the cabinet

• Entrusting the management of a sensitive process to a single employee

Best practices to implement:

• Secure access to key documents

• Segment the levels of access to applications and sensitive data

• Distribute the management of key processes among several people
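The last two recommendations, segmented access levels and key processes split across several people, are the controls that would have stopped the cheque fraud described above, and the bank reconciliation that eventually caught it is a third. The script below is an added example, not code from Present or from the original article: it models a cheque-issuing workflow in which a role grants a fixed set of actions, the person who prepares a cheque can never approve it or make it out to themselves, and a reconciliation pass flags cheques the bank paid that the ledger never approved or never recorded. The role names, user names, cheque numbers and bank statement are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed role model: a role grants a set of actions (the "segmented access levels"
# the article recommends). Role and user names are assumptions for this example.
ROLE_PERMISSIONS = {
    "clerk":    {"prepare_cheque"},
    "approver": {"approve_cheque"},
    "auditor":  {"reconcile"},
}


class PolicyViolation(Exception):
    """Raised when an action breaks the access or separation-of-duties rules."""


@dataclass
class Cheque:
    number: int
    payee: str
    amount: float
    prepared_by: str
    approved_by: Optional[str] = None


class ChequeLedger:
    def __init__(self, users: dict):
        self.users = users      # user -> set of roles
        self.cheques = {}       # cheque number -> Cheque

    def _require(self, user: str, permission: str) -> None:
        roles = self.users.get(user, set())
        if not any(permission in ROLE_PERMISSIONS[r] for r in roles):
            raise PolicyViolation(f"{user} lacks {permission}")

    def prepare(self, user: str, number: int, payee: str, amount: float) -> Cheque:
        self._require(user, "prepare_cheque")
        if payee == user:
            raise PolicyViolation(f"{user} may not issue a cheque to themselves")
        self.cheques[number] = Cheque(number, payee, amount, prepared_by=user)
        return self.cheques[number]

    def approve(self, user: str, number: int) -> Cheque:
        self._require(user, "approve_cheque")
        cheque = self.cheques[number]
        if cheque.prepared_by == user:
            raise PolicyViolation(f"{user} prepared cheque {number} and may not approve it")
        cheque.approved_by = user
        return cheque


def reconcile(ledger: ChequeLedger, bank_statement: list) -> list:
    """Compare cheques cleared by the bank (number, payee, amount) against the ledger.
    This is the control that exposed the fraud in the article: a cheque that the bank
    paid but the ledger never approved, or never recorded, is a finding."""
    findings = []
    for number, payee, amount in bank_statement:
        cheque = ledger.cheques.get(number)
        if cheque is None:
            findings.append((number, "not in ledger"))
        elif cheque.approved_by is None:
            findings.append((number, "cleared without approval"))
        elif (cheque.payee, cheque.amount) != (payee, amount):
            findings.append((number, "details differ from bank"))
    return findings


def run_sample() -> tuple:
    """Exercise the rules on constructed data; returns (denied actions, reconciliation findings)."""
    ledger = ChequeLedger({
        "alice": {"clerk"},
        "bob":   {"approver"},
        "dave":  {"clerk", "approver"},   # holds both roles, still may not approve his own work
        "carol": {"auditor"},
    })
    ledger.prepare("alice", 101, "Acme Supplies", 450.00)
    ledger.approve("bob", 101)
    ledger.prepare("dave", 102, "Northern Office Co", 1200.00)

    denied = []
    attempts = [
        lambda: ledger.approve("dave", 102),                            # approving own cheque
        lambda: ledger.prepare("alice", 103, "alice", 300.00),          # paying herself
        lambda: ledger.prepare("carol", 104, "Acme Supplies", 50.00),   # no clerk role
    ]
    for attempt in attempts:
        try:
            attempt()
        except PolicyViolation as err:
            denied.append(str(err))

    # Constructed bank statement: 102 was paid without approval, 105 was never recorded.
    statement = [
        (101, "Acme Supplies", 450.00),
        (102, "Northern Office Co", 1200.00),
        (105, "alice", 300.00),
    ]
    return denied, reconcile(ledger, statement)


if __name__ == "__main__":
    denied, findings = run_sample()
    print("denied:", *denied, sep="\n  ")
    print("reconciliation findings:", findings)
```

Two design points are worth noting. The separation-of-duties rule is enforced on the specific cheque, not on the role, so giving one person both the clerk and approver roles (as small companies often must) still does not let them approve their own work. And the reconciliation runs against what the bank actually paid, so a cheque produced outside the application with a stolen password, which the access rules alone cannot see, still surfaces as "not in ledger".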

How to protect against unintentional acts that damage the company's security

Identify unintentional acts of hacking:

• Clicking on links that install malicious software

• Connecting infected USB keys

• Bringing infected devices in from outside

• Leaving documents or devices within reach of visitors

Informing employees is the first barrier against such acts.

Elements recommended to put in place in any business:

• An IT charter that includes rules on the use of email, web browsing, the use of personal devices, BYOD (Bring Your Own Device) ...

• A document destruction policy

• End-of-day workstation organization (a clean-desk routine)

• Rules to be applied for meetings with outside visitors

• Equipping devices with remote-location software

In 2014, large companies in several countries were victims of "the CEO scam". This scam relies on the trust people place in the security of e-mail communications. Although the fraud is carried out by external cybercriminals, it was involuntary actions by insiders that enabled the scam to succeed and divert millions of dollars.

Vulnerability to malicious or unintentional acts that jeopardize enterprise security is not confined to small companies, as the CEO scam demonstrates. The best practices recommended here should be an integral part of corporate life in order to reduce these risks.
