The Threat From Inside

Column: The eSecurity Advisor


From the August 2008 Issue

Many accountants are familiar with the threats faced by our organizations from the outside — hackers, viruses, spyware, Trojans, and various other malicious software and people. However, many of us fail to think about the threat from inside the organization — employees, vendors, consultants and clients.

It is fairly easy to look at the security vulnerabilities outside the organization because they receive more coverage, but internal security vulnerabilities are often overlooked or ignored. We all like to trust our employees and believe that they are serving the best interests of our firm. While the vast majority of employees are honest and forthright in their dealings, there may be a time when we become the victim of an insider threat.

What are the threats?
The threats come in many forms and have various degrees of severity ranging from fairly benign threats (such as an employee losing a client’s records) to more severe threats (such as an employee stealing client information and selling it to an identity thief).

Here is a list of some inside threats faced by an accounting firm:

  • Losing client records
  • Theft of client records
  • Unauthorized discussions with third parties about client information
  • Removing client records for personal use or for sale
  • Using client information to commit a crime (theft of money or a client’s identity by employee or an associate of the employee)
  • Theft of company information
  • Sale of company information (sale of the processes used by the firm, most likely to a competitor)
  • Misuse of position to obtain benefits from clients
  • Misuse of position to obtain benefits from vendors
  • Theft of company property whether electronic (software) or physical assets

Many other items could be added to this list. Take a few minutes to write down any that come to mind that might be specific to your firm.

What to do about the threats
One of the most important aspects of dealing with internal threats is control. You want to control access to documents and ensure that only those who should have access actually do. Document control can take several forms, including the following:

  • Using passwords to gain access to network resources as well as within a document in order to secure sensitive information
  • Using document management software to control access to documents
  • Using the file security system built into the server operating system to secure documents in folders with access controlled to only those users who require access
  • Rotation of duties to ensure that employees who might be thinking of leaving cannot take a group of clients with them because of unrestricted access
  • Limiting access to only those documents required to complete the work assigned

Let’s take a closer look at each of these areas to gain some insight into how each will help bring about effective internal control over documents and threats from the inside.

Passwords
Use of passwords provides access control to documents and the network. By requiring a password on a document and on the network in order to open or edit that document, you prevent unauthorized employees from viewing or changing it. Passwords address internal vulnerabilities, especially from employees who might wish to use the information for inappropriate activities. Passwords also provide a means of controlling access to resources on the network: a user who is not authorized for a particular area is prevented from obtaining information from that area.
