Skip to main content

The Threat From Inside

Column: The eSecurity Advisor

From the August 2008 Issue

Many accountants are familiar with the threats faced by our organizations
from the outside — hackers, viruses, spyware, Trojans, and other various
malicious software and people. However, many of us fail to think about the threat
from inside the organization —employees, vendors, consultants and clients.

It is fairly easy to look at the security vulnerabilities outside the organization
because it receives more coverage, but internal security vulnerabilities are
often overlooked or ignored. We all like to trust our employees and believe
that they are serving the best interests of our firm. While the vast majority
of employees are honest and forthright in their dealings, there may be a time
when we become victim to an insider threat.

What are the threats?
The threats come in many forms and have various degrees of severity ranging
from fairly benign threats (such as an employee losing a client’s records)
to more severe threats (such as an employee stealing client information and
selling it to an identity thief).

Here is a list of some inside threats faced by an accounting firm:

  • Losing client records
  • Theft of client records
  • Unauthorized discussions with third parties about client information
  • Removing client records for personal use or for sale
  • Using client information to commit a crime (theft of money or a client’s
    identity by employee or an associate of the employee)
  • Theft of company information
  • Sale of company information (sale of the processes used by the firm, most
    likely to a competitor)
  • Misuse of position to obtain benefits from clients
  • Misuse of position to obtain benefits from vendors
  • Theft of company property whether electronic (software) or physical assets

Many other items could be added to this list. Take a few minutes to write
down any that come to mind that might be specific to your firm.

What to do about the threats
One of the most important aspects in dealing with internal threats is through
control. You want to control access to documents and ensure that only those
who should have access are actually the only ones who do. Document control can
take several forms including the following:

  • Using passwords to gain access to network resources as well as within a
    document in order to secure sensitive information
  • Using document management software to control access to documents
  • Using the file security system built into the server operating system to
    secure documents in folders with access controlled to only those users who
    require access
  • Rotation of duties to ensure that employees who might be thinking of leaving
    cannot take a group of clients with them because of unrestricted access
  • Limiting access to only those documents required to complete the work assigned

Let’s take a closer look at each of these areas to gain some insight
into how each will help bring about effective internal control over documents
and threats from the inside.

Use of passwords provides access control to documents and the network. By using
passwords on document(s) and the network to either open or edit the document,
you control the ability to prevent non-authorized employees from looking at
or changing a document. Passwords address internal vulnerabilities, especially
from employees who might desire to use the information for inappropriate activities.
Passwords also provide means of controlling access to resources on the network.
And by not having authorization to access a particular area, the user is prevented
from obtaining information from that area.

Document Management
Properly designed document management software provides a means for not only
managing the various documents in your environment, but also for securing them.
Most document management products make it very easy to assign rights to particular
documents or folders. By only allowing access to documents by employees who
need access, you prevent the ability of other employees to use that information
for inappropriate means. Document management software can also be used to track
who last accessed a file so you can determine the history of who was in the
file. The better document management programs track this so you can monitor
for inappropriate use.

File Security on the Server
Most accounting firms use Windows Server operating systems, but Linux and Unix
are also used on occasion. Each of these operating systems has built-in file
permission structures. While assigning file permissions on your server is not
as easy as it would be in a document management tool, it is a means for controlling
access to documents and preventing unauthorized use if set up properly. The
network administrator would need to build a folder structure to fit your organization.
Once set up, users would only be able to access the folders and files stored
within based on their permissions. This is similar to the document management
solutions except that it is done at the server level and users cannot easily
make security changes without the assistance of their network administrator.
Considerable thought also needs to be put into the structure to ensure that
users do not have rights to files they should not be able to see.

Rotation of Duties
We always advise clients to rotate duties to guard against stealing. The same
thing can be done in an accounting firm to prevent familiarity from becoming
a liability to the organization. Employees who are too familiar with clients
can (and sometimes do) decide to leave a firm and start their own. They often
take the clients with whom they are most familiar (or those clients follow them)
because of the personal relationship that has developed between them. One of
the easiest ways to prevent this type of familiarity from becoming a liability
for your firm is to rotate the employee’s work so that every two or three
years, they are working on a new set of clients. This provides stability for
the client relationship but does not allow it to become too familiar.

Limiting Access to Assigned Work
Many of the engagement tools available today have the means for assigning work
to specific employees and preventing other employees from accessing those documents.
By assigning only certain documents to certain employees, no single employee
can gain the full picture of the client’s financial state. This helps
to ensure that employees cannot engage in activities of an inappropriate nature
because they do not have enough information to undertake the inappropriate activity.
Collusion would be the only way employees could gain enough information to be
able to conduct an illegal activity. Breaking up work assignments can also be
an important deterrent. By only giving an employee a piece of the work, they
don’t have sufficient pieces to be able to create mischief. This could
be especially important to new employees who might be more prone to use information
inappropriately versus older, more senior employees who are more trusted. This
is no guarantee, however, as senior “more trusted” employees can
compromise procedures just as much as younger less-experienced employees.

Other Steps
Software monitoring tools can help monitor and lock down your internal network
from internal threats and look for inappropriate access and activities inside
the network. While these tools may make sense for a large firm of 100+ employees,
most smaller accounting firms are going to want to utilize the tools already
available as part of the existing software they are using and already own.

Just as an accounting firm looks at its outside security issues, it also needs
to look at its internal security issues. Employees might have many reasons for
wanting to take advantage of inadequate controls over client information No
matter what the reason, it is important for accounting firms to look internally
to ensure they are not providing a means for employees to utilize the information
in the organization in an inappropriate manner.