For the purposes of this article, a business security breach is when unauthorised people or applications gain access to our IT-based management information. It is also a business security breach when unauthorised people gain physical access to your business premises. It is important to note that the purpose of gaining access is always malicious or damaging. I have often wondered whether business security breaches just happen or whether there are warning signs before they take place. For sure, there are warning signs that alert management to the possibility of a security breach so that preventive measures can be put in place. The warning signs that should prompt management to act are many and include the following:
The state of the business security environment in your organisation depends very much on management’s attitude towards business risk. I have known some management teams that are not worried about business security as they are convinced in their minds that nothing can go wrong. We all know that the quality of output from a business security system depends to a large extent on the investment in it. The level of investment, however, will depend on the attitude of management towards business security. You cannot expect much from a business security system if top management considers it a waste of time and resources.
Information leaving the organisation
The main purpose of going into business is to attract, serve and retain customers in order to achieve your organisation's goal of improving both top-line and bottom-line results. Since you are in the business of making money, most communication should be between your organisation and your current and potential customers, your key registered suppliers and the known regulatory authorities. Any outflow of information from your organisation to other organisations apart from these should be reviewed for appropriateness. You should always ask yourself why information should leave your organisation for organisations and people other than your customers, registered suppliers and known regulatory authorities. Be on the lookout for staff sending sensitive information to their private email accounts.
Type of information
There are categories of information you would not expect to leave the organisation unless formally authorised. These include information relating to payroll, the list of customers, the strategic plan, minutes of meetings, the fixed assets register and the list of key suppliers, among others. You should always ask yourself why your trade secrets should leave your organisation. You should be very concerned if your staff are disclosing your vital business information to outsiders.
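The review rule from the two sections above, written as an added example that is not the author's own: outbound mail is flagged when the recipient is not a customer, registered supplier or regulator, when it goes to a personal mailbox, or when the subject or attachment name matches one of the information categories listed. The log format, domain names and keyword list are assumptions made for illustration, and the sample log is constructed.

```python
import csv
import io
# All names and values below are assumptions for illustration, not from the article.
INTERNAL_DOMAIN = "corp.example"
APPROVED_DOMAINS = {"customer.example", "supplier.example", "regulator.example"}
PERSONAL_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Crude keyword stand-ins for the information categories the article lists.
SENSITIVE_TERMS = ("payroll", "customer list", "strategic plan", "minutes",
                   "fixed assets", "supplier list")

# Constructed outbound mail log: time, sender, recipient, subject, attachment
SAMPLE_LOG = """\
2024-03-04T09:12:00,amy@corp.example,buyer@customer.example,March invoice,invoice_0304.pdf
2024-03-04T18:47:00,bob@corp.example,bob.private@gmail.com,fwd,Payroll_March.xlsx
2024-03-05T10:03:00,cat@corp.example,info@unknown-firm.example,Strategic plan draft,plan.docx
2024-03-05T11:30:00,dan@corp.example,sales@unknown-firm.example,Lunch on Friday,
2024-03-05T14:15:00,eve@corp.example,audit@regulator.example,Board minutes Q1,minutes_q1.pdf
2024-03-05T15:00:00,amy@corp.example,dan@corp.example,Payroll query,
"""

def domain_of(address):
    return address.rsplit("@", 1)[-1].strip().lower()

def review_outbound(log_text):
    """Return one finding per outbound message that needs a reviewer's attention."""
    findings = []
    for ts, sender, rcpt, subject, attachment in csv.reader(io.StringIO(log_text)):
        dest = domain_of(rcpt)
        if domain_of(sender) != INTERNAL_DOMAIN or dest == INTERNAL_DOMAIN:
            continue  # only mail leaving the organisation is in scope
        text = f"{subject} {attachment}".lower().replace("_", " ")
        sensitive = [t for t in SENSITIVE_TERMS if t in text]
        reasons = []
        if dest in PERSONAL_MAIL_DOMAINS:
            reasons.append("personal mailbox")
        elif dest not in APPROVED_DOMAINS:
            reasons.append("recipient not a customer, supplier or regulator")
        if sensitive:
            reasons.append("sensitive category: " + ", ".join(sensitive))
        if reasons:
            # Sensitive content to a non-approved destination is the strongest signal.
            urgent = bool(sensitive) and dest not in APPROVED_DOMAINS
            findings.append({"time": ts, "sender": sender, "recipient": rcpt,
                             "priority": "high" if urgent else "review", "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in review_outbound(SAMPLE_LOG):
        print(f["priority"], f["sender"], "->", f["recipient"], "|", "; ".join(f["reasons"]))
```

Sensitive material sent to an approved recipient is still listed at "review" priority, so that someone can confirm it was formally authorised.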
Existence of an over-trusted class of employees
Some organisations have what I call over-trusted employees, who have the freedom to carry out any transaction from beginning to end without any checks and balances. It is perfectly acceptable to trust employees, but do not over-trust them to the extent of relaxing the controls over the activities they carry out. Controls play a key role in preventing and detecting malpractice by staff. Without adequate controls, any good staff member can easily develop immoral tendencies, as the risk of being found out is quite low.
Staff working hours
You will find some staff who have interesting working-hour habits. Some report very early in the morning, others report quite late in the morning, and they all work late into the night. Their behaviour is often tolerated on the assumption that they are hard-working staff. Why should a staff member sacrifice more time than the owners of the organisation? What is the incentive? Is it true that the staff are committed to clearing the workload on their desks? What exactly do these staff do when they are on their own in the business premises?
Staff who do not like going on leave
I have come across staff who will try their level best to avoid going on leave. They will create emergencies to provide a convincing reason to sell off their leave days. What is the incentive for working without a rest? Taking leave should be compulsory for staff, and those who do not comply should forfeit their leave days. In my working life I have come across staff who do not care about losing their leave days. Management should find out the motive of a given staff member for resisting going on leave. Are there any immoral acts that they want to cover up?
Overriding of controls
There are staff, including members of the management team, who like overriding controls in the organisation. They place more emphasis on trusting staff than on relying on the controls. They will try hard to override the controls by creating an excuse for doing so. They always say that controls are inhibiting their efforts to attract business to the organisation. You should ask yourself why a given individual should be inclined to override the controls in the organisation all the time. It is always easier to carry out immoral activities without being promptly detected if the controls are quite weak.
Sharing of IT passwords
The business security of an organisation is compromised if there are no adequate controls over the use of passwords. Passwords should not be shared and should be changed on a regular basis. If the password for, let us say, a computer containing sensitive information is shared by a number of staff, it becomes difficult to know who accessed the information on the computer if something goes wrong. You cannot pin the wrongdoing on anyone. The fraud can therefore be executed without anyone knowing exactly who did it.
Lack of control over staff accessing premises during non-working hours
I have known a number of organisations that have not instituted a control mechanism on the business premises for monitoring the movement of staff during non-working hours. There should not be free entry for staff after normal working hours. The organisation should give access rights to the building only to those who need to access the business premises in order to carry out their authorised work. Research shows that many frauds are executed by staff, either on their own or in collaboration with external parties.
As discussed above, there are warning signs before most business security breaches take place. The challenge is often the lack of capacity on the part of management to identify and act on the warning signs. The above are just a few highlights of the many warning signs. Quite often managers come to know of the warning signs early enough but fail to act promptly to prevent the breaches.
John Muhaise Bikalemesa
Director: Big Drum Advisory Services Limited