Warning signs for business security breach

For purposes of this article, a business security breach is when unauthorised people or applications gain access to our IT-based management information. It is also a business security breach when unauthorised people gain physical access to your business premises. It is important to note that the purpose of gaining access is always malicious or damaging. I have often wondered whether business security breaches just happen or whether there are warning signs before they take place. For sure, there are warning signs to alert management to the possibility of a security breach taking place, so that preventive measures can be put in place. The warning signs which alert management to act are many and include some of the following:

Management attitude

The state of the business security environment in your organisation depends very much on management's attitude towards business risk. I have known some management teams that are not worried about business security as they are convinced in their minds that nothing can go wrong. We all know that the quality of output from a business security system depends to a large extent on the investment in it. The level of investment, however, will depend on the attitude of management towards business security. You cannot expect much from a business security system if top management considers it a waste of time and resources.

Information leaving the organisation

The main purpose of going into business is to attract, serve and retain customers in order to achieve your organisation's goal of enhancing both top-line and bottom-line results. Since you are in the business of making money, most communication should be between your organisation and your current and potential customers, your key registered suppliers and the known regulatory authorities. Any outflow of information from your organisation to other organisations apart from the above should be reviewed for appropriateness. You should always ask yourself why information should leave your organisation for organisations and people other than your customers, registered suppliers and known regulatory authorities. Be on the lookout for staff sending sensitive information to their private email addresses.

Type of information

There are categories of information you would not expect to leave the organisation unless formally authorised. These include information relating to payroll, the list of customers, the strategic plan, minutes of meetings, the fixed assets register and the list of key suppliers, among others. You should always ask yourself why your trade secrets should leave your organisation. You should be very concerned if your staff are disclosing your vital business information to outsiders.

Existence of an over-trusted class of employees

Some organisations have what I call over-trusted employees, who have the freedom to carry out any transaction from beginning to end without any checks and balances. It is perfectly acceptable to trust employees, but do not over-trust them to the extent of relaxing the controls over the activities they carry out. Controls play a key role in preventing and detecting any malpractice by staff. Without adequate controls, any good staff member can easily develop immoral tendencies, as the risk of being found out is quite low.

Staff working hours

You will find some staff who have interesting working-hour habits. Some report very early in the morning, others report quite late in the morning, and they all work late into the night. Their behaviour is often tolerated on the assumption that they are hard-working staff. Why should a staff member sacrifice more time than the owners of the organisation? What is the incentive? Is it true that the staff are committed to clearing the workload on their desks? What exactly do these staff do when they are on their own in the business premises?

Staff who do not like going on leave

I have come across staff who will try their level best to avoid going on leave. They will create emergencies to provide a convincing reason to sell their leave days. What is the incentive for working without a rest? Taking leave should be compulsory for staff, and those who do not comply should forfeit their leave days. In my working life I have come across staff who do not care about losing their leave days. Management should find out the motive of a given staff member who resists going on leave. Are there any immoral acts that they want to cover up?

Overriding of controls

There are staff, including members of the management team, who like overriding controls in the organisation. They put more emphasis on trusting staff than on relying on the controls. They will try hard to override the controls by creating an excuse for doing so. They always say that controls are inhibiting their efforts to attract business to the organisation. You should ask yourself why a given individual should be inclined to override the controls in the organisation all the time. It is always easier to carry out immoral activities without being promptly detected if the controls are quite weak.

Sharing of IT passwords

The business security of an organisation is compromised if there are no adequate controls over the use of passwords. Passwords should not be shared and should be changed on a regular basis. If the password for, let us say, a computer containing sensitive information is shared by a number of staff, it becomes difficult to know who accessed the information on the computer if something goes wrong. You cannot pin the wrongdoing on anyone. A fraud can therefore be executed without anyone knowing exactly who did it.

Lack of control over staff accessing premises during non-working hours

I have known a number of organisations that have not instituted a control mechanism on the business premises for monitoring the movement of staff during non-working hours. There should not be free entry for staff after normal working hours. The organisation should give the right to access the building only to those who are required to access the business premises in order to carry out their authorised work. Research shows that many frauds are executed by staff, either on their own or in collaboration with external parties.

Conclusion

As discussed above, there are warning signs before most business security breaches take place. The challenge is often the lack of capacity on the part of management to identify and act on the warning signs. The warning signs above are just a few highlights of the many that exist. Quite often managers come to know of the warning signs early enough but fail to act promptly to prevent the breaches.

Author

John Muhaise Bikalemesa

Director: Big Drum Advisory Services Limited

john.muhaise@bigdrumassociates.com