Businesses spend a fortune protecting themselves from outside security threats, but too few recognize that their biggest threat is from those already inside the security fence - i.e. their own staff. While 99.99% of staff are honest (give or take the odd dubious “sick day”), now and again someone on the company payroll may do some damage. The biggest corporate thefts are perpetrated by insiders - from simple pilfering (women’s fashion retailing notoriously suffers badly from staff theft) through bogus invoicing all the way up to stock option manipulation.
One area of risk that’s often overlooked is IT. The widespread use of outside suppliers and contractors is ripe for fake invoicing and kickbacks. Malicious programming which steals a cent here and there over time can cost millions. Disgruntled employees can do nasty things to your systems, e.g. stealing your data, corrupting it, or building “logic bombs” to bring down your systems.
While you can manage most of these risks, there is one group of IT staff that is almost impossible to monitor - your system administrators. They have the keys to unlock everything - because that’s what they need to do their jobs. They can read your emails, payroll files and personnel records. They can access your payment systems. They can install spyware behind your firewall. And they can cover their tracks easily, because their tools enable them to change just about anything that is recorded electronically.
I’ve heard many times that “our people wouldn’t do that”. In most organizations, that is absolutely correct. Most system administrators are decent, hardworking, honest people. Many have a deeply ethical approach to their role. However, you can never be absolutely sure.
There’s no magic bullet for this problem. Some organizations only use long-term trusted employees as system administrators. Others vet new hires very carefully before appointment. Smart businesses carefully screen and select staff, manage and reward them well, look after them, deliberately cultivate an ethic of trust and integrity, oversee change processes very closely, and randomly audit transactions and processes. But in the end, you still rely on your staff’s personal ethics and the alertness of other staff.
Don’t kid yourself; the risk may be lower, but the risk is still there.
First posted January 10th, 2008