By: Disha Shah, senior consultant, Cyber Risk Advisory
Organizations today face many security challenges and threats from internal stakeholders. Most recently, The New York Post’s website and Twitter account were hacked by an employee who posted unauthorized content through its content management system. Now, more than ever, businesses must be cognizant of how to protect their systems not only from malicious external users, but also from unauthorized internal users.
How can businesses ensure they don’t fall victim to internal stakeholders committing unauthorized, illegal, or unethical acts within their organizations? These five tips can help you strengthen your security posture and avoid ending up in the same position:
- Conduct timely access reviews. Enforce a policy that requires periodic access reviews by management; these reviews identify users who should no longer have access and need to be removed from the system.
- Share passwords on a need-to-know basis. For shared service or system accounts that are capable of making critical changes to a system, management should share the password only with the users who need it to carry out their job duties. Keeping a record of who accessed each account, when, and for what reason will help management trace which employee is responsible should a mistake or fraudulent act occur.
- Require multiple approvals from authorities. When critical changes need to be made within a system, management should require multiple levels of approval before the changes are pushed to the system. This helps prevent and detect changes that should never have been made in the first place.
- Maintain appropriate segregation of duties. By segregating duties, management can ensure that no individual employee or group holds so many critical responsibilities that they could commit an erroneous or fraudulent act on their own. Employees and groups will always have the opportunity to collude and commit fraud even when duties are segregated, and this is where cultivating a security culture mindset comes into play.
- Maintain a security culture mindset. Management is in the best position to instill the idea that security is the responsibility of every individual associated with the organization. By rewarding those who uphold the highest security standards, companies set the tone at the top for how valuable and important these standards are. One way management can set this tone is by enforcing, and adhering to, the strict policies that work best in their industry.
Disha Shah, senior consultant, Cyber Risk Advisory
As a senior consultant in BARR’s Cyber Risk Advisory practice, Disha Shah is responsible for planning and executing information technology audits and risk assessments for clients in various highly regulated industries.
Prior to joining BARR, Disha served as an associate in KPMG’s risk advisory practice. She holds a bachelor’s degree in accounting and management information systems from Northern Illinois University. Disha is quadrilingual and can communicate in English, Hindi, Gujarati, and Sanskrit.