You have a thriving business that you are proud of. Maybe you have found the secret formula to serve up a product or service and make the most of a demanding market in your area. Whatever it is that makes your organization work, that secret ingredient to your special sauce, that is something of incredibly high value. Not just to you, but also to your competitors or anyone else who would like to break into your niche.
One would be remiss not to be concerned about the potential theft of their trade secrets. Corporate espionage isn’t just for large companies. Successful small businesses all have their own unique way of doing things that makes them stand out from all the rest. In business, you cannot rely on your reputation and good looks as the only things to make you successful. You must offer something that people want but aren’t getting somewhere else. There must be something original about your way of conducting business. If customers can get it somewhere else, they will.
What do you have to lose?
Trade secrets aren’t the only thing worth stealing, though. Companies handle all sorts of valuable assets such as personal information about their customers, company finances, and even administrative credentials to the organization’s computers and other IT resources. These are all things worth stealing.
While it might be tempting to fear the unknown outsider who might want to steal from you, a significant amount of fraud and espionage involves insiders: an organization’s own employees. Whether your employees are unwitting accomplices or malicious actors, as many as 49% of security professionals are more concerned about their own employees than they are about outsiders, and 87% say their organization’s employees bend rules and put their organizations at risk. Take, for example, the recent event where an employee at Southern Oregon University unwittingly assisted a malicious actor in stealing $1.9 million that was intended for an expansion contract on the small campus.
Common insider fraud threats
Entrepreneur recently published an article addressing the five most common types of fraud that affect businesses. Payroll fraud, cash theft, online banking, false invoicing, and invoice email were all identified as being of serious concern to businesses, large and small. The article notes that in small businesses that report having experienced fraud, the median loss was $150k.
It is important to understand that most of these threats require the participation of at least one insider. Employees trusted with handling sensitive financial matters, and people who have access to financial systems but shouldn’t, are the very people who enable these costly crimes to take place.
Preventing loss
Fraud and other forms of theft are especially difficult challenges to address for small businesses. They are a challenge for any organization, but small businesses usually do not have the financial and personnel resources needed to manage full-fledged security programs that would address these sorts of activities. There are, however, a few simple practices that can greatly reduce the likelihood of insider events.
Separation of duties
If any single person has enough access to critical resources that they can single-handedly control the fate of those resources, your organization is at risk of that person deciding to use it for their own benefit and to the detriment of the organization. Separation of duties is a method of limiting the power held by any single person so that it would require collusion between two or more employees in order for fraud or significant theft to take place.
In implementing this practice in your organization, the goal is to divide decision-making, transactional, and administrative authority among multiple people. Each person can only affect part of the process. In IT this could mean that one administrator manages your desktops, while another manages the servers. For financial matters, one person might manage the financial obligations, while another approves disbursement of funds.
Least privileged principle
Another area of concern and opportunity for fraud and abuse by employees is when their IT privileges extend beyond their responsibilities. A systems administrator who has access to your accounting and payroll software has the potential to meddle in your finances. Alternatively, a finance manager whose computer account allows them to make changes and install software could introduce unauthorized or even malicious software to your network.
The principle of least privileged user states that no single person, or “user”, should have more access and privileges than what is absolutely necessary to perform their duties. This means restricting non-administrative personnel to having only “user” type accounts. It means controlling access to applications and systems so that only those whose job it is to use them have access.
Even administrators do not perform administrative duties 100% of the time. The least privileged user principle states that administrators should have two accounts: one with administrative rights for performing administrative functions, and another with only user-level rights for everything else.
Role-based access control
A technical method of controlling access to systems that can help to implement both the least privileged principle and separation of duties is role-based access control. This involves creating roles or security groups either on each individual computer or in your directory service, if you have one. Each role is used to grant access to resources or various levels of permissions.
Some ways roles can be used to limit and control access:
- Grant administrative rights
- Control access to a network directory
- Limit access to some applications
- Limit who is able to download files from the Internet
When you have defined your roles and created the security groups, you can easily grant or remove access to your individual user accounts by adding that role to their account. An added benefit is that the roles themselves can be updated to support changes in the organization, affecting all users assigned to that role without having to modify each account individually.
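The three practices above (separation of duties, the least privileged user with a separate administrative account, and role-based access control) fit together in one small policy model. The following is an added example, not code from the original article: a minimal role-based access-control engine in which users get only the union of their roles' permissions, mutually exclusive role pairs prevent one account from both creating an invoice and approving its payment, and an administrator keeps a day-to-day account with no admin rights. All role names, permissions, account names and amounts are constructed for illustration.

```python
"""Added example (not from the original article): a minimal role-based
access-control (RBAC) model that enforces least privilege and separation
of duties. Every role, permission, account name and amount below is a
constructed, illustrative value."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Each role grants a fixed permission set. A user's effective permissions
# are the union of their roles' permissions and nothing more (least privilege).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "staff":            {"read_shared_drive"},
    "finance_clerk":    {"read_shared_drive", "read_ledger", "create_invoice"},
    "finance_approver": {"read_shared_drive", "read_ledger", "approve_payment"},
    "desktop_admin":    {"install_software", "reset_user_password"},
    "server_admin":     {"manage_servers", "manage_backups"},
}

# Separation of duties: one account may never hold both roles of a pair,
# so creating an invoice and approving its payment always needs two people.
EXCLUSIVE_ROLE_PAIRS = [
    ("finance_clerk", "finance_approver"),
    ("desktop_admin", "server_admin"),
]


class PolicyViolation(Exception):
    """Raised when an action or role assignment would break policy."""


@dataclass
class Directory:
    """Accounts and their role assignments (a stand-in for a real directory)."""
    users: Dict[str, Set[str]] = field(default_factory=dict)

    def add_user(self, name: str, roles=()) -> None:
        self.users[name] = set()
        for role in roles:
            self.assign_role(name, role)

    def assign_role(self, name: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise KeyError(f"unknown role {role!r}")
        held = self.users[name]
        for a, b in EXCLUSIVE_ROLE_PAIRS:
            if (role == a and b in held) or (role == b and a in held):
                raise PolicyViolation(f"{name} may not hold both {a!r} and {b!r}")
        held.add(role)

    def revoke_role(self, name: str, role: str) -> None:
        self.users[name].discard(role)

    def permissions(self, name: str) -> Set[str]:
        # Editing a role's permission set changes every holder of that role at once.
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.users[name]))

    def is_allowed(self, name: str, permission: str) -> bool:
        return permission in self.permissions(name)


@dataclass
class Payment:
    amount: float
    created_by: str
    approved_by: Optional[str] = None


def create_payment(d: Directory, user: str, amount: float) -> Payment:
    if not d.is_allowed(user, "create_invoice"):
        raise PolicyViolation(f"{user} may not create invoices")
    return Payment(amount, user)


def approve_payment(d: Directory, user: str, payment: Payment) -> Payment:
    if not d.is_allowed(user, "approve_payment"):
        raise PolicyViolation(f"{user} may not approve payments")
    # Second line of defence: even if roles changed after the invoice was
    # created, the requester can never approve their own disbursement.
    if user == payment.created_by:
        raise PolicyViolation(f"{user} may not approve their own payment")
    payment.approved_by = user
    return payment


def build_demo_directory() -> Directory:
    """Constructed accounts: an admin with a separate everyday account,
    a finance clerk and a finance approver."""
    d = Directory()
    d.add_user("alice", ["staff"])               # everyday account, no admin rights
    d.add_user("alice-admin", ["server_admin"])  # used only for server work
    d.add_user("bob", ["finance_clerk"])
    d.add_user("carol", ["finance_approver"])
    return d


if __name__ == "__main__":
    d = build_demo_directory()
    print("alice can manage servers:", d.is_allowed("alice", "manage_servers"))
    print("alice-admin can manage servers:", d.is_allowed("alice-admin", "manage_servers"))
    p = create_payment(d, "bob", 1200.0)
    try:
        d.assign_role("bob", "finance_approver")
    except PolicyViolation as e:
        print("blocked:", e)
    print("approved by:", approve_payment(d, "carol", p).approved_by)
```

Two checks guard the payment approval on purpose: the role pair makes it impossible for one account to hold both the clerk and approver roles at the same time, and the requester check in `approve_payment` still blocks self-approval if someone's roles are changed after they submitted an invoice. In a real deployment the `Directory` class would be replaced by your operating system's local groups or your directory service's security groups, but the policy decisions (which roles exist, which pairs are exclusive, which account an administrator uses for everyday work) are the same.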