By Ettiene Retief, Chairperson of the National Tax and SARS Stakeholders Committees at the South African Institute of Professional Accountants
When it comes to cyber-crime, companies are most focused on the external threat from hackers. But given that business is largely digitised these days, and that fraud is so frequently an inside job, cybersecurity must include a strong inward focus.
The target for cyber-attacks, internal or external, is usually data. Data thus represents a considerable risk for all organisations, but particularly for professionals like accountants, lawyers, bankers and the like, who hold large amounts of highly sensitive client information. Recent high-profile data hacks, such as the HSBC Swiss leak, were the work of insiders, and it’s possible that the anonymous source of the so-called Panama Papers was an employee of the law firm concerned.
Internal Security Measures
So, while the external security measures like firewalls and other access control and tracking measures remain of greatest importance, companies need to take specific precautions to protect their data from internal threats. The following six principles will assist:
• Maintain segregation. As in the paper world, multiple officials must be involved in every transaction to create checks and balances. This can be problematic in smaller companies, which lack resources. Whenever one person has too much access, the risk is high.
• Educate staff. At the most basic level, this means ensuring they understand what constitutes a strong password, and how to safeguard passwords. Enforcing regular password changes is advisable. Staff should also be educated about what to look out for, and what the correct company security protocols are. Let us not forget that many Trojans or viruses infect networks and spread to other computers from a single source or entry point, which is not only the internet or e-mail attachments, but could be a USB drive an employee inserts into a work computer.
• Undertake a thorough risk analysis. Given that data is the target, it’s essential to understand what data you have, where it is, how and by whom it’s accessed, and what type of risk it represents for the company. As part of this analysis, it is necessary to understand what the regulatory requirements might be in terms of how the data is used, retained and disposed of (such as the Protection of Personal Information Act).
• Create a record. Use logs to track who is doing what with company data. That automatically creates a certain barrier for internal fraudsters, but it is also invaluable in tracing how any leak occurred, or in taking action against people who are not adhering to company policies.
• Be aware. Too often, particularly in smaller organisations, the owner or chief executive leaves financial affairs too much to the bookkeeper or accountant, or the payroll to the payroll administrator. Ensure that regular reporting and internal testing are done. For small businesses, hold a regular meeting at which the accountant takes the owner through the books and controls. The director(s) and managers need to know constantly what is happening in the business. Just the sense that an interested person is “keeping an eye” changes things.
• Adopt a zero-tolerance attitude, and follow through. All employees should be held to the company’s ethical code, and any transgression should have consequences. The bank employee who steals pens or toilet rolls is not a fit person to have in an environment where trust is critical, for example. By the same token, a mechanism for employees to report unethical conduct without fear of intimidation or other adverse consequences is necessary, and has proven to be successful.
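The "maintain segregation" principle can be checked mechanically rather than by inspection. The following is an added example, not code from the author or the Institute: it holds a small, constructed role-to-permission matrix for a finance system, a list of permission pairs that should never sit with one person (constructed for illustration), and reports every user whose combined roles give them such a pair. It also shows the two-person rule on an individual transaction. The role names, permission names and user assignments are all assumptions.

```python
"""Segregation-of-duties (SoD) check over a role/permission matrix.

Added example, not the article's own code. Roles, permissions, toxic pairs
and user assignments below are constructed for illustration.
"""

# Constructed: the permissions each role grants in a small finance system.
ROLE_PERMISSIONS = {
    "ap_clerk":      {"create_vendor", "enter_invoice"},
    "ap_approver":   {"approve_payment"},
    "payroll_admin": {"edit_payroll", "run_payroll"},
    "auditor":       {"view_ledger", "view_logs"},
    "sysadmin":      {"manage_users", "view_logs"},
}

# Constructed: permission pairs that together let one person complete a
# fraudulent transaction end to end (create the payee and pay it, etc.).
TOXIC_PAIRS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"edit_payroll", "run_payroll"}),
    frozenset({"manage_users", "approve_payment"}),
}


def effective_permissions(roles, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions granted by every role a user holds."""
    perms = set()
    for role in roles:
        perms |= role_permissions.get(role, set())
    return perms


def sod_conflicts(user_roles, role_permissions=ROLE_PERMISSIONS,
                  toxic_pairs=TOXIC_PAIRS):
    """Return {user: [sorted conflicting pair, ...]} for every user whose
    combined roles contain a toxic pair. Users with no conflict are omitted."""
    findings = {}
    for user, roles in user_roles.items():
        perms = effective_permissions(roles, role_permissions)
        hits = [tuple(sorted(pair)) for pair in toxic_pairs if pair <= perms]
        if hits:
            findings[user] = sorted(hits)
    return findings


def satisfies_two_person_rule(transaction):
    """A transaction must be entered and approved by different people."""
    return transaction["entered_by"] != transaction["approved_by"]


# Constructed user assignments. 'carol' reflects the small-firm situation the
# article describes, where one person ends up doing both entry and approval.
USER_ROLES = {
    "alice": ["ap_clerk"],
    "bob":   ["ap_approver"],
    "carol": ["ap_clerk", "ap_approver"],
    "dave":  ["payroll_admin"],
    "erin":  ["sysadmin", "auditor"],
}

if __name__ == "__main__":
    for user, hits in sod_conflicts(USER_ROLES).items():
        for a, b in hits:
            print(f"SoD conflict: {user} holds both {a!r} and {b!r}")
    tx = {"id": 17, "entered_by": "alice", "approved_by": "alice"}
    print("two-person rule ok:", satisfies_two_person_rule(tx))
```

Note that the check flags dave even though he holds a single role: the conflict lies in how the payroll_admin role was designed, not in how it was assigned. Running this over the real role matrix on every change to user access is a cheap way to catch the "one person has too much access" situation before a transaction goes through.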
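The "create a record" principle only pays off if someone actually reads the logs. The following added example (not code from the author or the Institute) parses a small, constructed data-access audit log and flags three insider-risk signals: access outside office hours, export actions, and one user touching an unusually large number of distinct client records. The log line format, user names, record paths, office-hours window and bulk threshold are all assumptions chosen for illustration.

```python
"""Review of a constructed data-access audit log for insider-risk signals.

Added example, not the article's own code. Assumed line format:
    <ISO-8601 timestamp> user=<id> action=<verb> record=<path>
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) record=(?P<record>\S+)$"
)

# Constructed sample log: two clerks working normally during the day, and one
# user pulling a run of client files late at night and then exporting one.
SAMPLE_LOG = """
2024-03-04T09:12:00 user=alice action=view record=client/1001
2024-03-04T09:40:00 user=alice action=view record=client/1002
2024-03-04T10:05:00 user=bob action=view record=client/1001
2024-03-04T22:15:00 user=carol action=view record=client/1001
2024-03-04T22:16:00 user=carol action=view record=client/1002
2024-03-04T22:16:30 user=carol action=view record=client/1003
2024-03-04T22:17:00 user=carol action=view record=client/1004
2024-03-04T22:18:00 user=carol action=view record=client/1005
2024-03-04T22:20:00 user=carol action=export record=client/1005
"""


def parse_log(text):
    """Parse audit lines into dicts; a malformed line is an error, not ignored,
    because a gap in the record is itself something to investigate."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable audit line: {line!r}")
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def review(events, bulk_threshold=5, office_hours=(8, 18)):
    """Return a list of (user, signal, detail) findings.

    bulk_threshold and office_hours are assumed values; tune them to the
    organisation's normal working pattern."""
    findings = []
    distinct_records = defaultdict(set)
    start, end = office_hours
    for ev in events:
        distinct_records[ev["user"]].add(ev["record"])
        if not (start <= ev["ts"].hour < end):
            findings.append((ev["user"], "after_hours",
                             f"{ev['action']} {ev['record']} at {ev['ts'].isoformat()}"))
        if ev["action"] == "export":
            findings.append((ev["user"], "export", ev["record"]))
    for user, records in distinct_records.items():
        if len(records) >= bulk_threshold:
            findings.append((user, "bulk_access",
                             f"{len(records)} distinct client records"))
    return findings


def signal_counts(findings):
    """Counter of signals per user, e.g. {('carol', 'export'): 1}."""
    return Counter((user, signal) for user, signal, _ in findings)


if __name__ == "__main__":
    for user, signal, detail in review(parse_log(SAMPLE_LOG)):
        print(f"{user:8} {signal:12} {detail}")
```

Two practical points follow from the article's own reasoning. The "barrier" effect only holds if staff know the log exists, and the "tracing" value only holds if the log is stored where the people it records cannot edit it, so write the records to a system the monitored users have no access to. Also, a bulk-access or export finding is a prompt for a question, not proof of wrongdoing; it is the regular review that matters.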