What do I mean by that? For one thing, I’ve read several industry security reports lately that all say that company employees are the largest single reason that networks are getting compromised. Many companies now have pretty good firewalls, so hackers are no longer trying to break directly into company networks. Instead they use techniques that get your employees to let them inside.
One of the primary new hacker tools is spoofed email. The attacker obtains the valid email address of somebody inside the company, then sends fake, malware-laden emails that appear to come from that person to others in the company. The hope is that somebody will open the message and download the infected attachment because it seems to come from a colleague. Forging the sender address is trivial: SMTP does not verify who a message claims to be from unless the receiving domain checks SPF, DKIM and DMARC, and many still don’t. Generally, once the attacker sees the pattern your addresses follow (first.last@company.com, for example), it’s not hard to guess other addresses inside the company.
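The check a mail gateway can make against this kind of spoofing, as an added example that is not part of the original post: a message whose From address claims to be internal is only trusted if our own gateway stamped an Authentication-Results header showing a DMARC pass, the envelope sender is checked against the claimed domain, and lookalike domains one or two characters away from ours are flagged. The domain names (`example.com`, `mx.example.com`) and the three sample messages are constructed for illustration, and the trusted authserv-id is an assumption about your own mail setup.

```python
"""Flag inbound mail whose claimed internal sender is not authenticated.

Added example, not code from the original post. Assumes the receiving MTA
stamps an RFC 8601 Authentication-Results header that we can trust, and that
copies of that header arriving from outside are identified by authserv-id.
"""
import email
import re
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"        # assumed: the company's own mail domain
TRUSTED_AUTHSERV_ID = "mx.example.com"  # assumed: authserv-id our gateway writes


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches examp1e.com vs example.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _dmarc_result(msg) -> str:
    """dmarc= verdict from the header OUR gateway stamped, else 'none'.
    A sender can add its own Authentication-Results line, so only the
    header whose authserv-id matches ours is believed."""
    for hdr in msg.get_all("Authentication-Results", []):
        hdr = str(hdr)
        if hdr.split(";", 1)[0].strip() != TRUSTED_AUTHSERV_ID:
            continue  # supplied by the sender, not by us
        m = re.search(r"\bdmarc=(\w+)", hdr)
        if m:
            return m.group(1).lower()
    return "none"


def check_message(raw: str) -> list[str]:
    """Return reasons the message looks like internal-sender spoofing
    (empty list means nothing suspicious was found)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    from_dom = _domain(from_addr)

    if from_dom == INTERNAL_DOMAIN:
        # Claims to be a colleague: insist on a DMARC pass from our own gateway
        verdict = _dmarc_result(msg)
        if verdict != "pass":
            findings.append(f"claims internal sender but dmarc={verdict}")
        if return_path and _domain(return_path) != INTERNAL_DOMAIN:
            findings.append(f"envelope sender domain {_domain(return_path)} is external")
    elif from_dom and _edit_distance(from_dom, INTERNAL_DOMAIN) <= 2:
        # Not our domain, but close enough to fool a reader skimming the address
        findings.append(f"lookalike sender domain {from_dom}")
    if reply_to and _domain(reply_to) != from_dom:
        findings.append(f"Reply-To domain {_domain(reply_to)} differs from From")
    return findings


# Constructed sample messages (not real traffic)
LEGIT = """\
Return-Path: <jane.doe@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Jane Doe" <jane.doe@example.com>
Subject: Q3 numbers

Attached.
"""

SPOOFED = """\
Return-Path: <bounce@mailer.invalid>
Authentication-Results: mail.example.com; dmarc=pass header.from=example.com
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.invalid; dkim=none; dmarc=fail header.from=example.com
From: "Jane Doe" <jane.doe@example.com>
Reply-To: <jane.doe@mail-example.invalid>
Subject: Invoice

Please open the attached invoice.
"""

LOOKALIKE = """\
Return-Path: <jane.doe@examp1e.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=none; dmarc=none
From: "Jane Doe" <jane.doe@examp1e.com>
Subject: Urgent

Call me.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoofed", SPOOFED), ("lookalike", LOOKALIKE)):
        print(name, check_message(raw) or "ok")
```

The forged first Authentication-Results line in the spoofed sample (authserv-id `mail.example.com`) is ignored because it does not match the id our gateway writes; in practice the gateway should also strip any such header that arrives from outside before stamping its own. Edit distance of two is a coarse lookalike test; a production filter would use a list of registered lookalike domains and check the display name against the employee directory as well.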
The other way hackers get in is the older technique of luring somebody inside the network to an infected web site. I just reported in a recent blog that Menlo Security tested the top million websites (by traffic volume) and found that 6% of them contained malware of some sort. Much of this malware is just tracking spyware that isn’t too harmful, but some of it is as dangerous as anything on the web.
Cisco said last year that malware delivered through web advertising is possibly the biggest new security threat. And malware is no longer confined to suspicious web sites; it turns up on very mainstream ones. This is due to the very odd system we have for getting advertising onto websites: the ads are served by third-party ad networks, not by the site you are visiting, and the site owner never reviews them. I discussed this in a blog earlier this year, and such malware is just as likely to come from a major news site as from someplace more suspicious.
The main defense against these kinds of problems is to talk about these issues continuously so that your employees stay aware of them. The interesting thing is that employees are far more likely to open or download a file from an infected email at work than they are at home. For some reason employees are not as cautious with suspicious emails at work as they are on their home computers. If something is spoofed to look like it came from somebody inside the company, they are likely to open it.
The other issue that brought this to mind recently is that I have several clients who have been the victims of embezzlement by employees. Of course, this is a crime that has been around forever and almost every time this happens people are shocked that it could happen to them. My first college degree is in accounting and I had several courses that dealt with these issues since it’s something that auditors are supposed to look for and uncover.
Accountants understand that there are two primary kinds of embezzlement. There is the loner who finds a way to write checks to themselves or to a bogus vendor they have created. This kind of embezzlement is almost always due to lax financial controls. If every check that is written must be approved by a second person who verifies that the payment is legitimate, it’s very hard for somebody to pull this off. Generally companies get into this kind of trouble when one person has the sole authority to write checks, or when people can somehow bypass the controls. Sadly, the temptation to steal is just too much for some people.
The other kind of embezzlement is a lot harder to catch and comes when a number of employees collude to commit fraud. In that situation they are often able to bypass even the best internal controls, because the controls assume the requester and the approver are independent. For instance, one employee can request a payment to a bogus vendor while an accomplice vouches that it’s legitimate. I remember a huge case of this when I worked at Southwestern Bell many years ago where a large group of employees at the company colluded to buy huge amounts of telecom cable and electronics and have it delivered to a fake company warehouse.
It’s a shame that we live in a world where you have to worry about these sorts of things, but it happens to a lot of companies at some point during their corporate life. Almost invariably the person who is stealing from the company seems like the least likely candidate and surprises everybody.
I didn’t write this blog to cause you to be suspicious of your employees or staff. But it never hurts once in a while to think about these things because, sadly, one of your biggest weaknesses really can be your employees. And that can really hurt.