Are your employees your biggest threat to internal security?

In protecting a business, it seems instinctual that one would set the alarm and lock the door when leaving. However, when it comes to valuable client information, an alarm system is not enough. Today, the greatest threat to a company’s security is already on the inside.

According to Deloitte’s annual security survey, the most significant risk to a company is its people. Intentional or accidental, because of human error or someone capitalizing on it, many organizations are closer to a breach in network security than they know. This is part of a growing phenomenon known as social engineering, which is the art of exploiting human error in order to gain access to buildings, servers or data.

For professionals such as accountants and lawyers, the consequences of such a security breach can be devastating.

From sensitive financial documents to social insurance numbers to proprietary client information, all of this can be stolen in an instant, putting clients at risk and a company’s reputation on the line.

A walk past desks in an office may reveal several security violations. These include:

  • Passwords on a sticky note: Posting a password for all to see is like posting a PIN in plain sight. A password can provide access not only to personal files and contacts but also to the company server. Avoid obvious hiding spots in and around the desk.
  • Work documents lying around: Documents may contain sensitive or private information, and the bottom of a document may also show its UNC (universal naming convention) path, which can reveal server names, folder structure, etc.
  • Applications left open on a computer: It takes seconds for someone to get in and access the same information that an employee can access.
  • Unsecured laptops/computers: Regardless of whether the computer is password protected, if it is not locked down to the desk, it can be stolen easily, allowing the thief to attack at leisure from home.
  • Wireless network open for others to use: Having a security key for the wireless network is not enough. It can be cracked depending on the level of encryption.

In a large office, these mistakes can be devastating because anyone can walk in and pretend to be a delivery person or a supervisor and gain access to passwords and confidential data right off of someone’s desk. Many of these risks can be easily avoided with proper precautions.

A common phrase in the IT industry is that “security is a moving target.” This is apt and, as such, your approach to mitigating the risks must also be ever evolving.

Security measures to protect your systems, your data and your clients’ data must be a layered approach, combining robust security technologies (properly suited and configured for your environment and kept up to date), strict policies governing your employees’ conduct and standard operating procedures, and continuing and structured education for staff regarding risk recognition and mitigation.

Some points to consider are as follows:

  • There is no “one size fits all” in IT security. All types of protection are equally necessary and equally important. Invest in firewalls, intrusion detection/prevention technology, anti-spam firewalls and anti-virus software. Technologies such as these create multiple “roadblocks” that aid in stopping intrusions and malicious code at multiple levels within the IT infrastructure.
  • Set the service identifier on a wireless network to not broadcast. Every wireless access point has an SSID, which is the public name of a wireless network. By setting it not to broadcast, it will be hidden and not come up as an option for others to click on as a wireless network.
  • Lock down unused network jacks/ports in all areas of the building to avoid unauthorized access to the physical network.
  • Consider a policy for telecommuting employees to ensure they are not downloading programs/software that can jeopardize the network security.
  • Ensure all employees have a password-protected screen saver and that they always log off from the computer when away from the desk. Computers should be set up to log off after a set time of inactivity.
  • Ensure all data, mobile devices, memory cards, etc. are not only password-protected but encrypted.
  • Institute and enforce password policies in the workplace to ensure staff do not leave passwords in the office space and do not use easy-to-guess phrases, such as their name or address. Ensure that passwords are changed on a regular basis.

In order to determine the potential security issues in a workplace, consider performing a risk analysis. This will help to identify how effective the security measures are and whether employees are adhering to the policies and procedures in place.

This remains a challenging activity as technology changes so rapidly, but there are tools and methodologies that can assist IT professionals in minimizing risk to an acceptable level. The steps involved are:

  • Understand the risks/threats that exist “out there.” These would include environmental threats, such as earthquakes, floods and power outages, and human threats, intentional or unintentional, such as errors or virus infections.
  • Understand the organization’s vulnerability (i.e. the flaws or weaknesses of the software or operating systems being used).
  • Determine the likelihood of being impacted by any of the risks discovered, and the scale of that impact on the organization.
  • Implement necessary changes to manage or eliminate the identified risks.

To aid in identifying vulnerabilities, consider performing a penetration test, also known as ethical hacking, which attacks the network using known threats. Then compare internal documentation on operational or management controls in the area of IT security to known “best practices” (e.g. ISO 17799), and compare the actual practices against the company’s documented processes.

When considering the security of an office, it is imperative not only to worry about preventing people from physically entering the building but to ensure that the data and systems inside are protected from intruders.

Neglecting to do this will not only put security of sensitive client or company information at risk, it could ultimately compromise the company’s reputation.

Lawyers Weekly, 4/20/12 Douglas W. Grosfield, Cambridge, Ont.
