How hard is it to get robbed?
There are a number of software products that can help you protect your network from both internal and external attacks. Protecting the network with these tools is, relatively speaking, the easy part. The hard part is to design security policies and ensure these are followed by your employees.
The human element in security is always the tricky part. But how hard is it really for a malicious person to steal from an organization? Unfortunately, at times it is not hard at all. The story of the publishing company Conde Nast is a good example. It all started with Andy Surface, who registered a business called Quad Graph and opened a bank account in its name. Conde Nast used Quad/Graphics Inc for its printing. Andy then allegedly emailed Conde Nast, together with an EPA (Electronic Payment Authorization) form, asking it to start sending its payments to Quad Graph’s bank account instead. The person who received the email didn’t think there was anything amiss with it, processed the instructions, filled in the EPA and faxed it back to the number specified on the form.
This deception went unnoticed until Quad/Graphics complained that over a month had passed since it had last received a payment from Conde Nast. By then eight million dollars had been sent to the scammer.
Another interesting story is that of XYZ Corp. in Miami. An ex-employee of XYZ Corp., Jerry, abused his position in order to get paid for personal expenses. He had been in charge of settling, with the credit card company, the outstanding balances on company cards used by employees who had left the company without paying back what they owed.
To do this, Jerry paid for his personal expenses with his company credit card. At the end of the month, he would send accounts payable fictitious requests to cover fake balances for people who had left the company but had no real pending balance on their card, and he would ask that the checks be sent directly to him. He would then apply each check to his own credit card number, so that it in fact covered his own personal expenses rather than the fictitious balances he had fabricated. Using this scheme, Jerry made over $88,000. He would probably have got away with the scam had he not been greedy: after he left the company he wanted one last payout and tried to get reimbursed for a conference he had booked but not paid for before leaving.
In both cases, the perpetrator did not have to employ complex network attacks or go to great lengths to scam the companies – very little effort was needed. These scams were possible because of inadequate security policies. If the companies had had policies requiring separation of duties and proper validation, such attacks would most likely not have been possible!
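The two controls the article says would have stopped both scams can be written down as checks. The following is an added illustration, not code from the article or from either company: a toy model of a vendor bank-detail change and of a departed-employee card-balance payout, where the requester, verifier and approver must be distinct people, a bank change is only confirmed by calling a number already on file, and a balance payout must match the card issuer's own statement and go to the issuer. All vendor, phone and balance records are constructed.

```python
from dataclasses import dataclass

# Constructed vendor master record: the phone number on file is the only
# number a verifier is allowed to call; numbers supplied in a request are ignored.
VENDOR_MASTER = {
    "Quad/Graphics Inc": {"account": "ACCT-ORIGINAL", "phone_on_file": "+1-555-0100"},
}
# Constructed issuer statement: the real outstanding balances of departed employees.
ISSUER_BALANCES = {"departed-employee-1": 0.0, "departed-employee-2": 412.50}

@dataclass
class ChangeRequest:
    vendor: str
    new_account: str
    requested_by: str          # who submitted the change, e.g. "email:unknown"
    callback_number_used: str  # the number the verifier actually dialed
    verified_by: str
    approved_by: str

def validate_bank_change(req):
    """Return (ok, reason) for a request to change a vendor's bank details."""
    master = VENDOR_MASTER.get(req.vendor)
    if master is None:
        return False, "unknown vendor"
    # Separation of duties: three distinct people must touch the change.
    if len({req.requested_by, req.verified_by, req.approved_by}) < 3:
        return False, "separation of duties violated"
    # Validation: confirm with the vendor via the contact already on file.
    if req.callback_number_used != master["phone_on_file"]:
        return False, "callback not made to number on file"
    return True, "ok"

@dataclass
class BalancePayout:
    employee_id: str
    amount: float
    payee: str          # must be the card issuer, never an individual
    requested_by: str
    approved_by: str

def validate_balance_payout(p):
    """Return (ok, reason) for a payout covering a departed employee's card balance."""
    if p.requested_by == p.approved_by:
        return False, "separation of duties violated"
    if p.payee != "card-issuer":
        return False, "payout must go to issuer, not an individual"
    # Validation: the amount must match the issuer's own statement.
    if abs(p.amount - ISSUER_BALANCES.get(p.employee_id, 0.0)) > 0.005:
        return False, "amount does not match issuer statement"
    return True, "ok"
```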
If people want something badly enough to try and take it, then they’re capable of doing anything, more so if they feel some kind of animosity toward their employer. It’s important to trust the people you put in charge of financial operations, but it is just as important to audit company activity regularly to detect any kind of peculiar behavior. Most companies don’t have to worry about people coming in with ski masks and guns demanding the petty cash, but somebody who processes transactions for the company has constant access to move money where they might see fit, and you don’t want to get caught losing your money this way.
That’s why security tools should be user-friendly and have intuitive interfaces. The effectiveness of software can be determined by how well it complements its users. But then again this is on an “as is” basis. Large multinational corporations have different applied systems compared to small and medium-sized enterprises.
Usually, SMEs have so much trust in each other. That’s why you seldom hear of cases of company breach in small companies with fewer than 20 employees. This is not the case with big corporations. They have a very complex system and most of the time they’re too bureaucratic.
The issue here is not trust, it’s security. We should keep them apart because the two don’t apply to the same system. It does not mean that if you trust someone, your organization is safe. This is one of the biggest mistakes a company makes – completely disregarding security protocols because of trust.
All these stories illustrate that even the most sophisticated software and hardware can’t protect you against con artists – external and internal. Unfortunately, even the strictest and most precise business rules that are in place to prevent such misdeeds are easy to hack and hard to catch.
Tools are meant to help enforce policy. No tool is going to detect a con artist dealing with a sales person via the phone.
However, let’s say you have a policy that states that no portable storage is allowed; if you have software enforcing that policy and a con artist convinces someone with access to copy a confidential document for them, that software will stop the con artist.
There has to be a balance between the two.
But you’re right, software alone will not do the trick – you need to think about the risks and use software as a means to secure against that risk.