I hope you answered “No” to the question; otherwise, you could be in for a big surprise! Let me explain.
Companies spend far too little on protecting their sensitive data. Typically 10% of your total IT budget is allocated to digital security. That is barely enough to build and operate your defense mechanisms, and certainly not enough to implement the proper vigilance on odd behavior.
Unless you keep your money under the mattress, you trust your bank to keep your cash safe, right? Of course, they no longer keep a pile of notes in a vault, and most transactions consist of bits and bytes. Sometimes crooks get their hands on your assets, but the banks are good at discovering this and covering any losses. That’s not too difficult, because it’s pretty obvious that something has gone missing. Back at the office, you put your valuable information (like trade secrets or tomorrow’s quarterly results) in your company computer systems, safe in the knowledge that your servers and networks are managed by trusted professionals who are loyal employees of your firm. If something went missing, you would know immediately, wouldn’t you? But that’s the fundamental issue with cyber security – nothing goes missing, and everything is still exactly as you left it. There is no broken glass, no forced lock, and no evidence of an intrusion, so of course you do nothing. Meanwhile, the thief has copied the data and can exploit it or sell it without fear of being discovered.
But they are vetted for that role?
Of course, they are vetted. Sometimes by amateurs in your HR department, sometimes by professionals in third-party vetting companies, and sometimes by government agencies. But it doesn’t matter, because a one-time screening will not catch someone whose allegiance shifted away from his employer over time. Could your company re-screen its employees (and contractors) in these roles several times a year? I doubt many IT professionals would tolerate that sort of intrusion; they would go to work for a more reasonable employer.
So what should we do?
Beyond an integrated approach to cyber systems, process, and education for employees, a best practice also calls for a segregation of duties, where it would take at least two people in a position of trust to perpetrate fraud. The accounting profession has invested significantly in “Separation of Duties” because of the understood risks accumulated over hundreds of years of accounting practice. For example, many corporations found that an unexpectedly high proportion of their internal control issues came from IT, and so they insisted on the Separation of Duties for that aspect of their business. Separation of Duties is now becoming the norm in large IT organizations so that no single person is in a position to introduce fraudulent or malicious code or data without detection.
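To make the Separation of Duties principle concrete, here is an added example (not code from the original post) of a two-person change-control gate: a production change is only deployable when it carries approvals from two distinct people who hold the approver role, and the author can never approve their own work. The roster, role name, change identifiers and sample changes are all constructed for illustration; each policy violation is returned as a finding so it can be logged or forwarded to whatever monitoring you already run.

```python
"""Two-person change-control gate (constructed example).

Models the separation-of-duties principle: no single person in a
position of trust can push code or data into production without a
second trusted person signing off. Violations are returned as findings
rather than silently dropped, so they can be reviewed or alerted on.
"""
from dataclasses import dataclass, field


@dataclass
class Change:
    change_id: str          # constructed identifier, e.g. "CHG-1"
    author: str             # person who made the change
    approvers: list = field(default_factory=list)  # people who signed off


# Constructed roster of people who hold the approver role.
APPROVER_ROLE = {"alice", "bob", "carol"}

# Two distinct, authorised, non-author approvals are required.
REQUIRED_APPROVALS = 2


def check_separation_of_duties(change, approver_role=APPROVER_ROLE,
                               required=REQUIRED_APPROVALS):
    """Return a list of policy violations; an empty list means the change may proceed."""
    findings = []

    # Collapse duplicate sign-offs: one person approving twice still counts once.
    distinct = []
    for person in change.approvers:
        if person not in distinct:
            distinct.append(person)

    # Rule 1: the author may not approve their own change.
    if change.author in distinct:
        findings.append(f"{change.change_id}: author {change.author} approved their own change")

    # Rule 2: every approver must actually hold the approver role.
    for person in distinct:
        if person not in approver_role:
            findings.append(f"{change.change_id}: {person} is not in the approver role")

    # Rule 3: count only approvals that survive rules 1 and 2.
    valid = [p for p in distinct if p in approver_role and p != change.author]
    if len(valid) < required:
        findings.append(f"{change.change_id}: {len(valid)} valid approval(s), {required} required")

    return findings


def deployable(change, **kw):
    """True only when the change passes every separation-of-duties rule."""
    return not check_separation_of_duties(change, **kw)


def audit(changes):
    """Run the check over a batch; map each violating change id to its findings."""
    report = {}
    for change in changes:
        findings = check_separation_of_duties(change)
        if findings:
            report[change.change_id] = findings
    return report


# Constructed sample changes covering the compliant case and three failure modes.
SAMPLE_CHANGES = [
    Change("CHG-1", author="dave", approvers=["alice", "bob"]),      # compliant
    Change("CHG-2", author="alice", approvers=["alice", "bob"]),     # self-approval
    Change("CHG-3", author="dave", approvers=["alice", "alice"]),    # same person twice
    Change("CHG-4", author="dave", approvers=["alice", "mallory"]),  # approver outside the role
]

if __name__ == "__main__":
    for change in SAMPLE_CHANGES:
        status = "OK" if deployable(change) else check_separation_of_duties(change)
        print(change.change_id, status)
```

The three failure modes in the sample set are the ones a single insider typically relies on: approving their own change, padding the approval count with a repeated signature, or recruiting someone outside the trusted role. Wiring `audit()` into the deployment pipeline (or running it over a change log after the fact) turns the principle into a detectable control rather than a policy statement.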