Scanning the Security Horizon

Tue, 06 Feb 2018

Security priorities will vary from business to business, but there are common themes, and we can all learn from some of these calamitous failures.

Security is such a nebulous topic that it would be impossible to do justice to it in a single blog, but we can still touch on some common themes, and maybe even have a bit of fun in the process.

In this article I plan to:

  • Take you on a helicopter ride for a quick 360° scan of the security horizon.
  • Mention a few “epic fails” to illustrate what might be at stake when we get things seriously wrong.
  • Discuss how creative use of your business systems can contribute to security in ways you may not have considered, and where Orchid’s modules might have a role to play.

Any owner or operator who is serious about the success and longevity of their business needs to make security their business, no matter what business they are in. Security shouldn’t just be a list of tasks to delegate, or a set of boxes to tick. It should be embedded into IT systems and infrastructure for sure, but also incorporated into the corporate culture and day-to-day operations.

The Helicopter View

What do you think of when you think of security, in the context of your own business? I dare say the outlook will be quite different when viewed through the eyes of a baker versus a banker, a gun store versus a government, or a stockyard versus a stock exchange.

That said, if we fly our helicopter high enough, the horizons flatten out and some common features start to emerge. I’ll hypothesize that just about any security consideration could be squeezed into one or more of these three broad categories:

  1. Physical: Let’s take this to encompass everything from the lock on the office or warehouse door, to the physical assets, documents and inventory held within.
     
  2. Technical: This includes all that stuff we should be paying IT and network security experts to advise us on. Add to that the checks and balances in our business software that can give us early warning of threats much closer to home - more on that later!
     
  3. Cultural: This is where it gets personal. Where does the corporate culture sit on the continuum between blind trust, and Big Brother? What example do our leaders set, and how lax are our internal processes? Is there a culture where theft, fraud or other security breaches are not just possible, but perhaps even implicitly tolerated?

A Deeper Dive (and some crash landings)

Let’s expand a little on my three categories above, but also take a few diversions to see what can happen when things go seriously wrong.

Shame, or schadenfreude? Hilarity, or hubris? How we react to “epic fails” like those mentioned below will likely depend on how close we are to the epicentre of the disaster. Customer or shareholder, employee or executive, our perspectives will be very different. For those of us who run our own business, or are responsible for the security of someone else’s, a more appropriate response might be “There, but for the grace of God, go I.”

What we can be certain of is that for every disaster that makes the international headlines, there are countless others that fly beneath the media radar, but have just as devastating an effect on those directly involved. It might serve us all well to take a step back and ensure we have our own houses in order.

Physical Security:

  • Access: Do you know exactly who has access to your premises? Are you able to control, monitor and review all comings and goings? Are you sure that ex-employees or contractors who no longer need access no longer have access? Is it ‘access all areas’, or do you need to control not just ‘who goes there’, but ‘who goes where’?

Epic Fail 1: Buckingham Palace break-in, 1982. An oldie, but a goodie. Michael Fagan makes a mockery of palace security, on two separate occasions. He rests on the throne, gets a maid to bring a cigarette, and ends up visiting Queen Elizabeth in her bedroom.
  • Inventory: How certain are you of what inventory you hold, and its exact location? How tight is the control you exercise over all movements in and out, or relocations of stock?
     
  • Other Assets: Do you have a register of all your computer hardware and other valuable business assets? Do you know where they are at any time? Do you have a policy on who can take what on and off the premises? If so, how do you monitor and enforce it?
     
  • Documents: Do you store physical copies of documents? How do you locate, secure and control access to them? Do you have processes to securely dispose of them when no longer needed? Is the solution to move out of the physical realm, with all key documents digitized and securely stored, perhaps within the cloud?


Epic Fail 2: Cabinet Files scandal. Australia, 2018. A man buys 2 locked filing cabinets for $10 each at an ex-government furniture auction. They turn out to be packed with highly classified documents showing the internal deliberations at the highest level of successive Australian governments.

Technical Security:

  • Network Security: There are new external threats almost daily from malware etc. What about basic security steps, like password protection for PCs and critical applications, or virus protection on incoming emails? When’s the last time you had the experts in for a security audit?
     
  • Data Security & Privacy: An extension of the above, but your obligations take on a new dimension when protecting the personal data of your customers, suppliers or employees. And remember that not all security threats are external! Is personal data encrypted? Do only trusted individuals have access to it? What controls are in place?
     

Epic Fail 3: Coincheck theft, Japan, 2018: Coincheck, one of Japan’s largest digital currency exchanges, recently admitted to being hacked out of $534 million worth of the cryptocurrency, NEM, in the world’s biggest digital currency theft.
  • Data Integrity & Backups: Not all data losses have sinister root causes. Hardware failures and human error are just as likely, or more so. Do you have a well-considered and rigidly enforced backup, restoration, and disaster recovery plan? Have you tested it lately?
     
  • Fraud Detection: While a healthy security culture may be the best way to protect against internal fraud, clever checks and balances within our business systems can provide additional deterrence, as well as early detection. Read on.

Security Culture:

You can argue about whether fraud should be categorised as a security issue, but if the purpose of a business security regime is to mitigate financial or even existential risk, it fits the bill for me.

While we need to protect against external threats, the sad reality is that the main risks when it comes to business fraud are likely to be found inside the tent. Have a look at these sobering findings from the 2014 Global Fraud Study by the Association of Certified Fraud Examiners:

  • The typical organization loses 5% of revenues each year to fraud.
  • The smallest organizations tend to suffer disproportionately large losses from occupational fraud.
  • Perpetrators were most commonly working in accounting departments, followed by operations, sales, and executive/upper management.

Leadership by example and zero tolerance for dishonesty are taken as givens if you want to confront this head on, but there is also much that can be done in terms of policies and procedures to minimize risk. This Fraud Fact Sheet from the Australian Federal Police might be a useful checklist to start with.

For larger companies, the fact that senior executives figure disproportionately in the perpetrator rankings suggests that external or board oversight also has an important role to play.

Epic Fail 4: Enron Scandal, US, 2001: Texas giant Enron Corporation lived up to its “America’s Most Innovative Company” tag when the CEO and CFO found creative ways to keep huge debts off the balance sheet. It came unravelled big time, with Enron bankrupt, shareholders losing a cool $74 billion, Arthur Andersen going down with the ship, and lots of other collateral damage.

Where Sage 300 & Orchid can help

While an ERP system like Sage 300 won’t lock the office door behind you or scan your emails for viruses, there are many ways it can be used to add layers of security to your business. This is especially true when it comes to maintaining the integrity of financial transactions and inventory control, or adding basic user-level access controls.

With the judicious use of 3rd party add-ons, you have the potential to take this much further. Here are just a few ways that selected Sage 300 add-ons from Orchid Systems may be able to contribute.

  • EFT Processing
    • Reduce risk of cheque theft/fraud by no longer printing or mailing physical cheques.
    • Bank account details can be stored in an encrypted form. You control who has the authority to view or amend account details.
    • If you still need to produce physical cheques, EFT Processing can still help reduce the risk of cheque fraud by creating ‘Positive Pay’ files for participating banks. (Banks using Positive Pay will only honour presented cheques that match details in the files they have received.)
       
  • Inter Entity Transactions & Trade
    • Automatically generating accounting entries for complex transactions not only increases accuracy and productivity, but also removes opportunities for fraud by taking this out of the hands of individuals.
    • The resulting transparency and visibility across entities increases the chances of early detection for any anomalies, which in turn creates a deterrent for anyone contemplating fraud.
       
  • Process Scheduler
    • Automated scheduling of integrity checks, reports etc.
    • Automated scheduling of database dumps (backups)
    • Automated scheduling of custom Extender scripts for managing exceptions
       
  • Extender
    • Logging and alerting of changes to sensitive data
    • Custom alerting of exception transactions, based on parameters you define. E.g. suspicious AR or inventory write-offs, long overdue invoices.
    • Custom (field level) validation and security, plus segregation of duties. E.g. employees enter transactions, but only their supervisor can post.
    • Trigger external validations, e.g. check company details for new customers or vendors.
    • Use in conjunction with Process Scheduler to regularly check and report on exceptions.
       
  • Return Materials Authorizations, Bin Tracking
    • Improved visibility of inventory locations and movements means more transparency, fewer stock losses/leakage, reduced write-offs.
       
  • Notes, Document Management Link, Info-Explorer
    • Staff have access to context-sensitive information and documents when and where it's needed.
    • Greater transparency increases the chance that anomalies will be picked up early.
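To make the Extender and Process Scheduler bullets above concrete, here is an added illustration (not Orchid’s code, and not Extender’s actual API or data model) of the kind of scheduled exception pass they describe: a segregation-of-duties check (entry and posting by different people, and only a supervisor may post) plus alerts on oversized write-offs and long overdue invoices. The user names, thresholds, and sample transactions are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed rules and records; not Orchid Extender's API or data model.
SUPERVISORS = {"carol"}      # only these users may post transactions
WRITEOFF_LIMIT = 500.00      # AR/inventory write-off above this is flagged
OVERDUE_DAYS = 90            # an invoice older than this is "long overdue"
TODAY = date(2018, 2, 6)     # fixed run date so results are reproducible

@dataclass
class Txn:
    ref: str
    kind: str                    # "invoice" or "writeoff"
    amount: float
    entered_by: str
    posted_by: Optional[str]     # None while still unposted
    due: Optional[date] = None   # invoices only

def check_segregation(t: Txn) -> List[str]:
    """Segregation of duties: different people enter and post; the poster is a supervisor."""
    issues = []
    if t.posted_by is None:
        return issues                       # unposted: nothing to check yet
    if t.posted_by == t.entered_by:
        issues.append(f"{t.ref}: entered and posted by the same user {t.entered_by}")
    if t.posted_by not in SUPERVISORS:
        issues.append(f"{t.ref}: posted by non-supervisor {t.posted_by}")
    return issues

def check_exceptions(t: Txn, today: date = TODAY) -> List[str]:
    # Exception transactions: oversized write-offs and long overdue invoices.
    issues = []
    if t.kind == "writeoff" and t.amount > WRITEOFF_LIMIT:
        issues.append(f"{t.ref}: write-off {t.amount:.2f} exceeds limit {WRITEOFF_LIMIT:.2f}")
    if t.kind == "invoice" and t.due is not None:
        age = (today - t.due).days
        if age > OVERDUE_DAYS:
            issues.append(f"{t.ref}: invoice {age} days overdue")
    return issues

def run_checks(txns: List[Txn], today: date = TODAY) -> List[str]:
    # The scheduled pass: collect every alert for the day's transactions.
    return [a for t in txns for a in check_segregation(t) + check_exceptions(t, today)]

SAMPLE = [  # constructed sample transactions
    Txn("INV-001", "invoice", 1200.0, "alice", "carol", date(2017, 9, 1)),
    Txn("INV-002", "invoice", 300.0, "bob", "carol", date(2018, 1, 20)),
    Txn("WO-001", "writeoff", 950.0, "bob", "bob"),
    Txn("WO-002", "writeoff", 40.0, "alice", None),
]
```

Running `run_checks(SAMPLE)` produces four alerts: the 158-day-old invoice, and three for the write-off that one user both entered and posted without supervisor authority and above the limit.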

About the Author:

David Lacey is Communications Manager at Orchid Systems. Before joining Orchid he spent 15 years working on IT projects in the Banking and Stock Exchange industries, followed by 20 years at Telstra Corporation, Australia’s largest Telco.
