David Anderson is principal of David Anderson & Associates, a Philadelphia forensic accounting firm that provides a full range of fraud investigation, forensic accounting, and marital dissolution services in Philadelphia and the Delaware Valley.

In this second of a two-part series, forensic accounting expert David Anderson of David Anderson & Associates, a Certified Fraud Examiner in Philadelphia, concludes his look at examples of security failures he has observed in his work.

As he noted last week, many businesses implement a wide range of policies and procedures to protect their property, assets, and data. However, even the best of policies and procedures are ineffective if employees don’t adhere to them. Here are several more such “tales:”

The unsecure data center: Anderson was engaged to evaluate the IT security controls at a medium-sized company based in North Carolina.  Their “secure” data center was an unlocked coat closet just off the lobby.  Besides having no air flow, which could have caused the servers to overheat, visitors could have easily entered the closet, and even walked off with the equipment.

Common user IDs and passwords: At the same company as above, each member of the accounting department accessed the company’s accounting system by entering “Accounting” as the user ID and “Accounting” as the password.  Although the company had experienced departmental turnover, including one individual who had embezzled funds, the company had never changed the common user ID and password.

Not changing locks and system access: At a medium-sized Philadelphia-area company, Anderson’s investigation of the IT and facility security controls noted that the firm issued employees an office key when they started their jobs, but never asked for the key back when the employee left.  Additionally, the company never deleted the user ID and password for these employees.

Although Anderson said he was able to persuade the company to remove system access for terminated employees, management did not want to incur the cost of changing locks and issuing new keys.  This problem was resolved several months later after a former employee, who had retained his key, entered the premises one weekend and stole computers and inventory.

Non-secret passwords: This is perhaps the most common “insecurity” Anderson said he has encountered. At many companies, he has seen passwords taped to the monitor, or tacked to a corkboard next to the computer, or taped to the desk underneath the user’s keyboard.  In several of the companies, the company itself was the cause of the “insecurity” because many employees accessed multiple systems which each required a new password every 60 days, and passwords could not be common across systems.

Executives who violate access rules: This is another “insecurity” Anderson said he has seen in multiple companies.  A busy executive provides his/her user ID and password to his/her administrative assistant/executive secretary to facilitate access to his/her e-mail and personal files.  Assuming the administrative assistant/executive secretary is a trusted employee, many companies do not consider this situation to be a problem, even though, as Anderson points out, it usually violates company IT security control procedures.

This situation becomes a problem when that trusted employee is out and must temporarily be replaced. For example, Anderson said he has seen such employees out on vacation, maternity leave, family medical leave, etc. This means one or more new employees – or even temporary employees – are granted access to the executive’s e-mail and personal files.  Now, because the executive does not want to change user IDs and passwords, no such change is made.  This means other employees or temporary employees could continue to access the executive’s e-mails and personal files.

In each of the above cases, the employee’s failure to adhere to the established policies and procedures resulted in security lapses. To avoid the “insecurity” failures Anderson detailed both in this last column and does so again this week, he makes the following recommendations:

• Engage an outside expert to review your company’s security/control policies and procedures to identify potential failure points and provide solutions.
  • For example, changing multiple passwords across multiple systems every 60 days is likely excessive. The expert can suggest alternatives, such as using the same password across multiple systems; increasing the number of days between password changes to 120 or 180 or even annually; or providing a password management tool.
• Ensure all employees are provided with, and acknowledge receipt of, company security/control policies and procedures.
• Conduct training on a regular basis, at least once a year, to remind to remind employees of the policies and procedures, and why they need to be followed.
• Encourage employees to follow the guideline “if you see something, say something” with regards to unauthorized visitors and employees who violate company policies and procedures.

If you want to learn how a Certified Fraud Examiner from an experienced firm that provides forensic accounting services in Philadelphia and the Delaware Valley can help you steer clear of such security issues, please contact the Philadelphia forensic accounting firm of David Anderson & Associates by calling David Anderson at 267-207-3597 or emailing him at david@davidandersonassociates.com.

About David Anderson & Associates

David Anderson & Associates is a Philadelphia forensic accounting firm that provides a full range of forensic accounting services in Philadelphia and the Delaware Valley.  The experienced professionals at David Anderson & Associates provide forensic accounting, business valuation, fraud investigation, fraud deterrence, litigation support, economic damage analysis, business consulting and outsourced CFO services.  Company principal David Anderson is a forensic accounting expert who has more than 30 years of experience in financial and operational leadership positions and is a Certified Public Accountant, a Certified Fraud Examiner, and a Certified Valuation Analyst.