Blog

Tales of Business “Insecurity” – Part 1

David Anderson is principal of David Anderson & Associates, a Philadelphia forensic accounting firm that provides a full range of fraud investigation, forensic accounting, and marital dissolution services in Philadelphia and the Delaware Valley.

Many businesses implement a wide range of policies and procedures to protect their property, assets, and data.  However, according to forensic accounting expert David Anderson of David Anderson & Associates, a Certified Fraud Examiner in Philadelphia, even the best of policies and procedures are ineffective if employees don’t adhere to them.  The following is Part 1 of a two-part series featuring examples of security failures Anderson has observed in his work:

When Security Badges Aren’t Effective:

Many businesses require employees to wear a security badge and “swipe” it to gain access to facilities.  In one case, a just-fired employee returned to the company that had fired him and waited by the security access door. Other employees who had seen him around (and didn’t know he had been fired), held the door open for him (not noticing he didn’t have a security badge).  He then entered the building, proceeded to pull out a hammer, and vandalized several desktop computers until he was stopped by security officers.

In another case, Anderson said he was visiting the IT department of a large Philadelphia business to conduct an evaluation of its IT controls.  He was standing outside the secure data center when an employee with a large cart full of equipment swiped his security badge to enter the data center.  The employee was struggling to hold the door open for his cart and, seeing Anderson, asked him if he would hold the door (neither Anderson nor the employee had seen each other before, and Anderson was wearing a visitor badge).  Anderson helped and continued to hold the door open until the employee entered the data center and out of view. Anderson, now in center himself, went over to one of the terminals, and, if he had been malicious or interested in stealing data, he said he easily could have entered the necessary commands to do so.

When Terminals or Desktop Computers Aren’t “Secure:”

When conducting an IT security evaluation, Anderson wandered into the accounting department of another large Philadelphia business.  He observed an employee tell another he was going to lunch, and then watched him get on the elevator and leave.  Anderson walked over to the now-empty cubicle and noticed the just-departed employee had not logged out of the company’s accounting system.  Anderson said he sat down at the vacant desk and proceeded to access the accounts payable and general ledger applications.  No one challenged him, he said, or even appeared to notice he was there.  Again, had he wanted to, Anderson said he could have caused major damage to the company’s accounting system.

When Confidential Records Aren’t Secure:

When Anderson was a junior auditor (before the days of electronic medical records), his first assignment was on the audit of a large hospital.   One of his assignments was to make sure that selected patient records had been properly entered into the hospital’s accounting system (to facilitate billing).  He said he was unable to locate one patient’s file, and after investigation, learned it was because the patient was still in the hospital (and the records were at the nurse’s station on one of the patient floors).  He said he went up to that floor, and requested the patient’s chart (He said he was not wearing a badge and didn’t identify himself, but was dressed in a business suit).  The nurse handed the requested documents to Anderson, saying, “Here’s the chart, doctor.”

Taking Secured Data Files Home to an Unsecured Computer:

At one medium-sized company, Anderson was called in to investigate when their system became infected with a rather nasty virus.  It turned out the Controller had taken certain budget files home (on a thumb drive) to work on over a holiday weekend.  Unbeknownst to him, his high school son had been using the same family computer, and had unknowingly downloaded a virus.  When the Controller used the computer, the virus was transferred to his thumb drive and then to the company’s system.  What made this worse was that the Controller was responsible for updating the virus protection for the company’s system, but had failed to download three years of updates.

Becoming Victimized by E-Mail Spoofs:

Hackers had obtained confidential names, addresses, social security numbers and other salary information of the employees of a small subsidiary of a larger Philadelphia company.  Anderson said his investigation determined the company’s systems had not been penetrated, but instead, the Accounting Manager of the subsidiary had been victimized by an e-mail spoof.  She had received an e-mail, purportedly from the parent company’s Controller, informing her there was a problem with the subsidiary’s W-2 forms, and requesting she prepare and send to him an Excel spreadsheet of the subsidiary’s W-2 information, allegedly so the home office “can correct the problem.” The local Controller failed to notice the requesting e-mail came from an e-mail address that was similar to but not the same as the corporate Controller’s actual e-mail address.  She prepared the requested spreadsheet and attached the spreadsheet as she replied to the original “spoofed” e-mail.

In each of the above cases, employee failure to adhere to the established policies and procedures resulted in security lapses.  Next week, Anderson will continue with more examples of such failures, and offer some tips for avoiding them.

If you want to learn how a Certified Fraud Examiner from an experienced firm that provides forensic accounting services in Philadelphia and the Delaware Valley can help you steer clear of such security issues, please contact the Philadelphia forensic accounting firm of David Anderson & Associates by calling David Anderson at 267-207-3597 or emailing him at david@davidandersonassociates.com.

About David Anderson & Associates

David Anderson & Associates is a Philadelphia forensic accounting firm that provides a full range of forensic accounting services in Philadelphia and the Delaware Valley.  The experienced professionals at David Anderson & Associates provide forensic accounting, business valuation, fraud investigation, fraud deterrence, litigation support, economic damage analysis, business consulting and outsourced CFO services.  Company principal David Anderson is a forensic accounting expert who has more than 30 years of experience in financial and operational leadership positions and is a Certified Public Accountant, a Certified Fraud Examiner and a Certified Valuation Analyst.