November 2016 – Christmas ‘Presence’ – The Threat Within

Christmas can be an expensive time of the year, and with an uncertain financial climate a lot of people are feeling the pinch. This presents a security threat to companies, as people who are struggling to make ends meet may be tempted to consider illicit ways to get extra money.

Where’s the Threat?

While the following threats may be present throughout the year, companies often change their routines around the festive period and security measures may be neglected. It’s important to continue good security practice to prevent these threats from becoming incidents.

  • Company data may be at risk of disclosure, for instance from a call centre worker selling customer information to a competitor to give them a competitive advantage.
  • Malicious damage could be caused to systems and data.
  • Equipment may be stolen, along with any data contained within.
  • With online shopping increasing over the festive period, phishing emails may be harder to detect as people receive ‘PayPal’ notifications that they think are related to a purchase.
  • Temporary staff may not be subject to robust security checks.

In addition to these threats there is a greater vulnerability at this time of the year as people start to wind down for Christmas and staffing is reduced to minimal cover. An employee looking to steal or maliciously damage data or systems may find it easier to do so at Christmas than at other times of the year.

What can be done?

It is important to be aware of the risk and make plans to manage this. Consider the following:

  • If there is reduced cover over the Christmas period, key senior personnel should be included to ensure that activities are monitored.
  • HR and review processes should be utilised to identify individuals who pose a greater risk.
  • If there is an individual identified as posing a threat to the organisation, that individual should be monitored.
  • Temporary staff should be subject to the same security and background checks as permanent employees.
  • System controls can be implemented, such as ensuring all desktop machines are locked down and that USB ports/CD writers cannot be used unless specifically authorised by senior management.
  • Access to the internet can be restricted and email messages can have a maximum message size applied.
  • Segregation of duties should be considered, with approval points built into any system to make it harder for a sole individual to authorise activities.
  • Access control is crucial, ensuring access to the systems is the minimum required and account details are not shared.

Finally, provide employees with a timely reminder of security awareness through training, posters, meetings or emails to reinforce the message that security is everyone’s responsibility.