Companies look inward
The first priority should be evaluating data management, data-leakage prevention and activity monitoring tools that can flag unusual usage patterns. Before such tools go live, IT personnel should analyze normal operations to establish a baseline of typical employee activity; without that baseline there is nothing to compare suspicious activity against.
Employees should have only the access and authority their current job requires, and that access should be re-examined whenever their role changes. Also, require at least two weeks of consecutive (block) leave for employees who have client contacts, giving reviewers time to examine those employees' accounts and activities for anomalies while they are away.
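The baseline-then-review approach described in the two paragraphs above, as an added illustration that is not part of the original article or of any KPMG tool: a small Python script builds a per-user profile (daily action counts and the shares each user normally touches) from a baseline period, then flags later days whose volume exceeds the baseline, first-time access to a share, and, as an additional assumed check tied to the block-leave recommendation, any activity on an account whose owner is supposed to be on leave. The log format, user names, paths, dates and the leave schedule are all constructed for the example.

```python
from collections import defaultdict
from datetime import date, datetime
from statistics import mean, pstdev

# Constructed sample log (fabricated for this example, not real records).
# One line per action: ISO timestamp, user, action, path, bytes.
SAMPLE_LOG = """\
2008-06-02T09:15:00 alice DOWNLOAD /shares/clients/acme.xls 120000
2008-06-02T10:02:00 alice DOWNLOAD /shares/clients/bolt.xls 98000
2008-06-02T11:40:00 bob DOWNLOAD /shares/eng/spec.doc 40000
2008-06-03T09:05:00 alice DOWNLOAD /shares/clients/acme.xls 121000
2008-06-03T14:12:00 alice DOWNLOAD /shares/clients/cory.xls 101000
2008-06-03T15:00:00 alice DOWNLOAD /shares/clients/dale.xls 87000
2008-06-03T16:30:00 bob DOWNLOAD /shares/eng/spec.doc 40000
2008-06-04T09:10:00 alice DOWNLOAD /shares/clients/acme.xls 121000
2008-06-04T09:50:00 alice DOWNLOAD /shares/clients/bolt.xls 98000
2008-06-04T13:00:00 bob DOWNLOAD /shares/eng/build.log 12000
2008-06-05T09:00:00 alice DOWNLOAD /shares/clients/acme.xls 121000
2008-06-05T09:20:00 alice DOWNLOAD /shares/clients/bolt.xls 98000
2008-06-05T09:40:00 alice DOWNLOAD /shares/clients/cory.xls 101000
2008-06-05T10:00:00 alice DOWNLOAD /shares/clients/dale.xls 87000
2008-06-05T10:20:00 alice DOWNLOAD /shares/clients/earl.xls 93000
2008-06-05T10:40:00 alice DOWNLOAD /shares/clients/fern.xls 77000
2008-06-05T10:55:00 alice DOWNLOAD /shares/clients/gale.xls 81000
2008-06-05T11:10:00 alice DOWNLOAD /shares/clients/hank.xls 79000
2008-06-05T11:30:00 alice DOWNLOAD /shares/hr/salaries.xls 55000
2008-06-05T12:00:00 bob DOWNLOAD /shares/eng/spec.doc 40000
"""

# Assumed for the example: days before CUTOFF are the "learn normal activity" period,
# and bob is on mandatory block leave from 5 June, so his account should be idle.
CUTOFF = date(2008, 6, 5)
LEAVE = {"bob": (date(2008, 6, 5), date(2008, 6, 19))}


def parse(log_text):
    """Parse 'timestamp user action path bytes' lines into dicts (blank lines skipped)."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path, size = line.split()
        records.append({"day": datetime.fromisoformat(ts).date(), "user": user,
                        "action": action, "path": path, "bytes": int(size)})
    return records


def top_dir(path, depth=2):
    """Coarse location key: '/shares/clients/acme.xls' -> '/shares/clients'."""
    return "/" + "/".join(path.strip("/").split("/")[:depth])


def build_baseline(records, cutoff):
    """Per-user profile from records before cutoff: daily-count mean/sd and shares seen."""
    daily = defaultdict(lambda: defaultdict(int))
    dirs = defaultdict(set)
    for r in records:
        if r["day"] < cutoff:
            daily[r["user"]][r["day"]] += 1
            dirs[r["user"]].add(top_dir(r["path"]))
    return {user: {"mean": mean(per_day.values()), "sd": pstdev(per_day.values()),
                   "dirs": dirs[user]} for user, per_day in daily.items()}


def review(records, baseline, cutoff, leave=None, sigma=3.0, min_margin=2):
    """Return (user, day, reason) alerts for activity on or after cutoff."""
    leave = leave or {}
    by_user_day = defaultdict(list)
    for r in records:
        if r["day"] >= cutoff:
            by_user_day[(r["user"], r["day"])].append(r)
    alerts = []
    for (user, day), recs in sorted(by_user_day.items()):
        prof = baseline.get(user)
        if prof is None:
            alerts.append((user, day, "no baseline: user never seen in baseline period"))
            continue
        # 1. Volume: beyond mean + sigma*sd, with an absolute margin so a user whose
        #    baseline variance is ~0 is not flagged for a single extra action.
        threshold = max(prof["mean"] + sigma * prof["sd"], prof["mean"] + min_margin)
        if len(recs) > threshold:
            alerts.append((user, day, f"{len(recs)} actions vs baseline threshold {threshold:.1f}"))
        # 2. Location: a share the user never touched during the baseline period.
        for d in sorted({top_dir(r["path"]) for r in recs} - prof["dirs"]):
            alerts.append((user, day, f"first access to {d}"))
        # 3. Leave: the account is active while its owner is on mandatory leave.
        if user in leave and leave[user][0] <= day <= leave[user][1]:
            alerts.append((user, day, "account active during mandatory leave"))
    return alerts


def run_example():
    """Build the baseline from the constructed log and review the remaining day."""
    records = parse(SAMPLE_LOG)
    return review(records, build_baseline(records, CUTOFF), CUTOFF, leave=LEAVE)


if __name__ == "__main__":
    for user, day, reason in run_example():
        print(f"{day} {user}: {reason}")
```

On the constructed data this reports alice's 9 downloads against a threshold of about 4.3, her first access to `/shares/hr`, and bob's account being used on the first day of his leave. The absolute margin (`min_margin`) matters in practice: many users have nearly constant daily volume, and a pure standard-deviation rule would page reviewers on every small deviation.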
Give office-bound IT equipment such as desktops the same security protections as mobile laptops and BlackBerrys; a desktop on the internal network can move data out just as easily as a device that leaves the building.
Require regular password changes or more complex passwords; either is a simple and economical control. Bear in mind that password rules limit guessing and credential sharing, not misuse of an account by its legitimate owner, which is why the monitoring described above still matters.
Some residual risk always remains, so be prepared: how well an organization recovers from a breach depends heavily on how it reacts.
Preserve all data immediately. General Counsel should issue a document preservation (legal hold) notice covering all related paper, electronic and other media records.
Engage an independent law firm with industry experience in internal investigations and a thorough understanding of electronic data protection.
To keep the investigation's findings under privilege, legal counsel, rather than the company directly, should consider engaging a professional forensic firm with evidence-handling experience.
The business environment requires shoring up all controls to manage the risk of attacks from inside the organization. No defense is perfect, but a well-thought-out controls strategy with diligent supervision can help prevent, detect and respond to potentially harmful incidents in a way that makes recovery more likely.
Greg Bell is a principal in KPMG's IT advisory services practice. Teresa A. Pesce, a principal at KPMG, contributed to this piece.
From the September 2008 issue of SC Magazine.