With so much talk of cyber crime, hacktivism, cyber terrorism, massive data breaches through the Internet and other high-tech incidents, it’s easy to forget that to be successful, a compliance program shouldn’t be defined by what is covered in the mainstream media. Yes, criminals have added powerful, high-tech ways of stealing money and data to their arsenals, but don’t ever forget that they still rely on good old-fashioned criminal methods as well.
Consider, if you will, the case of a Silicon Valley software startup that called us, saying they had a data breach. When our team got onsite, we found out that, indeed, all of the data in their database server – which contained their entire program library – had been taken.
This was very evident, because the thieves had broken into their unoccupied office over a weekend, and literally stole the entire server. What was worse, they also stole the backup tapes, which happened to be the only way the company could recreate its work. They had stored them on top of the server, they told us, for convenience.
Looking around, we discovered that it wouldn’t take a master thief to have perpetrated the break-in. There was no alarm system. The front double doors were installed with a gap that permitted the lock to be bypassed with nothing more than a credit card or a piece of wire. All internal doors, except for the file server room, lacked any locks. The file server room had a lock on the door, but they admitted that on weekends they propped the server room door open to provide better temperature control.
The company didn’t survive the incident.
Perhaps this is an extreme example, but we find that compliance officers often seem blind to physical security issues that can turn into compliance nightmares. Can people gain uncontrolled entry into your offices? Are package delivery drivers or couriers stopped at a reception area, and are employees then required to come to reception to retrieve the delivery? How about vendors visiting your premises? Are they stopped at reception so that the employee they are visiting is notified and can confirm that they are expected? Are confidential documents containing either company proprietary information or sensitive customer or other personal information properly locked up when not in use?
Looking across hundreds of instances of compliance problems, we see example after example of cases in which physical security – if properly implemented – would have stopped or mitigated compliance problems.
In one case involving an online commerce company, a systems programmer figured out a way to repeatedly beat the system and steal a fortune. But it required him to enter a series of commands into a specific computer to implement the fraud. The programmer came into the office on a Sunday to pull off his scheme, and it worked like a charm. He stood to gain several million dollars. Unfortunately for him and his accomplices, reviews of the funds transfer made officials suspicious and they withheld payment. During the investigation, we used several physical security tools that were present and working, but had been ignored.
To enter the premises, the rogue employee used a key card. We found out that any key card could open any door at all times. To get the log to determine who had been in the office, we literally were handed the manual for the security system and told to help ourselves. No one at the victimized company had ever created a report. Similarly, when we saw security cameras, we asked for access to the recorded images, and discovered that no one actually knew the password for the camera system. It was maintained by a vendor, and they had never used it for any active purpose.
All of this sounds simple – maintaining effective physical security as part of an overall corporate security function – but without oversight, even the best security program can fail.
As a compliance officer, what can you do to keep the physical security aspects of your controls working properly? The simple answer is to show an interest and let managers know you’re paying attention to physical security as well as other aspects of the control and compliance environment.
When was the last time you met with your physical security manager? If you are not getting together on a quarterly basis to review incidents and problems and recommended changes, how can you know whether the system is operating properly? If tests aren’t run regularly, how can you assure the security systems work?
It is easy to spot potential security issues that are not being addressed. For example, if you walk through the office during off-hours, is sensitive material locked up or lying around on employees’ desks? Are there sufficient shredders or security trash containers for sensitive but unneeded records, and are they locked and regularly put to good use? Is there any form of clean-desk or locked-door policy, and who enforces it?
If you can see problems and know that there is no simple mechanism for addressing them, it’s pretty strong evidence that there are physical security risks that should be mitigated, and the best way to do so is with a watchful eye. Proper management oversight of physical security is the only means of assuring effectiveness in your company’s compliance program.
Alan E. Brill is senior managing director of Kroll Advisory Solutions.