- How many of your staff know why you have implemented internal control systems?
- Why do you require people to come early at work and sign in the attendance register?
- Why do you require staff to sign a form that makes them acknowledge having ‘received, read and understood’ respective policies and procedures?
- Why are visitors required to register at the reception their laptops model, serial number and color, if they visit your office carrying private laptops?
- Why are staff required to provide accountability for money when they return from a trip?
Any company that implements controls and fails to explain why the controls are necessary will experience a high risk of override of controls or deliberate non-compliance. Many staff will see the controls as unnecessary inconveniences.
On 18th July 2019, I visited one of the government offices. Two people I found on the queue had computers that they had removed from their backpacks. One of the men was furious as he was writing the serial number in the book. “You waste our time. I am late for the appointment and you are asking me to register my laptop serial number. Why do you need it?”
The security guard, a tall man, about 38 years, looked calm and just told them, that is the procedure. “If you want to go beyond this point with your computer, we have been instructed as a requirement for all people to register their computers. That is the order.”
And that is where the challenge comes.
Every control that is put in place has a reason. It is the responsibility of management to create awareness not just about the controls, but the justification for the controls as well.
Why register personal laptops at company receptions
One of the biggest threats to any organization is intellectual property theft, espionage, and data loss. The three main objectives of data security are
- confidentiality (prevent non-disclosure of confidential information),
- integrity (protect systems and data against unauthorized modifications and changes) and
- availability (keep the company systems and computers up and running i.e. avoid system downtime).
Data leakage or theft of confidential documents is one of the biggest threats that companies must avoid. More than before, the new law in Uganda, Data Privacy and Protection Act, 2019, puts more responsibility on ALL organizations to protect data.
One of the attack vector hackers or fraudsters or criminals use to steal confidential data is by physically stealing the computers that keep the data. Laptops, by their nature, are mobile devices which exposes them to risks of theft.
A story is told of a competitor who wanted to know the business secrets – source code and other similar intellectual property of the company like strategic plan and list of clients and partners. Five computers of the key people in the company of interest were profiled. The criminals approached one of the staff who was successfully compromised. Considering that the majority of staff offices do not have CCTV cameras, the criminals did what hackers call “footprinting and reconnaissance’ where they study the behavior of their target, understand their times of coming to the office and when they leave work. And the type of laptop they use.
How the scheme to steal intellectual property works
The criminals then bought the same laptop type and model exactly similar in color to the one of their target. So, during a normal working day, the compromised staff came to the office with the brand new laptop. Entered the office, exchanged the computer. He took the executive’s laptop with all formulas, source code, and intellectual property and left the new look-alike machine on the desk.
The following day when the executive returned, he found a new laptop. It was too late to activate security mechanisms and to track access controls and what could have happened.
The fix
To prevent such a scheme from ever happening again, the company instituted new controls. The first control was to require any visitor carrying a laptop MUST register it at the reception including the serial number, laptop type, and color – items which are unique to each laptop. The security guard is told the why of the control – to make sure that any staff or person taking out a laptop matches EXACTLY with the one they entered the office with – whether staff or visitors. That way, if someone is taking out a computer, they must have come with it as long as the serial details match. If not, the person cannot take the laptop.
If the company had told the security guards the why of registering laptops as a measure to prevent people from stealing company property, by coming with old used laptops, and exchanging with new company computers or bring new machines and exchange with servers or top management laptops which have a lot of intellectual materials and resources, everyone at the reception would be alert and on the lookout to prevent bad things from happening.
Next time you want to easily implement a control, start by explaining to all concerned the ‘why’ of the new control or policy.
Why is the best tool for organizational transformation? Use it.
Copyright Mustapha B Mugisa, 2019. All rights reserved.