Security Awareness For Dummies - Ira Winkler - Page 45

Applying Accounting Practices to Security Awareness


A proper accounting program protects an organization from financial loss. Accountants study financial processes, determine where losses can occur, and design controls to prevent them.

In much the same way that safety scientists work out how a person ends up in a position where injury is possible and proactively try to remove that possibility, accountants put processes in place to proactively remove the opportunity for financial errors. This involves proactively tracking financial and tangible resources, and it means that every resource is categorized. This is why so many apparently annoying processes exist in many businesses.

Likewise, a person has to endure many processes when they’re in the middle of a financial transaction, and follow detailed operational guidelines for how transactions are to be performed. For example, when I travel and have to file an expense report, I have to meet specific requirements for the level of documentation required. In some cases, I can just ask for a flat amount for all meals. In other organizations, I have to categorize every expense I want to be reimbursed for and then provide a receipt for any charge. In one case, I left out the receipt for a $4.53 Frappuccino, and the complete expense report claiming more than $3,000 was rejected until I could find the receipt.

Though I of course cursed the accounting department, I recognize that they’re just following the rules. Those rules were put in place because of the long history of people submitting fraudulent expenses. Clearly in this case, the organization expended more in lost labor costs between my time to redo the expense report and the time spent by someone in the accounting department to review the report thoroughly — twice. However, the processes were put in place to prevent what could become a large amount of fraud in aggregate.

Similarly, time tracking is critical for paying employees inside organizations. If people don’t properly enter and certify hours worked, they may not be paid. Therefore, people enter their information accurately and on time.

Note how nobody argues about most accounting processes. Nobody argues that it’s unfair to withhold a user’s pay if they don’t complete the time card properly. Nobody argued on my behalf for my organization to pay my travel expenses without the required documentation. Essentially, these accounting practices are a must-do item, not a should-do item. When you want cybersecurity practices to be a must-do and enforceable, you can point to these examples: the organization already penalizes employees for not following other critical processes.

After the user has satisfied their business responsibilities, accountants then have review and audit processes in place to ensure that information is accurate, with no discrepancies. For example, I worked in a fast food restaurant where they tracked the number of servings of expensive foods. The restaurant served fried clams, and because the point-of-sale system could track every order, the store manager had to count the available servings at the beginning and end of the shift, and they had to ensure that sales matched the difference in available servings.

Though the clams were a specific example, all mature organizations track just about everything in and everything out. The accounting process exists to ensure proper tracking of financial resources. Some of it is to ensure proper financial reporting for taxes and investors. Accountants look for any deviation from expectations. The reasons for deviations don’t matter.

In cybersecurity, you have to apply these lessons: use behavioral analytics, review log files, and otherwise look for evidence of violations of security procedures. Though this is primarily an incident response function, reviewing this information can also tell you where user behaviors need to be improved.

Much like an accountant’s job is to identify deviations — whether the deviation is caused by error, accident, or malfeasance — when a user deviates from defined practices, the system should not care about the reason. The deviation should be identified and investigated. Your organization should detect an action regardless of motivation. For example, if a user attaches a sensitive file to an email, it should be stopped regardless of whether it’s an accident or the user has malicious intent.

Whenever a deviation occurs, the type of deviation drives the follow-up process. It’s possible that forms, such as an expense form, will simply be returned for revision. If something valuable appears to be missing, it might trigger an investigation. In extreme cases, there might be a need for forensic accountants to complete a detailed investigation.
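The two ideas above, detecting a deviation without asking why it happened and then letting the kind of deviation drive the follow-up, are what a log review looks like in practice. The following is an added example, not code from the book or its author: it runs two rules over a handful of constructed outbound-mail log lines. One rule flags a sensitive attachment sent to an external recipient, whether the send was a typo or a leak; the other flags a behavioral deviation, a first send to a domain the user has never used. The log format, the internal domain, the sensitivity labels, and each user’s historical recipient domains are all assumptions made for the example.

```python
import re

# Constructed sample log lines (not real data). The line format is an
# assumption for this example: timestamp, then key=value fields.
SAMPLE_LOG = """\
2024-03-01T09:12:03 user=alice to=bob@example.com attachment=q1-budget.xlsx label=confidential
2024-03-01T09:15:44 user=alice to=partner@vendor.example attachment=agenda.docx label=public
2024-03-01T10:02:10 user=carol to=carol.home@mail.example attachment=customer-list.csv label=restricted
2024-03-01T10:40:21 user=dave to=dave@example.com attachment=notes.txt label=internal
2024-03-01T11:05:09 user=alice to=me@mail.example attachment=q1-budget.xlsx label=confidential
2024-03-01T12:30:00 user=dave to=sales@newvendor.example attachment=quote.pdf label=public
"""

# Assumed policy inputs: the organization's own mail domain, the labels that
# must not leave it, and each user's historical recipient domains (a
# stand-in for a behavioral baseline that would be built from past logs).
INTERNAL_DOMAINS = {"example.com"}
SENSITIVE_LABELS = {"confidential", "restricted"}
KNOWN_DOMAINS = {
    "alice": {"example.com", "vendor.example"},
    "carol": {"example.com"},
    "dave": {"example.com"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) to=(?P<to>\S+) "
    r"attachment=(?P<file>\S+) label=(?P<label>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def recipient_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def find_deviations(events, known_domains):
    """Return one finding per event that breaks a rule.

    Like an accountant's variance check, the rules never ask why the
    deviation happened: a mistyped address and a deliberate leak produce
    the same finding. Motivation is for the follow-up, not the detector.
    """
    findings = []
    for ev in events:
        domain = recipient_domain(ev["to"])
        reasons = []
        if ev["label"] in SENSITIVE_LABELS and domain not in INTERNAL_DOMAINS:
            reasons.append("sensitive attachment to external recipient")
        if domain not in known_domains.get(ev["user"], set()):
            reasons.append(f"first send to domain {domain}")
        if reasons:
            findings.append({"ts": ev["ts"], "user": ev["user"],
                             "file": ev["file"], "reasons": reasons})
    return findings


def triage(finding):
    """Let the kind of deviation pick the follow-up, the way the kind of
    accounting discrepancy decides between returning a form and opening
    an investigation."""
    if any(r.startswith("sensitive attachment") for r in finding["reasons"]):
        return "block and investigate"
    return "review with user"


if __name__ == "__main__":
    for f in find_deviations(parse_log(SAMPLE_LOG), KNOWN_DOMAINS):
        print(f["ts"], f["user"], f["file"], triage(f), "|", "; ".join(f["reasons"]))
```

Run as a script, it reports carol and alice for sending labeled files to external addresses and dave for a first contact with a new vendor domain; the first two are routed to investigation and the last to a review, without any rule having tried to guess intent.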

