With continuous innovation in technology, cyber-security is becoming a concern for many companies. One of the biggest risks facing companies in this era is advanced persistent threats. Companies, organizations and government agencies are increasingly being hacked, representing a growing threat to companies’ information security. To manage and mitigate cyber risk, companies are developing best practices, and the insurance market is developing coverage to limit the impact of breaches (Anderson & Rainie, 2010).
Separation of Duties
It is imperative that organizations implement policies to mitigate the threat of an insider taking part in an advanced persistent threat. Separation of duties is an important concept in internal controls, though sometimes difficult and costly to implement. The objective is achieved by allocating the tasks, and their associated privileges, for a specific security process to multiple people. Separation of duties in the IT organization is fundamental, and firms are mandated to apply it for regulatory purposes (Backhouse & Dhillon, 2000). As a result, IT organizations should place more emphasis on separation of duties in all their functions, especially security.
Separation of duties achieves two objectives in relation to security. First, it prevents conflicts of interest and the wrongful acts, errors, fraud and abuse that arise from them (Backhouse & Dhillon, 2000). The other very important objective is the detection of control failures, including information theft, security breaches and the bypassing or bending of security controls.
Organizations put up security controls to safeguard information systems from attacks against the integrity, confidentiality and availability of IT systems, networks and the data they use. These measures are put in place after assessing the risks relating to a security system. Implementing these security controls restricts the power or influence held by any one individual (Guttman & Swanson, 1996). Separating duties in the proper manner is designed to ensure that employees’ responsibilities do not conflict and that no one is responsible for reporting on themselves or on their own superior.
To avoid the problem of advanced persistent threats, the person responsible for designing and implementing security should not be the same individual responsible for testing security, nor should that person be responsible for conducting security audits, monitoring, or reporting on security. For the same reason, the reporting relationship should not be directly to the chief security officer. With duties separated in this way, fraud would require the collusion of two or more parties, thus reducing the likelihood of crime (Guttman & Swanson, 1996). Organizational structures should be designed in such a manner that no individual acting alone is able to compromise security. To ensure that security controls are not compromised, there are various options available to companies.
Rewards and Recognition
Rewards and recognition have been recognized as important tools in motivating and improving the performance of employees. Some rewards have a cost attached to them, while others are completely non-monetary. Those non-monetary rewards, whether formal or informal acknowledgment, are also very effective (Allen & Helms, 2002). Indeed, they are among the most vital components of job satisfaction, leading to motivation as well as employee retention. Since it is hard to pay people as much as they would like, organizations can instead give them more non-monetary rewards to motivate them.
These non-monetary rewards include opportunities for training, increased role in decision making, and assignment of more enjoyable job tasks. Non-monetary rewards are very motivating, since they help in building confidence and satisfaction among workers (Keller, 1999). Evidence shows that recognition and rewards are key factors in retaining top performing employees in a company (Jimenez, 1999).
For reward systems to produce the desired results, they should be closely aligned with organizational strategies (Allen & Helms, 2002). Research indicates that employees appreciate recognition when it comes from those they work for. Timely praise from managers and supervisors is also very motivating to workers. According to Allen and Helms (2002), it is important for managers and leaders to express appreciation regularly, as this encourages employees to reach strategic goals. This type of performance behavior is also likely to recur if employees are appreciated.
Providing workers with development opportunities, such as assigning them special duties, is a powerful form of non-monetary recognition. Being selected to work on a task team to achieve a company goal is motivating, since it gives a person an opportunity to acquire new skills and experiences and adds variety to an individual’s work (Jimenez, 1999). Such an opportunity also demonstrates trust in the abilities of the workers, which is important in building their confidence. Positive recognition by managers and peers effectively motivates a person’s job performance to a higher level (Keller, 1999). Personalizing non-monetary rewards is a creative way to reinforce positive behavior and improve employee performance and retention. These forms of recognition and reward are not costly, but are priceless once received.
Internal Audits
Internal auditing is a process and mechanism employed by organizations to ensure that budgeting is linked to the program of operations. This link eliminates the risk of acting on decisions based on flawed information and of mismanaging resources. Internal audits are very important to an organization, since they guide the implementation of budgets and policies. They are directed towards the economical, effective and efficient accomplishment of the entity’s initiatives (Torok & Patrick, 1997). Internal audits reflect whether an organization is adhering to laws and regulations, as well as to management policies. They are important tools in safeguarding assets and information and are key components in preventing and detecting fraud and errors. The process informs management about the quality of their accounting records and the production of reliable financial and management information (Craig & Philippe, 1993).
The wide variety of mechanisms reinforces the proper execution of budgets and policy decisions; ensures the appropriate use of resources; minimizes or entirely avoids fraud, waste and mismanagement; and ensures the timely and reliable availability and maintenance of information for decision making (Torok & Patrick, 1997). Audits are essential in managing any organization, and help in eliminating problems involving inadequate training and supervision of workers, lack of separation of duties, and incomplete or non-existent records and documents.
For an auditing strategy to be complete, it should be timely, well defined and effective in tracking the effectiveness of an entity’s defenses and in identifying any attempts to circumvent them (Craig & Philippe, 1993). The audit strategy should provide useful tracking of data on an organization’s most important resources, activities and potential risks. It is also increasingly expected to provide proof that IT operations are compliant with regulatory and corporate requirements.
Since computer systems are increasingly being used within organizations, audit standards should be improved to reflect this complex integration. These systems are applied in collecting, evaluating, reviewing and storing data (Sayle, 1997). Organizations are also incorporating computer systems to protect data and intellectual property. Additionally, the systems enable administrators to track, specify and identify the permissions that were used in accessing a particular object or security event.
Creating audit standards that are all-encompassing is difficult to achieve. Industry-specific audit standards make auditing easier and have allowed auditing to make remarkable strides from the dark ages (Sayle, 1997). Sector-specific standards are necessary, since some industries deal with specialized materials that undergo complex processes to make products. The generic specifications in all-encompassing audit standards can only be used in creating a quality management system to effectively address niche markets, such as edible products and pharmaceuticals.