Before you click away, let me tell you a story…

I went to a conference recently and got a few pens and a couple of Hershey’s chocolate minis. I put it in my pocket and went my merry way.

When I reached home, I pulled out the pens from my pocket only to find some brown stuff on one. My immediate thought was that it was the chocolate melted and leaked out onto the pen.

To test this theory, I licked it, and… let’s leave it at that for now.

I could have just smelt it, or not bother and wipe it off, but I chose to taste it instead.

I say this not to gross you out, but to say, that no matter how smart you may think you are, you do some really stupid things sometimes.

The same thing happens with emails with seductive subject lines. Or links that promises something good if you click it. Things that lead to only bad things for users, and your data.

You would think that incidents such as these would never happen?

After all, you’ve spent loads of time training users. You’ve handed out lots of information about being safe on-line. You’ve shared instances of breaches due to human error.

But they do.

We should know better. It should be an automatic feeling that clicking that link or opening that attachment is a bad idea.

But we do it anyway.

That is why I say that awareness training is part of an arsenal that you have to stave off malicious attacks. But there’s bound to be some human error sometime, and you have to be ready for that.

So you have to have proper and updated anti-virus and anti-malware software. You need to put in that next generation firewall protection on the corporate network, and more firewall protection on PCs. You must have properly functioning backup systems in place to protect your data.

Technology needs to get better. Law enforcement needs to be stronger.

You still need security awareness training, and if the human being was perfect, then awareness training may be all that was required to protect your data.

But we are not.

As for that brown stuff… it was chocolate. But what if it wasn’t?… EWWW!

Original article: Why we can't totally trust people with information security'">Stupid people and data security Why we can't totally trust people with information security

©2025 Interxect Services Limited. All Rights Reserved.

I recently was called in by a non-profit saying that there was an issue with their file server, and they suspected malicious intent by somebody on the inside.

After a short investigation, I found the issue was the CryptoLocker ransomware. The malware encrypted all the files in the servers, which were shared via mapped drives.

I explained that it was not sabotage by anyone, but an unfortunate mistake by one of their users.

There was little I could do as they took too long to seek help. The time to get the files decrypted had passed and they couldn’t pay the money. Their only option was to restore from backups.

What is Ransomware

Ransomware is malicious software that when executed proceeds to extort money from you in some way. Examples of ransomware include:

• Fake antivirus scanners that claim to have found malware on your PC and demands money from you to clean them up. If you don’t pay it annoys you with pop-ups or may even prevent you from using your PC.
• Fake alerts that claim that your machine has been locked by federal police for illicit content on your PC and says that you need to pay a fine.
• Encrypting ransomware is the worst of the bunch. It encrypts certain files like files in your documents folder and on mapped drives, and then demands payment to decrypt it. CryptoLocker demands a payment of anywhere from US$500 to US$1500 in Bitcoin to decrypt your files. The use of Bitcoin makes the transaction difficult to trace.

You can remove the first two types using tools from reputable anti-virus makers and pose little risk other than a headache.

Encrypting ransomware like CryptoLocker, however, is the most dangerous. It uses public/private key encryption, which makes decryption impossible without the private key.

The ransomware scourge is truly frightening and I saw firsthand the effect it can have. Larger organisations may have the technology to reduce the risk, but how can smaller organisation do that?

Several organisations, when faced with the CryptoLocker malware, paid the ransom. This cost less than it would to restore from backups, which can takes days, and cost thousands more in downtime and overtime costs.

All authorities say that you should not pay the ransom, even for the CryptoLocker malware.

I agree.

Paying the ransom money only encourages these criminal organisations to continue their enterprise. It also goes towards financing the development of even worse tools.

Protecting your Business

So how can organisations protect themselves from this risk?

1. Use anti-virus software as a preliminary defence. AV software offers some level of protection from known attacks. Heuristic detection for unknown attacks is also getting better. But AV may still be ineffective against new versions of ransomware software, otherwise called zero-day software.
2. Be cautious of email, even from known people, asking you to open files or run software to view something. Scrutinise grammar and salutations. For example, if someone you know consistently calls you John, but the email addresses you as Jonathon, or Mr Smith, that should raise red flags. As a default, you should not open any files unless you are expecting it, or you call the person first to verify that it is legit.
3. Change your operating system preferences to show the entire file name, including extensions. This will help you determine if a file is an executable. Executable files have .exe or .com extensions. Malicious files often come with names such as document.pdf.exe, or spreadsheet.xls.com with icons that show up as a pdf or excel file. If you “hide extensions of known types” then the files will show up as document.pdf or spreadsheet.xls, making it difficult to identify it as a malicious file.
4. Heed warnings of anti-virus software or operating systems whenever you try to open a file. With user access control (UAC) on Microsoft Windows enabled, users are prompted if they want to run a particular application. Or an AV firewall may ask if you want to allow a particular file or application to access the internet. If you didn’t intend to run a file or application, then click no.
5. Configure your firewalls and antivirus to block email attachments with executable files if it is able to. There should be no reason for executable files to be sent to you via email. If someone has to send you an executable file, let them use ftp or a Dropbox link or similar, and then call the person to find out if they intended to send you those files.
6. Train your users to recognise threats. I admit that this is becoming increasingly difficult to do. I’ve seen some examples of malicious sites that were hard to discover as such. And I’m a security expert, far less a chance for the typical computer user to figure that out. However, awareness training for users helps reduce risks of those sites that they can identify, so it’s still worth doing.
7. Avoid mapped drives. This is hard for some organisations, but many malicious applications (not just Crypto Locker) scans all local drives, and will see the mapped drive as a local drive. If mapped drives are not used, then they can’t be attacked. This is not to say that another version of CryptoLocker won’t be released that will scan the network and enumerate files, but for now, eliminating mapped drives can mitigate the risk.
8. Use the principle of least privilege. This means that users are given the privileges to only do what they are required to do, and no more. This involves the creation of “whitelists” of what applications they can run. So if they accidentally try to run a malware nothing will happen.

Beyond these steps, there is little else any organisation can do. It’s up to the authorities to take down these criminal organisations, which are often on the other side of the globe.

The internet can be a dangerous place, but you can safely use it for personal and business benefit once you take the proper precautions.

Be safe out there.

Original article: 8 things you can do to protect yourself'">Protect your business from Ransomware 8 things you can do to protect yourself

©2025 Interxect Services Limited. All Rights Reserved.

I don’t consider big data the ‘new oil’, but it does have consequences – good and bad – for the future of society and business, so I thought I’d dedicate some time on the topic.

What is big data?

There is no standard definition of what big data is, but the general consensus is that big data should conform to the 3V’s:

• Volume – There is a large amount of information amounting to Terabytes, or Petabytes of data.
• Velocity – The data is not only coming in very quickly, but should also be processed very quickly too.
• Variety – the information is coming from several different data sources, often in differing formats.

There are other V’s that have been suggested, but these are the ones that I choose to stick with. It’s important to note, is that big data requires different tools than what has normally been used (such as relational databases) for analysis.

Big data has always been around, with companies having these large data warehouses and now wanted to figure out how to use them to their advantage. This is further complicated this time by the addition of new sources of data – mobile and smart devices.

The Opportunities

The greatest opportunity available from big data is possibility of solving many of the biggest problems we have in the world.

Present and historical medical data coupled with genome mapping can help us find solutions to diseases or genetic disorders. Environmental data can help us predict climate changes, and used to improve farming methods.

Businesses can use big data to help make better business decisions. Business may be better able to predict market conditions and how well a product is doing, and decide to scale up or scale down production. It may be able to find defects much faster within their production line. Big data has even helped make better hiring decisions.

Big data can help us fight crime by gathers intelligence and evidence against criminal activity. It may help us to also take a proactive approach to security threats by picking up trends that indicate illegal or terrorist activity.

At a social level, big data along with crowd sourcing can help solve everyday problems. Waze, for instance, uses data coming from thousands of mobile devices to better predict traffic and help choose the best driving routes.

The Threats

The main threat is privacy. Lots of these data are personally identifiable information (PII). While the data may not have your name exactly, with proper analytics, you can create an eerily accurate profile of someone with it.

When the NSA surveillance news was broken earlier this year, the NSA stated that only phone metadata was being recorded. Phone metadata has no names, but many people went on to show how that data can tell a lot more that you think.

Target was one of the first companies that used big data and data analytics for marketing; in particular, it used its data to determine if a customer was pregnant and then sent targeted marketing to that customer about baby products. There were many questions about ethics at that time, particularly, whether customers would be okay with Target knowing about their reproductive cycle. Nowadays, you can hardly find a large retailer not using any time of data analytics on their customer data.

And while Target and other retailers may have your data with your permission, what about cases where you have not explicitly given permission? Facebook’s tagging feature, for instance, allows a friend to either take a photo of you and tag you, or check in to a location, and tag you as being with them. While you may not even have your phone with you, your image, and location data is being stored and mined.

One of the greatest threats, which is now gaining greater recognition, is the threat of theft of data. Going back to Target, only this week, they announced that they were hacked, and that the accounts of about 40 million customers were compromised. While they concentrated on credit card information, who knows what else they got. What if this was a medical or insurance institution; would you be comfortable if your medical data was stolen?

The Verdict

Big data on its own is nothing; it’s what we do with it. We can use the data to help us solve the world’s problems, or use it instead to further greed and destruction. There are endless possibilities as to how big data can be used.

Considering the good that can come from analysing big data, it would be better to implement proper security and governance frameworks to ensure that only good things happen.

Original article: A look at the pros and cons of big data'">Big Data – Opportunities and Threats A look at the pros and cons of big data

©2025 Interxect Services Limited. All Rights Reserved.

While open source software offers many advantages, it does have some disadvantages. In this article I will look at the arguments put against OSS. The intent is to not dissuade you from using OSS, but rather to inform you of the risks.

1. It’s sometimes not easy to implement

Usually, OSS is characteristically uneasy to implement. You find that mostly techies are the ones who would take the time to figure out how to install and implement an open source application. While the user interface may be easy to use, the back-end management is a pain.

Some have attributed this to the conflict of interest with OSS creators. These creators offer paid services that cater to the installation and support for the application, so it’s not in their best interest to make the installation easy.

Fortunately, there is often a large community to offer support, if you are willing to comb through forums and wait for answers to your questions. Or you can give in and pay for the installation and support services.

2. It’s not always the highest quality software

There are indeed some high quality OSS around, for example, Firefox, Open Office and PostgreSQL; however, these are the exception, not the rule. A vast majority of the OSS is poorly built, incomplete, dormant or poorly supported. This is caused my multiple issues such as a disorganised developer community, lack of incentives, or poor skills.

This may not be a problem if you plan to develop the software for your own use, and you have much of the capability in-house or contracted. But if you don’t then many OSS may not be worth the hassle.

3. A high skill set is required for modification

While a certain set of skills is required to install some OSS in the first place, there is another whole set required to make modifications, if that is what you plan to do. Programmers and applications developers, database designers and User Interface/User Experience (UI/UX) developers are the types of people required to produce really world-class applications, even if it’s just internally. You may need to have such a team in-house or contract it out, but you’re looking at a large human resources pool.

Now this is to produce world-class applications; if you want to have mediocre software, then you will be able to get away with much less.

4. OSS licensing is sometimes complicated

Is the OSS licensed as GPL, MPL, EPL, Apache, BSD…? You get the idea. There are lots of open source licenses out there, and this list is just the tip of the iceberg.

Each OSS license has its own nuances and requirements. One may require that all modified software be released as source code, another many may not, while another may not allow any derivative code at all.

Let’s not forget attacks on OSS by other commercial software makers about licensing and patent issues, such as Microsoft and WordPress. This adds another layer of risk with any OSS and open source project.

As a precaution, you may want to have a legal person review any licenses if you intend to modify the code, especially if you want to monetise those modifications later on.

5. The Open-Source business model is not always conducive to a sustainable business operation

OSS is loved by many; however, much fewer love it enough to pay for it. It takes a lot of commitment for developers to stay with a project on a pseudo-voluntary basis. Much OSS with a lot of promise, and a fairly large community, has fallen by the wayside. Others, have strong corporate backing, but even that doesn’t mean that it’ll survive (does anyone remember Corel Linux? It was one of the better distros at the time). Even the future of well known software is unknown, for example, MySQL might not have a future since Oracle acquired Sun, the owners of MySQL.

If you want to implement OSS in business critical applications, then you better ensure that you have a way to keep the software maintained if the creators ever go silent.

Then, is it a good idea to use OSS?

I’m no proponent of the open source movement, who tends to treat open source as a religion. I see both the pros and cons of closed source and open source alike. However, even considering the many drawbacks of OSS, open source still has a big future ahead of it.

Different business models have evolved that have allowed some organisations to create a sustainable business creating and using open source, such as Red Hat Linux, Rapid 7 Metasploit and Nexpose and SugarCRM. These businesses have been very successful and profitable.

I’ve always said that businesses need to move from being consumers of IT to being innovators of IT. Open source allows business to develop some of those skills necessary without reinventing the wheel.

It’s time to step forward and start creating new technology.

Original article: Why businesses may choose to shy away from OSS'">5 Arguments against Open Source Software Why businesses may choose to shy away from OSS

©2025 Interxect Services Limited. All Rights Reserved.

The recently released “Understand the State of Data Security and Privacy” report found that 36% of data breaches were caused by inadvertent misuse of data and 35% were caused by malicious internal users. Last year, those figures were 27% and 12% respectively.

I usually take all of these figures here with a pinch of salt, but I do know from experience that enterprises take a lax attitude when it comes to internal security. The main issue in this case seems to be a lack of training in security awareness and policies. The report stated that 42% of the respondents had received training on how to remain secure at work, and only 57% said that they were aware of the security policies of the company. Educating users on how to approach computer use and to protect themselves from cyber-threats is necessary.

There has been voices denouncing the effectiveness of training users in computer security, such as here and here. But this is a fallacy and it supposes that the training is the be all and end all of IT security, but it’s really just intended to be another layer of defence. IT Security is about reducing risks, and that’s what user education is for.

Some advantages of user awareness education are:

• It helps users to be vigilant about computer use and possible security risks
• It can be a low effort, high impact way of protecting your data
• It may improve the relationship between users and IT if done right
• It can be transformative as users take the lessons to other facets of the organisation or even their lives

I won’t claim that user education is some sort of magic bullet, but it can be a useful weapon against data breaches.

There is another part of the Forrester report that is worth mentioning – that IT departments tend to think to tactical about IT security, choosing instead to focus on technology, such as anti-virus and data loss protection (DLP), to protect against inadvertent actions of users. Even security awareness training for users is a tactic all in itself. What companies need to have is a strategy for protecting their data.

The framework that Forrester defined seems like a good place to start, as it is similar to other frameworks I’ve seen and used. At a high level:

1. Classify your data and define which ones you wish to protect.
2. Determine how data is being used and what mechanisms are available to protect it.
3. Implement the protections.

Remember that your data is a valuable asset, if not the most valuable asset, to your organisation and you must protect it.

What do you think? Do you believe that your company will benefit from security awareness education, or do you think that money and effort is better spent elsewhere? Chime in below.

Original article: And you should not take them for granted!'">Humans are the Weakest Links in IT Security And you should not take them for granted!

©2025 Interxect Services Limited. All Rights Reserved.

I’m sure you’ve also seen it happen at the department level – power plays between employees. I’ve seen it before where staff members will not do certain tasks, see issues but will not resolve it, or worst, sabotage efforts of another to make them seem incompetent.

Such negative activities reduce the capability and productivity of the department. And in the IT department, it can be hazardous for your data, which can become pawns in this dangerous game of chess play.

So what can you do about it?

1. Do not get involved

Often the manager or team supervisor will get involved with the gossip and negativity with the intention of being “friends”, but this just adds fuel to the flames. Don’t do that! Nothing demoralises a department or business more than the leadership getting involved in the politics, even if done behind closed doors.

So what to do instead?

2. Listen and Be Open

When there is conflict or negativity, listen carefully to your staff and team. Do not interject or offer advice, no matter how much you want to. Get the person talking about what is going on. Why do they feel the way they do? What do they think cause it? What do they want to happen? What would they like the environment to feel like?

Do not judge. Just listen and take notes (after asking if it is okay to do so first).

3. Mirror and empathise

This is a very tricky area here. You do not want to make light of anyone’s issues, but also you do not want to agree that they are right (unless for sure they are). Instead empathise with the way they feel saying something, “and this whole situation has you feeling… angry? Disappointed?” or “I understand that you may be feeling frustrated”. The idea here is to let the other person feel felt.

4. Formulate an action plan

Once the person is talking and is open to dialog, formulate an action plan as to what needs to happen next. It might be tempting to bring the other person in, but I suggest that you talk to the other person in private first to get them open to dialog as well. Once that happens, then you can have both in the room with you as a mediator. Mediation is another skill that I will address in another article, but for now, know that it is something that may be required.

Ensure to set deadlines to when certain things are to happen so that there is not another issue of unmet expectations.

Issues addressed, what next?

Once major issues have been addresses and things have settled down, it may be beneficial to do the following.

Understand the informal organisational structure

Not all power and influence comes from position and job title. Many people have influence outside of position or may have the ears of people in high positions. There may be cliques and groups, and others who seem dead set to put one against another. By understanding these linkages, you will be in a better position to head-off potential problems.

Keep your ears to the ground

Listen out for grumblings among employees and staff, and be ready to address any rumour circulating before they become uncontrollable. In the absence of open dialogue, presumptions run wild. Keep friendships with people who are always in tune to the grape vine; this is usually the receptionist, but could also be admin staff.

Build relationships at all levels

By building relationships at all levels of the business, you can have greater resources at your disposal to address issues that come along. You can also learn from others how best to approach certain issues so you can benefit from that knowledge and handle the politics more effectively.
Learn to recognise and treat all peers and employees fairly.

You may never be able to eliminate office politics from the work environment, but you can work to minimise the negative effects. And if you can minimise office politics within the IT department, you have one less thing affecting your data to worry about.

Do you have a story to share about how you handled your internal politics? Or how do you feel about the advice that I’ve given? Please leave your comments below.

Be sure to sign up for our e-mail list where we plan to send out regular tips on how you can improve IT and your business along with it.

Original article: Here's what you can do about it...'">Office Politics can hurt your IT Here's what you can do about it...

©2025 Interxect Services Limited. All Rights Reserved.

I mentioned before that too much technology can be detrimental to your information security goals. In the insurance industry, there is something called moral hazard. Moral hazard is where an insured person takes more risks because the potential costs of such risks are taken care of by another party.

This also happens with IT security. Think about yourselves for a moment. You feel safer with anti-virus software and personal firewalls installed on your PC, and as such you may browse more “freely” on the Internet. Yes, your risks have decreased, but the additional risky behaviour – unsafe browsing in this case – may now increase your risk of being affected by malicious software.

I’ve seen this with many organisations. They’ve implemented some of the best security, but still have security breaches, by sometimes the simplest infections. This often causes them to doubt the effectiveness of the products and to then get more security products to address the perceived weaknesses. What had instead happened was the users had come to expect that they were protected from such risks. Even the IT department is sometimes lulled into a sense of security that they don’t consistently follow the required practices to keep their network secure.

So do you have a technology problem? Are you so dependent on technology that you have put yourself and your organisation at risk?

Consider the following statements:

• You think that technology is the only way that you can protect your information assets.
• You constantly purchase the newest and latest security technologies to protect your network without reviewing whether the risks they address are relevant to you, or have already been addressed.
• You have multiple technology tools that perform the same type of task, e.g. multiple anti-virus products, because “one may detect malware that the other didn’t pick up”.
• You are unaware of what your IT and business risks are and/or you cannot identify what your critical servers and services are.
• You think that as long as you are compliant to regulatory frameworks or standards your network is protected and your information is secure.
• You and your users expect technology to do it all for you.

If you’ve answered “true” to even a few of these statements, then you may have a technology problem. You should reassess your mindset and beliefs about information security before you have yourself, a moral hazard.

Original article: How more may be less!'">Is Your Data Security Technology a Moral Hazard? How more may be less!

©2025 Interxect Services Limited. All Rights Reserved.

A recent report by NCC Group found that many security appliances such as email gateways, firewalls, web content filters, terminal services, unified threat management (UTM) systems and other appliances were filled with vulnerabilities.

The report highlighted products from Sophos, Citrix, Pfsense, Symantec and Trend Micro showing that many had vulnerabilities such as:

• Cross-Site Scripting (XSS)
• SSH or WebUI susceptible to brute-force attacks
• Unpatched operating systems
• Privilege Escalation
• Command-Injection via the WebUI

Many users may feel that because these are security appliances that they must be inherently secure, but the report clearly shows that this is not the case.

Security appliances are not just a cause of concern, many other services now come in an appliance form-factor. Services such as IP Telephony PBXs, environmental management and network management come as appliances that you just drop and configure within your network. Also consider the many network devices that have mini operating systems within them such as environmental monitors, network printers or security systems. All of these are applications that need to be managed and secured.

While the risk that those vulnerabilities may be exploited by outside attackers may be small, simply because an appliance or device is not directly connected to the Internet does not mean that it is not at risk and that you should not make all attempts to secure it. Attacks can originate from the inside of the network, or in the case where a user PC may be compromised, allow a way for the attacker to gain even more control of your network.

To reduce the risks of these appliances and devices consider implementing the following:

• Change the non-default usernames and passwords on all appliances and devices. Use a strong password.
• Avoid exposing the management interfaces of these appliances and devices to the internet or other unprotected networks.
• Consider placing the management interfaces in a protected network behind a firewall within your internal network.
• Keep the operating systems and firmware of the appliances and devices updated.
• Ensure that logging is enabled on all the devices, and if possible, set up alerts to be sent for any login attempt.
• Disable unnecessary or insecure services on appliances such as telnet, http and ftp. Use encrypted protocols such as SSH, SFTP and HTTPS.

Here’s to a more secure future.

Original article: or you may find yourself becoming a victim of irony'">Ensure that you secure those security appliances or you may find yourself becoming a victim of irony

©2025 Interxect Services Limited. All Rights Reserved.

Zeus is a malicious software application (termed malware) that is designed to steal online credentials and other personally identifiable information (PII); it is geared to stealing banking credentials and information from users.

Zeus is a trojan, so it is disguised as something ‘safe’, and usually spread by links via email, comments on websites, and through social media, especially facebook.

SMBs are particularly attractive because they have more money than the average individual and often have lax security mechanisms in place to mitigate against malicious attacks. According to Symantec in its Internet Security Threat Report 2013, the largest growth area for targeted attacks in 2012 was with small businesses. As it says, “money stolen from a small business is as easy to spend as money stolen from a large business.”

Symantec had found in an earlier survey that many small businesses are not concerned about IT security and usually believe that the data that they have holds little value to attackers.  I have also had to educate some of my clients about the risks involved if their data, or even their servers, were stolen.

The Federation of Small Businesses in the UK reported that small businesses lose £785 million to cybercrime per year. The sad thing is that many a small business would go bankrupt if an attack was successful at draining their bank accounts.

Not only small businesses should be on the alert, but many small financial institutions, such as credit unions, should be aware of the threats and risks. Many of these institutions lack the resources and infrastructure of their larger counterparts and may be ill prepared for those attacks.

So what are some of the ways that small businesses can protect themselves.

1. Have up-to-date anti-virus, anti-spyware and anti-malware software installed and running.
2. Keep your PCs updated to all the latest software and security patches.
3. Use strong passwords on banking websites. If your bank offers a hardware security token, consider getting that service.
4. Train employees to recognise and avoid suspicious emails or links. Also keep an open environment that allows employees to report if they accidently click on a link; time is of the essence for these attacks.
5. If you have any suspicions about an email or message (such as snail mail) received that purports to be from your bankers, call them using the number from the phone book to verify the information. Do not use any numbers, email addresses or internet addresses from the message to contact them.
6. Use a computer account without administrative rights.
7. Always type in the internet address of the bank into your browser. Do not click any links within emails to access the online bank.
8. Limit access to computers that will be used to access online bank applications. Also limit the applications or sites that those computers will be allowed to access to limit exposure to malicious content.
9. If you can’t dedicate a computer to access online banking, then consider using a Live CD of an operating system to just access the online banking system.

For small financial institutions:

1. Make the required investments to secure your data and network.
2. Perform regular security assessments to identify and address risks.
3. Train your employees to become more aware of security risks and what they must do to reduce those risks.
4. Educate your customers as to what they can do to protect themselves.

Online banking is a huge timesaver for many a small business and with the right checks and balances can continue to be a safe way to manage your business’ finances.

Do you have any other tips that I should have mentioned? Feel free to add them to the comments below.

Original article: SMEs and Small Financial Institutions Beware'">Zeus Malware Reboot SMEs and Small Financial Institutions Beware

©2025 Interxect Services Limited. All Rights Reserved.

This is purely an issue of work ethic, and the business is hardly to blame for the actions of the employee, however, if any damages were to occur because of it, the business may have been held accountable for it. To the business’ credit, it had performed a security audit and was able to detect the act. But how many other businesses do not do the same? What other activities are taking place within your business that you are not aware of and has the potential to bring you heavy losses, both in reputation and finances?

Unethical behaviour in IT departments is of particular concern, as there is real potential of serious damage.

How can we prevent this?

The question remains how can businesses protect themselves from unethical behaviour such as this? I have pondered this for some time as many businesses use the NDA – Non-Disclosure Agreement – as a way to keep workers honest, but this still depends on ethics. You can act like “big brother” and monitor your employees’ every move, but that will just decrease morale. A regular and consistent audit may be the best way to capture these events, but this suffers from two disadvantages – it’s a costly recurring expense, and it captures incidents after the fact, when the damage is already done.

There is one thing you can try that I think is the best option.

Another Approach

The best way to approach this, in my opinion, is to try to prevent it from happening at all. We do this by maintaining a proper and open relationship with your employees.

Be approachable to employees and allow them speak openly about their concerns. Sincerely try to address their concerns and be honest about situations – if they can’t trust you, then they will have no qualms about betraying your trust.

Create a culture of ethical habits by setting the example for the employees to follow, such as giving recognition and credit where due, by not engaging in corrupt practices, or by not pushing the envelope of what might be ethical behaviour.

The Best Way?

Will this prevent bad behaviour from ever happening? No,  I seriously doubt that. Within everyone there is a bad and good side – yin and yang – and what you need to do is create an environment where it is easier to do good, and be good. Perhaps I’m being optimistic, but I’d rather be a wrong optimist than a right pessimist.

Original article: Can you stop this from happening in your business?'">Security audit finds dev OUTSOURCED his JOB to China to goof off at work Can you stop this from happening in your business?

©2025 Interxect Services Limited. All Rights Reserved.