Security Officer Goes Postal

By Bill Kennedy - The Toronto Globe and Mail newspaper had this article about a city of San Francisco computer engineer who changed the security passwords on his employer's system. The system still works, but nobody can get in to set up new users, change passwords, etc. The man, Terry Childs, is languishing in a local jail with bail set at $5,000,000.

As an accountant, should you care? I do. The accounting system I run is a major user of the computer network. A network security issue is a financial security risk.

My first thought was: breakdown in controls, i.e. segregation of incompatible duties. There should be more than one person with the system password. But then I thought, wait, what if the control system was in place? What if Childs just let himself in late one night, as he would typically do to apply new security patches, and changed the password? If he were in charge of security, it would be quite a normal thing for him to do. The difference is that he didn't notify the other security administration staff of the change.

My next thought was how to design a security system so that this couldn't happen. You would need at least two passwords, neither of which could change the other. Then there would have to be two independent security officers, etc. I checked with the security officer on our system. He said that we have three system administrators, each with a separate admin login and password. Even if one of them changed the password on all three admin accounts, it's still possible to unlock the admin password. Thank you, Microsoft!

But design is only half the issue. Even though our system could recover from a rogue security officer, that doesn't mean that he/she couldn't do a significant amount of damage. Control systems only go so far. They cannot protect you from human feelings and weaknesses. If your security officer does not feel that he/she is part of the team, then you have a major risk regardless of how well your system is designed.

So, who is to blame, the employee or the employer? The newspaper article doesn't shed much light on why Childs was so disgruntled that he would put himself and the whole city of San Francisco at risk, but my experience leads me to point the finger squarely at both. Putting Childs in jail will not correct the problem. Management needs to find out what the problem is and take positive steps to listen to employee concerns, and employees need to find a constructive way to air their grievances. In his own passive-aggressive way, Childs has become the most outspoken of the disgruntled employees, but I'll bet you 10 pounds of Ghirardelli chocolate he's not the only one.

P.S. A note on security: one of my clients was doing an upgrade and I saw him logging in as "Bob". I told him that for this work he had to log in as Admin. He just smiled and said the Administrator account actually had no system privileges. It was there as a decoy for hackers. The real power was in the Bob account. Lesson learned.

This blog

by Bill Kennedy, CA.IT, PMP - With over 25 years of accounting experience, Bill has a varied background in accounting management and accounting systems implementation, with a focus on the charitable sector. He is also an experienced volunteer board member and fundraiser.
