IT is an integral part of most businesses nowadays, but many companies still don't do enough to secure their computer resources from criminals, many times ignoring even basic IT controls. Here are the most important things that you can do to help secure your company from becoming the next front page victim.
Published in Today Newspaper (Singapore) and The Nation (Thailand).

Companies love their IT, as it helps to provide convenience and efficiency for all operations. But IT is a double-edged sword: what many may not realize is that convenience for users also means convenience for those who would seek to steal from or damage the company.
No one is immune. Earlier last year Sony learned that the hard way when their PlayStation Network was hacked, losing over 12,000 credit card numbers, the wrath of consumers and regulators, losses of over $171 million and an unenviable loss of reputation.
Even Symantec, a company which develops security products such as Norton AntiVirus, recently had its servers hacked into and its code stolen and held for ransom. In the computer world, that is the equivalent of having your production facilities hijacked.
These cases are simply the tip of the iceberg: thousands of cases never reach the media and are quietly dealt with. In the age of state-sponsored hacking and immense reliance on technology, it has reached a point where it is only a matter of time before a company's IT systems and controls are compromised.
Unlike what Hollywood would have you believe, many of these IT-based frauds and hacks aren't difficult, and they can be halted by enforcing basic IT controls. Earlier in 2012, ING revealed that it had lost over $30 million due to insider fraud by a senior accountant. The perpetrator was no Matrix hacker: she simply used the user accounts of resigned employees to delete records of illegal transfers, or used them to make the transfers appear legitimate.
The good news is that there are steps that a company can take to avoid becoming the next front page victim.
Are Duties Segregated?
The first fundamental action is to schedule and perform regular IT audits. Such audits, performed by a competent practitioner, will help to identify control weaknesses in your IT environment.
One of the basic areas for audit is known as General IT Controls (GITC), which determine whether fundamental controls are in place and operating effectively. These cover wide areas of the company, looking to see whether a company is granting employees access to critical computer systems only with formal authorization, whether backups are being conducted, or whether there is segregation of duties within the computer systems.
Segregation of duties within IT systems is an essential but little-understood concept in Thailand at the moment. When business processes were mainly manual, it was easy to literally see whether an employee was performing two conflicting functions – for example, whether they were able to both create and approve their own purchase orders.
In a computer system, it is no longer as simple, as the right to create and approve purchase orders has become an obscure function in the computer, no longer as visible to business users. For example, in late 2011, a lack of segregation of duties and other controls allowed a rogue trader at UBS to conduct unauthorized trades, resulting in over $2 billion worth of losses.
An IT audit can also go straight into each business process and look at where IT controls should lie, which is especially important in companies where there is heavy reliance on IT, and where many controls can be easily and manually overridden. A very common area to look at is user access rights – for example, whether an accountant could access the payroll and give himself a raise, or put his uncle on the payroll.
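The two access-rights checks described above (conflicting entitlements such as creating and approving purchase orders, and accounts of resigned employees that are still active) are the kind of thing an auditor tests by joining a system's user-entitlement export against the HR leaver list. The following is an added example, not code from the article or from any audit firm; the user names, entitlement codes, HR records and conflict pairs are all constructed for illustration.

```python
"""Segregation-of-duties (SoD) and stale-account check of the kind a
General IT Controls audit performs. All data below is constructed."""
from datetime import date

# Constructed export of which entitlements each ERP account holds.
ENTITLEMENTS = {
    "alice": {"PO_CREATE", "PO_APPROVE"},                    # creates and approves her own POs
    "bob":   {"PO_CREATE"},
    "carol": {"PAYROLL_VIEW", "PAYROLL_EDIT", "AP_PAYMENT"},  # edits payroll and releases payments
    "dave":  {"GL_POST"},                                    # account of someone who has resigned
    "erin":  {"PAYROLL_VIEW"},
    "frank": {"PO_APPROVE"},                                 # no HR record at all: an orphan account
}

# Constructed HR status for the person behind each account.
HR_STATUS = {
    "alice": {"employed": True,  "termination_date": None},
    "bob":   {"employed": True,  "termination_date": None},
    "carol": {"employed": True,  "termination_date": None},
    "dave":  {"employed": False, "termination_date": date(2011, 11, 30)},
    "erin":  {"employed": True,  "termination_date": None},
    # "frank" deliberately absent.
}

# Entitlement pairs that conflict: one person holding both sides can
# initiate and approve (or alter and pay) with no second pair of eyes.
CONFLICTS = {
    ("PO_CREATE", "PO_APPROVE"): "create and approve own purchase orders",
    ("PAYROLL_EDIT", "AP_PAYMENT"): "change payroll and release payments",
}


def sod_conflicts(entitlements, conflicts=CONFLICTS):
    """Return (user, description) for every account holding both halves of a conflicting pair."""
    findings = []
    for user, rights in sorted(entitlements.items()):
        for (first, second), description in conflicts.items():
            if first in rights and second in rights:
                findings.append((user, description))
    return findings


def stale_accounts(entitlements, hr_status):
    """Return (user, reason) for accounts whose owner has left or has no HR record."""
    findings = []
    for user in sorted(entitlements):
        record = hr_status.get(user)
        if record is None:
            findings.append((user, "no HR record"))
        elif not record["employed"]:
            left = record["termination_date"]
            findings.append((user, f"left {left.isoformat()}" if left else "left"))
    return findings


def audit_report(entitlements=ENTITLEMENTS, hr_status=HR_STATUS):
    """Bundle both checks into one result an auditor can file as findings."""
    return {
        "sod": sod_conflicts(entitlements),
        "stale": stale_accounts(entitlements, hr_status),
    }


if __name__ == "__main__":
    report = audit_report()
    for user, what in report["sod"]:
        print(f"SoD conflict: {user} can {what}")
    for user, why in report["stale"]:
        print(f"Stale account: {user} ({why}) still holds entitlements")
```

In a real audit the two dictionaries would come from the ERP's user-role export and the HR system's employee list; the point of the script is that both checks are simple set comparisons once the data is joined, which is why they are a routine part of General IT Controls testing rather than anything requiring specialist tooling.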
The Hacking Test
A more intensive but complementary method of looking at whether IT systems are secure is to hack them. Especially in companies where information and data are their competitive advantage, you will find that many employ ethical hackers who will try to compromise their own computer systems using the same tools and methods that a malicious hacker would. No system is completely secure, and the resultant report helps to identify the security weaknesses and how to fix them.
Another major consideration is to determine whether your organization is required to comply with governmental or other regulations.
PCI-DSS (Payment Card Industry-Data Security Standard) is an example of one which is being aggressively pushed in Thailand at the moment. Issued by Visa, it is designed to prevent credit card fraud and loss of customer information. In the event of non-compliance, Visa can fine the organization a large sum of money.
Although Visa has not yet chosen to focus on merchant compliance in Thailand, it is only a matter of time before it does. If your company has any credit card terminals, the requirement for a PCI-DSS audit may soon arrive at your doorstep.
From a governance perspective, the development of IT audit capabilities and the audit programme should be a part of Internal Audit and sponsored by the C-suite, in order to give it the mandate and urgency it deserves. In many leading companies, additional governance in IT security is built right into the organizational structure via the creation of a security function led by a Chief Information Officer (CIO) or Chief Security Officer (CSO), working together with internal audit but operating as independent teams. The CIO or CSO and internal audit should report directly to the CEO, to demonstrate to shareholders that IT controls and security issues are being taken seriously.
With these steps, it is possible to enjoy the fruits and convenience of IT, while minimizing the risks to your company.