Information Technology (IT) is no longer just a support function focusing on physical assets. It has transformed into a gatekeeper of ‘information’, which is the lifeblood of any enterprise. Data has become ubiquitous and digitisation is now a way of doing business, and any slip-up in information security is a significant propeller for fraud.
These incidents could range from seemingly benign to complex, such as:
- Network hijacking
- Wire transfer fraud
- CEO email scam
- Manipulation of vendor bank information for funds transfer
- Social engineering attacks
- Privileged user abusing access privileges
The ramifications of fraud for a company are numerous, and severe, and their impact is difficult to quantify, especially because there may be sensitive data being compromised These incidents could lead to maligned reputation, loss of business and customers, financial implications, audit costs, regulatory proceedings and compromised sensitive information.
Digging deep into the cause
- Perils of digital disruption: Digital disruption has made it easier for perpetrators to commit sophisticated frauds, while at the same time it has made such frauds harder to detect. Companies that don’t address the risks and gaps in security associated with the use of personal devices at work could see sensitive information walking out their door.
- Unrestricted application or device use: When the IT function is unaware of the extent to which employees access applications like company email and wireless on personal devices, the risk of data breach and privacy violations rises and the spectrum of options for impostors to conduct fraud becomes expansive.
- Rogue employees: Rogue employees, especially within IT, may misuse confidential information for personal gain, to settle a score and, frequently, to infiltrate or release malicious code or emails on an entity’s customers or vendors. Misuse of privileged information can cause enterprise-wide damage.
- Rise in social engineering attacks: Phishing, quid pro quo, tailgating and forensic recovery are some tactics which can unknowingly make people abettors to social engineering frauds.
There is a way out
- Monitor the IT function, adopt an ingenious outlook: Frauds emanating from IT can be quite difficult to track. Therefore, the monitoring needs to be different compared to a traditional investigation. Businesses need to maintain trust, but at the same they must not overlook the need to verify. Monitoring human behaviour remains the bottom line
- Segregate roles: No single person in the function should have administrative privileges to control or manoeuvre transactions across business processes. Companies need to segregate IT security and mechanisms to issue alerts in the event of unauthorised access.
- Conduct IT audits: Audits need to be a routine affair to provide insights into fraud scenarios and measure the effectiveness of existing controls in line with the firm’s risk appetite. Internal audit paves the way to refine controls as per the changing needs of the business environment. Audits must also be in place to review security of policies pertaining to the use of personal devices at work.
- Educate, train and monitor behaviour: Businesses need to invest in educating employees, including C-level executives, on security policies and procedures. There should also be clear communication on what constitutes data and privacy violations and the associated disciplinary procedures. Data analytics, benchmarking and data mining can help in pointing out irregularities to monitor employee behaviour and enable early detection of fraud.
The role of the IT function in building an enterprise that is mindful of the risk environment is gaining importance. And there couldn’t be a better time to get your IT leaders on board to carefully evaluate your fraud risk strategy.
The blog appeared in ET CIO.