Wipro, the leading IT conglomerate, is now in the process of tightening its security controls in the finance department after discovering instances of fraud by an employee. The fraudster, a qualified chartered account who was employed with the company's 'controllership' division in the finance department managed to siphon off around $4 million (around Rs 18 crore) from the company's bank account by accessing a colleague's password. It is surprising that such a mature IT service company (expected to have strong IT governance policies and fraud risk management mechanisms) failed to detect this fraud incident which happened over a period of three years.

Can IT security controls be held responsible for this mishap? Sunder Krishanan, the chief research officer of Reliance Life Insurance feels that the issue is more about processes than technology controls. "The Wipro fraud is more about issues that concern segregation of duties. Acts were not being regularly monitored, which led to this slip," says Sunder Krishnan. From a technology perspective, Krishnan believes that

More fraud risk management stories Creating a fraud risk assessment policy Fraud risk assessment methodologies   Multi-layered user authentication at HDFC Bank for NetBanking safety

alerts could have been more preventive in order to detect the incident earlier, rather than three years in this case. This is corroborated by Rajendra K Shreemal, the VP and corporate treasurer of Wipro who confirmed in his comments to a financial daily that although the company has very stringent policies and fraud risk management processes in place, these were not strictly adhered to.

"Technology may not be able to prevent such frauds, as it is carried out by an authorized individual," believes Sivarama Krishnan, the executive director and partner for performance improvement at IT consultancy firm PricewaterhouseCoopers (PwC). He also feels that organizations also need to look at the cost of each technology control, since audit costs can be prohibitive at times. In this case, although Wipro witnessed a fraud of $4 million, it has already recovered half the money. "Wipro must have lost a total of $2 million. Cost of protection of this amount would have been to the tune of Rs 50 crore a year. So you also have to see if the risk is worth protecting or detecting. So it might become a conflicting call for companies to classify some risks as worth detecting," says Sivarama Krishnan.

"Every company's board must ask the CEO or CFO about how well the company is covered from an IT security monitoring perspective," says Sunil Chandiramani, the partner and national director for Ernst & Young India's advisory services. But as observed in this case, having a strong governance framework is not enough. "IT security is a journey and not a destination. Organizations must take IT security failures and breaches in the processes very seriously, even if there may not be any financial losses," says Chandiramani.

According to Sunder Krishnan, a more proactive, preventive and holistic fraud risk management approach was needed in Wipro's case. "Access levels given to employees need to be reviewed every month. More silent alerts, along with a whistle blowing policy, should be encouraged within the organization," he suggests.

The Wipro incident corroborates the fact that most frauds and security vulnerabilities in organizations are caused by insiders (international percentage of internal versus external threats is around 80:20 or 70:30). "Mitigation of insider security threats should be a significant focus area for organizations. In my opinion, it does not get adequate attention," says Chandiramani. A fraud risk management framework can significantly help

You have to see if the risk is worth protecting or detecting. So it might become a conflicting call for companies to classify some risks as worth detecting. Sivarama Krishnan executive director and partner for performance improvementPricewaterhouseCoopers

control insider threats, suggests Sivarama Krishnan. Agreeing with him on this front, Sunder Krishnan says that external independent review and statutory audit of systems, processes and people are not adequate. "You need a radical approach which looks at fraud prevention and fraud risk management from a holistic angle," he says. An organization must conduct fraud risk assessment of all functions and business divisions to find and continuously monitor sensitive areas . 

Password related frauds and security breaches are major challenges across the world. Many security incidents happen due to password theft or social engineering. So password protection is not just a technology issue. "It's more of a cultural issue. Even in cases where passwords are strong and complex, if they are shared or not kept safely, there will be breaches," says Sunder Krishnan. To avoid password theft, Sivarama Krishnan suggests adoption of two factor authentication through means like secure tokens, grid based mechanisms, and biometrics.

In hindsight, making fraud incidents public is rare among Indian companies. Hence the transparency provided by Wipro is applauded by many security experts. "In India, such frauds are normally swept under the carpet. Even in cases where these frauds do become public, there is hardly any timely or effective prosecution," concludes Sivarama Krishnan.