Can IT security controls be held responsible for this mishap? Sunder Krishnan, the chief research officer of Reliance Life Insurance, feels that the issue is more about processes than technology controls. "The Wipro fraud is more about issues that concern segregation of duties. Acts were not being regularly monitored, which led to this slip," says Sunder Krishnan. From a technology perspective, Krishnan believes that
"Technology may not be able to prevent such frauds, as it is carried out by an authorized individual," believes Sivarama Krishnan, the executive director and partner for performance improvement at IT consultancy firm PricewaterhouseCoopers (PwC). He also feels that organizations need to look at the cost of each technology control, since audit costs can be prohibitive at times. In this case, although Wipro witnessed a fraud of $4 million, it has already recovered half the money. "Wipro must have lost a total of $2 million. Cost of protection of this amount would have been to the tune of Rs 50 crore a year. So you also have to see if the risk is worth protecting or detecting. So it might become a conflicting call for companies to classify some risks as worth detecting," says Sivarama Krishnan.
"Every company's board must ask the CEO or CFO about how well the company is covered from an IT security monitoring perspective," says Sunil Chandiramani, the partner and national director for Ernst & Young India's advisory services. But as observed in this case, having a strong governance framework is not enough. "IT security is a journey and not a destination. Organizations must take IT security failures and breaches in the processes very seriously, even if there may not be any financial losses," says Chandiramani.
According to Sunder Krishnan, a more proactive, preventive and holistic fraud risk management approach was needed in Wipro's case. "Access levels given to employees need to be reviewed every month. More silent alerts, along with a whistle blowing policy, should be encouraged within the organization," he suggests.
The Wipro incident corroborates the observation that most frauds and security breaches in organizations are caused by insiders (figures commonly cited internationally put the split between internal and external threats at roughly 80:20 or 70:30). "Mitigation of insider security threats should be a significant focus area for organizations. In my opinion, it does not get adequate attention," says Chandiramani. A fraud risk management framework can significantly help
Password-related frauds and security breaches are major challenges across the world. Many security incidents happen due to password theft or social engineering, so password protection is not just a technology issue. "It's more of a cultural issue. Even in cases where passwords are strong and complex, if they are shared or not kept safely, there will be breaches," says Sunder Krishnan. To limit the damage from password theft, Sivarama Krishnan suggests adopting two-factor authentication through means such as secure tokens, grid-based mechanisms, and biometrics.
Making fraud incidents public is rare among Indian companies, so the transparency shown by Wipro is applauded by many security experts. "In India, such frauds are normally swept under the carpet. Even in cases where these frauds do become public, there is hardly any timely or effective prosecution," concludes Sivarama Krishnan.