Fraud risk management is key to avoid Wipro-like incidents

By Dhwani Pandya, Principal Correspondent
19 Feb 2010 | SearchSecurity.in


Wipro, the leading IT conglomerate, is now tightening the security controls in its finance department after discovering instances of fraud by an employee. The fraudster, a qualified chartered accountant employed in the 'controllership' division of the finance department, managed to siphon off around $4 million (around Rs 18 crore) from the company's bank account by using a colleague's password. It is surprising that such a mature IT services company, which would be expected to have strong IT governance policies and fraud risk management mechanisms, failed to detect a fraud that went on for three years.

Can IT security controls be held responsible for this mishap? Sunder Krishnan, the chief research officer of Reliance Life Insurance, feels that the issue is more about processes than technology controls. "The Wipro fraud is more about issues that concern segregation of duties. Acts were not being regularly monitored, which led to this slip," says Sunder Krishnan. From a technology perspective, Krishnan believes that alerts could have been more preventive, so that the incident was detected earlier rather than after three years, as happened in this case. This is corroborated by Rajendra K Shreemal, the VP and corporate treasurer of Wipro, who confirmed in his comments to a financial daily that although the company has very stringent policies and fraud risk management processes in place, these were not strictly adhered to.

"Technology may not be able to prevent such frauds, as it is carried out by an authorized individual," believes Sivarama Krishnan, the executive director and partner for performance improvement at IT consultancy firm PricewaterhouseCoopers (PwC). He also feels that organizations need to look at the cost of each technology control, since audit costs can be prohibitive at times. In this case, although Wipro suffered a fraud of $4 million, it has already recovered half the money. "Wipro must have lost a total of $2 million. Cost of protection of this amount would have been to the tune of Rs 50 crore a year. So you also have to see if the risk is worth protecting or detecting. So it might become a conflicting call for companies to classify some risks as worth detecting," says Sivarama Krishnan.

"Every company's board must ask the CEO or CFO about how well the company is covered from an IT security monitoring perspective," says Sunil Chandiramani, the partner and national director for Ernst & Young India's advisory services. But as observed in this case, having a strong governance framework is not enough. "IT security is a journey and not a destination. Organizations must take IT security failures and breaches in the processes very seriously, even if there may not be any financial losses," says Chandiramani.

According to Sunder Krishnan, a more proactive, preventive and holistic fraud risk management approach was needed in Wipro's case. "Access levels given to employees need to be reviewed every month. More silent alerts, along with a whistle blowing policy, should be encouraged within the organization," he suggests.

The Wipro incident reinforces the observation that most frauds and security vulnerabilities in organizations are caused by insiders (the international ratio of internal to external threats is around 80:20 or 70:30). "Mitigation of insider security threats should be a significant focus area for organizations. In my opinion, it does not get adequate attention," says Chandiramani. A fraud risk management framework can significantly help control insider threats, suggests Sivarama Krishnan. Agreeing with him on this front, Sunder Krishnan says that external independent review and statutory audit of systems, processes and people are not adequate. "You need a radical approach which looks at fraud prevention and fraud risk management from a holistic angle," he says. An organization must conduct a fraud risk assessment of all functions and business divisions to find sensitive areas and monitor them continuously.

Password-related frauds and security breaches are major challenges across the world. Many security incidents happen due to password theft or social engineering, so password protection is not just a technology issue. "It's more of a cultural issue. Even in cases where passwords are strong and complex, if they are shared or not kept safely, there will be breaches," says Sunder Krishnan. To avoid password theft, Sivarama Krishnan suggests adoption of two-factor authentication through means like secure tokens, grid-based mechanisms, and biometrics.

Making fraud incidents public is rare among Indian companies, so the transparency shown by Wipro is applauded by many security experts. "In India, such frauds are normally swept under the carpet. Even in cases where these frauds do become public, there is hardly any timely or effective prosecution," concludes Sivarama Krishnan.
