Ways to prevent the IT systems from turning against you
Companies love their information-technology solutions, as they help provide convenience and efficiency for all operations. But IT is a double-edged sword, and what many may not realise is that convenience for users also means convenience for those who seek to steal from or damage a company.
No one is immune. Sony learned that the hard way in 2011 when its PlayStation network was hacked, resulting in the possible loss of more than 12,000 credit-card numbers, the wrath of consumers and regulators, US$171 million (Bt5 billion) and an unenviable blow to the company's reputation.
Even Symantec, a company that develops security products such as Norton AntiVirus, had its servers hacked into and its source code stolen and held for ransom. In the computer world, that is the equivalent of having your production facilities hijacked.
These cases are simply the tip of the iceberg, as thousands of others never reach the media and are quietly dealt with. In the age of state-sponsored hacking and immense reliance on technology, we have reached a point where it is only a matter of time before a company's IT systems and controls are compromised.
Unlike what Hollywood would have you believe, many of these IT-based frauds and hacks aren't difficult, and they can be halted by enforcing basic IT controls. Last year, ING revealed that it had lost more than $44.5 million because of insider fraud by a senior accountant. The perpetrator was no hacker from "The Matrix": She simply accessed user accounts of resigned employees to delete records of unauthorised transfers, or to make the transfers appear legitimate.
IT audits essential
The good news is that there are steps a company can take to avoid becoming the next front-page victim.
The first and most fundamental step is to schedule and perform regular IT audits. Such audits, performed by a competent practitioner, will help to identify control weaknesses in your IT environment.
General IT controls, an area of auditing in its own right, determine whether the right controls are in place and operating effectively. These controls cover wide areas of a company's operations.
Examples include checking whether a company is granting employees access to critical computer systems only with formal authorisation, whether backups are being conducted and whether there is segregation of duties within computer systems.
Segregation of duties within IT systems is an essential but little-understood concept in Thailand. With manual business processes, it is easy to spot when an employee is performing two conflicting functions - for example, when he is able both to create and approve his own purchase orders.
Such a conflict is not as visible in a computer system and is more difficult to identify, but failing to identify it can be costly: UBS suffered more than $2 billion worth of losses in late 2011 due to a rogue trader being able to conduct unauthorised trades.
An IT audit can also go straight into each business process and look at where IT controls should be, which is especially important in companies where there is heavy reliance on information technology. A common area to look at is user access rights - for example, whether an accountant can access the payroll and give himself a pay increase without being detected.
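The three general-control checks described above (access granted only with formal authorisation, segregation of duties inside a system, and detecting activity on accounts of employees who have already left, as in the ING case) can be run mechanically over a company's access matrix and login records. The script below is an added example and is not from the article or any audit firm; the employees, systems, function names, approval tickets and login events are all constructed for illustration, and the conflict and role-restriction tables are an assumed policy, not a standard.

```python
"""Added example: a small IT-audit script that runs three general-control
checks over constructed sample data -
  (1) access grants that lack formal authorisation,
  (2) segregation-of-duties conflicts and role restrictions inside a system,
  (3) activity on accounts belonging to resigned employees.
All names, systems and records below are constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Employee:
    user: str
    role: str
    left_on: Optional[date] = None  # None means still employed


@dataclass
class Grant:
    user: str
    system: str
    function: str
    approved_by: Optional[str] = None  # approval ticket; None = no formal authorisation


# Assumed policy (constructed): pairs of functions one person must never hold
# together in the same system, e.g. creating and approving purchase orders.
CONFLICTING_FUNCTIONS = [
    ("erp", "create_po", "approve_po"),
    ("payroll", "edit_salary", "approve_payroll_run"),
]

# Assumed policy (constructed): (role, system, function) combinations that
# should not exist at all, e.g. an accountant able to edit payroll salaries.
ROLE_RESTRICTIONS = {
    ("accountant", "payroll", "edit_salary"),
}


def find_unauthorised_grants(grants):
    """Check (1): every grant must carry a formal approval reference."""
    return [(g.user, g.system, g.function) for g in grants if g.approved_by is None]


def find_sod_conflicts(grants):
    """Check (2a): flag users holding both halves of a conflicting pair."""
    held = {}
    for g in grants:
        held.setdefault((g.user, g.system), set()).add(g.function)
    findings = []
    for (user, system), funcs in sorted(held.items()):
        for sys_name, a, b in CONFLICTING_FUNCTIONS:
            if sys_name == system and a in funcs and b in funcs:
                findings.append((user, system, a, b))
    return findings


def find_role_violations(employees, grants):
    """Check (2b): flag grants that the user's role should never hold."""
    role_of = {e.user: e.role for e in employees}
    return [(g.user, g.system, g.function) for g in grants
            if (role_of.get(g.user), g.system, g.function) in ROLE_RESTRICTIONS]


def find_resigned_account_activity(employees, logins):
    """Check (3): any login on an account after its owner's leaving date."""
    left = {e.user: e.left_on for e in employees if e.left_on is not None}
    return [(user, system, when) for user, system, when in logins
            if user in left and when > left[user]]


# Constructed sample data: one buyer, two accountants (one resigned), one HR user.
SAMPLE_EMPLOYEES = [
    Employee("alice", "buyer"),
    Employee("bob", "accountant"),
    Employee("carol", "hr"),
    Employee("dave", "accountant", left_on=date(2012, 1, 31)),
]
SAMPLE_GRANTS = [
    Grant("alice", "erp", "create_po", approved_by="CHG-1001"),
    Grant("alice", "erp", "approve_po", approved_by="CHG-1002"),  # SoD conflict
    Grant("bob", "payroll", "edit_salary"),  # no approval and restricted for the role
    Grant("carol", "payroll", "edit_salary", approved_by="CHG-1003"),
    Grant("carol", "payroll", "approve_payroll_run", approved_by="CHG-1004"),  # SoD conflict
    Grant("dave", "erp", "create_po", approved_by="CHG-0900"),
]
SAMPLE_LOGINS = [  # (user, system, date) - constructed login records
    ("bob", "payroll", date(2012, 3, 1)),
    ("dave", "erp", date(2012, 2, 14)),  # after dave left on 2012-01-31
]


def run_audit(employees, grants, logins):
    """Run all checks and return the findings grouped by control."""
    return {
        "unauthorised_grants": find_unauthorised_grants(grants),
        "sod_conflicts": find_sod_conflicts(grants),
        "role_violations": find_role_violations(employees, grants),
        "resigned_account_activity": find_resigned_account_activity(employees, logins),
    }


if __name__ == "__main__":
    for control, findings in run_audit(SAMPLE_EMPLOYEES, SAMPLE_GRANTS, SAMPLE_LOGINS).items():
        print(f"{control}: {findings if findings else 'no findings'}")
```

In a real audit the inputs would be exported from the ERP and payroll systems' user-administration screens and authentication logs rather than typed in, and the conflict table would come from the company's own documented segregation-of-duties policy; the point of the script is that each control the article names becomes a repeatable, evidence-producing query rather than a one-off manual review.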
A more intensive but complementary method of looking at whether IT systems are secure is to hack them deliberately. Especially in companies where information and data are directly related to the competitive advantage of the business, ethical hackers are often employed to try to compromise the company's security and uncover weaknesses.
Such ethical hacking is completely secure, and the resultant report helps with identifying security weaknesses and possible solutions.
Another major consideration is to determine whether your organisation is required to comply with governmental or other regulations. PCI-DSS (Payment Card Industry-Data Security Standard) is an example of a regulation that is being pushed aggressively in Thailand at the moment. Issued by Visa, it is designed to prevent credit-card fraud and loss of customer information. In the event of non-compliance, Visa can fine the organisation a large sum of money.
Although Visa has not yet chosen to focus on merchant compliance in Thailand, it is only a matter of time before it does. If your company has any credit-card terminals, the requirement for a PCI-DSS audit may soon land on your doorstep.
From a governance perspective, the development of IT audit capabilities and audit programmes should be a part of internal audit and sponsored by the "C-suite", to give it the mandate and urgency it deserves.
Some companies go further and build IT security right into the organisational structure, through the creation of a security function which we often see led by a C-level executive such as a chief information officer, and sometimes the chief financial officer.
To raise the visibility of IT security in the eyes of shareholders and the audit committee, this role should ideally report directly to the chief executive officer.
In such a structure, the security team and internal audit exist as separate teams to provide a set of independent eyes, but ultimately work together towards the same goal.
With these steps, it is possible to enjoy the fruits and convenience of IT, while minimising the risks to your company.