 "Security, IT & People: What Does The Wipro Fraud Tell Us?")
‘The people and circumstances around me do not make me what I am, they reveal who I am,’ said Laura Schlessinger, an American talk radio host and a socially conservative commentator and author. Companies like Satyam and Wipro are figuring out the truth of her words today. As per recent media reports, an employee of Wipro managed to embezzle $4 million from the company’s accounts.
It’s All About the People
Fingers have been pointed at the company’s IT infrastructure, their auditing methods and the finance team at the helm of affairs. However, one thing that we always seem to miss in such cases is the people of the company. “One can implement as many security solutions as available. However, how can you control the individuals, who are dealing with these solutions? After all, someone somewhere is going to know the passwords or how to get past these solutions,” says Faraz Ahmed, CISO, Reliance Life Insurance.
Pawan Kumar Singh, CISO, Tulip Telecom, agrees and adds, “There is no controlling the temptation or greed of employees. IT works as an enabler for a company. At the end of the day, it is controlled by the people in the company. So, the focus of companies should be their employees more than mere technology. In fact, the dependence on technology in today’s age creates more problems than solutions”.
Employee Verification: Need of the Hour
Singh and Ahmed both agree that a company should be extremely vigilant while hiring its employees. “A company the size of Wipro is always in need of people. Sometimes, due to business pressure, there is a possible gap that creeps into the verification process. Somehow, this is one area where the organisation cannot afford to compromise. Secondly, one should conduct psychometric tests of employees to know about their emotional state of being. It is important to know what your employees are going through so that they can be handheld in a better fashion,” says Ahmed. He also adds that updating the risk assessment solutions regularly should become a common practice in the business community.
Communication is the Key
Singh agrees and says, “Communication with employees on a personal level is of utmost importance”. He further states that one should have multiple motivational factors in place for employees. “Quite a few leadership programs are conducted for the top management but how many of these are offered at the junior level?” he asks. He further adds that one should create a culture of pride and ethics in the company. According to him, there is a need to revisit the chapter on ethics by all and sundry and have a good read of the same. “Another thing that one needs to do is to install the fear of punishment and loss of reputation among employees related to such incidents.”
Suresh Iyer, Chief Security Officer-APAC, Aditya Birla Minacs, says, “The Information Security leader should ensure that all C-level functions have security-related KPIs among other performance metrics”. He further adds that companies must have an operational practice of having all functions with significant risk exposure (which again needs to be evaluated through a detailed risk assessment procedure) being monitored on multiple channels, i.e. self-assessment, sample-based peer review, mandatory dual sign-off for high-value transactions – again maintaining a detailed ‘Delegation of Authority’ manual depending on the value of transaction.
Plugging the Loopholes
Though people’s temperaments and inclinations may not be totally in the employer’s hands, there are some things that are. Iyer says, “One should keep the company’s audit absolutely unbiased and totally independent. If the audit teams are part of the finance team, it defeats the entire purpose. Also, if Information Security audit teams have to report to the CIO’s office, independence is compromised”.
Ahmed, on the other hand, believes that there should be a breakdown in process within the organisation. “The duties should be segregated in the financial team and one person should not be handed out the entire details of a company’s financial systems”. Singh agrees and says, “The systems should have a feature wherein multiple passwords are needed to access financial data. Thus, it will make the job of the fraudster even more difficult”.
Iyer further says, “One should implement two-factor authentication for access to critical applications. (In this case, the password was stolen, however, if digital certificates or soft/ hard tokens were involved, maybe the chances of having both compromised would have reduced significantly). Mandatory senior management sign-off for high-value transactions should be built into ERP systems. Application controls should have alert systems in place that would alert the finance head and the fraud prevention team in an auto trigger mode as soon as something goes wrong. It helps to have the fraud prevention cell reviewing these alert systems online on a regular basis.”
Learning the Lesson
The incidents at Wipro and Satyam are open for all of us to learn from. Better communication with employees at all levels, instilling pride in company ethics and more stringent and robust IT security systems could help enterprise security leaders ride the waves of insecurity among people and as far as their data is concerned too.
(With inputs from Abhishek Raval)
 "Israel targets top Hamas leaders in Doha; Qatar, Iran condemn strike as violation of sovereignty")
 "Nepal: Oli to continue until new PM is sworn in, nation on edge as all branches of govt torched")
 "Who is CP Radhakrishnan, India's next vice-president?")
 "Israel informed US ahead of strikes on Hamas leaders in Doha, says White House")
 "Israel targets top Hamas leaders in Doha; Qatar, Iran condemn strike as violation of sovereignty")
 "Nepal: Oli to continue until new PM is sworn in, nation on edge as all branches of govt torched")
 "Who is CP Radhakrishnan, India's next vice-president?")
 "Israel informed US ahead of strikes on Hamas leaders in Doha, says White House")
