Mitigating IT fraud and data theft in businesses

Thursday, 9 February 2012 00:17

By Cassandra Mascarenhas

Widespread global connectivity and the sharing of information have made IT fraud and data theft a commonplace problem in most organisations. Yet, although no one is excluded from this risk, the biggest issue with IT fraud today is that most businesses do not take it seriously and continue to operate on the assumption that they are exempt from it.



Datamation Systems Chairman and Managing Director Fazal Issadeen, a veteran of the information technology industry with over 30 years of experience who has encountered fraud on several occasions himself, addressed a breakfast meeting organised by Infomate Pvt. Limited last week on the importance of businesses taking IT fraud seriously.

Delivering a presentation titled ‘Prevention of IT fraud and data theft,’ Issadeen noted that fraud deterrence is not a priority in most organisations. He cited the Computer Crime and Security Survey, which shows that 91 per cent of businesses spend less than five per cent of their annual IT security budget on end-user awareness training, and that 59 per cent of businesses report financial losses due to insider abuse.

“Very little thought is being put into fraud detection in organisations. Having a fraud policy and risk mitigation policy is totally neglected. Fraud takes place because organisations leave a door open for fraud to take place. If a fraud policy is in place, the thought of committing the fraud will not happen and thereby the fraud will not occur,” he explained.

He went on to say that creating such a policy means forming a team that involves the stakeholders or the board of directors. Since the internal audit division is primarily responsible for fraud detection and deterrence, it too should be involved in drafting the policy.



Where does fraud occur?

“Where does fraud occur?” Issadeen questioned. “With an insider. There is always a person within the organisation as well as external people involved in fraud. The root of fraud is the insider, who is the main cause of the fraud. There is sabotage, hackers and so many things that we have to face today. All this connectivity which comes with so many advantages and benefits increases business risk and calls for the need for more and more precautions to be taken. With all this connectivity today, even the Pentagon is not safe anymore. So what about us and how much are we willing to spend on protecting ourselves?”

Most commonly in data theft, the person in charge of the data is the one who steals it. To prevent this, Issadeen recommended implementing ISO 27001, the information security management standard, so that access to and handling of data is governed by documented controls and monitored.

He then pointed out that human error can occur at any time and suggested that, to prepare for it, such incidents should be simulated, like a fire drill. “We must think of disasters that could occur and do risk mitigation – never assume that it will not happen to you.”

Organisations can also turn an otherwise honest individual into a criminal simply by leaving an opportunity open and taking no steps to close it. Once the opportunity exists, personal problems supply the pressure to commit the crime, and the justification that follows comes naturally. Opportunity, pressure and rationalisation are the three elements of the classic fraud triangle.

“Very rarely do you find companies screening job applicants thoroughly even for high-priority jobs. For theft to take place 95 per cent of the time, connivance is needed so we have to be very careful, be transparent with employees and set the ground rules right from the beginning,” Issadeen stressed. “Most of the time when I had to appear on behalf of my client at labour tribunals is when the IT administrator gets too close to the cashier. They then get together and fraud occurs. Too much trust and too little monitoring is a common problem in Sri Lanka.”

Password theft and sharing is yet another widespread issue. For as little as $49, a person can obtain keystroke-logging software that records what is typed at a terminal, including passwords; the result is once again fraud, which can collapse a business in the most unexpected manner.

Postponing reconciliation of bank accounts, debtors, stock control and payroll is asking for disaster, he added. Issadeen warned those present not to assume anything in business, stating that reconciliation is one of the major steps in fraud prevention. Businesses have had immense problems with figures that do not reconcile across their software, but the instant a cross-checking system is implemented, everything falls into place.
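The cross-check described above, as an added example that is not part of the article or of any Datamation or Infomate product: a cash-book extract is matched against a bank-statement extract by reference number, and everything that does not agree is reported. The record layout and the sample entries are constructed for illustration.

```python
"""Bank-to-ledger reconciliation (added example, not from the article).

Matches cash-book entries against bank-statement lines by reference and
reports anything that does not agree: ledger entries the bank never saw,
bank debits the ledger does not carry, and matched references whose
amounts differ. The record layout and the sample data are constructed.
"""
from decimal import Decimal
from typing import Dict, List, NamedTuple


class Entry(NamedTuple):
    ref: str          # cheque number or transfer reference (assumed format)
    amount: Decimal   # positive = money paid out


def by_ref(entries: List[Entry]) -> Dict[str, Decimal]:
    """Total the amounts per reference on one side of the reconciliation."""
    totals: Dict[str, Decimal] = {}
    for e in entries:
        # Two lines with the same reference on one side are themselves
        # suspicious; summing them surfaces that as an amount mismatch.
        totals[e.ref] = totals.get(e.ref, Decimal("0")) + e.amount
    return totals


def reconcile(ledger: List[Entry], bank: List[Entry]) -> Dict[str, list]:
    """Compare both sides and return the exceptions an auditor must follow up."""
    l, b = by_ref(ledger), by_ref(bank)
    common = set(l) & set(b)
    return {
        # Recorded in the books but never cleared the bank: may be in transit,
        # or may be a payment that was recorded and then quietly reversed.
        "ledger_only": sorted(set(l) - set(b)),
        # Left the bank account without a corresponding book entry.
        "bank_only": sorted(set(b) - set(l)),
        # Same reference, different value: altered cheque or altered ledger.
        "amount_mismatch": sorted(r for r in common if l[r] != b[r]),
        "matched": sorted(r for r in common if l[r] == b[r]),
    }


# Constructed sample extracts; none of these are real transactions.
LEDGER = [
    Entry("CHQ1001", Decimal("1500.00")),
    Entry("CHQ1002", Decimal("250.00")),
    Entry("CHQ1003", Decimal("980.00")),
    Entry("TRF5001", Decimal("12000.00")),
]
BANK = [
    Entry("CHQ1001", Decimal("1500.00")),
    Entry("CHQ1002", Decimal("2500.00")),   # cheque altered after signing
    Entry("CHQ1003", Decimal("980.00")),
    Entry("CHQ1004", Decimal("450.00")),    # never entered in the books
]

if __name__ == "__main__":
    for bucket, refs in reconcile(LEDGER, BANK).items():
        print(f"{bucket}: {refs}")
```

The point of the exercise is the exception list, not the matched list: each reference in `ledger_only`, `bank_only` or `amount_mismatch` needs a documented explanation, and the longer reconciliation is postponed, the longer those exceptions stay invisible.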



Typical payroll frauds also include the creation of ghost employees.

“When implementing IT systems, there is generally a lot of resistance and unless you are alert and very sharp, you cannot detect this resistance and fraudulent intentions of employees unless you have suspicious minds. We cannot be too trusting,” he cautioned.  

When doing a payroll check, two or more employees with the same name, address or bank account point to potential fraud, since a ghost employee's pay has to land in a real person's account. An employee who has taken no leave for eight or nine months is another warning sign: someone manipulating records often cannot afford to let anyone else cover their work.
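The two payroll red flags above, as an added example that is not part of the article: a small constructed payroll extract is screened for employees who share a bank account or address, and for anyone who has taken no leave within the window. The record layout, the 240-day threshold (standing in for the article's eight or nine months) and the sample employees are assumptions made for illustration.

```python
"""Payroll screening for ghost-employee indicators (added example, not from the article).

Checks a constructed payroll extract for two red flags the talk names:
several employees paid into the same bank account (or registered at the
same address), and an employee with no leave taken within a window of
MAX_DAYS (240 days here, an assumed threshold for "eight or nine months").
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

MAX_DAYS = 240  # assumed threshold


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    address: str
    bank_account: str
    last_leave: Optional[date]   # None if no leave on record
    hire_date: date


def normalise(s: str) -> str:
    """Case and whitespace differences are a cheap way to defeat a naive duplicate check."""
    return " ".join(s.lower().split())


def shared_values(employees: List[Employee], field: str) -> Dict[str, List[str]]:
    """Map each duplicated value of `field` to the employee IDs that share it."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for e in employees:
        groups[normalise(getattr(e, field))].append(e.emp_id)
    return {value: sorted(ids) for value, ids in groups.items() if len(ids) > 1}


def no_recent_leave(employees: List[Employee], as_of: date, max_days: int = MAX_DAYS) -> List[str]:
    """Employees who have been on the books for at least max_days and taken no leave in that time."""
    flagged = []
    for e in employees:
        # A recent hire cannot have been expected to take leave yet.
        if (as_of - e.hire_date).days < max_days:
            continue
        last = e.last_leave or e.hire_date
        if (as_of - last).days >= max_days:
            flagged.append(e.emp_id)
    return sorted(flagged)


def screen_payroll(employees: List[Employee], as_of: date, max_days: int = MAX_DAYS) -> Dict[str, object]:
    return {
        "shared_bank_account": shared_values(employees, "bank_account"),
        "shared_address": shared_values(employees, "address"),
        "no_leave_taken": no_recent_leave(employees, as_of, max_days),
    }


# Constructed sample extract; nothing here is real data.
AS_OF = date(2012, 2, 9)
SAMPLE = [
    Employee("E001", "A. Perera", "12 Galle Rd, Colombo 3", "1000-2001", date(2011, 12, 20), date(2005, 3, 1)),
    Employee("E002", "B. Silva", "45 Kandy Rd, Kadawatha", "1000-2002", date(2011, 5, 10), date(2008, 7, 15)),
    # E003 shares E001's account and (differently spaced) address: a classic ghost.
    Employee("E003", "C. Fernando", "12  galle rd, colombo 3", "1000-2001", None, date(2011, 1, 4)),
    Employee("E004", "D. Jayasuriya", "8 Hill St, Nuwara Eliya", "1000-2004", None, date(2011, 12, 1)),
]

if __name__ == "__main__":
    for flag, hits in screen_payroll(SAMPLE, AS_OF).items():
        print(f"{flag}: {hits}")
```

Each hit is a lead for the internal audit team, not proof of fraud: two family members on the same payroll can legitimately share an address, so the check is worth running only if someone outside payroll reviews the output.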

“When we are doing salaries, everyone starts discussing each other’s salaries – it becomes the talk of the town. A survey conducted by Infomate and Datamation Systems found that anywhere the payroll was being done internally, everyone was aware of all the information. When done externally, all this information disappeared,” he shared.

Audit trails are also key to fraud prevention, because today's systems can record a trail for every transaction. If a bank account is changed, a transaction deleted or any critical information modified, that change must be recorded, kept, checked and available at any given time. Wherever money is involved, changes to critical information must be logged, and businesses must be wary of them.
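The "recorded, kept, checked" requirement above, as an added example that is not part of the article: each change to a money-relevant field is appended to a log whose records are chained by SHA-256, so that a record edited or deleted after the fact fails verification. The field names, actors and entity identifiers are constructed; the in-memory list stands in for storage that the application user cannot write to directly.

```python
"""Append-only, hash-chained audit trail for critical field changes (added example).

Every change to a money-relevant field (the article names bank-account
changes and deleted transactions) is recorded with who, when and what, and
chained to the previous record by SHA-256. Removing or editing a record
after the fact breaks verification. Storage here is an in-memory list; a
real system would write to a store the application user cannot modify.
All actors, entities and values below are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # "previous hash" of the first record


class AuditTrail:
    def __init__(self) -> None:
        self.records: List[dict] = []

    @staticmethod
    def _digest(body: dict) -> str:
        # Hash everything except the hash field itself; sort keys so the
        # encoding is canonical and the digest is reproducible.
        payload = {k: v for k, v in body.items() if k != "hash"}
        encoded = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(encoded).hexdigest()

    def record(self, actor: str, entity: str, field: str, old: str, new: str,
               at: Optional[datetime] = None) -> str:
        """Append one change record and return its hash."""
        at = at or datetime.now(timezone.utc)
        prev = self.records[-1]["hash"] if self.records else GENESIS
        body = {
            "seq": len(self.records), "at": at.isoformat(),
            "actor": actor, "entity": entity, "field": field,
            "old": old, "new": new, "prev": prev,
        }
        body["hash"] = self._digest(body)
        self.records.append(body)
        return body["hash"]

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Walk the chain; return (True, None) or (False, index of first bad record)."""
        prev = GENESIS
        for i, r in enumerate(self.records):
            if r["seq"] != i or r["prev"] != prev or self._digest(r) != r["hash"]:
                return False, i
            prev = r["hash"]
        return True, None

    def changes_to(self, field: str) -> List[dict]:
        """Everything ever done to one critical field, for review."""
        return [r for r in self.records if r["field"] == field]


def demo() -> AuditTrail:
    """A clean trail: a bank-account change, a deleted invoice, and a reversal."""
    trail = AuditTrail()
    t0 = datetime(2012, 2, 1, 9, 0, tzinfo=timezone.utc)  # fixed for reproducibility
    trail.record("payroll_clerk", "EMP-0042", "bank_account", "1000-2002", "1000-2001", t0)
    trail.record("payroll_clerk", "INV-8871", "status", "posted", "deleted", t0)
    trail.record("finance_mgr", "EMP-0042", "bank_account", "1000-2001", "1000-2002", t0)
    return trail


def tampered_trail() -> AuditTrail:
    """An insider rewrites history so the clerk's change appears to be the manager's."""
    trail = demo()
    trail.records[0]["actor"] = "finance_mgr"
    return trail


def deleted_record_trail() -> AuditTrail:
    """An insider removes the record of the deleted invoice."""
    trail = demo()
    del trail.records[1]
    return trail


if __name__ == "__main__":
    print("clean:", demo().verify())
    print("edited:", tampered_trail().verify())
    print("record removed:", deleted_record_trail().verify())
```

Verification only tells you that the log has been altered, not who altered it; the control is complete only when the trail is written somewhere the people whose actions it records cannot reach, and someone other than them runs the check.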

Furthermore, most organisations think that only cheques represent money, but invoices and receipts do too: they should be printed, checked and kept under lock and key.



How can these problems be solved or prevented?

“We’ve got beautiful systems – very large systems working fantastically. The integrity of your database lies in your server. What about the integrity of the data held in Excel files? I would like to warn you very severely on getting information on Excel reports. Nearly all organisations worldwide obtain mission critical MIS from Excel reports. Very little thought is given to the fact that the data in the system can be manipulated in Excel to ensure that KPIs, performance bonuses, etc. are met based on this information,” Issadeen said.

He went on to say that organisations should therefore stop relying on figures extracted into Excel and should instead have their core software produce such reports directly.

Nearly 80 per cent of companies in Sri Lanka do not send statements to their customers. Where there is no communication between the company and its distributors, sales representatives end up taking goods out of the company for their own use: they bill legitimate customers who never receive the goods, and the company pays out on these cheques. To avoid this, a business must not only send debtors' statements but also call customers regularly to confirm debt balances.

Another fraud committed by sales representatives is storing goods in their own houses and, after a period of time has passed and commissions have been paid, returning them as sales returns. This can be overcome by separation of duties: the finance department should have a separate unit that checks whether customers exist, have received the goods and so on.

“We have a situation in most companies that are expanding business and everyone is busy – while businesses are expanding, disaster strikes and you end up spending 10 times the amount that you would have spent to ensure proper preventive measures,” he pointed out.

In conclusion, Issadeen recommended several preventive measures, such as hiring outside firms to conduct audits and random checks. Another important factor is maintaining end-user awareness throughout the organisation.

“When employees know that they are being double checked, this deters fraud. Preventing fraud is not rocket science, it is common sense. Brainstorm and then you start preparing the mitigation processes and implementing it. The law is complex and justice often delayed. Do not rely on it for a remedy when you can avoid going to court altogether,” he added.

Insider risk is real and not well understood, Issadeen noted. Discover the risk before enforcing controls, and reduce risk without negatively impacting the business. Define policies on paper and involve business users.

“Put pen to paper and create awareness and make sure that every employee knows that they are being double checked – it’s like a poker game, even if you don’t double check them, the fact that you’ve told your employees that they are being double checked is prevention in itself,” he summed up.
