Computerworld - Every security system, in the end, depends on people. Ideally, programs could be written with restricted privileges for operators so they would pose no threat - but I doubt it would work in practice.
I believe our staff is honest, but I'm not sure we can rely on employee inertia to protect us where money is involved. To determine the scope of any potential problems, we recently reviewed our 30 funds-transfer systems.
Fortunately, many of the systems limit the transfer amount, or they're set up in such a way that committing fraud would require a complicated string of collusions with other companies.
In general, I found our controls adequate. Based on the idea of separation of privilege, these systems need at least two staffers working together to move money. However, I did find some disturbing trends.
Our company is always trying to drive down costs and reduce staff. This has led to concentrations of control: A few individuals - who may feel that their jobs are at risk - now handle all funds transfers. It has also left us with audit and control groups that have little experience with fraud. The longer these trends continue, the greater the risk of a disgruntled employee trying to run away with some cash.
I found bigger problems too. I found the passwords needed to complete a transfer for two accounts taped to a monitor. We hope to prevent recurrences through staff training.
In addition to checking out each system myself, I had each business and IT team that uses the applications complete a detailed questionnaire about possible frauds. We then ran scenario-based role plays of those schemes.
Only one person in the 30 groups bothered to ask who I was and why I wanted to know how to defraud the company. I'll have to follow up with advice to all to be less trusting.
An Outside Job
The exposed passwords aside, I believe our systems are reasonably well built. But I wish I could say I had the same confidence in our new business partners. They don't have dedicated security teams; security responsibilities are shared across IT.
I've always been a little worried by companies that do that. It can mean that security is truly integrated into the business process and doesn't need a champion. But it usually means security takes second place to ease of use. Most IT developers have little knowledge of or interest in security.
My concerns rose to a near panic when one business partner explained a "clever" solution
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
