


Don’t let IT systems turn against you

Companies love their information technology solutions as they offer convenience and efficiency for all operations. But IT is a double-edged sword: Convenience for users also means convenience for those who seek to steal from or damage the company.


And no one is immune. Sony learned that the hard way in 2011 when its PlayStation Network was hacked, resulting in the possible loss of more than 12,000 credit card numbers, the wrath of consumers and regulators and a blow to its reputation.

Even Symantec, a company that develops security products such as Norton AntiVirus, had its servers hacked into, and its code stolen and held for ransom. In the computer world, that is the equivalent of having your production facilities hijacked.

Just this weekend, Twitter reported that hackers might have stolen information belonging to 250,000 users.

This is the tip of the iceberg: Thousands of cases never reach the media and are quietly dealt with.

In the age of state-sponsored hacking and immense reliance on technology, we have reached a point where it is only a matter of time before a company’s IT systems and controls are compromised. Unlike what Hollywood would have you believe, many of these IT-based frauds and hacks are not difficult, and they can be foiled by enforcing basic IT controls.

Earlier last year, a major international bank in Australia revealed it had lost more than US$44.5 million (S$55.2 million) to insider fraud by a senior accountant. She had simply accessed user accounts of employees who had resigned to delete records of unauthorised transfers or make the transfers appear legitimate.

The good news is that there are steps a company can take to avoid becoming the next front-page victim.


The first and most fundamental is to schedule and perform regular IT audits. Such audits, performed by a competent practitioner, will help to identify control weaknesses in your IT environment.

General IT Controls, an area of auditing, determines whether the right controls are in place and operating effectively.

This covers wide areas of the company’s operations, such as checking whether employees are granted access to critical computer systems only with formal authorisation, whether backups are being conducted and whether there is segregation of duties within computer systems.

Segregation of duties within IT systems is an essential but often misunderstood concept.

With manual business processes, it is easy to spot when an employee is performing two conflicting functions, for example when they can both create and approve their own purchase orders. In a computer system, such a conflict is less visible and more difficult to identify, but failure to do so can be costly: UBS suffered more than US$2 billion worth of losses in late 2011 due to a rogue trader being able to conduct unauthorised trades.

An IT audit can also go straight into each business process and look at where IT controls should be.

A common area to look at is user access rights: For example, whether an accountant can access the payroll and give himself a raise without being detected.


A more intensive but complementary method of looking at whether IT systems are secure is to hack them.

In companies where data is directly related to the competitive advantage of the company, ethical hackers are often employed to try and compromise the company’s computer systems using the same tools and methods that a malicious hacker would.

No system is completely secure, and the resultant report helps to identify security weaknesses and possible solutions.

Another major consideration is to determine whether your organisation is required to comply with governmental or other regulations.

PCI-DSS (Payment Card Industry-Data Security Standard) is an example of a regulation that is being aggressively enforced. Issued by Visa, it is designed to prevent credit card fraud and loss of customer information. In the event of non-compliance, Visa can impose a huge fine on the organisation.

From a governance perspective, the development of IT audit capabilities and audit programmes should be a part of internal audit and sponsored by the C-Suite, in order to give it the mandate and urgency it deserves.

Some companies go further and build IT security right into the organisational structure through the creation of a security function that is often led by a C-level executive such as a Chief Information Officer and, sometimes, the Chief Financial Officer.

To raise the visibility of IT security in the eyes of shareholders and the audit committee, the executive taking on this role should ideally report directly to the Chief Executive Officer.

In such a structure, the security team and internal audit exist as separate teams to provide a set of independent eyes but ultimately work together towards the same goal.

Karn G Bulsuk is Senior Consultant for a major Big 4 consulting firm in Australia.
