If one visits www.wipro.com, one finds that the Indian tech major WIPRO proudly displays its award for “Enabling Business Transformation Excellence”. But today the Company is under deep embarrassment because an employee has been bleeding the company for the last three years and embezzled around US $ 4 million by simply transferring money from the Bank account to his personal account.
Though a sum of US $ 2 Million appears to have been recovered, and the Company is sound enough to absorb the remaining loss, the incident throws up several questions on the soundness of the Information Security systems at WIPRO.
It is time that other companies immediately review their own systems to ensure that similar problems are not occurring in their companies also.
There is an indication that WIPRO was negligent in protecting the information assets of the Company because it was not ITA 2008 compliant.
It is also evident that being a listed company bound by the SEBI Clause 49 declaration, the CFO and CEO had provided a false certification to the shareholders that “There was compliance of all regulatory requirements” and that “There was adequate internal controls”. The audit committee and independent directors also need to introspect and see if they have been diligent.
The Company’s HR policies and the Security Incident Management system also need to be reviewed from the perspective of how the perpetrator of such a crime could only be “suspended” and no police complaint is being lodged for the commission of this cognizable offence.
It is also necessary to fix the responsibility of the statutory auditors B S R and Company who audited the finances of the Company.
It is clear that the large amount has been transferred under instructions through electronic documents which were (presumably) not backed by Digital Signatures. The case reveals the extent of loss companies and banks may sustain if they continue to ignore the need to adopt secure means of authentication recommended by ITA 2008.
It was perhaps not a coincidence that Satyam Computer Services, whose internal frauds of US $ 1.8 billion made news last year, had also been a recipient of a “Golden Peacock Award” for Excellence in Corporate Governance a little before the fraud broke out.
These two incidents clearly indicate that the IT industry has a faulty system of evaluation which does not factor in the risks arising out of Cyber Crimes. The awards and certifications presently being used to determine the excellence in operations have completely lost credibility.
The author has been advocating that “There is No Quality without Security” and “No BCP” without a “Cyber Law Compliance Programme”. He has suggested an Information Security Framework called IISF 309 to strengthen the Information Security System in a Company.
The focus of the IISF 309 is securing the Company from the “Techno Legal Perspective” so that in the event of any loss, the company can recover the loss through appropriate legal measures. This ability to provide a “Defensive Legal Shield” (DLS) and an Offensive Legal Sword (OLS) is the need of the hour to extend the current technical approach to Information Security ending with a DRP and BCP objective.
Naavi has also floated some initial thoughts on measuring the Information Security preparedness of an organization through the IS-CMM system based on the “Theory of IS Motivation”.
This Theory of IS Motivation takes into account the fact that “No Information Security Programme is successful unless it takes into account the need to incorporate the “Behavioural Science aspects” in the implementation mechanism”.
The current incident highlights the deficiencies in the traditional approach to Information Security currently practiced by most Companies and underscores a need for a change in the approach.
Naavi
4 users commented in " Negligence at WIPRO Leads to Fraud loss "
This is a good article highlighting the negligence in a reputed company. The CFO should take responsibility for this. Stating that only one person was involved is no excuse – in fact frauds from collusion are more difficult to detect.
I agree
Where there is human intervention and money there is always scope for greed. It is the internal processes that are to be strong. Embezzlement / fraud are common occurrences even at large organisations. GE / Tyco / Enron / WorldCom are all examples. While many have vanished, many have become stronger by implementing better processes / controls. People and organisations learn from mistakes. It is the ability and inclination to learn and improve that is important, and organisations such as GE / Tyco have shown this, and Wipro is no different. You never expected ISRO to be successful on its very first rocket launch, right? They learnt from mistakes and today they are a force to reckon with in the international space race.
Before getting on to one conclusion, introspection is required for any organization if this kind of incident is happening. No org in this world is perfect in all senses to business. The improvement or foolproofness will come along with time and facts rather than a fault-finding mission. Hence, we need not compare Wipro with other financial scandals mentioned in previous comments. The only fact needed in these situations is: self-commitment from the top management of an org.