If one visits www.wipro.com, one finds that the Indian tech major WIPRO proudly displays its award for “Enabling Business Transformation Excellence”. But today the Company is deeply embarrassed by the discovery that an employee had been bleeding it for the last three years and had embezzled around US $ 4 million simply by transferring money from the Company's bank account to his personal account.

Though a sum of US $ 2 million appears to have been recovered, and the Company is sound enough to absorb the remaining loss, the incident raises several questions about the soundness of the Information Security systems at WIPRO.

It is time that other companies immediately review their own systems to ensure that similar problems are not occurring in their organizations as well.

There is an indication that WIPRO was negligent in protecting the information assets of the Company because it was not compliant with ITA 2008 (the Information Technology Act 2000 as amended in 2008).

It is also evident that, as a listed company bound by the SEBI Clause 49 declaration, the CEO and CFO had provided a false certification to the shareholders that “there was compliance with all regulatory requirements” and that “there were adequate internal controls”. The audit committee and the independent directors also need to introspect and ask whether they have been diligent.

The Company’s HR policies and its Security Incident Management system also need to be reviewed, in particular to explain how the perpetrator of such a crime could merely be “suspended”, with no police complaint being lodged for what is a cognizable offence.

It is also necessary to fix the responsibility of the statutory auditors, B S R and Company, who audited the finances of the Company during this period.

It is clear that the large amount was transferred on instructions issued through electronic documents which were (presumably) not backed by Digital Signatures. The case reveals the extent of loss that companies and banks may sustain if they continue to ignore the need to adopt the secure means of authentication recommended by ITA 2008.
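The following is an added illustration, not code from the original post or from any of the companies named, of what “backing an electronic payment instruction with a digital signature” means in practice, and it goes one step beyond the text: because a single authorised insider can still sign a transfer to his own account, the verifier enforces a two-person (maker/checker) rule and refuses instructions that carry only one signature, the same key twice, or a body altered after signing. The instruction format, field names, account identifiers and the use of Ed25519 are all assumptions made for the example; it demonstrates the authentication and non-repudiation mechanism only and makes no claim about which signature technologies satisfy ITA 2008.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// TransferInstruction is a constructed stand-in for the electronic document
// that tells the bank to move funds. Field names are assumptions for this example.
type TransferInstruction struct {
	FromAccount string `json:"from"`
	ToAccount   string `json:"to"`
	AmountUSD   int64  `json:"amount_usd"`
	Reference   string `json:"ref"` // unique per instruction, so a captured one cannot be replayed
}

// Approval is one officer's signature over the canonical instruction bytes.
type Approval struct {
	Signer    string // identifier of the signing key, e.g. "maker" or "checker"
	Signature []byte
}

// canonical returns a deterministic encoding of the instruction. encoding/json
// emits struct fields in declaration order, so signer and verifier sign/verify
// exactly the same bytes.
func canonical(t TransferInstruction) ([]byte, error) {
	return json.Marshal(t)
}

// Sign produces one officer's approval of the instruction.
func Sign(id string, priv ed25519.PrivateKey, t TransferInstruction) (Approval, error) {
	msg, err := canonical(t)
	if err != nil {
		return Approval{}, err
	}
	return Approval{Signer: id, Signature: ed25519.Sign(priv, msg)}, nil
}

// Verify enforces a two-person rule: the instruction is accepted only if it
// carries valid signatures from at least `required` distinct authorised keys.
// Any unknown signer or invalid signature rejects the whole instruction.
func Verify(authorised map[string]ed25519.PublicKey, required int, t TransferInstruction, approvals []Approval) error {
	msg, err := canonical(t)
	if err != nil {
		return err
	}
	seen := map[string]bool{}
	for _, a := range approvals {
		pub, ok := authorised[a.Signer]
		if !ok {
			return fmt.Errorf("unknown signer %q", a.Signer)
		}
		if !ed25519.Verify(pub, msg, a.Signature) {
			return fmt.Errorf("invalid signature from %q", a.Signer)
		}
		seen[a.Signer] = true // the same key counts once, however often it is submitted
	}
	if len(seen) < required {
		return fmt.Errorf("%d distinct approvals required, got %d", required, len(seen))
	}
	return nil
}

// DemoResult records whether each constructed scenario was accepted.
type DemoResult struct {
	DualApproved bool // maker + checker: accepted
	SingleSigner bool // maker alone: rejected
	SameKeyTwice bool // maker's signature submitted twice: rejected
	TamperedDest bool // destination account changed after signing: rejected
}

// Demo generates fresh keys for a maker and a checker, signs a constructed
// instruction and runs it through the four scenarios above.
func Demo() (DemoResult, error) {
	makerPub, makerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return DemoResult{}, err
	}
	checkerPub, checkerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return DemoResult{}, err
	}
	authorised := map[string]ed25519.PublicKey{"maker": makerPub, "checker": checkerPub}

	// Constructed sample instruction; the identifiers are not real accounts.
	instr := TransferInstruction{FromAccount: "OPS-0001", ToAccount: "VENDOR-4711", AmountUSD: 25000, Reference: "INV-0042"}
	m, err := Sign("maker", makerPriv, instr)
	if err != nil {
		return DemoResult{}, err
	}
	c, err := Sign("checker", checkerPriv, instr)
	if err != nil {
		return DemoResult{}, err
	}

	// An insider redirecting the signed instruction to a personal account.
	tampered := instr
	tampered.ToAccount = "PERSONAL-9999"

	return DemoResult{
		DualApproved: Verify(authorised, 2, instr, []Approval{m, c}) == nil,
		SingleSigner: Verify(authorised, 2, instr, []Approval{m}) == nil,
		SameKeyTwice: Verify(authorised, 2, instr, []Approval{m, m}) == nil,
		TamperedDest: Verify(authorised, 2, tampered, []Approval{m, c}) == nil,
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Running the block prints a result in which only DualApproved is true. The point for a practitioner is that the signature by itself only proves who issued the instruction and that it was not altered afterwards, which is what gives the company evidence to pursue recovery; it is the distinct-signer count that stops one officer from authorising his own transfers.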

It was perhaps not a coincidence that Satyam Computer Services, whose internal fraud of US $ 1.8 billion made news last year, had also received a “Golden Peacock Award” for Excellence in Corporate Governance shortly before the fraud came to light.

These two incidents clearly indicate that the IT industry has a faulty system of evaluation which does not factor in the risks arising out of cyber crimes. The awards and certifications presently used to determine excellence in operations have completely lost credibility.

The author has been advocating that “There is no Quality without Security” and “There is no BCP without a Cyber Law Compliance Programme”. He has suggested an Information Security Framework called IISF 309 to strengthen the Information Security System in a Company.

The focus of IISF 309 is securing the Company from the “Techno-Legal Perspective”, so that in the event of any loss the Company can recover it through appropriate legal measures. This ability to provide a “Defensive Legal Shield” (DLS) and an “Offensive Legal Sword” (OLS) is the need of the hour, extending the current technical approach to Information Security, which ends with a DRP (Disaster Recovery Plan) and BCP (Business Continuity Plan) objective.

Naavi has also floated some initial thoughts on measuring the Information Security preparedness of an organization through the IS-CMM system based on the “Theory of IS Motivation”.

This Theory of IS Motivation takes into account the fact that “No Information Security Programme is successful unless it takes into account the need to incorporate the Behavioural Science aspects in the implementation mechanism.”

The current incident highlights the deficiencies in the traditional approach to Information Security currently practiced by most Companies and underscores a need for a change in the approach.

Naavi
