It is so disappointing that many CEOs do not recognize cybercrime and fraud as the top risks to their business’s going concern.
All their discussion about risk management is narrow and focused on generalist areas like "reputation", "credit", "liquidity" and "operational" risks, without specifically identifying fraud as a major risk. As a result, no specific strategies are established within the company to address fraud risks.
Many companies in Uganda have delegated the role of fraud risk management to the Internal Audit department. Many executives know that Internal Audit departments lack the skills, tools and competence to handle most IT-related fraud schemes. The reality is that fraud is a big cost to the business, but decision makers don't want to recognize it as such.
Some executives will shamelessly say "we have not had any fraud incident in the last one year." They don't know that failure to identify a fraud incident could imply that fraudsters within the organization are too smart for their security or internal audit department to notice.
The fact is that in any organization there are staff who will act dishonestly. They will steal as long as there is motive, rationalization and opportunity. Of the three, opportunity is the one the company can most easily reduce. Yet in the current work environment, where critical processes are automated and those critical systems depend on a few IT technicians and outside single-source vendors, the opportunity in terms of back doors is always high.
Most IT guys know that internal and even external auditors lack the skills and capacity to independently evaluate IT controls and systems to ascertain the existence of fraud.
It is common for auditors to ask the head of IT or the network admin to "print for me the audit log", oblivious of the fact that it is too easy to edit the audit log in any system and show only transactions that can be explained. That is how big the IT security risks are to the business.
In the attached presentation by Mustapha B Mugisa to the ISACA Uganda members, find the common cyber security threats to Ugandan businesses and what needs to be done.
Every day you open your computer and connect it to the Internet, you expose yourself to risks of hacking, viruses and a plethora of risks like spam mails. Some of these are inevitable and not even the overzealous firewalls and filtering can stop spam mails. They will always come through. The risk with spam emails is that they consume your mail storage space or eat up your time as you attempt to delete them. That is lost productivity and it is expensive to the business.
One of the big challenges is poor email address nomenclature that tends to be predictable.
For example, at a company like Stanchart, all one may need to know is the email address of one of the staff and the full names of other employees of the company. You can get a correct email address at the company by searching Google for the names of the CEO, HR or PRO officers. These people will probably have published their correct contact details in a press release or job advert.
Once one gets a sample correct email address, say, firstname.lastname@example.org, they need to know the names of all other staff. You can easily find the names of the target company's staff by searching Google.com or LinkedIn. Because of the predictable email address nomenclature, it becomes easier for one to predict the email addresses of other employees by following the order of the sample email.
Once this is accomplished, the fraudster can put the mailing list up for sale to other companies that do online cold email marketing, or to criminals that sell advertising services whereby they send spam emails to your inbox. If you are unlucky, the emails might contain a virus that will bring pop-up ads on your screen.
That is one way cybercrime takes place.
It can be more complex, in ways that could cost you or your company a lot of money. Either way, cybercrime is a reality and nobody is safe.
No system is too secure. No one is safe.
You just need to recognize the problem and invest lots of resources to ensure that you are always an inch ahead of the fraudster. That is the new reality.
Do not miss my presentation below. Lots of insights for you.
Copyright Mustapha B Mugisa, 2018. All rights reserved.