Let's Build a Responsible Cyber Society



Hacking at WIPRO

Indian Tech Major WIPRO, which proudly announces its efforts towards "Enabling Business Transformation Excellence", found itself embarrassed by a total failure of its internal controls that led to the embezzlement of US $ 4 million by one of its own employees.

According to the reports available, an employee in WIPRO's finance division is reported to have embezzled US $ 4 million by stealing a password and using it to transfer money belonging to the Company. The fraud ran for three years without being detected.

Though a sum of US $ 2 million appears to have been recovered, and the Company is sound enough to absorb the remaining loss, the incident throws up several questions about the soundness of the Information Security systems at WIPRO. There is an indication that the systems were inadequate and that the Company was negligent in protecting its information assets. There is also an indication that the Bank which allowed the transfers was negligent in handling its authentication systems: a single stolen password was sufficient to move funds for three years.

It is also evident that, as a listed company bound by the SEBI Clause 49 declaration, WIPRO's CFO and CEO had provided a false certification to the shareholders that "There was compliance of all regulatory requirements" and that "There was adequate internal controls". The audit committee and the independent directors also need to introspect and ask whether they have been diligent.

The Company's HR policies and its Security Incident Management system also need to be reviewed, to understand how the perpetrator of such a crime could merely be "suspended" with no police complaint being lodged for what is a cognizable offence.

It is also necessary to fix responsibility on the statutory auditors, B S R and Company, who audited the finances of the Company during this period.

It appears that the large amount was transferred on the strength of electronic instructions which were (presumably) not backed by Digital Signatures. A password is a shared secret: whoever steals it can issue instructions indistinguishable from the genuine user's. A digital signature binds each instruction to the signer's private key and to the exact content signed, so a stolen login alone would not suffice to move funds, and every transfer would carry a verifiable record of who authorised it. The case reveals the extent of loss companies and banks may sustain if they continue to ignore the need to adopt the secure means of authentication recommended by ITA 2008.

It was perhaps not a coincidence that Satyam Computer Services, whose internal fraud of US $ 1.8 billion made news last year, had also been a recipient of a "Golden Peacock Award" for Excellence in Corporate Governance a little before that fraud came to light.

These two incidents clearly indicate that the IT industry has a faulty system of evaluation which does not factor in the risks arising out of Cyber Crimes. The awards and certifications presently used to determine excellence in operations have lost their credibility.

Naavi.org has been advocating that "There is No Quality without Security" and that there is "No BCP (Business Continuity Plan) without a Cyber Law Compliance Programme". The IISF 309 is an Information Security Framework suggested by Naavi to strengthen the Information Security System in a Company.

The focus of the IISF 309 is securing the Company from the "Techno Legal Perspective", so that in the event of any loss the company can recover it through appropriate legal measures. This ability to provide a "Defensive Legal Shield" (DLS) and an "Offensive Legal Sword" (OLS) is the need of the hour, extending the current technical approach to Information Security, which stops at the objectives of a DRP (Disaster Recovery Plan) and a BCP.

Naavi has also floated some initial thoughts on measuring the Information Security preparedness of an organization through the IS-CMM system based on the "Theory of IS Motivation".

This Theory of IS Motivation rests on the premise that no Information Security Programme is successful unless its implementation mechanism takes into account the "Behavioural Science aspects" of the people who operate it.

The current incident highlights the deficiencies in the traditional approach to Information Security as practised by most Companies today, and underscores the need for a change in approach.



February 18, 2010

Related Articles:

Report in ET

Report in moneycontrol.com

Wipro Fraud by an Employee leaves IT Major Red Faced after Satyam Debacle

Post fraud, Wipro reshuffles finance dept


Comments are Welcome at naavi@vsnl.com