Last week’s Institute of Internal Auditors (IIA) cyber fraud webinar was a great reminder that the basic IT controls we learned years ago are still worth following. Sales reps may promise that their product is the “silver bullet” for preventing cyber fraud, but those apps don’t replace good old-fashioned IT controls and training.
Fraud has existed for a long, long time. Technology gives criminals new opportunities to perpetrate bigger frauds more quickly than ever before. Many data breaches occur because basic IT controls are neglected, leaving systems vulnerable to hacks and malware. Purchasing advanced solutions doesn’t replace basic IT controls.
Four basic IT controls that reduce cyber fraud are:
- Update and Patch Management
Skipping system updates and patches creates vulnerabilities, such as those that were exploited by hackers in some recent cyber fraud events (e.g., Equifax and Home Depot). Excuses for skipping updates and patches include lack of time and concern about impacts on other systems. Updates and patches are crucial — they protect systems with up-to-date security processes.
System logs and periodic monitoring should be established to detect operating activities or conditions that should not occur. Anomalies, such as after-hours transaction volume spikes and data transmitted to an unauthorized IP address, should be monitored and acted on. Automated alerts and error reports require follow-up and action to be effective.
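The two anomalies named above, after-hours transaction volume spikes and data transmitted to an unauthorized IP address, can be checked with a short script. This is an added example, not part of the webinar or the original post; the log format, business hours, spike threshold and destination allowlist are assumptions, and the sample log lines are constructed.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Assumed policy values; tune them to the organization's own baseline.
BUSINESS_HOURS = range(7, 19)          # 07:00-18:59 local time
AFTER_HOURS_TXN_LIMIT = 3              # max transactions per after-hours hour
ALLOWED_DESTINATIONS = [ipaddress.ip_network(n) for n in
                        ("10.0.0.0/8", "198.51.100.0/24")]

# Constructed sample log lines (documentation address ranges only).
SAMPLE_LOG = """\
2024-03-04T10:15:02 txn user=alice amount=120.00
2024-03-04T14:40:11 txn user=bob amount=75.50
2024-03-05T02:01:10 txn user=svc_batch amount=990.00
2024-03-05T02:03:44 txn user=svc_batch amount=985.00
2024-03-05T02:07:19 txn user=svc_batch amount=992.00
2024-03-05T02:11:53 txn user=svc_batch amount=989.00
2024-03-05T02:30:00 net src=10.0.0.5 dst=203.0.113.50 bytes=52428800
2024-03-05T09:00:00 net src=10.0.0.5 dst=198.51.100.20 bytes=2048
2024-03-05T09:05:00 net src=10.0.0.7 dst=not-an-ip bytes=10
"""

def parse(line):
    """Split 'timestamp kind key=value ...' into (datetime, kind, fields)."""
    ts, kind, *pairs = line.split()
    return datetime.fromisoformat(ts), kind, dict(p.split("=", 1) for p in pairs)

def detect(log_text):
    """Return (rule, detail) alerts for the two anomalies described above."""
    alerts, after_hours = [], Counter()
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ts, kind, f = parse(line)
        if kind == "txn" and ts.hour not in BUSINESS_HOURS:
            after_hours[ts.strftime("%Y-%m-%d %H:00")] += 1
        elif kind == "net":
            try:
                dst = ipaddress.ip_address(f["dst"])
                ok = any(dst in net for net in ALLOWED_DESTINATIONS)
            except (KeyError, ValueError):
                ok = False             # missing or unparseable destination: alert
            if not ok:
                alerts.append(("unauthorized_destination",
                               f"{ts.isoformat()} dst={f.get('dst')}"))
    for hour, count in sorted(after_hours.items()):
        if count > AFTER_HOURS_TXN_LIMIT:
            alerts.append(("after_hours_spike", f"{hour} count={count}"))
    return alerts
```

Calling `detect(SAMPLE_LOG)` returns three alerts; each one still needs an owner and a follow-up action, since an alert nobody reviews detects nothing.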
- Password Management
Passwords are the key to the front door of an organization’s systems. Sharing passwords and keeping factory-issued passwords are like hanging the keys on the door knob. One example is when a system administrator fails to change the manufacturer’s default password, leaving the door to that system wide open to unauthorized access.
- Fraud Risk Training
Traditional methods, like training and documentation, make people aware of cyber threats and vulnerabilities. Real-life examples of the risks and costs of a data breach, and of the techniques hackers use to manipulate people and data, help workers recognize risks and learn how to avoid them.
Even after investing in silver bullet applications, organizations can still fall victim to cyber fraud due to a breakdown in basic IT controls. Following these four basic IT controls helps organizations reduce their vulnerability to expensive cyber fraud.