Lax IT security controls let the fraudsters in

Information technology aids fraudsters, but IT professionals also assist criminals through poor security practices, according to a computer forensics survey.

Weak internal controls or overriding those controls resulted in more than 72 per cent of all computer-based fraud, a KPMG Forensic survey of 2000 companies revealed.

Speaking at a fraud prevention seminar in Sydney, Detective Inspector Colin Dyson, from NSW Police, pointed the finger at information technology, saying incidents of fraud are on the increase due to the rise of electronic global trading.

E-fraud cost Australian businesses $273 million in the two years to September 2001, the survey showed. While internal management practices accounted for 67 per cent of value lost in fraud cases, they accounted for 28 per cent of the fraudulent incidents committed by internal staff, the report said.

Dean Newlan, director of forensic accounting at KPMG, said the survey revealed effective internal control is crucial to fraud prevention, and it is middle management that enforces these measures.

Dyson said enterprises must be diligent in preserving evidence or risk jeopardising an investigation, saying also that IT had altered investigative practices.

"Traditionally investigations have been paper-based, and investigators have had a paper trail to lock the offender away. The quality of the investigation and the prosecution are reliant on evidence and, increasingly, we are losing that paper and [now] have electronic trails," Dyson said.

"If organisations don't have sufficient technology to track and record data as evidence, we can't make [a case]," said Dyson.

Dyson told Computerworld that, although organisations are generally getting more savvy at preserving the chain of electronic evidence, they "still have some way to go".

Preserving data logs is particularly important, he said. "Large ISPs, for instance, may preserve logs for two weeks or only seven days."

Identity fraud, the practice of creating fictitious identities or stealing someone else's identity to obtain credit cards or other financial products, underpins most of the incidents that happen today, Dyson said.

Senator Amanda Vanstone, Minister for the Department of Family and Community Services, who also spoke at the seminar, said Centrelink, which cannot afford fraud, is a "big spender" on technology measures to stem it.

Unable to name an exact cost in dollars, Vanstone said the Government agency spends in the order of "hundreds of millions of dollars on hardware and software from a diverse range of suppliers" in its armoury against fraud.

Vanstone said Centrelink, which doles out $52 billion in payments annually and holds 14 million client records that must be maintained accurately and kept up to date, identified 144 incidents of identity fraud in the past year alone.

KPMG's Newlan cited more findings from the 2002 Fraud Survey, including:

* Fraud committed by external parties had leapt from 20 per cent of cases in 1999 to 41 per cent of cases in 2001.

* More than half these incidents involved credit card fraud, and accounted for 28 per cent of the total value fraudulently obtained from companies.

* $1.4 million is the average loss for organisations experiencing fraud.

* In more than one third of reported cases of major fraud, early warning signs are either ignored or not acted upon quickly enough.

* Most organisations have no intention of implementing a training system for staff in how to prevent and detect fraud.

What's your take on IT management's role in fraud prevention? E-mail to siobhan_chapman@idg.com.au.
