In Dante’s Inferno, the 14th-century poet-cum-philosopher wrote about the nine circles of hell. Shaped like a funnel, each circle extends to the centre of the Earth. The ninth circle is the one that closely encircles Lucifer. In the eighth circle are the fraudsters.
And that’s where today’s IT felons would also be heading if speakers at a Toronto seminar on IT fraud had their way. The seminar – titled “IT fraud and the finance function: What CFOs need to know” – was held yesterday in Toronto.
“[Those who commit] fraud are worse than murderers (who are in the seventh circle),” said Tony Dimmick, a professor at Queen’s University’s school of business in Kingston, Ont., about Dante’s circle of hell.
Dimmick defined IT fraud as the malicious use of IT to cause financial loss or damage to an organization.
He said 10 per cent of North American organizations suffer serious IT fraud each year, and this costs them hundreds of billions of dollars.
He added that the publicity around high-profile fraud damages both personal and corporate reputations and can take up to 13 per cent off the market value of a publicly traded company. It also features among the top 10 CFO concerns.
However, John Weigelt, national technology officer at Microsoft Canada, said CFOs often don’t see eye-to-eye with CIOs when it comes to the role of IT in security.
He said engaging business leaders remains a challenge, as they often view IT fraud as purely an IT systems issue. “How do you invest in preventing something bad from happening, and how do you invest when something bad happens? You can calculate the time it takes to restore a system and do updates, but what about customer perception of the business? That is difficult to quantify and without concrete numbers it becomes difficult to [get the CFO on board].”
Weigelt added that security practitioners have shifted away from responding to viruses and worms, with almost two-thirds focusing on compliance activities to meet security needs. Compliance matters more to CFOs, as they are now often personally accountable for it.
Compliance helps companies meet regulations like Sarbanes-Oxley in the United States, and PIPEDA here in Canada.
With privacy, security and compliance playing an active role in the fight against fraud, Weigelt said there is now a move towards data governance, which allows a holistic view of an organization, from a cultural and technology perspective.
It also offers a holistic view of a company’s data to help with monitoring, management and protection against IT fraud.
Dimmick echoed these views and added that establishing policies on data governance can help combat IT fraud. Dimmick said senior management must follow these policies to serve as a role model for others in the company.
One way to protect data is to leverage existing investments in technologies a company already has – such as information rights management applications that determine who has access to what, and identity manager applications that delete users who have left the company.
Partnerships, Weigelt stressed, are key to any organization’s struggle against IT fraud.
“CFOs don’t need to feel isolated within the organization in fighting fraud. They need to look to all disciplines in an organization like IT and legal to solve these fraud problems,” he said.