Recent IT security breach reminds the Board of its responsibility to govern IT risks

Regular identification and control of IT risks would have significantly helped to prevent the recent security breach at the Post Bank that took place between 1 and 3 January 2012.

March 6, 2012

News release from Grant Thornton

That’s the view of Michiel Jonker, senior manager, IT Advisory at Grant Thornton Johannesburg.

“What’s more concerning,” says Jonker, “is that the breach not only resulted in financial losses for the business, but it also caused negative publicity.”

The Post Bank security breach was allegedly caused by a lack of proper IT controls, which directly resulted in an estimated R42 million being stolen in just three days.

Jonker emphasises that the King III Corporate Governance report clearly outlines that it is the Board of Directors’ responsibility to govern all business risks, including IT risks, as well as all vital technology investments, for publicly listed organisations as well as government institutions.

There is no doubt that the explosive use of information systems has resulted in higher effectiveness and efficiency in organisations, especially in recent decades. But Jonker stresses that it is possible for organisations to implement cost-effective IT and manual controls and solutions in order to minimise the potential negative impact of IT threats.

Jonker cites the benefits and power that medical scheme administrators have gained through electronic data interchange (EDI) for claim submissions as an example of how automated information systems directly improve business operations and opportunities.

“Large South African medical schemes today are able to process the majority of their claims electronically – without any human involvement,” says Jonker. “Faster processing, improved accuracy in claim assessments and a streamlined staff component are some of the benefits experienced by these institutions.”

“With the implementation of automated and manual controls, Post Bank officials would have been able to prevent and detect the occurrence of identified risks and reduce the impact of these risks through various correction procedures before they occur,” says Jonker.

Many incidents can be prevented by controls that address normal day-to-day issues and risks. Simple controls such as preventing password sharing among users, managing user accounts soundly so that dormant accounts are disabled in a timely manner, actively promoting security awareness among employees and regularly implementing important policies, procedures and standards would have added significant security to the information systems.

“It is a well-known fact that many security exploits on the Internet and within company networks could have been prevented in the past but that it was as a result of neglecting to update basic operating and application security systems as well as the timeous implementation of available patches, that these security incidents did occur – many times with devastating results,” Jonker concludes.