Trust But Verify: Is Your IT Staff Stealing From You?
In the digital age, where competitive advantage often comes from strong technology, your IT infrastructure is more than ever one of the most critical components for growing and supporting your business. But how much do you really know about what it takes to run it, and whom have you entrusted to maintain it for you?
If you are not a technology company, it is likely, and wise, to leave information technology to the experts. It is still part of your business, though, so you need to manage it with the same rigor you apply to the rest of the business: understand the basics of how it should operate, what it costs to buy, and what it costs to run.
Just as there is financial fraud, there can be fraud in your IT environment too. Some common IT fraud risks to consider:
• Is your IT staff buying hardware or software and reselling it on auction sites?
• Is your IT staff buying hardware or software and returning it to the vendor for cash or credit?
• Does your controller know the difference between a Cisco ASA 5505 and a Cisco ASA 5585? (By the way, the difference could be over $180,000!)
• Have you recently purchased a large number of IT assets and thought to yourself, why do we need 25 MS CALs, and what does a CAL (a Microsoft Client Access License, which licenses one user or device to access a server) actually do?
• Is staff piggybacking on your technology resources for personal use? Are they buying an “extra” computer and taking it home?
IT fraud risks are not restricted to IT staff as the perpetrators; computer-savvy employees elsewhere in your company can be stealing your assets too:
• Running a personal or seedy website from within your network. You may not notice a website being hosted from inside your network; what you may notice is unexplained slowness, even as IT keeps buying more bandwidth.
• Using your Internet connection to host their own email or file-sharing server. Peer-to-peer file sharing still exists and, even though storage is cheaper than ever, it costs you money in bandwidth and disk, and if your network is the repository for illegally shared files, the legal exposure that comes with hosting them is yours as well.
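A server running quietly inside the network shows up in the perimeter firewall or flow logs as inbound connections from Internet addresses to an internal host on a server port. The script below is an added example, not part of the original article and not the output of any particular product: it parses a constructed, hypothetical log format (timestamp, action, proto, src, dst, bytes) and reports every internal host that accepted outside connections on a web, mail, FTP, SSH or BitTorrent port without being on an assumed allowlist of approved servers. The address ranges, the approved list and the sample lines are all assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical firewall/flow log format
# (not the output of any real product). Internal hosts are in 10.0.0.0/8;
# 203.0.113.0/24 and 198.51.100.0/24 stand in for Internet addresses.
SAMPLE_LOG = """\
2024-03-04T09:12:01 ACCEPT proto=TCP src=203.0.113.5:51234 dst=10.0.0.25:80 bytes=51200
2024-03-04T09:12:07 ACCEPT proto=TCP src=198.51.100.17:40001 dst=10.0.0.25:80 bytes=73000
2024-03-04T09:13:44 ACCEPT proto=TCP src=203.0.113.77:44010 dst=10.0.0.25:80 bytes=64000
2024-03-04T09:14:02 ACCEPT proto=TCP src=198.51.100.9:33012 dst=10.0.0.10:443 bytes=4096
2024-03-04T09:15:30 ACCEPT proto=TCP src=203.0.113.44:6881 dst=10.0.0.41:6881 bytes=1048576
2024-03-04T09:15:31 ACCEPT proto=TCP src=203.0.113.45:6881 dst=10.0.0.41:6881 bytes=2097152
2024-03-04T09:16:00 ACCEPT proto=TCP src=10.0.0.12:50000 dst=10.0.0.25:80 bytes=800
2024-03-04T09:17:12 DROP proto=TCP src=198.51.100.9:33090 dst=10.0.0.41:25 bytes=0
2024-03-04T09:17:12 ACCEPT proto=TCP src=198.51.100.9:33100 dst=10.0.0.41:25 bytes=2048
"""

# Assumed: the company's own address space (listed explicitly rather than using
# ipaddress.is_private, which also treats the documentation ranges above as
# private), and the only (host, port) pairs meant to accept Internet traffic.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APPROVED_SERVICES = {("10.0.0.10", 443)}   # the company web server

# Ports whose exposure suggests someone is running a server, not a workstation.
SERVICE_PORTS = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http", 443: "https",
                 **{p: "bittorrent" for p in range(6881, 6890)}}

LINE_RE = re.compile(
    r"(?P<ts>\S+) (?P<action>\S+) proto=(?P<proto>\S+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def parse_log(text):
    """Yield accepted connections as dicts; lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None or m["action"] != "ACCEPT":
            continue
        yield {
            "src": ipaddress.ip_address(m["src"]),
            "dst": ipaddress.ip_address(m["dst"]),
            "dport": int(m["dport"]),
            "bytes": int(m["bytes"]),
        }


def find_rogue_services(text, approved=APPROVED_SERVICES, service_ports=SERVICE_PORTS):
    """Return internal (host, port) pairs that accepted Internet traffic on a
    server port without being on the approved list, heaviest traffic first."""
    findings = defaultdict(lambda: {"sources": set(), "bytes": 0})
    for rec in parse_log(text):
        # Only inbound connections from outside to an internal host matter here.
        if not is_internal(rec["dst"]) or is_internal(rec["src"]):
            continue
        if rec["dport"] not in service_ports:
            continue
        key = (str(rec["dst"]), rec["dport"])
        if key in approved:
            continue
        findings[key]["sources"].add(str(rec["src"]))
        findings[key]["bytes"] += rec["bytes"]
    return [
        {"host": host, "port": port, "service": service_ports[port],
         "external_sources": len(f["sources"]), "bytes": f["bytes"]}
        for (host, port), f in sorted(findings.items(), key=lambda kv: -kv[1]["bytes"])
    ]


if __name__ == "__main__":
    for finding in find_rogue_services(SAMPLE_LOG):
        print(f'{finding["host"]}:{finding["port"]} ({finding["service"]}) '
              f'served {finding["external_sources"]} external source(s), {finding["bytes"]} bytes')
```

On the sample data the approved web server on 10.0.0.10 is ignored, the internal visitor to 10.0.0.25 is ignored, and three findings remain: a workstation serving BitTorrent to two outside peers, a workstation serving a website to three outside visitors, and a workstation accepting mail. The number of distinct external sources is the useful signal; one outside connection can be a scan, a dozen is an audience.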
Another critical area of fraud in your IT environment relates to the security of your information. Secure asset disposition protects data at rest through the end of its life cycle. You rely on your IT staff to remove obsolete hardware, but are you retaining “death certificates” (certificates of destruction) for the destroyed hard drives? Data remaining on those drives could include company confidential information or, worse, state- or federally-regulated personal information. Your IT staff may think they are helping the company by saving a few dollars by not destroying the drives, and who doesn’t need a little more disk space at home, but this practice can cause serious harm to your organization.
Finally, are you getting the service you pay for from your IT vendors?
• Businesses rely on the knowledge an outside vendor brings to the table. But unless you are educated and knowledgeable about IT, how do you know whether your vendor is charging you only for services it actually performed?
• Implementing, and fixing, the technology-related portions of your business often takes longer than expected. Company management expects software to perform correctly straight out of the box, but custom configuration is often needed to get the functionality you want. To achieve this you hire qualified IT professionals, and the hours quickly add up; are those hours realistic? Would you know how to verify an estimate?
To mitigate IT fraud risk there are many layers of controls. The first is to give your controller the training needed to accurately understand requests for IT purchases and to reconcile purchase orders against invoices. The next best control point for reducing IT asset fraud is to capture a reasonably accurate IT asset inventory, including serial numbers, at the time of purchase. After the purchase, audit your IT assets, both hardware and software. Annually, reconcile the list of devices actually in your environment against that inventory and the purchase orders behind it. Automated asset management products on the market can assist with this, or consider a manual review each year as part of your continuous IT monitoring program.
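The annual reconciliation described above is, at bottom, a comparison of two lists: what the purchase orders say was bought and what the walk-through or discovery scan actually found. The following is an added example, not code from the article or from any asset management product. It works on constructed purchase order and inventory records (the models are illustrative and the unit costs are placeholders, not vendor prices) and reports serial numbers that were paid for but cannot be found, devices on the floor that no purchase order accounts for, purchase orders where nobody recorded serials at receipt, and a per-model count with the replacement value of any shortfall.

```python
from collections import Counter, defaultdict

# Constructed records (not real data). A purchase order line carries the serial
# numbers recorded at receipt; an empty list means nobody wrote them down.
PURCHASE_ORDERS = [
    {"po": "PO-1041", "model": "Cisco ASA 5505", "qty": 1,
     "serials": ["JMX1234A1B2"], "unit_cost": 600.0},
    {"po": "PO-1042", "model": "Dell Latitude 5540", "qty": 4,
     "serials": ["DL5540-001", "DL5540-002", "DL5540-003", "DL5540-004"], "unit_cost": 1450.0},
    {"po": "PO-1043", "model": "Dell Latitude 5540", "qty": 2,
     "serials": [], "unit_cost": 1450.0},
]

# What the annual walk-through / discovery scan actually found in the building.
INVENTORY = [
    {"serial": "JMX1234A1B2", "model": "Cisco ASA 5505", "location": "server room"},
    {"serial": "DL5540-001", "model": "Dell Latitude 5540", "location": "finance"},
    {"serial": "DL5540-002", "model": "Dell Latitude 5540", "location": "finance"},
    {"serial": "DL5540-004", "model": "Dell Latitude 5540", "location": "sales"},
    {"serial": "DL5540-077", "model": "Dell Latitude 5540", "location": "IT closet"},
]


def reconcile(purchase_orders, inventory):
    """Compare what was paid for against what can be found."""
    purchased_serials = {}              # serial -> (po, model, unit_cost)
    purchased_qty = Counter()           # model -> units bought
    unit_cost = {}                      # model -> last unit cost seen
    unserialized_by_model = defaultdict(list)   # model -> POs lacking serials
    for po in purchase_orders:
        purchased_qty[po["model"]] += po["qty"]
        unit_cost[po["model"]] = po["unit_cost"]
        if len(po["serials"]) < po["qty"]:
            unserialized_by_model[po["model"]].append(po["po"])   # cannot be traced item by item
        for serial in po["serials"]:
            purchased_serials[serial] = (po["po"], po["model"], po["unit_cost"])

    found = {a["serial"]: a for a in inventory}
    found_qty = Counter(a["model"] for a in inventory)

    # Bought, serial recorded, but not found: resold, returned, or taken home?
    missing = [{"serial": s, "po": po, "model": m, "unit_cost": c}
               for s, (po, m, c) in sorted(purchased_serials.items())
               if s not in found]
    # Found, but no PO carries this serial. If a PO for the same model was
    # received without serials, the device may be from it; that is exactly the
    # ambiguity that recording serials at purchase removes.
    unaccounted = [{"serial": s, "model": a["model"], "location": a["location"],
                    "could_be_from": list(unserialized_by_model.get(a["model"], []))}
                   for s, a in sorted(found.items())
                   if s not in purchased_serials]

    model_summary = []
    for model in sorted(set(purchased_qty) | set(found_qty)):
        bought, seen = purchased_qty[model], found_qty[model]
        shortfall = max(bought - seen, 0)
        model_summary.append({"model": model, "purchased": bought, "found": seen,
                              "shortfall": shortfall,
                              "value_at_risk": shortfall * unit_cost.get(model, 0.0)})

    return {"missing_serials": missing,
            "unaccounted_serials": unaccounted,
            "unserialized_pos": sorted(po for pos in unserialized_by_model.values() for po in pos),
            "model_summary": model_summary}


if __name__ == "__main__":
    report = reconcile(PURCHASE_ORDERS, INVENTORY)
    for item in report["missing_serials"]:
        print(f'MISSING   {item["serial"]} ({item["model"]}, {item["po"]}, ${item["unit_cost"]:.2f})')
    for item in report["unaccounted_serials"]:
        print(f'NO PO     {item["serial"]} ({item["model"]}) at {item["location"]}; '
              f'possibly from {item["could_be_from"] or "nowhere on file"}')
    for row in report["model_summary"]:
        print(f'{row["model"]}: bought {row["purchased"]}, found {row["found"]}, '
              f'shortfall {row["shortfall"]}, value at risk ${row["value_at_risk"]:.2f}')
```

On the sample data one serialized laptop from PO-1042 is gone, one laptop in the IT closet matches no purchase order, and the Dell count comes up two short for $2,900 of value at risk. Note that the unaccounted laptop might be one of the two from PO-1043, whose serials were never recorded; with serials captured at purchase, the controller could say for certain, which is why the inventory should be taken when the boxes are opened, not a year later.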
Information Technology is a business enabler, don’t let IT fraud diminish its value, or your bottom line.
As always, if you have any questions about IT Fraud risk, or IT security in general, feel free to contact us at 617-471-1120, or firstname.lastname@example.org.