On the matter of the Nigerian bank that recently lost 6 billion Naira to fraud
I must say that it is hard to read such news and not make some comment about it. To put this in perspective for readers who might not be familiar with the Nigerian currency, 6 billion Naira amounts to approximately 36 million dollars (at the time of this report).
Reading through the story, this is clearly not a case of external hacking over networks (MAC or IP attacks, or all the techy things like "velocity attacks" that we see in Hollywood movies); rather, it is simply insider fraud: fraud enabled by access risk, the result of unmonitored, unchecked and inconsistent authorizations that bank staff hold within their banking software system. In my opinion, for a Nigerian bank in this day and age to be left exposed to such fraud is quite horrendous. Think about the effect this has on investor confidence, shareholder value and customers as stakeholders.
Having said that, it is only becoming clearer that financial services firms need a programme that identifies, monitors and effectively controls both financial and, more importantly as this case has shown, non-financial risks across their operations, especially where user access is concerned. Normally, such a programme should be enterprise specific and should be automated through best-in-class software: an approach that aims to present a holistic view of the entire risk and compliance process at the fingertips of the Chief Risk Officer, enabling them to make the right decisions at the right time.
I remember having a conversation with the risk unit of a Nigerian bank, and all I could hear from the other side of the table was IP and MAC attacks over the network, penetration testing and so on, and I could only but say: Gentlemen! Greater lies the dangers within than without. Whilst all the external threats are important to note, it goes without saying that the concept of risk management in the real world has been biased by the screens of Hollywood into ignoring the insider threat.
And that was where we started our conversation about having an effective GRC framework. The good news about building such frameworks is that it is never too late to start. Some key points need to be noted though. Each framework is industry specific; hence the framework that was used for manufacturing would not suffice for financial services, although the underlying business principles are similar. It must be designed and built specifically for each industry. It should be flexible enough to react to ever-changing regulatory and business environments. It needs to enable the division of roles and responsibilities throughout the institution – front, middle and back office – and requires a very clear user experience that is specific to each of those roles and responsibilities.
For the bank that has just made a colossal loss, I empathize with the shareholders and other stakeholders. But I would say: it is not too late to begin that journey too. Talk to a Governance, Risk & Compliance consultancy firm that understands security from an authorization and identity management perspective, such as DeltaGRiC, today in order to save tomorrow!
And to answer the question: Yes, it could have been prevented or at worst, perhaps detected earlier.