Increase the difficulty of committing fraud
One way to deter fraud is to design a system with sufficient controls to make fraud difficult to perpetrate. These controls help ensure the accuracy, integrity and safety of system resources.
i) Develop a Strong System of Internal Controls: The overall responsibility for a secure and adequately controlled system lies with top management. Managers typically delegate the design of adequate control systems to systems analysts, designers, and end users. The corporate information security officer and the operations staff are typically responsible for ensuring that control procedures are followed.
It is especially important to make sure that internal controls are in place during the end-of-the-year holiday season. Research shows that a disproportionate amount of computer fraud and security break-ins takes place during the holidays.
ii) Segregate Duties: There must be an adequate segregation of duties to prevent individuals from stealing assets and covering up their tracks.
iii) Require Vacations and Rotate Duties: Many fraud schemes, such as lapping and kiting, require the ongoing attention of the perpetrator. If mandatory vacations are coupled with a temporary rotation of duties, such ongoing fraud schemes fall apart, because the perpetrator is no longer in a position to keep them going.
iv) Restrict Access to Computer Equipment and Data Files: Computer fraud can be reduced significantly if access to computer equipment and data files is restricted. Physical access to computer equipment should be restricted, and legitimate users should be authenticated before they are allowed to use the system. Unfortunately, companies often fail to delete or change ID codes and passwords when employees leave or are transferred to another department, so former and transferred employees keep working credentials long after they need them.
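As an added illustration of points ii) and iv), not part of the original text: the Go program below performs the kind of periodic access review that catches both problems. It reconciles every enabled account against the HR roster (owners who are unknown, terminated, or transferred to a department that should not hold the role) and checks each account's roles against a segregation-of-duties matrix. The account fields, role names, department codes, conflict pairs and sample data are all assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Account is one row of the application or directory user export; the
// field names are assumptions made for this example.
type Account struct {
	ID      string   // login name
	Owner   string   // employee number the account belongs to
	Enabled bool
	Roles   []string // application roles or group memberships
}

// Employee is one row of the HR roster.
type Employee struct {
	ID         string
	Department string
	Active     bool // false once HR has recorded a termination
}

// Finding is one exception for the reviewer; Kind is "orphan",
// "terminated", "transfer" or "sod".
type Finding struct{ Account, Kind, Detail string }

// Illustrative control data: role pairs one person must never hold together,
// and the department that should hold each role. The real matrix comes from
// the process owners.
var sodConflicts = [][2]string{{"vendor-create", "payment-approve"}, {"journal-post", "journal-approve"}}
var roleOwner = map[string]string{
	"vendor-create": "AP", "payment-approve": "AP",
	"journal-post": "GL", "journal-approve": "GL",
}

// ReviewAccess reconciles every enabled account against the HR roster and the
// segregation-of-duties matrix, returning the exceptions sorted by account.
func ReviewAccess(accounts []Account, roster []Employee) []Finding {
	byID := make(map[string]Employee, len(roster))
	for _, e := range roster {
		byID[e.ID] = e
	}
	var findings []Finding
	add := func(a Account, kind, detail string) {
		findings = append(findings, Finding{a.ID, kind, detail})
	}
	for _, a := range accounts {
		if !a.Enabled {
			continue // already disabled: nothing left to revoke
		}
		emp, known := byID[a.Owner]
		switch {
		case !known:
			add(a, "orphan", "owner "+a.Owner+" is not in the HR roster")
		case !emp.Active:
			add(a, "terminated", "owner "+a.Owner+" has left but the account is still enabled")
		}
		held := make(map[string]bool, len(a.Roles))
		for _, r := range a.Roles {
			held[r] = true
			// A transferred employee keeps roles that belong to the old department.
			if dept, ok := roleOwner[r]; ok && known && emp.Active && dept != emp.Department {
				add(a, "transfer", "role "+r+" belongs to "+dept+" but owner is now in "+emp.Department)
			}
		}
		for _, pair := range sodConflicts {
			if held[pair[0]] && held[pair[1]] {
				add(a, "sod", fmt.Sprintf("holds both %s and %s", pair[0], pair[1]))
			}
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Account < findings[j].Account })
	return findings
}

// SampleAccounts and SampleRoster are constructed data, not a real export.
func SampleAccounts() []Account {
	return []Account{
		{"jsmith", "E100", true, []string{"vendor-create", "payment-approve"}},
		{"adoe", "E200", true, []string{"journal-post"}},
		{"bkim", "E300", true, []string{"vendor-create"}},
		{"contractor7", "E999", true, []string{"journal-post"}},
		{"old-temp", "E400", false, []string{"journal-approve"}},
	}
}

func SampleRoster() []Employee {
	return []Employee{{"E100", "AP", true}, {"E200", "GL", false}, {"E300", "GL", true}, {"E400", "AP", false}}
}

func main() {
	for _, f := range ReviewAccess(SampleAccounts(), SampleRoster()) {
		fmt.Printf("%-12s %-10s %s\n", f.Account, f.Kind, f.Detail)
	}
}
```

On the constructed data the review reports four exceptions: jsmith can both create a vendor and approve its payment, adoe's owner has been terminated, bkim has moved to GL but still holds an AP role, and contractor7 belongs to nobody in HR. Feeding it a real export means mapping your directory and HR fields onto the two structs; the logic itself does not change.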
v) Encrypt Data and Programs: Another way to protect data is to encrypt it, that is, to translate it into a secret code that is meaningless to anyone who does not hold the key needed to decipher it.
vi) Protect Telephone Lines: Computer hackers (called phreakers when they attack telephone systems) use telephone lines to transmit viruses and to access, steal, and destroy data.
One effective method to protect telephone lines is to attach an electronic lock and key to them.
When a new system is installed, never keep the default passwords, as they are all published on the internet. On established systems, change passwords frequently.
vii) Protect the System from Viruses: There are hundreds of thousands of virus attacks every year, and an estimated 90% of the PCs that suffer a virus attack are re-infected within 30 days by the same virus or some other virus. A system can nevertheless be protected from viruses.
Fortunately, some very good virus protection programs are available. Virus protection programs are designed to remain in computer memory and watch for viruses trying to infiltrate the system. The intrusion is usually detected when there is an unauthorized attempt to access an executable program. When an infection attempt is detected, the software freezes the system and flashes a message to the user, who can then instruct the program to remove the virus. A virus detection program, which spots an infection soon after it starts, is more reliable than a virus protection program. Virus identification programs scan all executable programs to find and remove all known viruses from the system. They work by scanning the system for specific characteristics (signatures) of known virus strains, which means that a new or modified strain for which no signature exists yet will not be recognised.
Make sure that the latest versions of the anti-virus programs, and the latest virus signatures, are used.
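As an added example of how a virus identification program works, not taken from the original text: the Go program below scans program files for the byte patterns of known strains. The first signature is the real EICAR test string, which every scanner is expected to recognise; the second signature, the sample files and their names are constructed for the example and correspond to nothing real. It also shows the main limitation of signature scanning: a strain altered by a single byte no longer matches, which is why signatures must be kept current.

```go
package main

import (
	"bytes"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// Signature is one entry in the known-strain database: a name and the byte
// pattern that identifies the strain.
type Signature struct {
	Name    string
	Pattern []byte
}

// First entry: the real EICAR test string. Second entry: constructed for this
// example, corresponds to nothing real.
var signatures = []Signature{
	{"EICAR-Test-File", []byte(`X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*`)},
	{"Example.Dropper.A", []byte{0xE8, 0x00, 0x00, 0x00, 0x00, 0x5D, 0x81, 0xED}},
}

// execExt covers program files that carry no magic number, such as DOS .com files.
var execExt = map[string]bool{".exe": true, ".com": true, ".dll": true, ".scr": true, ".sys": true}

// IsExecutable is a cheap magic-number check for PE ("MZ") and ELF images, so
// the scan spends its time on files that could actually run.
func IsExecutable(data []byte) bool {
	return bytes.HasPrefix(data, []byte("MZ")) || bytes.HasPrefix(data, []byte{0x7f, 'E', 'L', 'F'})
}

// ScanBytes returns the names of every known strain whose pattern occurs in data.
func ScanBytes(data []byte) []string {
	var hits []string
	for _, s := range signatures {
		if bytes.Contains(data, s.Pattern) {
			hits = append(hits, s.Name)
		}
	}
	return hits
}

// ScanDir walks root, scans every program file and returns the flagged files
// (paths relative to root) with the strains found in each.
func ScanDir(root string) (map[string][]string, error) {
	flagged := make(map[string][]string)
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		if !IsExecutable(data) && !execExt[filepath.Ext(path)] {
			return nil // not a program: out of scope for an executable scan
		}
		if names := ScanBytes(data); len(names) > 0 {
			rel, _ := filepath.Rel(root, path)
			flagged[rel] = names
		}
		return nil
	})
	return flagged, err
}

// WriteSamples fills dir with constructed files: the EICAR test file, a PE
// carrying the constructed pattern, a copy of it with one pattern byte changed
// (which an exact signature misses), and a note that holds the pattern but is not a program.
func WriteSamples(dir string) error {
	infected := append(append([]byte("MZ"), make([]byte, 62)...), signatures[1].Pattern...)
	variant := append([]byte(nil), infected...)
	variant[len(variant)-3] ^= 0x01 // 0x5D becomes 0x5C: the exact pattern no longer matches
	files := map[string][]byte{
		"eicar.com":   signatures[0].Pattern,
		"tool.exe":    infected,
		"variant.exe": variant,
		"notes.txt":   append([]byte("pattern pasted into a note: "), signatures[1].Pattern...),
	}
	for name, data := range files {
		if err := os.WriteFile(filepath.Join(dir, name), data, 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	dir, _ := os.MkdirTemp("", "scan-demo")
	defer os.RemoveAll(dir)
	if err := WriteSamples(dir); err != nil {
		panic(err)
	}
	flagged, err := ScanDir(dir)
	fmt.Println(flagged, err)
}
```

Run against the constructed directory, the scan flags eicar.com and tool.exe, skips notes.txt because it is not a program, and misses variant.exe even though it differs from tool.exe in a single byte. Real products add heuristics and behaviour monitoring precisely to cover that last case; the signature database alone only ever knows what it has already been told.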
viii) Control Sensitive Data: To protect its sensitive data, a company should classify all of its data according to its importance and confidentiality and then apply and enforce appropriate access restrictions. It should shred discarded paper documents. Controls can be placed over data files to prevent or discourage copying. Employees should be informed of the consequences of using illegal copies of software, and the company should institute controls to see that illegal copies are not in use. Sensitive and confidential information, backup tapes, and system documentation should be locked up at night and never left out on desks. Servers and PCs should also be locked when not in use. Companies should never store all of their data in one place or give any one employee access to all of it. Local area networks can use dedicated servers that allow data to be downloaded but never uploaded, so that an infected workstation cannot push a virus onto the server. Closed-circuit television can be used to monitor areas where sensitive data or easily stolen assets are handled.
Some organizations with particularly sensitive data are installing diskless PCs or workstations. All data are stored centrally on the network, and users download the data they need to work on each day. At the end of the day, all data to be saved must be stored back on the network.
Since users can delete or destroy only the working copy on their own screens, the company's data is secure; the system is virtually immune to disasters a user might intentionally or unintentionally cause. In addition, without disk drives, users cannot introduce viruses into the system from contaminated diskettes. Nor does the company lose valuable data, because employees cannot copy company data onto diskettes and remove them from the premises.
ix) Control Laptop Computers: Special care should be given to laptops because thieves are increasingly breaking into cars and hotel rooms to steal laptops for the confidential information they contain. To control laptops, companies should take the following measures:
Establish laptop security policies that require employees to back up data before traveling, to keep the laptop secured when on the road, and never to leave it unattended.
Install software that makes it impossible for the computer to boot up without a password.
Password-protect and encrypt the data on the hard disk so that if a laptop is stolen, the data cannot be used.
Ask employees to store confidential data on a removable disk rather than the hard drive, and to keep that diskette in their possession at all times.
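As an added example covering item v) (encrypt data) and the laptop measure above (password-protect and encrypt the data on the hard disk), not part of the original text: the Go program below derives an AES-256 key from a password with PBKDF2-HMAC-SHA256 and encrypts with AES-GCM, so a thief who has the disk but not the password gets neither the data nor the ability to alter it undetected. The blob layout, the iteration count and the sample text are assumptions made for the example; PBKDF2 is written out by hand only so that the program needs nothing outside the Go standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Blob layout (an assumption for this example): version(1) || salt(16) || nonce(12) || AES-GCM ciphertext || tag(16)
const (
	formatVersion = 1
	saltLen       = 16
	nonceLen      = 12      // standard AES-GCM nonce size
	keyLen        = 32      // AES-256
	tagLen        = 16      // GCM authentication tag
	kdfIterations = 600_000 // PBKDF2-HMAC-SHA256 work factor (OWASP 2023 figure)
)

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256, written out here so the
// program needs nothing outside the Go standard library.
func pbkdf2SHA256(password, salt []byte, iterations, length int) []byte {
	prf := hmac.New(sha256.New, password)
	counter := make([]byte, 4)
	var out []byte
	for block := uint32(1); len(out) < length; block++ {
		binary.BigEndian.PutUint32(counter, block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(counter)
		u := prf.Sum(nil) // U1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // Uj = PRF(P, Uj-1)
			for k := range t {
				t[k] ^= u[k] // T = U1 xor U2 xor ... xor Uc
			}
		}
		out = append(out, t...)
	}
	return out[:length]
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealWithPassword encrypts plaintext under a key derived from password with a
// fresh random salt and nonce; the version byte is bound as associated data.
func SealWithPassword(password string, plaintext []byte) ([]byte, error) {
	header := make([]byte, 1+saltLen+nonceLen)
	header[0] = formatVersion
	if _, err := rand.Read(header[1:]); err != nil { // fills salt and nonce
		return nil, err
	}
	aead, err := newAEAD(pbkdf2SHA256([]byte(password), header[1:1+saltLen], kdfIterations, keyLen))
	if err != nil {
		return nil, err
	}
	return aead.Seal(header, header[1+saltLen:], plaintext, header[:1]), nil
}

// OpenWithPassword reverses SealWithPassword. A wrong password and a modified
// blob are deliberately indistinguishable: both simply fail authentication.
func OpenWithPassword(password string, blob []byte) ([]byte, error) {
	const headerLen = 1 + saltLen + nonceLen
	if len(blob) < headerLen+tagLen || blob[0] != formatVersion {
		return nil, errors.New("not a recognised encrypted blob")
	}
	aead, err := newAEAD(pbkdf2SHA256([]byte(password), blob[1:1+saltLen], kdfIterations, keyLen))
	if err != nil {
		return nil, err
	}
	plain, err := aead.Open(nil, blob[1+saltLen:headerLen], blob[headerLen:], blob[:1])
	if err != nil {
		return nil, errors.New("wrong password or blob has been tampered with")
	}
	return plain, nil
}

func main() {
	secret := []byte("customer list, confidential (constructed sample)")
	blob, _ := SealWithPassword("correct horse battery staple", secret)
	_, err := OpenWithPassword("wrong password", blob)
	fmt.Println("wrong password:", err)
	plain, _ := OpenWithPassword("correct horse battery staple", blob)
	fmt.Printf("recovered: %s\n", plain)
}
```

Two design points matter for the laptop case. The salt is random per file, so two laptops holding the same document under the same password produce unrelated blobs, and the slow key derivation is what stands between a thief with the disk and an offline password guess; a full-disk encryption product does the same job for the whole drive and should be preferred where available.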