Not many Kenyan business owners are convinced that ICT security is a severe threat to their firms. Business people are more likely to appreciate and react to the current inflationary fluctuations, the weakening shilling, high labour costs and increased energy costs. Little will, however, be heard about ICT and its security. This is despite ICT being the modern-day ‘nervous system’ that coordinates the business processes of most companies.
ICT systems support business processes, and the dependency ranges from Enterprise Resource Planning (ERP) systems for performing integrated business processes to e-mail for communication and document workflows.
All these systems have users who perform various tasks for the business. These employees must be able to access these systems at the appropriate level, and the restrictions imposed on them are important. For example, communication systems like Outlook e-mail should only be used for business.
An ERP system like SAP usually contains financial and personal data that is sensitive. Who accesses what is of utmost importance to the business. Restrictions will, for instance, ensure that a user who raises an invoice cannot also approve and pay that invoice. This example illustrates the business issue of ICT security.
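The invoice restriction above is a segregation-of-duties (SoD) rule, and it is one a business can check mechanically against its authorization design. The following is an added example, not code from the original column or from any ERP vendor; the role names, action names and user assignments are constructed for illustration and do not correspond to real SAP authorization objects.

```python
# Added example: a segregation-of-duties (SoD) check over an ERP-style
# user/role assignment. All role, action and user names are constructed.

# Constructed roles -> business actions they grant (assumed names, not SAP's).
ROLE_ACTIONS = {
    "AP_CLERK":    {"invoice.create"},
    "AP_APPROVER": {"invoice.approve"},
    "TREASURY":    {"invoice.pay"},
    "AP_SUPER":    {"invoice.create", "invoice.approve", "invoice.pay"},
}

# Pairs of actions that one person must never be able to perform together.
SOD_CONFLICTS = {
    frozenset({"invoice.create", "invoice.approve"}),
    frozenset({"invoice.create", "invoice.pay"}),
    frozenset({"invoice.approve", "invoice.pay"}),
}


def effective_actions(roles, role_actions=ROLE_ACTIONS):
    """Union of all actions granted by a user's roles (unknown roles grant nothing)."""
    actions = set()
    for role in roles:
        actions |= role_actions.get(role, set())
    return actions


def sod_violations(user_roles, role_actions=ROLE_ACTIONS, conflicts=SOD_CONFLICTS):
    """Return {user: sorted list of conflicting action pairs} for every user
    whose combined roles grant both halves of at least one SoD conflict."""
    report = {}
    for user, roles in user_roles.items():
        actions = effective_actions(roles, role_actions)
        hits = sorted(tuple(sorted(pair)) for pair in conflicts if pair <= actions)
        if hits:
            report[user] = hits
    return report


if __name__ == "__main__":
    # Constructed sample assignments: bob accumulates approve + pay across
    # two roles; carol gets all three actions from a single broad role.
    USERS = {
        "alice": ["AP_CLERK"],
        "bob":   ["AP_APPROVER", "TREASURY"],
        "carol": ["AP_SUPER"],
    }
    for user, hits in sod_violations(USERS).items():
        print(f"{user}: {hits}")
```

Note that the conflict for "bob" only appears when roles are combined, which is why the check must run over each user's full set of roles rather than over roles one at a time.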
Most businesses unfortunately treat the granting of permissions and authorizations as the sole responsibility of the IT department. Business management only becomes involved when a user discovers they can’t perform a business function, for example re-ordering stock.
Treating ICT security as the sole responsibility of the IT department is counter-productive to the business. The marketing, finance, production and human resource representatives should be involved in the authorization design process.
This is because it is the business that will ultimately bear the consequences of a poorly secured system. Incidents of internal fraud are increasingly carried out through the ICT systems businesses use, precisely because of the high level of dependency they have on these systems.
However, these fraudulent attacks are aimed at the business processes that rely on the ICT systems. It is therefore logical that the internal fraudster uses the systems to achieve the end result of defrauding the company. This means that mitigating the risk of fraud and financial misstatement is not a purely ICT issue.
There is no excuse for ICT security not to be well understood by the business side. It is for both the business and IT departments to take responsibility for ensuring that the security of their systems is aligned with, and prioritized as, a business issue.