Trust after controls

“If your wife asks to go out for a party, insist that she moves along with one of her children. The younger the better.”

“If your wife asks to go out for a party, insist that she moves along with one of her children. The younger the better.” That is what my grandfather Mzee Atanansi Komunjara often advised friends who asked how to avoid exposing their wives to risks of extra-marital affairs. Time and again, women would ask their husbands to go visit their people back home — a red flag of rekindling old fires.

Following a spate of frauds reported in the national papers, companies can learn a lot from grandpa’s advice – trust after controls. During these Coronavirus pandemic times, cash is lost yet people must eat. The motive to steal is high.

Automating business processes opens opportunities to tap into new markets, reduce costs, and offer client convenience at scale. However, this comes with risks of cybercrime which could be catastrophic for example in case of a single point of failure due to system bad setup. Unlike traditional systems where the entrepreneur may have different warehouses distributed throughout the city, manned by different people when it comes to technology companies they set up one server and install all their critical applications on it. For example, you find an SME with an accounting system hosted on its local server at the company office. When you study the set up you notice the following:

  1. The IT manager installed the application and has all the administrative rights to it. The IT manager or vendor of the software, has a master key or master password to create new users, delete users, create records and transactions, and delete records and transactions, modify the system audit trail, view all system uses, create a new data table or delete, do backups and delete backups, etc. It is like giving your house help at home the master key to all the house, including access to your bedroom where you keep records.
  2. The server room is placed in the basement, next to a window that is sometimes left open. You observe that rain could flood the floor because you see the server put on some wood to lift it. You also observe that the door to the server is not manned. Meaning that the server hosting the critical business processes could easily be flooded and or physically stolen!
  3. The server is connected to the network where other users are connected to the Internet, thereby exposing the server to cyber risks like hacking.
  4. And most of all, the company has no IT security policy in place and no staff has ever read it and acknowledged having read it despite having over 20 staff with usernames and passwords which were assigned to them.

Such a set up exposes the SMEs to huge cybersecurity risks. For example, reports in the media show that some staff at the mobile money aggregator with super administrator passwords could have been involved in the fraud by abusing their privileges.

This is common. And business owners must know this and prepare for it. Just like partners should know not to avoid exposing their loved ones to risks of extra-marital affairs. Why would a woman insist on asking his husband to attend a sex party, for which she will not attend based on testing his strength? Or why would you send your husband on a holiday trip with your beautiful young sister because you want to deepen family relationships? Some of these ideas’ intentions may be good but they carry lots of risks. For that reason, trust after controls. If you must go for a sex party, go together, and agree not to leave each other.

If your sister is to move with your husband, or your brother with your wife, have older children in the car or let them have their wives and husbands in the same car. That is called trust after controls.

If you are to give your super administrator password to one person, ask them to tell you every time they use it and document all the tables they view when they log in, including tracking all their activity in the audit log that is saved automatically on another external backup server which they cannot access! And also, have real-time notification when they attempt to change a table for which they normally should not change or when they log in the system at times that appear odd. For example, as an entrepreneur, you should be alerted when one of your staff in Uganda logins into your system at 3 am. Really, what is urgent to log in at that time. You need to enable an automatic SMS and email notification when such a thing happens so that you can follow up instantly and prevent the damage.

Trust only after controls. Blind faith is not good.

Don’t jump out of the airplane without wearing a parachute.

Don’t move to meetings without your face mask.

Don’t allow your children to move with strangers.

Trust after controls.

Copyright Mustapha B Mugisa, Mr. Strategy 2020. All rights reserved.

Leave a Reply

Your email address will not be published.