Many are shocked by the recent incident in which two organisations were duped into sending large sums of money to an unauthorised third person or organisation abroad.
What has particularly struck observers is that the issue concerns the audit authority and the Bank of Bhutan; two organisations that shouldn’t be vulnerable to such a crime.
The trick used was one of the oldest one in the book: Spam.
While awareness on spam is increasing, we still see a lot of people falling for spam and chain mail. This is apparent on Facebook where we can see many of our “friends” typing “amen” or some other phrase, or sharing something with the intention to ward off impending bad luck or misfortune if the required action is not carried out. What happens is they are baited into doing something.
But while this could be seen simply as an annoying but bearable and trivial phenomenon on social media, the implications of having such a trait while holding an important post could be dire.
Spammers throw out various bait and the techniques they use could be simple to sophisticated. Either way, it is important for our officials, especially those in organisations that handle sensitive information, to understand the nature of spam. It is essential they are able to recognise it.
The second issue here is that the official in question used a personal account for official work.
The government has invested significantly in transitioning to Google Apps. The sole intention is to increase security.
For an organisation that handles sensitive information, it makes sense that personal accounts are not used for official work. Such autonomous agencies must also move onto more stable and secure communications platforms like Google Apps or its equivalent.
The third issue is that when such large sums of money are involved, a one-step verification process, in the name of speeding up services is risky as displayed recently. When significant amounts of money are involved, a two-step verification process should be in place where the sender can confirm that the process has indeed been initiated. One phone call cannot delay service.
The recent event also showed that organisations can have highly sophisticated security systems individually but when systems have to interact with each other, the varying levels of security result in the entire system becoming vulnerable.
There is a clearly a need for more to be done in this area.