Protecting against the 'D’oh' factor can be hard
Security managers can protect their enterprises against a lot of things, except stupidity.
Take the episode at Eden Prairie, Minn.-based grocery giant Supervalu Inc. Earlier this year, someone sent the company two e-mails -- one purporting to be from an employee at Frito-Lay and the other from an employee at American Greetings Corp. The late-February e-mails basically instructed Supervalu to start depositing future payments to each vendor into new bank accounts, one in Miami and the other in Rogers, Ark.
And guess what? That’s precisely what Supervalu did. Without apparently so much as a cursory verification of the authenticity of the instructions or of the person(s) who sent them. It received the two e-mails and obediently began depositing millions of dollars into the two bank accounts. By the time it discovered the ruse in early March, Supervalu had already deposited just over $6.5 million into an HSBC bank account in Miami purportedly belonging to American Greetings and an additional $3.5 million into a First Security Bank account in Arkansas supposedly belonging to Frito-Lay.
Supervalu managed to stop the money from being withdrawn, thanks to quick intervention by the FBI and "internal controls" that helped the company quickly detect the fraud according to a spokeswoman.
But closing the barn door just before the horse runs out makes you wonder: just where the heck were those controls before Supervalu started making all those wire transfers? Just think about it. All it took for one of the biggest grocery chains in the country to start depositing millions of dollars into two fraudulent bank accounts were two e-mails. Two e-mails.
Even if no one at Supervalu has ever heard of phishing or online scammers, doesn’t it seem incredible that they’d act on e-mailed instructions without making at least a phone call maybe? Especially since millions of dollars were involved? Heck, I can’t update the e-mail address on my bank account without getting an immediate and anxious inquiry from my bank asking if I had indeed requested such a change. And it’s not even like I’m asking them to send me a million bucks (though it sure would be nice if I did and they obliged as quickly as Supervalu!).
Some folks are probably going to look at this episode and say it was an IT security failure, and I guess it was a security failure in the same way the ChoicePoint incident was. But it’s also about financial fraud resulting from the kind of fundamental process failure that IT security controls alone can’t prevent--at least not easily. You can implement all the firewalls, intrusion prevention systems and monitoring tools you want for dealing with every conceivable threat out there and still have a Homer Simpson somewhere in your organization who’ll sign away on million-dollar transactions based on a couple of e-mails. What do you think?
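The "at least a phone call" control the column asks for can be written down as a gate in the accounts-payable workflow, so that a bank-detail change requested by e-mail never takes effect until someone calls the vendor back on the number already on file. The following is an added illustration, not code from the column or from Supervalu; the vendor records, phone numbers and account identifiers are constructed, and the `call_vendor` callable stands in for the actual phone call (an assumption, so the logic can be exercised offline).

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Vendor:
    """A row from the vendor master file (constructed sample data)."""
    name: str
    bank_account: str      # account currently used for payments
    callback_phone: str    # contact recorded at onboarding, never taken from a request


@dataclass
class ChangeRequest:
    """A request to redirect future payments, as received by accounts payable."""
    vendor_name: str
    new_bank_account: str
    channel: str                              # e.g. "email", "vendor_portal"
    phone_in_message: Optional[str] = None    # whatever number the message itself offers
    approvers: List[str] = field(default_factory=list)


@dataclass
class PaymentChangeGate:
    """Applies a bank-detail change only after out-of-band confirmation."""
    vendors: Dict[str, Vendor]
    # (phone on file, proposed account) -> True if the vendor confirms by voice.
    # Hypothetical hook: in practice a person makes the call and records the outcome.
    call_vendor: Callable[[str, str], bool]
    audit: List[str] = field(default_factory=list)

    def _deny(self, req: ChangeRequest, reason: str) -> Tuple[bool, str]:
        self.audit.append(f"DENIED {req.vendor_name} via {req.channel}: {reason}")
        return False, reason

    def process(self, req: ChangeRequest) -> Tuple[bool, str]:
        vendor = self.vendors.get(req.vendor_name)
        if vendor is None:
            return self._deny(req, "unknown vendor")
        if req.new_bank_account == vendor.bank_account:
            return self._deny(req, "no change requested")
        # Separation of duties: two distinct people must sign off.
        if len(set(req.approvers)) < 2:
            return self._deny(req, "requires two distinct approvers")
        # A phone number supplied inside the message is under the sender's
        # control, so it is only logged, never dialled.
        if req.phone_in_message and req.phone_in_message != vendor.callback_phone:
            self.audit.append(
                f"NOTE {req.vendor_name}: message offers {req.phone_in_message}, "
                f"file has {vendor.callback_phone}; calling number on file"
            )
        if not self.call_vendor(vendor.callback_phone, req.new_bank_account):
            return self._deny(req, "vendor did not confirm on callback")
        old = vendor.bank_account
        vendor.bank_account = req.new_bank_account
        self.audit.append(f"APPLIED {req.vendor_name}: {old} -> {req.new_bank_account}")
        return True, "applied after out-of-band confirmation"


def sample_vendors() -> Dict[str, Vendor]:
    """Constructed vendor master records; names are from the column, details are made up."""
    return {
        "Frito-Lay": Vendor("Frito-Lay", "ACCT-FL-0001", "+1-555-0100"),
        "American Greetings": Vendor("American Greetings", "ACCT-AG-0001", "+1-555-0200"),
    }


def run_scenario(vendor_confirms: bool) -> Tuple[bool, str, str]:
    """Replay an e-mailed redirect request; returns (applied?, reason, account now on file)."""
    vendors = sample_vendors()
    gate = PaymentChangeGate(vendors, call_vendor=lambda phone, acct: vendor_confirms)
    req = ChangeRequest(
        vendor_name="Frito-Lay",
        new_bank_account="ACCT-NEW-9999",
        channel="email",
        phone_in_message="+1-555-0199",    # attacker-chosen number in the message
        approvers=["ap_clerk", "ap_manager"],
    )
    ok, reason = gate.process(req)
    return ok, reason, vendors["Frito-Lay"].bank_account


if __name__ == "__main__":
    print(run_scenario(vendor_confirms=False))
    print(run_scenario(vendor_confirms=True))
```

The point of the design is that the e-mail is treated as a request, not an instruction: nothing in the message (including any phone number it offers) is trusted to authenticate itself, and the account on file changes only after the vendor confirms on the number the company already had.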