Cyber-crime took a new twist when two employees tried to take advantage of the economic slump by stealing software from their employers and selling it to unsuspecting consumers. The two have been fired from their jobs and are facing criminal charges.
They can't be named until they have appeared in court.
The first man, who worked in the IT department of an international food company, was caught selling counterfeit CDs containing Microsoft software, which had been produced using license keys he had stolen from his employer.
The second man, who worked for a fresh produce distributor, was caught selling genuine software packs he had stolen from his employer on a popular local online auction site.
Because the software was still in use and required for licensing purposes, its unauthorised sale and use would not have resulted in licensed installations of the software and could have exposed the legitimate owners to possible compliance and reputational risks.
Charl Everton, the anti-piracy manager at Microsoft South Africa, said the incidents were “a high-tech version of shoplifting”.
“While both men are likely to face criminal consequences, it is their companies who stand to lose the most, as the thefts exposed shortcomings in their corporate governance and compliance frameworks,” says Everton.
Lynne Tromp, an associate director at KPMG, says that the two cases highlight a need for companies to maintain effective control of their software, or face exposure in terms of corporate governance regulations like Sarbanes-Oxley (SOX).
“Besides the risks associated with running or on-selling unlicensed software by the company or its employees – like business interruption, ineffective spend, susceptibility to malicious parties and liability for penalties – organisations are further exposed to reputational risk,” says Tromp. “The onus is on the organisation to maintain clear records of its software assets, and to demonstrate how it protects those assets.”
KPMG believes the cornerstone of any compliance or asset management programme is a suitably qualified, reputable custodian (whether an employee or third party) who has been adequately screened. Tromp said that the incidents highlight the fact that companies have a clear responsibility to put more work into checking the credentials of potential employees: fictitious qualifications, overstated employment and experience, or previous criminal convictions can be glossed over in a well-crafted CV.
Tromp says reputational risk often has the most severe impact on the business and extends far beyond manageable financial loss.
“Stakeholder questions are raised about whether management has adequately exercised control and oversight in other areas of the business if it lacks critical control in asset management and compliance,” she says.