When CyberMedia News reported on the recent phishing attack on ICICI customers one thing that stood out was that it was conducted in a highly sophisticated and well-planned manner. http://www.ciol.com/content/news/2006/106021019.asp

The perpetrators had completely replicated ICICI Bank's net banking website hoping to get account holders to reveal their access information. It was an alert customer that brought the fraud to the banks notice. To its credit, ICICI acted quickly and minimised the damage.

One of the reasons the bank could contain the damage early was that it had a robust Risk Containment unit, which went into overdrive. The fraud was identified quickly, the damage control was swift and the perpetrators were nabbed within a few days.

Fraud is not restricted to the banking, finance or retail industry. Every organization is susceptible. This time ICICI bank was the victim, but tomorrow any organization could be the target.

Madhabhi Puri Buch, senior general manager, ICICI Bank, noted that private banks in India have implemented processes to combat such crimes. While it is true that most organizations have implemented some measures in part, clearly defined Risk Mitigation Policies in the Indian business scenario are still a minority.

Risk can enter an organisation through only two doorways: people and processes. Organizations are realizing the value of pre-employment screening, vendor reference checks and internal audits as effective risk management tools. The question is, is that good enough?

With increasing sophistication in internal and external fraud, organisations must transcend their comfort zones and rely more on prevention than on post mortems.

A comprehensive risk management policy would encompass various types of potential internal and external risks, the measures to control them, and the damage control process if the organization faces a real risk situation.

This not only readies the organization to take swift action, based on predefined risk triggers, but also sends a clear message to its internal and external stakeholders, that the enterprise is alert to possible risks.

The episode at ICICI Bank cannot be taken in isolation. It is just a sign of things to come. According to the Anti-Phishing Working Group's website, phishing is on the increase in India.

Its time to ask yourself how vulnerable your organisation is, and whether it is geared to deal with the risk.