On Internal Control and Mr. Potato Head

Here’s one way to convey the importance of software patch management: a bunch of Canadian Tire retail stores had to close last week because “a downloading error” caused all purchases to be scanned at the checkout register as Mr. Potato Head. 

The Toronto Star dug up this story last week. Five Canadian Tire stores in Ontario suffered the glitch on the morning of June 30. Any products customers tried to buy were recorded as a sale of the Mr. Potato Head toy — which Canadian Tire does actually sell in its home goods section

Mr. Potato Head

Mr. Potato Head

A Canadian Tire spokesman told the Star that the glitch only made product names appear as Mr. Potato Head; not the prices or item ID numbers. Still, that meant customer receipts simply listed “Mr. Potato Head” over and over. 

The glitch was resolved about 90 minutes later, and customers “were asked to continue browsing” while corporate IT fixed the issue. 

OK, that story is hilarious. Peel away the skin, however, and we do find a teachable moment here for IT security and compliance. 

The lesson is this: software patches, updates, upgrades and the like can be a delicate matter. Companies need clear policies about how those downloads happen, such as who does the downloading and installation, and how patches should be tested before implementing them across the enterprise. 

Now, we don’t know what “a downloading error” precisely means here. Canadian Tire does $14 billion in revenue annually and runs 1,700 locations across Canada, so I’m sure it does have internal control and security policies to govern software patches — but really, that underlines the importance of the issue even more. If a business as sophisticated as Canadian Tire can make a blunder like this, anyone can. 

Yes, purchases scanning as Mr. Potato Head is funny and harmless. On the other hand, the other week we had the much more serious report of a security flaw in Oracle software that allows hackers to penetrate your IT systems and alter accounting data without ever being detected by standard audits or internal control. 

That is decidedly not funny, but the internal control issue is the same in both examples: software patch management. Oracle already has a patch to solve this security threat, but if your organization is among the scads that don’t update your ERP software promptly, your accounting data is easy pickings for online miscreants. 

As businesses keep moving to cloud-based tech providers for mission-critical services, and cybersecurity keeps rising as a dire threat, patch management will keep growing in importance. 

That’s one fact that should be plain as the nose on Mr. Potato Head.

Leave a Comment

You must be logged in to post a comment.