SPECIAL TO THE WEB

Scott Swanson, CFE

It’s easy for us, as armchair analysts, when we hear about daily data breaches, to point our fingers and poke holes in the ways institutions fail to mitigate risk and threats of data loss and leakage. Take, for example, the sophisticated cyberattack of CareFirst BlueCross BlueShield (CareFirst) on May 20. According to the article, CareFirst Announces Cyberattack; Offers Protection for Affected Members, on the CareFirst website, the attackers gained limited, unauthorized access to a single CareFirst database. The company discovered the breach as a part of its ongoing IT security efforts in the wake of recent cyberattacks on health insurers.

According to the article, CareFirst engaged a cybersecurity firm to conduct an end-to-end examination of its IT environment. Evidence suggested that attackers could have potentially acquired member user names created by individuals to use CareFirst’s website, as well as members’ names, birth dates, email addresses and subscriber identification numbers.

In truth, staffs within most IT security and compliance departments are diligent in their roles — they do the best they can with what they have. I believe that information security should have a place in IT. But IT shouldn’t hold the reins of information protection and investigation; if it does, perhaps anti-fraud experts can help.

IS A CYBERBREACH ACTUALLY CYBERFRAUD?

Right now, fraud examiners should be licking their chops. Fraud, by its nature, includes any intentional or deliberate act to deprive another of property or money by guile, deception or other unfair means (2015 Fraud Examiners Manual, 2.201). Similarly, theft is when someone takes something from another without consent. A fraudster’s main objective is to hide the act even if the act is completed. This is also is the objective with many data breachers. The acts are largely unknown before and after penetration. The intent is to steal … by means of fraud.

Look at Target, Sony, Home Depot, OPM, etc. In most cyberbreach cases, the incidents are identified long after the penetration and the thieves have absconded with the targeted data.

When I perform periodic testing as a risk consultant to commandeer information and breach controls, I find my pathway in most cases through ruses that will enable me access — technologically, physically or by human shortcomings. Here are some examples of how a cybercriminal might gain access to secure information in these three ways:

Technology

• Obtain a network or access password by asking an employee.
• Spear phish to feign a trusted co-worker or site to trick the individual into logging into a trap-identity capture. For example, recreate a LinkedIn invitation in an email with an authentic look and feel of the actual website that grabs the user’s name and password when they believe they’re logging in to the invitation.
• Gain access to an unattended device or endpoint (i.e. desktop computers and devices such as laptops, smartphones and tablets) that an employee left on a desk or counter during office hours. When employees leave their systems unattended and fail to log off, passersby can access information that isn’t password protected.

Physically 

• Enter a facility without authorization by picking the lock or by entering through unlocked doors and other unrestricted access points. Or a fraudster can simply enter while a thoughtful person holds the door open as they both enter the building.
• Steal hard-copy information that’s unattended such as paper forms, bills and customer information near printers, fax machines and in unlocked garbage containers.
• Peer over an employees’ shoulders while they access private content, read information lying in the open or access files that aren’t locked away to see unsecured information.

Human shortcomings

• Failure to comply with policies and procedures. Most policies and procedures exist as rules on a form that’s either in some nebulous manual or on a database for employees. Without carefully implementing policies and procedures in alignment with natural, daily activities, most employees won’t think about the controls unless they’re culturally ingrained.
• Failure to create adequate controls. Organizations create controls to minimize activities that could create undue risk. However, risks are always changing and not all controls are sustainable, if indeed they were properly created in the first place.
• Failure to identify and plan against dynamic risks, threats and vulnerabilities. Most risk assessments are a snapshot in time, yet organizations often don’t periodically reassess them to identify changes and indicators of adverse events.

Regulatory authorities and directives, such as the ones governing the Health Insurance Portability and Accountability Act of 1996, mandate that organizations need to protect information with technology, physical security and appropriate functional controls. Now, if information protection falls under IT, are companies really using the best resources to cover physical security and processes that fall outside of computer or device-based controls, such as business procedures? Probably not because the key loophole is usually human behavior. That’s a corporate risk and security issue, and it’s also a legal and human resources problem. The fact that the mechanism might have used technology shouldn’t drive “ownership” of the problem to IT. So who can transcend all of these business units? A properly trained fraud examiner.

Read the full article on Fraud-Magazine.com.