Buoyed by news and social media coverage of online threats and cyberattacks, cybersecurity is all the rage today. Indeed, whether we’re talking about the recent Iranian online assault on worldwide universities or the cyberattack on the city of Atlanta (which shut down Wi-Fi at the world’s busiest airport), cybersecurity is constantly and rightfully in the spotlight.
Perhaps the most encouraging and notable piece of RSA’s most recent quarterly report comes in the form of an overall decrease in cyberfraud. The total number of cyberfraud attacks observed from January 1, 2018 to March 31, 2018 represented a decrease not only from the previous quarter (16.2%) but also from the same quarter of 2017 (8.6%).
Bruce Dubinsky, CFE, MsT, CPA, CVA
Managing Director, Duff & Phelps, LLC
It’s no surprise that companies have fraud on their minds these days. As of May, a Verizon report revealed that 6 million data breaches in businesses worldwide had already occurred in 2016. In response, organizations have taken steps to protect themselves from outside hacker threats — but this might not be enough. Unbeknownst to many, the bigger danger to these companies and their customers’ data arises from those who are trusted the most: 50 percent of all security incidents are caused by people inside an organization. According to the 2016 ACFE Report to the Nations on Occupational Fraud and Abuse, a typical organization loses an estimated 5 percent of revenue a year as a result of fraud.
The onset of International Fraud Awareness Week, November 13-19, provides a compelling opportunity to discuss the dangers and prevention methods of insider fraud.
Learning that your company’s confidential data was stolen, not by an outside hacker but by an employee, is a catastrophic scenario that no organization wants to face. Although some of these data breaches are unintentional — caused by careless employees — in most circumstances they are the result of malicious intent. Oftentimes, personally identifiable information (PII) is stolen to be sold on the black market or used to claim Social Security benefits, open new credit card accounts or apply for insurance benefits.
The ACFE report finds that a perpetrator’s level of authority is directly related to the magnitude of the fraud: the median loss from a scheme committed by an owner or executive (about $703,000) is more than four times the median loss from a scheme committed by a manager (about $173,000) and nearly 11 times the median loss caused by a rank-and-file employee (about $65,000).
Companies can combat insider fraud by developing safety measures that emphasize a team approach, through which all areas of the organization or agency work together to identify threats and prevent them from escalating into significant losses. The Report to the Nations found that when organizations adopt and encourage an “if you see something, say something” approach, they can mitigate losses by up to 54 percent. In addition, insider fraud can be detected up to 50 percent faster.
Consistent with this approach, the most common detection method in the ACFE study was employee tips (39.1 percent of cases). Organizations with reporting hotlines were also much more likely to detect fraud through tips than organizations without a reporting outlet (47.3 percent compared to 28.2 percent, respectively). Additionally, when fraud was uncovered through active methods such as surveillance and monitoring or account reconciliation, schemes ran for a shorter time than when they were detected through passive methods, such as notification by police or accidental discovery. Many agencies also had success with professionally staffed hotlines for whistleblowers.
There are valuable resources available to help your company take the necessary steps to prevent insider fraud. The LexisNexis® Fraud Defense Network, of which I am a board member, provides resources such as the Identity Fraud Protection Playbook and technology for cross-industry fraud prevention. Take the quiz to see how your fraud prevention efforts measure up to the competition and collect valuable insights on preparing for this significant threat.
You can find more free resources to spread fraud awareness, like social media badges, infographics and videos, at FraudWeek.com.
SPECIAL TO THE WEB
Scott Swanson, CFE
It’s easy for us, as armchair analysts, when we hear about daily data breaches, to point our fingers and poke holes in the ways institutions fail to mitigate the risks and threats of data loss and leakage. Take, for example, the sophisticated cyberattack on CareFirst BlueCross BlueShield (CareFirst) announced on May 20. According to the article, CareFirst Announces Cyberattack; Offers Protection for Affected Members, on the CareFirst website, the attackers gained limited, unauthorized access to a single CareFirst database. The company discovered the breach as part of its ongoing IT security efforts in the wake of recent cyberattacks on health insurers.
According to the article, CareFirst engaged a cybersecurity firm to conduct an end-to-end examination of its IT environment. Evidence suggested that attackers could have potentially acquired member user names created by individuals to use CareFirst’s website, as well as members’ names, birth dates, email addresses and subscriber identification numbers.
In truth, the staff within most IT security and compliance departments are diligent in their roles — they do the best they can with what they have. I believe that information security should have a place in IT. But IT shouldn’t hold the reins of information protection and investigation; if it does, perhaps anti-fraud experts can help.
IS A CYBERBREACH ACTUALLY CYBERFRAUD?
Right now, fraud examiners should be licking their chops. Fraud, by its nature, includes any intentional or deliberate act to deprive another of property or money by guile, deception or other unfair means (2015 Fraud Examiners Manual, 2.201). Similarly, theft is when someone takes something from another without consent. A fraudster’s main objective is to hide the act, even after the act is completed. This is also the objective of many who breach data. The acts are largely unknown before and after penetration. The intent is to steal … by means of fraud.
Look at Target, Sony, Home Depot, OPM, etc. In most cyberbreach cases, the incidents are identified long after the penetration and the thieves have absconded with the targeted data.
When I perform periodic testing as a risk consultant to commandeer information and breach controls, I find my pathway in most cases through ruses that gain me access — technologically, physically or through human shortcomings. Here are some examples of how a cybercriminal might gain access to secure information in these three ways:
- Obtain a network or access password simply by asking an employee for it.
- Spear phish by impersonating a trusted co-worker or site to trick the individual into logging in to a credential-capture page. For example, recreate a LinkedIn invitation in an email with the authentic look and feel of the actual website, so that the page grabs the user’s name and password when they believe they’re logging in to accept the invitation.
- Gain access to an unattended device or endpoint (e.g., desktop computers and devices such as laptops, smartphones and tablets) that an employee left on a desk or counter during office hours. When employees leave their systems unattended and fail to lock or log off, passersby can access information that isn’t password protected.
- Enter a facility without authorization by picking a lock or by entering through unlocked doors and other unrestricted access points. Or a fraudster can simply tailgate, entering while a thoughtful person holds the door open for both of them.
- Steal unattended hard-copy information such as paper forms, bills and customer information left near printers and fax machines or in unlocked garbage containers.
- Peer over an employee’s shoulder while they access private content, read information lying in the open or open files that aren’t locked away to see unsecured information.
- Exploit failures to comply with policies and procedures. Most policies and procedures exist as rules in some nebulous manual or in a database for employees. Unless policies and procedures are carefully implemented in alignment with natural, daily activities, most employees won’t think about the controls unless they’re culturally ingrained.
- Exploit failures to create adequate controls. Organizations create controls to minimize activities that could create undue risk. However, risks are always changing and not all controls are sustainable, if indeed they were properly created in the first place.
- Exploit failures to identify and plan against dynamic risks, threats and vulnerabilities. Most risk assessments are a snapshot in time, yet organizations often don’t periodically reassess them to identify changes and indicators of adverse events.
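The spear-phish item above describes a look-alike LinkedIn login page that harvests credentials. The following Python check is an added example, not code from the article or its author: it pulls every link out of an HTML message and flags the patterns such a lure relies on (a brand name buried in a subdomain or path, link text that shows the real domain while the target points elsewhere, plain HTTP). The brand-to-domain table, the sample message and its `.example` hosts are constructed for the illustration, and the two-label "registrable domain" heuristic is a simplification; a mail gateway would use the Public Suffix List.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands and the registrable domains they legitimately use.
# Constructed for this example; a real deployment would maintain this list.
TRUSTED_DOMAINS = {
    "linkedin": {"linkedin.com"},
}


def registrable_domain(host):
    """Return the last two labels of a host name (naive heuristic, fine for .com
    but a real gateway should consult the Public Suffix List)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html, brand):
    """Return a list of findings for links that do not point at the brand's own
    registrable domain, with the reasons each one looks like a lure."""
    parser = LinkCollector()
    parser.feed(html)
    allowed = TRUSTED_DOMAINS[brand]
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        dom = registrable_domain(host)
        reasons = []
        if not host:
            reasons.append("link has no host")
        elif dom not in allowed:
            reasons.append(f"host {host!r} is not one of {sorted(allowed)}")
            if brand in host:
                reasons.append("brand name used as a look-alike subdomain")
            if brand in url.path.lower():
                reasons.append("brand name appears only in the URL path")
            if any(d in text.lower() for d in allowed):
                reasons.append("visible link text shows the brand domain but the target differs")
        if url.scheme != "https":
            reasons.append(f"scheme is {url.scheme!r}, not https")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample "invitation" message: one genuine link and two lures.
SAMPLE_EMAIL = """
<p>You have a new invitation.</p>
<a href="https://www.linkedin.com/in/someone">View profile</a>
<a href="http://linkedin.com.account-verify.example/login">Accept invitation</a>
<a href="https://secure-login.example/linkedin.com/uas/login">www.linkedin.com</a>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL, "linkedin"):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Run against the constructed message, the genuine `www.linkedin.com` link passes and the two lures are flagged: the first for a look-alike subdomain over plain HTTP, the second because the brand appears only in the path while the visible text claims `www.linkedin.com`. The same check generalizes to any brand by extending `TRUSTED_DOMAINS`.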
Regulatory authorities and directives, such as the ones governing the Health Insurance Portability and Accountability Act of 1996, mandate that organizations protect information with technology, physical security and appropriate functional controls. Now, if information protection falls under IT, are companies really using the best resources to cover physical security and the processes that fall outside of computer- or device-based controls, such as business procedures? Probably not, because the key loophole is usually human behavior. That’s a corporate risk and security issue, and it’s also a legal and human resources problem. The fact that the mechanism might have used technology shouldn’t drive “ownership” of the problem to IT. So who can transcend all of these business units? A properly trained fraud examiner.
Read the full article on Fraud-Magazine.com.