Fraud Prevention is one of the biggest challenges to the organizations across the world. What are the advanced measures that can be explored to ensure Fraud Prevention in a more effective manner? What role can Information Security play to enhance the Fraud Prevention mechanisms in your organization?Traditionally, “Information Security” term is associated with Cyber Security and is used interchangeably. Approach from organizations, vendors, and industry experts gave an outlook that Information Security is all about technology related Cyber Security controls only.Delivering direct business value from information security investment seldom come up as a priority or discussion point. At best, it becomes a theoretical analysis of the strategic alignment of Information Security with business. But still, practical effectiveness or implementation methodologies found lacking.Nevertheless, like many other areas, Fraud Prevention is one of the critical business challenges that Information Security controls can add value to.Information Security and Fraud PreventionInformation Security community has failed to demonstrate or communicate effective mechanisms in preventing organizational losses from breaches other than cyber attacks. Finding an Information Security expert with adequate technical background and business acumen is the most significant challenge the industry encounter.Professionals with governance or audit background come with risk management background. Although exceptions noted, most of the experts come with theoretical knowledge on technology and doesn’t understand the real technical challenges. At the same time, the other side of the spectrum is the technical experts who come from an IT background but without an open mind or any exposure to business challenges and expectations.The right Information Security leader, with technical expertise and business acumen, shall be able to link the Information Security controls with business challenges. This alignment is by ensuring the control adequacy and effectiveness, but wherever possible by linking to business needs and aspirations. Fraud prevention is one of the direct selling points to demonstrate the value of Information Security to a non-technical audience, including the board members.Information Security risks and investments to protect from cyber attacks is extremely crucial, especially considering the current wave of hacking incidents and data breaches. But, the significance of Information Security is much more than the Cyber Security controls.If we analyze, a good percentage of frauds has some connection with ineffective Information Security controls. It may be due to weakness in people, process or technology controls, associated with valuable business data.Example:If a person or process access or alter the data that he supposed not to, it may lead to fraud. Here the basic principles of Information Security are breached, namely confidentiality, integrity or availability. Key security control areas of access management and data management are extensively crucial for fraud prevention.Although execution of frauds attributed to many factors, the ever-increasing dependency on information security controls are getting significant importance these days.As in the past, financial organizations realize this fact more than others. Insider threat management initiatives that get a lot of business buy-in mainly focussed on this aspect. Fraud Management departments are more interested in the data security controls so that the prevention and detection of frauds will be more efficient and effective. Security monitoring use cases for fraud detection is gaining momentum among information security experts.Fundamental principles or conceptsIn addition to various other scenarios, causes of fraud can be the following also:Data exposure to a potential fraudster (Internal/External – Unauthorized view) – Confidentiality breach/Impact.Illegitimate alteration of data by the potential fraudster – Integrity breach/Impact.Unauthorized damage to data or service by the potential fraudster so that the genuine users cannot access it on time – Availability ImpactFraud From External Sources – Online ChannelsImportance of adequate information security controls to combat fraud take a huge jump when online channels become the fastest and most efficient channel of service delivery. Although offline channels also could be the source of fraud and can get impacted, fraud through online channels (including mobile) can be incredibly easier in an anonymous manner and may be potentially destructive.Cybercriminals target their victims through online channels, as the probability of finding one is more easier compared to physical means. In addition to that, the identity of the fraudster is easy to hide and extremely difficult to find out after a successful fraud. That gives immense motivation to the real-life criminals to use online channels.Emails, websites and mobile applications are being used to lure potential victims. Considering the increased adoption of mobile devices and Internet, the probability of finding a vulnerable target is quite easy for the fraudsters.Defrauding the common public and customers of favorite organizations including banking firms is a common trend. Chances of trusting a targeted fraudulent message (in the name of a famous brand) are very high. Various financial frauds are being carried out through fake websites, email, and SMS communication pretending as leading organizations. Some of the messages can fool the smartest of people, by customizing it with an extremely genuine-looking message. Mostly it addresses the victims, by carrying out background checks in advance, using social media details.Compromising popular email service accounts of the customers or the partner firms could be another source of fraud, by snooping into the communication between a supplier and customer.At some point of time, the fraudster may create a fake email account that almost looks like the original one, with a minor change in the spelling of the email address, and sends instructions to transfer fund to an account that belongs to criminals. Many organizations fall into this trap, due to lack of sufficient processes and awareness.More significant frauds use data exfiltration and cyber espionage, where expert criminal gangs use online channels to spread malware and blackmail the victims. These, finally end up in financial and reputational losses in addition to regulatory damages.Fraud from Internal Sources – Misuse of access and information/service handlingMany types of frauds can be executed by disloyal staff, especially those with privilege access like IT, Finance, and HR Employees. Exposure of sensitive information to unauthorized personnel and extra privileges (more than required) etc., can potentially lead to unpleasant scenarios. In the same manner, unauthorized data transfer privileges can also be detrimental to the organization.Lack of effective segregation of duties and timely monitoring and detection of activities by the employees (which may include permanent or temporary/outsource) could be a significant weakness in the information security control environment that could lead to substantial frauds.Many of the recent financial frauds owe to the collusion of employees with internal or external parties. Weakness in access management, data transfer management, segregation of duties, and least privilege based access provisioning are some of the causes of internal frauds (and in many cases external fraud also).Recommendations – How can Information Security Controls prevent Frauds?Fraud PreventionEnsure to align Information Security Program and activities with Fraud Prevention measures in the organizationCarry out a Fraud Risk Assessment in the context of Information Security Threats – From Internal and External perspectiveIdentify, design and implement critical controls required to protect the organization, staff and its customers from frauds – People, Process and Technology Controls. In some cases, it may be just through improved awareness among the people.Ensure to have proactive monitoring and detective mechanisms to predict frauds through early warnings.Formulate “use cases” by collecting intelligence through internal and external sources of information to detect potential fraud for a timely response.Focus on ensuring effective controls on the protection of information from internal and external threats – Confidentiality, Integrity, and Availability of the data. Authorized parties only should have access and authority to view and change the information and its status, with adequate audit trails.Develop and practice incident response plan for handling potentially fraudulent activities (due to information security breaches), where fraud management/investigation teams may need to be involved. In some instances, HR department too, if the potential fraud attempt includes the involvement of the staff.Develop and implement specific controls for all online channels to be resilient to fraudulent activities – Technical and Procedural.Ensure to perform multiple checks and Maker-Checker based approvals for critical/sensitive actions or transactions with appropriate segregation in duties.Develop customized security awareness training to educate the staff and customers about the importance of Information Security best practices for Fraud Prevention.
After retiring law enforcement I started a private investigations and physical security consulting business in my home of Portland, Oregon. The security consulting portion of my business is varied and usually involves assessing security vulnerabilities, reviewing or developing security procedures, recommending specific security improvements, and providing security training.Most of my clients are small to medium businesses but I am sometimes hired by individuals. Many of these people live in semi-rural areas adjacent to cities. They are often retired or commute into the city during the work week and tend to their “hobby farms” in the evenings and weekends. Typically their property has a barn of some sort, a few outbuildings, some farm machinery, and often has a couple horses, some chickens, and maybe a goat or two.Security for these semi-rural areas is a growing concern. According to the FBI overall urban crime has been steadily decreasing nationwide but rural crime – especially property crime, is increasing. Trespassing, theft and burglary are major concerns for rural property owners and residents as sometimes crooks view these rural isolated areas as easy marks. These semi-rural areas also sometimes attract drug users who are looking for secluded spots to do their drugs and other assorted crooks.The truth is, because of their relative isolation and the fact that many rural residents have not traditionally given much thought to security, many of these rural areas are easy marks for crooks. Fortunately, there are some basic and relatively inexpensive things residents and rural property owners can do to make themselves and their property more secure.Practical Security MeasuresAfter conducting a comprehensive security risk assessment I often recommend that rural property owners take steps to limit the number of roads and foot paths into the property. External lighting around susceptible areas is also a good idea with blue light often being more effective than regular white light illumination.With the evolution of security technology, effective alarm systems and GPS are becoming more cost effective. I often recommend perimeter alarms that can detect intruders at the earliest point of trespass. GPS devices hidden inside high-value property like tractors, trailers, and all terrain vehicles are also a good idea. While this may not prevent theft, it will greatly help in recovery of stolen property and maybe even aid in the apprehension of the perpetrators.Animals for SecurityIn ancient times animals of almost every stripe have been used to help protect persons and property. Big cats, elephants, alligators, and even venomous snakes have been used to protect and secure property!We all know about guard dogs. Throughout the world dogs are commonly used for security purposes. But have you heard of guard monkeys? Not many people in the United States keep monkeys but in India authorities used Langur monkeys to help secure the 2010 Commonwealth Games. These monkeys have aggressive personalities but they have excellent eyesight and are highly trainable. And, in recent times the U.S. Army even reportedly used rats to sniff out bombs!Effective Security Can Sometimes be Very BasicSometimes I get real basic. On one occasion, as part of an overall security strategy, I recommended that the property owners buy a flock of geese. Yes, you read that right! They already had some chickens running around so adding a few geese would not be a big issue with feed or housing. And, a small gaggle of geese serves as a very effective “early-warning system.”For a security consultant in today’s modern high-tech world to recommend geese as an early warning system might seem a little odd, but in a rural or semi-rural environment it makes simple and practical sense. Geese, like Swans, are very territorial and since ancient Roman times have been used for “watch guards.” They have an acute sense of smell and eyes that seem to see just about everything.When anything – man or beast, enters their space they can get quite aggressive. They make a lot of noise and have been known to “attack” anything that enters “their space.” Simply stated, intruders do not like noise and commotion and will often flee when detected. If an intruder does not flee, the honking and commotion of a gaggle of agitated geese can alert a home owner who can then take immediate steps to protect themselves and repel the intruder (i.e., arm themselves, make sure house doors are all locked, turn on lights, etc.).All physical security measures should be practical and cost effectiveWhen deploying physical security measures there should be a balance of the probability of criminal activity against the cost to protect a certain target. For example, it makes no practical sense to spend a million dollars on a security system that protects something valued at a mere $50,000.Layered security (also sometimes referred to as “concentric rings of security”) is a well established security strategy. Its basic premise is that before an intruder can reach a target, the intruder must overcome multiple layers of security (i.e., gates, locked doors, illuminated areas, alarm systems, and yes… even flocks of geese). Even in today’s modern high-tech world, low-tech security strategies augmented with high-tech, can often be an economical and effective way to protect persons and property. And, YES, animals like geese can sometimes be an important part of an overall security strategy.