We were recently asked to contribute to an article being written on "Fraud health checks and training: what should businesses be doing?" The scope covered all fraud, not just IT fraud: data theft by employees, theft of goods and financial fraud too. Our stance is that all fraud is preventable, but only in the same way that any football game is winnable: things happen, mistakes are made, freak goals are scored. Accepting this means that, while the goal for combatting fraud is 100%, the reality is that you can't win them all.
We specialize in cyber-fraud prevention, a highly technical subject where new tactics and exploits are always appearing. Traditional hacks through the organization's internet 'front door' are only one dimension that needs to be covered. Phishing is an effective way to get malware past corporate defenses, and it is now relatively straightforward to make that malware evade anti-virus systems. Then there was the Target breach last year. The thieves exploited the access that a third-party services provider had to Target's systems, allowing card-number-stealing malware to be installed on the point-of-sale systems and run for two and a half weeks before it was detected.
But even though we are pushing the envelope of hack prevention and breach detection with system hardening and File Integrity Monitoring technologies, it was grounding to read about the Apple store fraud* the other week. $300K of Apple goods were stolen through a brazen, good old-fashioned con: when the fraudster's payment card was declined at the till, he would tell the cashier that he would call his bank and get them to provide an override code, which they duly did, allowing the cashier to override the declined payment and complete the transaction. The 'bank' was the fraudster's accomplice and the 'override code' was just a series of digits; once the cashier overrides a declined sale, any code at all is accepted as authorization!
1. What regular health checks should businesses be doing to ward off fraudsters? How regular?
The biggest threat is often complacency, so there has to be a mindset of constant, continuous vigilance, not just eyes in the back of the head but on the sides too! In cyber security terms the monitoring can be automated to a degree, on the principle that if you know what normal, regular activity looks like, then any fraud activity should show up as reported deviations and exceptions from the norm. Target had any number of clues that could have been spotted (new services added, registry changes, new DLL files appearing on POS terminals) but these were ignored for too long. This was a case of the right approach to fraud detection but the wrong procedures wrapped around the detection tools: the vigilance was lacking. See more on Protecting POS systems
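To make the "know what normal looks like, then report the deviations" idea concrete, here is an added example of the file-level part of that approach (it is not code from the original post or from any product): take a baseline of a directory tree as a map of path to SHA-256 digest, then compare a later snapshot against it and report files that were added, removed or modified. The `pos` directory, its file names and the simulated tampering (a new DLL dropped next to the POS binary, the binary itself altered, a config file deleted) are all constructed for the demo; a real deployment would baseline the actual POS software directories and collect service and registry state with the same baseline-then-diff logic.

```python
"""Baseline-and-deviation file integrity check (added example, not the post's own code)."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every regular file under root (path relative to root) to its digest."""
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            result[p.relative_to(root).as_posix()] = hash_file(p)
    return result


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Report the three kinds of deviation from the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a POS-like tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pos").mkdir()
        (root / "pos" / "pos.exe").write_bytes(b"original pos binary")      # constructed content
        (root / "pos" / "config.ini").write_text("store=1234\n")            # constructed content
        baseline = snapshot(root)
        # Round-trip through JSON, as a real tool would when storing the baseline on disk.
        stored = json.loads(json.dumps(baseline))
        # Simulated tampering of the kind described in the post.
        (root / "pos" / "scraper.dll").write_bytes(b"unexpected new dll")  # new DLL appears
        (root / "pos" / "pos.exe").write_bytes(b"patched pos binary")      # binary altered
        (root / "pos" / "config.ini").unlink()                              # file removed
        return diff_snapshots(stored, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The detection itself is trivial once a trusted baseline exists; the hard part, and the part Target got wrong, is the procedure around it: who reviews the report, how quickly, and what counts as an authorized change versus an exception that must be escalated.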
2. What anti-fraud training should staff get?
The same need for vigilance needs to be instilled into staff too. They need to be aware that fraud threats can come from insiders as much as (if not more than) from external parties. Unusual events could be evidence of fraud, so any deviation from the regular business process (as in the Apple Store case) should be referred up the line.
3. What official policies can be drafted to ensure people don't screw up? What should they cover? How can these policies be effective (i.e. not written and left in a drawer)?
You do need procedures, and auditing/assessment to confirm that they are being followed. Because of the huge range and breadth of fraud vectors, the procedures get pretty long too, and boring. It is red tape and, like any checks and balances, it will slow things down. So a risk assessment is needed, and that requires a drains-up understanding of the business, its existing processes and where the danger lies. Often there is an industry or regulatory standard from an overseeing body that has to be followed: in the card payment world the card brands mandate official security standards to protect card data (the PCI DSS), the US health sector has the HIPAA-HITECH Privacy and Security Rules, and of course there is the Sarbanes-Oxley legislation introduced to prevent financial/accounting fraud (think Enron and WorldCom). All of these call for regular assessment, generally annual and in many cases by an external auditor or assessor, to confirm that the procedures are being followed, so what the organization must do, and how it demonstrates compliance, is to some extent taken out of its hands.