Archive for September 30th, 2011

Fraud Symptom 10 – Lapses in Information Assurance

The 2011 Panda Security report titled “The Cyber Crime Black Market: Uncovered” discusses how criminal organizations work to steal data and conduct fraud. The report gives the going rates for bank customer data: credit card information sells for between US$ 2 and US$ 90, depending on the type of card and the information that comes with it. European card details attract a higher price than US or Asian ones. The report describes the roles of programmers, distributors, tech experts, hackers, fraudsters, cashiers, mules, tellers, and social engineering experts. Each has a part to play, and they collaborate to conduct high-level fraud.

In light of the increasing threat of cyber crime, information assurance plays a critical role in organizations, especially financial institutions. The media regularly reports cases of cyber attacks, which provide an external perspective. However, the foundation for sound information security is laid within the organization, and any lapse in this area signifies a high risk of fraud. Below are some examples of how to identify such lapses, leaving aside the usual network breaches.

1.  Commitment to Information Assurance Policies and Procedures

The first indicator of lapses in information assurance appears when evaluating the information assurance policies and procedures. The questions to ask are: do they cover all sources of data leakage, are exceptions monitored, how well are they implemented, and are regular audits conducted to ensure adherence?

To illustrate, I had once prepared an information assurance policies document for an organization. According to my estimate, on approval of the document, the implementation time was three months. However, to my surprise, the management did not approve the document for over a year, despite repeated reminders on the high exposure to information risks. I subsequently discovered that some senior executives were conducting frauds and laying the blame on the juniors. Their problem was that if the policies were implemented, they would not have easy scapegoats.

2.  Level of Application Controls

Most organizations still lack focus on application controls: the basic input, processing, output and access controls. Access to critical information is easily available and hence the information can be stolen.

For example, in one case I found that a VISA card application could be accessed by the employees working on the process from their homes or from any internet café. Interestingly enough, all the customer information on the cards was visible outside the office premises and office machines.

In another case, a MasterCard processing application of a bank had no input controls and no verification controls on the amount. An employee could pass a transaction for US$ 5 million when the real amount was just US$ 5. The whole transaction was processed without verification checks, and the only control available was at the MasterCard office.
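The missing controls in the MasterCard example are easy to state in code. The following is an added example, not code from the post or from any bank's processing system: it models a card settlement step with three controls the post says were absent. An input control rejects anything that is not a well-formed positive amount; a verification control requires the keyed amount to match an authorization on file; and a release control enforces a per-role keying limit plus two-person release above a threshold. All names, limits and authorization records are constructed assumptions.

```python
from decimal import Decimal, InvalidOperation

# Constructed control parameters (assumptions for this example, not values from the post).
DUAL_CONTROL_THRESHOLD = Decimal("5000.00")            # above this, a second person must release
ROLE_LIMITS = {"clerk": Decimal("50000.00"),           # maximum a role may key at all
               "supervisor": Decimal("500000.00")}

# Constructed authorization records: the amount approved upstream for each reference.
AUTHORIZATIONS = {"AUTH-7781": Decimal("5.00"),
                  "AUTH-7782": Decimal("250000.00")}


def parse_amount(raw: str) -> Decimal:
    """Input control: accept only a finite, positive amount with at most two decimals."""
    try:
        amt = Decimal(raw)
    except InvalidOperation:
        raise ValueError(f"not a number: {raw!r}")
    if not amt.is_finite() or amt <= 0 or amt != amt.quantize(Decimal("0.01")):
        raise ValueError(f"invalid amount: {raw!r}")
    return amt


def is_valid_amount(raw: str) -> bool:
    """Convenience wrapper so callers can pre-check keyed input."""
    try:
        parse_amount(raw)
        return True
    except ValueError:
        return False


def submit_transaction(auth_ref: str, raw_amount: str, maker: str,
                       maker_role: str, checker: str = None) -> dict:
    """Process one keyed transaction and return the outcome plus an audit record."""
    amt = parse_amount(raw_amount)
    trail = {"auth_ref": auth_ref, "amount": str(amt), "maker": maker, "checker": checker}

    # Verification control: the keyed amount must equal the authorized amount.
    if auth_ref not in AUTHORIZATIONS:
        return {"status": "rejected", "reason": "unknown authorization", **trail}
    if amt != AUTHORIZATIONS[auth_ref]:
        return {"status": "rejected", "reason": "amount differs from authorization", **trail}

    # Access control: a role may not key more than its limit, whoever approves later.
    if amt > ROLE_LIMITS.get(maker_role, Decimal("0")):
        return {"status": "rejected", "reason": "exceeds maker's role limit", **trail}

    # Release control: larger amounts need a second, different person.
    if amt > DUAL_CONTROL_THRESHOLD:
        if checker is None:
            return {"status": "pending_approval", "reason": "second approver required", **trail}
        if checker == maker:
            return {"status": "rejected", "reason": "checker must differ from maker", **trail}

    return {"status": "approved", "reason": None, **trail}


if __name__ == "__main__":
    # The scenario from the post: US$ 5 authorized, US$ 5 million keyed.
    print(submit_transaction("AUTH-7781", "5000000.00", "emp1042", "clerk"))
    print(submit_transaction("AUTH-7781", "5.00", "emp1042", "clerk"))
    print(submit_transaction("AUTH-7782", "250000.00", "emp3001", "supervisor"))
    print(submit_transaction("AUTH-7782", "250000.00", "emp3001", "supervisor", checker="emp3002"))
```

The returned dictionary doubles as the audit trail entry: every decision records who keyed and who released, which is the material the back-end logs discussed in the next section are built from.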

3.  Back-end Logs

From a fraud detection perspective, back-end logs are crucial. They record which accounts employees accessed, which transactions they conducted, and the whole trail of activities. Analyzing the logs helps in identifying suspects.

However, some companies apply the odd logic that maintaining back-end logs is expensive and therefore do not keep them. With cheap data storage readily available, such organizations are giving up the best fraud detection tool they have.

The second risk with back-end logs is that information security personnel can play havoc with them. For example, if they have participated in a fraud, they can remain undetected. The simple method employed by deviant information security personnel is to download the back-end log, tamper with it to remove their own access trail, and put some other employee’s information in its place. This way, when the fraud is investigated, the other employee becomes the suspect.
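The edit-and-substitute attack described above works because a plain log file carries nothing that ties each entry to the ones around it. The following is an added example, not code from the post: a tamper-evident access log in which every entry carries an HMAC over its own content and the previous entry's MAC, and the latest MAC is anchored outside the log (a write-once store or a daily sign-off held by someone other than the log administrators). Swapping a user id in one entry breaks the chain from that point, and deleting trailing entries is caught by the anchor. The key, the sample log lines and the employee ids are all constructed for the example.

```python
import copy
import hashlib
import hmac
import json

# Constructed demo key. In practice the key is held by a party other than the
# IT/security staff who administer the log server, so an administrator who edits
# an entry cannot simply recompute the MACs afterwards.
LOG_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64

# Constructed sample back-end access log: who touched which account, and when.
SAMPLE_LOG = [
    {"ts": "2011-09-30T09:00:00Z", "user": "emp1042", "action": "view",   "account": "ACCT-0001"},
    {"ts": "2011-09-30T09:01:30Z", "user": "emp1042", "action": "update", "account": "ACCT-0001"},
    {"ts": "2011-09-30T09:05:00Z", "user": "emp2077", "action": "view",   "account": "ACCT-0008"},
]


def _entry_mac(prev_mac: str, record: dict) -> str:
    # Each MAC covers the previous MAC plus the canonical JSON of this record,
    # so editing any record invalidates every MAC from that point onward.
    payload = prev_mac.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(LOG_KEY, payload, hashlib.sha256).hexdigest()


def build_chain(records: list) -> list:
    """Append records one by one, linking each to its predecessor."""
    chain, prev = [], GENESIS
    for rec in records:
        mac = _entry_mac(prev, rec)
        chain.append({"record": rec, "mac": mac})
        prev = mac
    return chain


def tail_mac(chain: list) -> str:
    """The value to anchor outside the log (write-once store, daily sign-off)."""
    return chain[-1]["mac"] if chain else GENESIS


def verify_chain(chain: list) -> tuple:
    """Return (True, None) if internally consistent, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if not hmac.compare_digest(_entry_mac(prev, entry["record"]), entry["mac"]):
            return False, i
        prev = entry["mac"]
    return True, None


def audit(chain: list, anchored_tail: str) -> dict:
    """Internal consistency plus agreement with the external anchor.
    The anchor is what catches deletion of trailing entries, which a
    self-consistent chain alone cannot reveal."""
    intact, first_bad = verify_chain(chain)
    anchored = hmac.compare_digest(tail_mac(chain), anchored_tail)
    return {"ok": intact and anchored,
            "first_bad_entry": first_bad,
            "tail_matches_anchor": anchored}


def edited_copy(chain: list, index: int, field: str, value) -> list:
    """Copy of the chain with one record field altered, used here only to show
    what the audit reports when an entry has been changed after the fact."""
    altered = copy.deepcopy(chain)
    altered[index]["record"][field] = value
    return altered


if __name__ == "__main__":
    chain = build_chain(SAMPLE_LOG)
    anchor = tail_mac(chain)
    print("clean log:        ", audit(chain, anchor))
    print("user id swapped:  ", audit(edited_copy(chain, 1, "user", "emp3350"), anchor))
    print("last entry removed:", audit(chain[:-1], anchor))
```

The design choice worth noting is the split of custody: the chain detects edits, but only if the key is unavailable to the people who operate the log server, and only if the tail MAC is recorded somewhere those people cannot rewrite. That is the technical form of the segregation of duties recommended below.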

These are just a few examples of how lapses in information assurance increase the risk of fraud.

Recommendations

To ensure that the organization is adequately covering information assurance risks, do the following:

a)  Implement information assurance policies and procedures.

b)  Put a system in place to regularly monitor adherence and address exceptions.

c)  Conduct ethical network hacking to assess security vulnerabilities.

d)  Review all critical applications for controls and mitigate the major weaknesses.

e)  Segregate the duties of information technology and information security personnel to ensure that they cannot tamper with the applications or logs. Build in checks to monitor their activities.

f)  Investigate all breaches and incidents, perform root cause analysis, and make the environment more secure.

References:

The Cyber-Crime Black Market: Uncovered by Panda Security


Brand and Reputation Risks in Fraud

The brand and reputation damage to an organization reporting fraud and misconduct is huge if not managed properly. The recent spate of top executives of the Indian corporate world implicated in the 2G scam (Reliance, DB Realty, etc.) has resulted in a huge loss of market capitalization. For some companies, the share price has fallen to 30-40% of its level before the fraud was disclosed.

An old PwC survey report, issued after the Enron, WorldCom and other corporate debacles of 2002-2003, states the following:

“A 2004 CEO survey conducted in association with the World Economic Forum reflects just how seriously fraud and reputation risk is perceived by executive management. Of the 1,400 CEOs taking part in that PricewaterhouseCoopers study, 35% identified reputation risk as either “one of the biggest threats” (10%) or “a significant threat” (25%) to their business growth prospects.

And as indicated by the spate of major frauds in recent years, a single fraud-related failure can result in a multibillion-dollar loss. In fact, a 2002 study of 663 fraud cases by the Association of Certified Fraud Examiners (ACFE) suggests that fraud can cost roughly 6% of a company’s annual revenues. That figure, when applied to the U.S. Gross Domestic Product, translates into a fraud-related loss in the neighborhood of $600 billion for U.S.-based companies in 2002 – about $4,500 per employee.”

Hence, do not underestimate the reputation risks in fraud cases. A well-devised strategy is required. As I mentioned in the post “Media Ethics”, evaluate the pros and cons of the Indian media. In India, if an organization has a huge advertising budget, the media houses benefitting from that budget do not go all out after the organization, though this is not always the case.

I had once witnessed an odd situation where the communications manager, instead of protecting the organization’s brand, exposed it to negative publicity. The case was an old identity theft fraud. The fraud team submitted a document containing the media risks to the communications team. Then, after taking internal approvals, a police complaint was filed. As expected, there were numerous journalists. However, the communications heads refused to interact with the media and just issued one official statement.

The other interesting bit was that one journalist had more information on the police activities and the case than the others did. The fraud investigator checked with the police personnel whether they were leaking information. There was an old relationship between a police official and the journalist. Hence, the initial assumption was that the police official was responsible for the reputation damage.

However, the fraud investigator subsequently found out that it was an inside job by the organization’s own personnel. The communications manager had not restrained the reputation damage, on the instructions of a senior executive within the organization. The senior executive subsequently used the reputation risks as an excuse for not filing police complaints for other frauds.

In such cases, where a serious reputation damage incident has occurred, it is advisable for the new management to talk to the old management.

Closing Thoughts

A reputation risk management strategy must be developed and implemented before taking action. If the organization does not have reputed or reliable brand managers, it should hire external managers to handle the situation.

References:

PwC – The Emerging Role of Internal Audit in Managing Fraud and Reputation Risks
