The fight against fraud is a constant arms race between criminals, both internal and external, seeking to breach a financial institution's (FI's) defences and the information security professionals trying to develop authentication and protection tools in time to meet the latest threats, says Allan Boardman, international vice president, ISACA. There is never an outright winner in this battle, but a guiding principle and a set of standards to follow, such as ISACA's COBIT 5 business framework covering the governance and management of enterprise IT, help.
Fraud, defined as a wrongful or criminal deception intended to result in financial or personal gain, appears to be a lucrative business nowadays. Judging by newspaper reports it is on the increase, and those reports are likely to be only the tip of the iceberg.
As the availability of data, driven by information technology (IT) and social media, has proliferated, the threat landscape for fraud has changed dramatically. We live in an age of consumer-driven technology, with massive growth in the use of social networking, cloud computing and personal devices. All of this has increased the risk of fraud at banks and corporations, necessitating more protection for transactions and funds transfers both at the endpoint and in transit. The explosion of data gives fraudsters far more material to target and pursue, sometimes with no more than a mouse click or a screen swipe.
Fraudsters continuously bombard individuals and corporations with phishing and other social engineering attacks to obtain personal or network information, often including the user's login credentials. These attacks do not require expert knowledge, particularly given the availability of 'off the shelf' self-service phishing kits on the internet. Protecting yourself against internal and external threats has never been more important.
Major global FIs and businesses are constantly being targeted, as evidenced by recent reports of several banks suffering online attacks and website outages believed to be linked to denial of service (DoS) attacks. These attacks can be turned against any business with customer-facing online tools and are only likely to increase as cyber criminals learn to make their methods more effective.
Recent Fraud Cases
Information security threats do not originate only from outside an organisation, nor are they always high-tech or sophisticated. There was a widely reported case this summer in which a UK bank employee simply submitted false invoices to claim payments, which were then paid out to her. [‘Jessica Harper, the ex-head of fraud and online security at Lloyds Banking Group in the UK, was jailed for defrauding her employer of £2.5m in August – Ed.’]. The fraud went on for some time before being detected. Organisations ignore the insider threat at their peril, especially when a disgruntled employee is added to the mix. The case could be replicated anywhere that employees are not required to authenticate themselves for the actions they take and staff actions are not tracked.
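The controls that the case above implies, segregation of duties between the person keying an invoice and the person releasing payment, a cross-check of payee accounts against staff bank details, and an audit trail that must back every approval, can be run as a batch check over an invoice ledger. The block below is an added example, not code from the article, ISACA or any bank; the record layout, field names, sample ledger and audit log are all constructed for illustration.

```python
"""Added example (not from the article): three controls the insider case
implies, run over a constructed invoice ledger.  Record formats, field
names and all sample data are assumptions made for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    vendor: str
    payee_account: str   # bank account the payment is sent to
    amount: float
    submitted_by: str    # user who keyed the invoice
    approved_by: str     # user recorded as releasing the payment


# Constructed: employees' own bank accounts as held by payroll.
EMPLOYEE_ACCOUNTS = {"jsmith": "GB11EXMP00001111", "akhan": "GB22EXMP00002222"}

# Constructed ledger.  INV-1003 and INV-1004 are the problem cases.
LEDGER = [
    Invoice("INV-1001", "Acme Stationery", "GB33ACME00003333", 412.50, "akhan", "jsmith"),
    Invoice("INV-1002", "Acme Stationery", "GB33ACME00003333", 98.00, "akhan", "jsmith"),
    Invoice("INV-1003", "JS Consulting", "GB11EXMP00001111", 24000.00, "jsmith", "jsmith"),
    Invoice("INV-1004", "Northwind Ltd", "GB44NWND00004444", 7500.00, "akhan", "jsmith"),
]

# Constructed audit log of (invoice_id, event, authenticated user).  Every
# paid invoice should carry an 'approve' event from the recorded approver.
AUDIT_LOG = [
    ("INV-1001", "submit", "akhan"), ("INV-1001", "approve", "jsmith"),
    ("INV-1002", "submit", "akhan"), ("INV-1002", "approve", "jsmith"),
    ("INV-1003", "submit", "jsmith"), ("INV-1003", "approve", "jsmith"),
    ("INV-1004", "submit", "akhan"),  # approval was never logged
]


def flag_invoices(ledger, employee_accounts, audit_log):
    """Return {invoice_id: [reasons]} for every invoice failing a control."""
    account_owner = {acct: user for user, acct in employee_accounts.items()}
    approvals = defaultdict(set)
    for inv_id, event, user in audit_log:
        if event == "approve":
            approvals[inv_id].add(user)

    findings = defaultdict(list)
    for inv in ledger:
        # Segregation of duties: the person keying an invoice must not release it.
        if inv.submitted_by == inv.approved_by:
            findings[inv.invoice_id].append(f"self-approved by {inv.approved_by}")
        # Payee cross-check: payments routed to an employee's own account.
        owner = account_owner.get(inv.payee_account)
        if owner:
            findings[inv.invoice_id].append(f"payee account belongs to employee {owner}")
        # Audit trail: the approval on the ledger must exist as a logged, authenticated event.
        if inv.approved_by not in approvals[inv.invoice_id]:
            findings[inv.invoice_id].append("approval not recorded in audit trail")
    return dict(findings)


if __name__ == "__main__":
    for inv_id, reasons in flag_invoices(LEDGER, EMPLOYEE_ACCOUNTS, AUDIT_LOG).items():
        print(inv_id, "->", "; ".join(reasons))
```

The third check is the one that depends on staff actions being tracked: without an authenticated per-action log there is nothing to reconcile the ledger against, and a self-approved invoice to one's own account looks like any other payment.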
The huge fines imposed by regulators in 2012 on FIs that failed in their anti-money laundering (AML) and sanctions screening duties must also have caused concern in many boardrooms, and senior managers no doubt worry whether they too are exposed to similar issues. [The prime examples this year have been Standard Chartered bank and HSBC, which have respectively been fined US$340m and US$700m, rising to US$1.5bn, by US authorities for allowing banned Iranian transactions to pass and Mexican drug cartel money to be laundered – Ed.]. Senior managers and compliance officers must ask themselves what signs they should be looking for, how they would recognise suspect transactions, and what assurance they have that things are in order in their own backyards.
Bank and corporate compliance officers must ensure that the transactions passing over their systems are screened against several sanctions lists, from the UN, the US and other jurisdictions, block any funds transfer involving a Specially Designated National (SDN), a category that includes designated terrorists, and apply enhanced scrutiny to transfers involving Politically Exposed Persons (PEPs). Breaches and non-compliance cost money and must be avoided.
The extent of fraudulent activity and the seemingly unlimited resourcefulness and imagination of the perpetrators, not to mention the globally connected world in which individuals and enterprises operate today, make it very challenging for FIs and corporations to combat fraud. Those responsible for preventing and detecting fraud have their hands full and must remain vigilant in these changing times if they are to stand any chance of winning the fight.
Yet despite the serious risk that fraud presents, and the rapidly changing and complex environments in which they operate, many corporations that banks deal with still do not have formal systems and procedures to prevent, detect and respond to fraud. Such companies risk falling foul of regulatory and other supervisory authorities, as there is increasing regulatory pressure on firms to make themselves accountable for crimes such as fraud and to demonstrate that they have a strategy for protecting their organisations from liability.
Fight Fraud: Assessing the Risk
The best way to fight fraud is to get a clear appreciation of the fraud risk profile of a business or person and an understanding of what the organisational impact is, so that effective decisions can be made in the right areas. This should involve a thorough enterprise-wide fraud risk assessment including identifying and evaluating the control processes and procedures for preventing, detecting and responding to fraud. The transaction chain, including banks and suppliers, should be thoroughly examined.
The goal of such an assessment would be to determine where and how to commit scarce resources, valuable time and limited money to improving the key processes and aligning them with the business.
ISACA's COBIT 5, a business framework for the governance and management of enterprise IT, can be used by corporations to assess their information security performance and to implement appropriate management practices covering their control environment and key anti-fraud processes.
The COBIT 5 framework enables IT to be governed and managed in a holistic manner for the whole enterprise, taking into account the full end-to-end business and IT functional areas of responsibility and the IT-related interests of internal and external stakeholders. The principles are generic and useful for FIs and enterprises of all shapes and sizes.
In its COBIT 5 guidance, ISACA makes a clear distinction between governance and management. In the context of combating fraud, the board of directors should evaluate, direct and monitor the fraud reduction processes and requirements based on business needs, whereas executive management and all employees involved in fraud reduction should focus on planning, building, running and monitoring those processes. In summary:
· Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed-on direction and objectives. COBIT 5 groups these practices under its Evaluate, Direct and Monitor (EDM) domain.
· Management then plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives; these are the Plan, Build, Run and Monitor (PBRM) domains of COBIT 5.
The COBIT 5 framework is built on five basic principles that allow an FI or any enterprise to build an effective governance and management framework based on a holistic set of seven enablers that optimises information and technology investment for the benefit of stakeholders.
The five principles are:
· Meeting stakeholder needs.
· Covering the enterprise end-to-end.
· Applying a single integrated framework.
· Enabling a holistic approach.
· Separating governance from management.
The seven enablers are:
· Processes—An organised set of practices and activities that achieve certain objectives and produce a set of outputs in support of the overall IT-related goals.
· Organisational structures—The key decision-making entities in an enterprise.
· Culture, ethics and behaviour—Of individuals and of the enterprise; very often underestimated as a success factor in governance and management activities.
· Principles, policies and frameworks—The vehicles for translating the desired behaviour into practical guidance for day-to-day management.
· Information—Pervasive throughout any organisation and covering all information produced and used by the enterprise. Information is required to keep the organisation running and well governed, but at the operational level information is very often the key product of the enterprise itself.
· Services, infrastructure and applications—The infrastructure, technology and applications that provide the enterprise with IT processing and services.
· People, skills and competencies—Linked to people, and necessary for the successful completion of all activities and for making correct decisions and taking corrective action.
Since fraud reduction affects the whole corporation, ISACA suggests using and reviewing all of the COBIT 5 enabling processes to ensure the board and executive management have proper coverage of all fraud reduction related requirements, benefits, risks and resources.
As a final observation, the COBIT 5 implementation model suggests a seven-phase life cycle for improving processes and activities, with three interrelated rings: programme management, change enablement and continual improvement.
It should be noted that COBIT 5 for Information Security delivers an extended view of COBIT 5 that explains each component from an information security perspective. It provides security professionals with detailed guidance for using COBIT 5 as they establish, implement and maintain information security in the business policies, processes and structures of an enterprise.
There is certainly no silver bullet for combating fraud, but there are steps that FIs and corporations can and should take to mitigate their fraud risks and reduce the impact of such incidents on their organisations. COBIT 5 provides a variety of useful resources to help firms develop and implement an effective anti-fraud strategy, and the tools and practice guides to deliver against it.