How Vital Are Information Security Controls in Fraud Prevention?


By Illyas Kooliyankal

Fraud Prevention is one of the biggest challenges facing organizations across the world. What advanced measures can be explored to make Fraud Prevention more effective? What role can Information Security play in enhancing the Fraud Prevention mechanisms in your organization?

Traditionally, the term "Information Security" is associated with Cyber Security, and the two are used interchangeably. The approach taken by organizations, vendors, and industry experts has given the impression that Information Security is only about technology-related Cyber Security controls.

Delivering direct business value from information security investment seldom comes up as a priority or discussion point. At best, it becomes a theoretical analysis of the strategic alignment of Information Security with the business. Even then, practical effectiveness and implementation methodologies are found lacking.

Nevertheless, like many other areas, Fraud Prevention is one of the critical business challenges that Information Security controls can add value to.

Information Security and Fraud Prevention

The Information Security community has failed to demonstrate or communicate effective mechanisms for preventing organizational losses from breaches other than cyber attacks. Finding an Information Security expert with adequate technical background and business acumen is the most significant challenge the industry encounters.

Professionals with a governance or audit background come with a risk management background. Although there are exceptions, most of these experts have only theoretical knowledge of technology and do not understand the real technical challenges. At the other end of the spectrum are the technical experts who come from an IT background but lack an open mind or any exposure to business challenges and expectations.

The right Information Security leader, with technical expertise and business acumen, should be able to link the Information Security controls with business challenges. This alignment comes from ensuring control adequacy and effectiveness and, wherever possible, from linking the controls to business needs and aspirations. Fraud prevention is one of the direct selling points to demonstrate the value of Information Security to a non-technical audience, including the board members.

Information Security risks, and investments to protect against cyber attacks, are extremely crucial, especially considering the current wave of hacking incidents and data breaches. But the significance of Information Security goes well beyond the Cyber Security controls.

On analysis, a good percentage of frauds have some connection with ineffective Information Security controls. This may be due to weaknesses in the people, process or technology controls associated with valuable business data.

Example:

If a person or process accesses or alters data that it is not supposed to, it may lead to fraud. Here the basic principles of Information Security, namely confidentiality, integrity or availability, are breached. The key security control areas of access management and data management are crucial for fraud prevention.

Although the execution of frauds is attributed to many factors, the ever-increasing dependency on information security controls is gaining significant importance these days.

As in the past, financial organizations realize this fact more than others. Insider threat management initiatives that get a lot of business buy-in are mainly focused on this aspect. Fraud Management departments are more interested in the data security controls so that the prevention and detection of frauds will be more efficient and effective. Security monitoring use cases for fraud detection are gaining momentum among information security experts.

Fundamental principles or concepts

In addition to various other scenarios, the causes of fraud can include the following:

Data exposure to a potential fraudster (Internal/External - Unauthorized view) - Confidentiality breach/Impact.

Illegitimate alteration of data by the potential fraudster - Integrity breach/Impact.

Unauthorized damage to data or service by the potential fraudster so that the genuine users cannot access it on time - Availability Impact

Fraud From External Sources - Online Channels

The importance of adequate information security controls to combat fraud takes a huge jump when online channels become the fastest and most efficient channel of service delivery. Although offline channels can also be a source of fraud and can be impacted, fraud through online channels (including mobile) can be carried out far more easily and anonymously, and may be potentially destructive.

Cybercriminals target their victims through online channels because finding one is easier than through physical means. In addition, the identity of the fraudster is easy to hide and extremely difficult to find out after a successful fraud. That gives real-life criminals immense motivation to use online channels.

Emails, websites and mobile applications are being used to lure potential victims. Considering the increased adoption of mobile devices and the Internet, finding a vulnerable target is quite easy for fraudsters.

Defrauding the general public and the customers of popular organizations, including banking firms, is a common trend. The chances of someone trusting a targeted fraudulent message (in the name of a famous brand) are very high. Various financial frauds are being carried out through fake websites, email, and SMS communication pretending to be from leading organizations. Some of the messages can fool even the smartest people because they are customized to look extremely genuine. Mostly they address the victims personally, based on background checks carried out in advance using social media details.

Compromising the accounts that customers or partner firms hold with popular email services can be another source of fraud, as it lets the fraudster snoop on the communication between a supplier and a customer.

At some point, the fraudster may create a fake email account that looks almost like the original one, with a minor change in the spelling of the email address, and send instructions to transfer funds to an account that belongs to criminals. Many organizations fall into this trap due to a lack of sufficient processes and awareness.

More significant frauds use data exfiltration and cyber espionage, where expert criminal gangs use online channels to spread malware and blackmail the victims. These ultimately result in financial and reputational losses, in addition to regulatory damages.

Fraud from Internal Sources - Misuse of access and information/service handling

Many types of fraud can be executed by disloyal staff, especially those with privileged access, such as IT, Finance, and HR employees. Exposure of sensitive information to unauthorized personnel and privileges beyond what is required can potentially lead to unpleasant scenarios. In the same manner, unauthorized data transfer privileges can also be detrimental to the organization.

A lack of effective segregation of duties, and of timely monitoring and detection of employee activities (employees may include permanent, temporary or outsourced staff), could be a significant weakness in the information security control environment that could lead to substantial frauds.

Many of the recent financial frauds stem from the collusion of employees with internal or external parties. Weaknesses in access management, data transfer management, segregation of duties, and least-privilege based access provisioning are some of the causes of internal frauds (and in many cases external fraud also).

Recommendations - How can Information Security Controls prevent Frauds?

Fraud Prevention

Align the Information Security Program and its activities with the Fraud Prevention measures in the organization.

Carry out a Fraud Risk Assessment in the context of Information Security Threats - From Internal and External perspective

Identify, design and implement the critical controls required to protect the organization, its staff and its customers from frauds - People, Process and Technology Controls. In some cases, this may be achieved simply through improved awareness among the people.

Put in place proactive monitoring and detective mechanisms to predict frauds through early warnings.

Formulate "use cases" by collecting intelligence through internal and external sources of information to detect potential fraud for a timely response.

Focus on ensuring effective controls for the protection of information from internal and external threats - Confidentiality, Integrity, and Availability of the data. Only authorized parties should have the access and authority to view and change the information and its status, with adequate audit trails.

Develop and practice an incident response plan for handling potentially fraudulent activities (due to information security breaches), where fraud management/investigation teams may need to be involved. In some instances the HR department may need to be involved too, if the potential fraud attempt involves staff.

Develop and implement specific controls for all online channels to be resilient to fraudulent activities - Technical and Procedural.

Perform multiple checks and require Maker-Checker based approvals for critical/sensitive actions or transactions, with appropriate segregation of duties.

Develop customized security awareness training to educate the staff and customers about the importance of Information Security best practices for Fraud Prevention.
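An added example, not part of the original article: a minimal sketch of the Maker-Checker approval and audit trail recommendations above, applied to a payment release. The user names, roles and the PaymentQueue class are hypothetical, and the hash-chained log is one possible way to make the audit trail tamper-evident.

```python
import hashlib
import json

# Hypothetical role assignments (constructed sample data).
ROLES = {"alice": {"maker"}, "bob": {"checker"}, "carol": {"maker", "checker"}}


class ApprovalError(Exception):
    """Raised when an action would break the maker-checker rule."""


class PaymentQueue:
    def __init__(self):
        self.pending = {}  # payment id -> request awaiting a checker
        self.audit = []    # hash-chained audit records, oldest first

    def _log(self, actor, action, payment_id):
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        body = {"actor": actor, "action": action, "payment": payment_id, "prev": prev}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.audit.append({**body, "hash": digest})

    def submit(self, maker, payment_id, amount, beneficiary):
        if "maker" not in ROLES.get(maker, ()):
            raise ApprovalError(f"{maker} may not create payments")
        self.pending[payment_id] = {"maker": maker, "amount": amount, "to": beneficiary}
        self._log(maker, "submit", payment_id)

    def approve(self, checker, payment_id):
        request = self.pending.get(payment_id)
        if request is None:
            raise ApprovalError("no such pending payment")
        # Segregation of duties: a checker role is required, and never the maker.
        if "checker" not in ROLES.get(checker, ()) or checker == request["maker"]:
            self._log(checker, "approve-denied", payment_id)
            raise ApprovalError(f"{checker} may not approve {payment_id}")
        self._log(checker, "approve", payment_id)
        return self.pending.pop(payment_id)

    def audit_intact(self):
        """False if a record was edited, reordered or dropped mid-chain."""
        prev = "0" * 64
        for rec in self.audit:
            body = {k: rec[k] for k in ("actor", "action", "payment", "prev")}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if rec["prev"] != prev or rec["hash"] != digest:
                return False
            prev = rec["hash"]
        return True
```

Denied approval attempts are logged as well as successful ones, which gives a monitoring team a concrete fraud-detection signal: a maker repeatedly trying to approve their own payment.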
