Fintech, December 4 2006

The enemy within

Companies that focus on external criminals attempting to steal their intellectual property assets are looking in the wrong direction. More often, the culprits are inside the firewall. Kazuhiko Adachi explains how to guard against internal threats.

Whatever value your company has, you can be sure someone is trying to steal it. They are trying right now, as you read this. Doubtless you are aware of that reality – you have security in place, staff assigned to protect data, perhaps even a strong intrusion-detection system to prevent unwanted interlopers from poking about your files, electronically or otherwise.

But the chances are that the criminals trying to break in to your company are the least of your concerns. Fraudulent activity is on the rise, to be sure, but the most rampant segment of fraud is being perpetrated by insiders – your own employees.

Internal weaknesses

The anecdotal and statistical evidence is clear: studies from the US government, research firm Gartner and the Computer Security Institute have all shown that as much as three-quarters of measured security losses each year come from within organisations. Earlier this year, The Wall Street Journal warned: “The biggest threats to information security often don’t come from hackers. They come from a company’s own employees.” Companies, in other words, have spent so much time successfully protecting their perimeters that they have ignored the weaknesses of their internal infrastructure.

Think of everything you have to protect, and the multitude of ways it can be taken from you: stolen laptops; surreptitious e-mail attachments; ultra-portable USB drives. Your company’s lifeblood is its intellectual property and non-public information, and you simply can’t keep watch over every employee, every minute of every day.

Luckily, your systems can. They can guard themselves, to a degree – provided you teach them what to look for. In the effort to proactively gauge – and then put a stop to – fraudulent activities by employees, there are steps that your company can take, such as monitoring outbound e-mails and web use on each computer terminal; embedding traceable information to identify unauthorised printing of documents; and locking down access to files in a laptop that has been lost or stolen.

In short, you can monitor and control both your information networks and your individual terminals, to identify and block ‘data extrusion’ attempts by anyone, whether inside employees or outside hackers.

Unfortunately, many security applications introduce complex, burdensome authentication procedures that hamper productivity and overtax your network and system resources – and may fail, even then, to provide the level of security your company requires. Most opt for either end-point controls at the user level or organisation-wide monitors at the corporate level, but not both.

But there needn’t be such a painful trade-off. The ideal anti-fraud system should be unobtrusive, require limited network bandwidth and have a minimal effect on the normal duties of your staff. And once you have put in place a single, centralised security application that passively monitors and actively alerts your administrators to wrongful activity, you will gain a plethora of additional benefits, including:

  • system-wide problem analysis;
  • comprehensive audit logs;
  • overall policy setting;
  • unified behavioural analysis;
  • regulatory compliance reporting.

All of that comes as a byproduct of cohesive anti-fraud preparation, but it is the preparation itself that remains critical. Clichéd as it may sound, in terms of cost-benefit analysis, an ounce of prevention really is worth a pound of cure.

Serious repercussions

Once a fraud has been committed, the repercussions are dire. Many regions, for example, have passed laws requiring companies to acknowledge any illegal access to customer data. But by the time those painful public disclosures have been made, the damage – both to the individuals and to the company’s reputation – is done, and in many cases is irreparable. The public relations difficulties, harsh financial penalties and increasing compensatory damages are daunting at the very least.

On top of that, companies are finding themselves subject to new and ever more stringent regulatory burdens, such as the Health Insurance Portability and Accountability Act, Sarbanes-Oxley, Basel II and a host of country-specific data protection laws.

To that end, the focus should be on fraud avoidance, not fraud detection, and even the smallest crimes should be stopped. The overwhelming majority of companies fail to realise the importance of this issue. Waiting until the crime has been committed is, by definition, too late. Companies need real-time detection and an immediate, automated response for every step of fraudulent activity.

A system that maintains constant vigilance and a policy of zero tolerance can put a stop to all data extrusion acts at the outset and, at the same time, enable information officers to identify the root cause of security breaches.

There are five unavoidable truths of fraud avoidance:

  • Authorised people can easily commit improper acts.
  • Company rules and security policies by themselves are insufficient.
  • Only a few people are adequately aware of the critical importance of data.
  • Routine periodic monitoring alone cannot prevent violations.
  • No employee is immune to the occasional error or moment of inattentiveness.

In the face of those truths, the solution is to mitigate the risk of fraud at its source: human deception. This requires tackling the difficult task of discerning patterns of behaviour.

By monitoring, recording and analysing large stores of attempted fraudulent activity, software can build a history of criminal strategy, and raise alerts when similar attempts are made. By recognising anomalous activity, systems can flag any moves to circumvent established procedures. And by tracking individual actions rather than building superfluous bureaucracy, applications can provide security without hampering productivity.

Employees need to be able to perform the day-to-day functions they have been hired for. But they also need to know that the data and intellectual property they are handling belongs to the company, and the company is going to prevent them from stealing it.

Comprehensive approach

This is all part of a natural progression: companies are learning, sometimes by painful experience, the challenges of dealing with large stores of portable data. Comprehensiveness is the key: monitoring not just every end-point on the system (every laptop, every terminal and every network node) but alerting administrators to end-points missing from the system as well. Unauthorised activity – deviation of any kind from established rules – needs to be noted and addressed, and rules-based technology is the surest means to target violations on a company-wide scale.
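As an added illustration of the rules-based monitoring described here and in the previous section (example code written for this page, not software from the article or from Intelligent Wave), the block below applies three hypothetical policy rules to a constructed endpoint event log, and separately reports inventoried end-points that have gone silent. The host names, user names, rule ids, mail domains and office hours are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample endpoint events (not real data): timestamp, host, user, action, detail
EVENTS = [
    ("2006-12-04T09:00:00", "lt-0041", "alice", "heartbeat", ""),
    ("2006-12-04T09:05:00", "lt-0042", "bob",   "heartbeat", ""),
    ("2006-12-04T09:10:00", "lt-0042", "bob",   "usb_copy",  "clients_q3.xls"),
    ("2006-12-04T09:12:00", "lt-0041", "alice", "mail_out",  "report.pdf->partner@example.com"),
    ("2006-12-04T09:20:00", "lt-0041", "alice", "mail_out",  "designs.dwg->me@webmail.example"),
    ("2006-12-04T22:30:00", "lt-0041", "alice", "print",     "salary_list.doc"),
]
KNOWN_ENDPOINTS = {"lt-0041", "lt-0042", "lt-0043"}   # assumed inventory the monitor expects to hear from
ALLOWED_MAIL_DOMAINS = {"example.com"}                 # assumed corporate/partner domains

def check_event(ts, host, user, action, detail):
    """Apply the policy rules to one event; return the ids of the rules it breaks."""
    hits = []
    hour = datetime.fromisoformat(ts).hour
    if action == "usb_copy":                       # rule 1: removable media is never permitted
        hits.append("R1-removable-media")
    if action == "mail_out":                       # rule 2: attachments only to approved domains
        domain = detail.rsplit("@", 1)[-1]
        if domain not in ALLOWED_MAIL_DOMAINS:
            hits.append("R2-external-mail")
    if action == "print" and not 8 <= hour < 19:   # rule 3: printing outside assumed office hours
        hits.append("R3-after-hours-print")
    return hits

def missing_endpoints(events, now, max_silence=timedelta(hours=1)):
    """Inventoried end-points with no heartbeat within max_silence of now (never seen counts too)."""
    last_seen = {}
    for ts, host, _, action, _ in events:
        if action == "heartbeat":
            last_seen[host] = max(last_seen.get(host, datetime.min), datetime.fromisoformat(ts))
    return sorted(h for h in KNOWN_ENDPOINTS if now - last_seen.get(h, datetime.min) > max_silence)

def audit(events, now_iso):
    """Return (alerts, silent_hosts); alerts are (host, user, rule) triples in event order."""
    alerts = []
    for ts, host, user, action, detail in events:
        for rule in check_event(ts, host, user, action, detail):
            alerts.append((host, user, rule))
    return alerts, missing_endpoints(events, datetime.fromisoformat(now_iso))

if __name__ == "__main__":
    alerts, silent = audit(EVENTS, "2006-12-04T09:30:00")
    for host, user, rule in alerts:
        print("ALERT", host, user, rule)
    print("no heartbeat from:", silent)
```

The mail to an approved partner domain produces no alert, while the removable-media copy, the webmail attachment and the late-night print each trip a rule, and lt-0043 is reported because the inventory expects it but it never checked in.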

The catchword of fraud avoidance is accountability, and by being proactive in the performance of its three basic functions – detecting, responding and protecting – a successful anti-fraud system will hold employees accountable at every stage.

The simple truth is that fraud will never go away. As long as companies continue to generate information or intellectual property of value, criminals, from without and within, will endeavour to locate it. In the never-ending battle of fraud avoidance, companies need to stop trying to build stronger walls, and focus instead on ensuring they know what is going on inside the walls they already have.

Kazuhiko Adachi is chairman of Intelligent Wave Inc.
