Cyberbreaches and internal information theft are often regarded as information technology (IT) problems. However, most information loss isn’t a pure-play IT issue, even if it might be one part of a broader data security problem. Should entities remove the handling of cyberbreaches and information protection from IT? Should they handle the prevention and investigation of cybercrime in a separate fraud-related department? Or should fraud examiners step up and become more involved?
It’s easy for us, as armchair analysts, when we hear about daily data breaches, to point our fingers and poke holes in the ways institutions fail to mitigate risk and threats of data loss and leakage. Take, for example, the sophisticated cyberattack on CareFirst BlueCross BlueShield (CareFirst) on May 20. According to the article “CareFirst Announces Cyberattack; Offers Protection for Affected Members,” on the CareFirst website, the attackers gained limited, unauthorized access to a single CareFirst database. The company discovered the breach as a part of its ongoing IT security efforts in the wake of recent cyberattacks on health insurers.
According to the article, CareFirst engaged a cybersecurity firm to conduct an end-to-end examination of its IT environment. Evidence suggested that attackers could have potentially acquired member user names created by individuals to use CareFirst’s website, as well as members’ names, birth dates, email addresses and subscriber identification numbers.
In truth, staff within most IT security and compliance departments are diligent in their roles — they do the best they can with what they have. I believe that information security should have a place in IT. But IT shouldn’t hold the reins of information protection and investigation; if it does, perhaps anti-fraud experts can help.
Is a cyberbreach really cyberfraud?
Right now, fraud examiners should be licking their chops. Fraud, by its nature, includes any intentional or deliberate act to deprive another of property or money by guile, deception or other unfair means (2015 Fraud Examiners Manual, 2.201). Similarly, theft is when someone takes something from another without consent. A fraudster’s main objective is to hide the act even after the act is completed. This is also the objective of many data breachers. The acts are largely unknown before and after penetration. The intent is to steal … by means of fraud.
Look at Target, Sony, Home Depot, OPM, etc. In most cyberbreach cases, the incidents are identified long after the penetration and the thieves have absconded with the targeted data.
When I perform periodic testing as a risk consultant to commandeer information and breach controls, I find my pathway in most cases through ruses that enable me to gain access — technologically, physically or by human shortcomings. Here are some examples of how a cybercriminal might gain access to secure information in these three ways:
- Obtain a network or access password by asking an employee.
- Spear phish to feign a trusted co-worker or site to trick the individual into logging into a trap-identity capture. For example, recreate a LinkedIn invitation in an email with an authentic look and feel of the actual website that grabs the user’s name and password when they believe they’re logging in to the invitation.
- Gain access to an unattended device or endpoint (i.e. desktop computers and devices such as laptops, smartphones and tablets) that an employee left on a desk or counter during office hours. When employees leave their systems unattended and fail to log off, passersby can access information that isn’t password protected.
- Enter a facility without authorization by picking the lock or by entering through unlocked doors and other unrestricted access points. Or a fraudster can simply enter while a thoughtful person holds the door open as they both enter the building.
- Steal hard-copy information that’s unattended such as paper forms, bills and customer information near printers, fax machines and in unlocked garbage containers.
- Peer over employees’ shoulders while they access private content, read information lying in the open or access files that aren’t locked away to see unsecured information.
- Failure to comply with policies and procedures. Most policies and procedures exist as rules on a form that’s either in some nebulous manual or on a database for employees. Without carefully implementing policies and procedures in alignment with natural, daily activities, most employees won’t think about the controls unless they’re culturally ingrained.
- Failure to create adequate controls. Organizations create controls to minimize activities that could create undue risk. However, risks are always changing and not all controls are sustainable, if indeed they were properly created in the first place.
- Failure to identify and plan against dynamic risks, threats and vulnerabilities. Most risk assessments are a snapshot in time, yet organizations often don’t periodically reassess them to identify changes and indicators of adverse events.
Regulatory authorities and directives, such as the ones governing the Health Insurance Portability and Accountability Act of 1996, mandate that organizations protect information with technology, physical security and appropriate functional controls. Now, if information protection falls under IT, are companies really using the best resources to cover physical security and processes that fall outside of computer or device-based controls, such as business procedures? Probably not, because the key loophole is usually human behavior. That’s a corporate risk and security issue, and it’s also a legal and human resources problem. The fact that the mechanism might have used technology shouldn’t drive “ownership” of the problem to IT. So who can transcend all of these business units? A properly trained fraud examiner.
Moving cyberfraud out of IT
From an organizational perspective, an integrated anti-fraud framework that covers financial and information loss would make sense, especially if it involved improving fraud intelligence units as the “eyes and ears” to stop crime and reduce the risk of loss and non-compliance. Doing so could require a holistic approach that involves the entire company’s efforts in governance, risk and compliance. Unfortunately, organizational transformation can take a lot of time and could be beyond the scope of what a fraud examiner can achieve without assistance.
The graphic below shows how a fraud framework can be integrated into an organization and how IT can still function within security. It also takes physical premises and the human dimension into consideration.
Typically, it’s the responsibility of the security department — and to a degree, the anti-fraud department — to address cyberbreaches. The security department typically deals with internal losses that affect customers and the institution but so does the anti-fraud department. But neither exists in isolation. As the model above represents, elements of legal, compliance, intelligence and investigations departments relate to the risk department functions. Companies investigate frauds and breaches and then turn them over to law enforcement if they can’t handle them internally, yet they should emphasize inter-departmental communications to ensure the approach is the most sound and responsible. The bottom line is that the most effective response to an attack is a united community effort that’s devoted to the investigation of unauthorized money leaving the bank.
How to create change
Trends in investigations, findings and lawsuits show that regulatory enforcement is starting to go after more financial services executives and will likely cause companies to adopt more efficient crime-stopping efforts. From a turf standpoint, this could be the perfect opportunity for the CFE to raise a hand to help fix a broken process.
- Share with leadership that cybertheft starts as fraud: an intent to deceive and to induce action or inaction in order to cheat. This tells management that a place for fraud examiners’ expertise across the organization is imperative to recognize new and emerging threats. Fraud examiners’ assistance, policies, procedures and other controls can better align business units to improve adherence to controls and recognition of the risks those controls are mitigating.
- Business units and technology services departments use compliance departments to detect and establish policies. But organizations can only begin to understand which adversaries would want to grab particular information or data if they enlist experts with threat recognition, intelligence analysis and investigation skills. Fraud examiners can assist by augmenting training and education in these areas. Fraud examination is a multi-disciplinary craft that should continue to evolve with global threats. Certain core skills will remain the same, but others can be pulled from different professions and incorporated to meet the demands of corporate fraud resiliency. One example of this is mobile device forensics. Fraud examiners who can conduct exit interviews that include examinations of company-owned devices could feasibly catch illicit acts before employees are fully separated from organizations.
Wrap up the crime
I strongly believe that organizations should recruit CFEs to fight cybercrime. They can use their skills and experience in interviewing, investigating, elicitation and spotting anomalies to aid in the elimination of cyberfraud.
Scott Swanson, CFE, is principal/owner of Donovan Black Risk Mitigation Group. He can be reached directly at 312-659-3000 or firstname.lastname@example.org.