Saturday, December 11, 2021

How To Avoid Internal Fraud - 3 Action Items To Be Taken

Last weekend, I wrote about a type of fraud that is occurring more frequently these days: synthetic identity fraud. This occurs when the cyberattacker uses both real and fake information about you in order to create a whole new profile, essentially making you a person with totally different characteristics.

The goal of this is to fly under the radar for as long as possible, as many businesses are simply not up to speed yet in catching these kinds of attacks.

But whatever the variant, it all comes down to one thing: fraud, especially internal fraud, is extremely difficult to detect. The major reason for this is that it is often conducted by actual human beings, primarily by using social engineering tactics.

For example, you could have an employee who has been with you for a long period of time, who appears to be happy, but who underneath is planning a fraud-based attack on your company.

Employees, whether they have a criminal background or not, are often the most obvious suspects, because they know the internal workings of your organization, especially the weak spots. So it all comes down to one thing really, which is quite unfortunate in some ways:

You simply cannot trust anybody these days, no matter how well you may know them.

But for purposes of this blog, we will stick to how it relates to business, and some measures you can take to help avoid it.  Here we go:

1) Create and deploy a fraud hotline:

I have actually written about this before, but although employees might be the proverbial weakest link in the security chain, they can also be your best source of internal eyes. For example, depending upon how large your business is, you cannot be in all places all of the time. So you have to rely on your employees to report anything to you that may be suspicious or simply out of the ordinary. Therefore, you need to maintain a special hotline through which an employee can anonymously report this kind of activity without any fear of reprisals being taken against them. In this regard, probably the best people to answer this hotline would be your IT Security team. In fact, according to a recent report by the Association of Certified Fraud Examiners (also known as “ACFE”), 43% of all fraud cases are captured by these kinds of tips. More detail about this report can be found at this link:

https://www.acfeinsights.com/acfe-insights/announcing-the-2020-report-to-the-nations

But keep in mind one more important thing: all of the above assumes that you still maintain a brick-and-mortar office of sorts. Given how the world is now going digital, with a 99% remote workforce, having a tip line may obviously not be as effective. Therefore, your best bet is to migrate to a cloud-based platform, such as Microsoft Azure. They have all the tools you could ever need to identify and stop fraudulent attacks on your digital assets as they happen, in real time. Heck, they even give you tools to help you track down the perpetrator as well.

2) Maintain the right set of controls:

Once again, this is one of the biggest buzzwords still being bandied about in the world of cybersecurity. But you know what? Having the right set of controls in place has now become mandatory, as set forth by data privacy laws such as the GDPR and the CCPA, as well as others. The term "controls" is a catch-all, and which ones you use depend largely upon the kind of digital assets that you have. In terms of fraud-related activity, there are two types of controls: active and passive. With the former, the controls you have in place are doing their job to mitigate the risk of internal fraud from actually happening. This would include setting up rights and permissions according to the job duties of the employee, having a segregation of duties, deploying Multifactor Authentication (MFA), having a regular password reset schedule, putting in physical devices to add more security, etc. With the latter, as its name implies, you are taking a less formal approach. Instead, you are making use of audits, sudden changes in the level of inventory, etc. in order to detect any fraudulent activity after the fact. So you may be asking now which approach is the best? Well, using both, in a hybrid approach, is the best one to take. This will help to ensure that you are taking all of the steps necessary to protect your business from internal fraud. In fact, according to the same report just mentioned, almost 30% of all fraudulent activity occurs because of a sheer lack of controls.
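To make the "segregation of duties" control concrete, here is an added example (not code from the original post) of the kind of check an IT Security team can run over role assignments: it flags any employee whose combined roles let them both initiate and approve the same kind of transaction. The duty names, the conflict matrix and the user assignments are all constructed for illustration.

```python
# Segregation-of-duties (SoD) check over constructed role data.
# Added example, not code from the original post; duty names, the conflict
# matrix and the user assignments are all constructed for illustration.

# Duty pairs one person should never hold together: each pair lets a single
# employee both initiate and approve a transaction.
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"modify_payroll", "approve_payroll"}),
    frozenset({"adjust_inventory", "approve_inventory_writeoff"}),
}

# Role -> duties that role grants.
ROLE_DUTIES = {
    "ap_clerk": {"enter_invoice", "create_vendor"},
    "ap_manager": {"approve_payment"},
    "payroll_admin": {"modify_payroll"},
    "hr_manager": {"approve_payroll"},
    "warehouse": {"adjust_inventory"},
    "controller": {"approve_inventory_writeoff", "approve_payment"},
}

def effective_duties(roles):
    """Union of the duties granted by every role a user holds."""
    duties = set()
    for role in roles:
        duties |= ROLE_DUTIES.get(role, set())
    return duties

def sod_violations(user_roles):
    """Map each offending user to the sorted conflicting duty pairs they hold,
    whether through one role or accumulated across several roles."""
    report = {}
    for user, roles in user_roles.items():
        duties = effective_duties(roles)
        hits = [tuple(sorted(p)) for p in SOD_CONFLICTS if p <= duties]
        if hits:
            report[user] = sorted(hits)
    return report

# Constructed assignments: "bob" kept ap_clerk rights after promotion to ap_manager.
SAMPLE_ASSIGNMENTS = {
    "alice": ["ap_clerk"],
    "bob": ["ap_clerk", "ap_manager"],
    "carol": ["warehouse", "controller"],
    "dave": ["payroll_admin"],
}
```

Running `sod_violations(SAMPLE_ASSIGNMENTS)` reports bob and carol; the same check belongs in the access-review audit that the passive controls rely on, since rights tend to accumulate quietly as people change jobs.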

3) Watch for any signs of abnormalities:

Let’s face it, life is a rat race. We all have our daily ups and downs, and emotional swings. It is just a part of who we are as human beings. But one thing is for sure: no matter how much we try to hide our feelings and emotions so that they are not so apparent to others, there are always involuntary clues that are given out. When it comes to your employees, one of the key things to look out for is how their behavior changes in the work that they do. For example, if there are drastic mood swings, unusual relationships with external third parties, a reluctance to attend meetings, or even to share in responsibilities, these are for sure red flags. Now it doesn’t necessarily mean that an employee who is displaying these emotions is going to launch an internal fraud attack, but typically it is those who are disgruntled who are more prone to doing this.

My Thoughts On This

As I mentioned earlier, internal fraud will always be hard to detect. But for your employees, whether they are remote or not, always conduct training sessions, in a manner very similar to how you would run a cyber security awareness training program.

Always make your best effort to make your employees feel happy, and most importantly, appreciated. True, money and budgets are tight, but you do not have to spend a lot of money to do this. Even simple verbal acknowledgements and gift cards can do wonders for the human spirit as well.

In the end, remember that the costs associated with keeping your employees happy will be far outweighed by the costs if you are hit with an internal fraud attack.
