Last weekend, I wrote about a new type of fraud that is happening with increasing frequency these days: synthetic-based fraud. This occurs when the cyberattacker uses both real and fake information about you in order to create a whole new profile, essentially making you a person with totally different characteristics. The goal is to fly under the radar for as long as possible, as many businesses are simply not up to speed yet in catching these kinds of attacks.

But whatever the variant, it all comes down to one thing: fraud, especially internal fraud, is extremely difficult to detect. The major reason for this is that it is conducted by actual human beings, primarily through social engineering tactics. For example, you could have an employee you have had for a long period of time who appears to be happy, but underneath, they are planning a fraud-based attack on your company.

Employees, whether they have a criminal background or not, are often the most obvious suspects, because they know the internal workings of your organization, especially the weak spots. So it all comes down to one thing really, which is quite unfortunate in some ways: you simply cannot trust anybody these days, no matter how well you may know them.

But for the purposes of this blog, we will stick to how it relates to business, and some measures you can take to help avoid it. Here we go:
1) Create and deploy a fraud hotline:

I have actually written about this before, but although employees might be the proverbial weakest link in the security chain, they can also be your best source of internal eyes. Depending upon how large your business is, you cannot be in all places all of the time, so you have to rely on your employees to report anything to you that may be suspicious or simply out of the ordinary. Therefore, you need to maintain a special hotline through which an employee can anonymously report this kind of activity without any fear of reprisals being taken against them. In this regard, probably the best people to answer this hotline would be your IT security team. In fact, according to a recent report by the Association of Certified Fraud Examiners (also known as “ACFE”), 43% of all fraud cases are detected through these kinds of tips. More detail about this report can be found at this link:
https://www.acfeinsights.com/acfe-insights/announcing-the-2020-report-to-the-nations

But keep in mind one more important thing: all of the above assumes that you still maintain a brick-and-mortar office of sorts. Given how the world is now going digital with a 99% remote workforce, a tip line may obviously not be as effective. Therefore, your best bet is to migrate to a cloud-based platform, such as Microsoft Azure. They have all the tools you could ever need to identify and stop fraudulent attacks on your digital assets as they happen, in real time. Heck, they even give you tools to help you track down the perpetrator as well.
2) Maintain the right set of controls:

Once again, this is one of the biggest buzzwords still being bandied about in the world of cybersecurity. But you know what? Having the right set of controls in place has now become mandatory, as set forth by data privacy laws such as the GDPR and the CCPA, as well as others. “Controls” is a catch-all term, and which ones you use depend largely upon the kind of digital assets that you have. In terms of fraudulent activity, there are two types of controls: active and passive. With the former, the controls you have in place are doing their job to mitigate the risk of internal fraud from actually happening. This would include setting up rights and permissions according to the job duties of the employee, segregation of duties, deploying Multifactor Authentication (MFA), having a regular password reset schedule, putting in physical devices to add more security, etc. With the latter, as its name implies, you are taking a less formal approach: you make use of audits, sudden changes in the level of inventory, etc. in order to detect any fraudulent activity that does occur. So you may be asking now which approach is the best? Well, using both in a hybrid approach is the best one to take. This will help to ensure that you are taking all of the steps necessary to protect your business from internal fraud. In fact, according to the same report just mentioned, almost 30% of all fraudulent activity occurs because of a sheer lack of controls.
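To make the active/passive distinction concrete, here is an added example (it is not from the original post, and not any vendor's product) that runs one active control and one passive control over a constructed transaction log. The active control checks that rights follow job role and that nobody approves their own request (segregation of duties); the passive control flags an inventory movement that is a statistical outlier, the kind of "sudden change in the level of inventory" an audit would look for. The user names, roles, transaction records and the z-score cutoff are all assumptions made for the example.

```python
from statistics import mean, pstdev

# Constructed sample transaction log (not real data): who requested a payment,
# who approved it, the amount, and the change it caused in stock on hand.
TRANSACTIONS = [
    {"id": "T1", "requester": "alice", "approver": "bob",   "amount": 120.0,  "inventory_delta": -3},
    {"id": "T2", "requester": "carol", "approver": "dave",  "amount": 95.0,   "inventory_delta": -2},
    {"id": "T3", "requester": "alice", "approver": "alice", "amount": 4800.0, "inventory_delta": -4},
    {"id": "T4", "requester": "carol", "approver": "bob",   "amount": 110.0,  "inventory_delta": -3},
    {"id": "T5", "requester": "bob",   "approver": "dave",  "amount": 130.0,  "inventory_delta": -2},
    {"id": "T6", "requester": "alice", "approver": "dave",  "amount": 100.0,  "inventory_delta": -40},
]

# Assumed role model for the example (least privilege): a clerk may request a
# payment and adjust stock; only a manager may approve a payment.
ROLE_PERMISSIONS = {
    "clerk": {"request_payment", "adjust_inventory"},
    "manager": {"approve_payment"},
}
USER_ROLES = {"alice": "clerk", "carol": "clerk", "bob": "manager", "dave": "manager"}


def has_permission(user, permission):
    """Active control: rights are granted by job role, not to the individual."""
    return permission in ROLE_PERMISSIONS.get(USER_ROLES.get(user, ""), set())


def active_control_findings(tx):
    """Return the list of active-control violations for one transaction."""
    findings = []
    if not has_permission(tx["requester"], "request_payment"):
        findings.append("requester lacks request_payment permission")
    if not has_permission(tx["approver"], "approve_payment"):
        findings.append("approver lacks approve_payment permission")
    # Segregation of duties: the person who requests must not be the approver.
    if tx["requester"] == tx["approver"]:
        findings.append("requester approved their own transaction")
    return findings


def inventory_anomalies(transactions, z=2.0):
    """Passive control: flag stock movements far outside the log's usual pattern.

    A simple z-score against the whole log is used; z=2.0 is an assumed cutoff
    and would be tuned against real history in practice."""
    deltas = [tx["inventory_delta"] for tx in transactions]
    if len(deltas) < 2:
        return []
    mu, sigma = mean(deltas), pstdev(deltas)
    if sigma == 0:  # every movement identical: nothing stands out
        return []
    return [tx["id"] for tx in transactions if abs(tx["inventory_delta"] - mu) > z * sigma]


def audit(transactions):
    """Hybrid approach: run both control types and return (id, control, message) tuples."""
    report = []
    for tx in transactions:
        for msg in active_control_findings(tx):
            report.append((tx["id"], "active", msg))
    for tx_id in inventory_anomalies(transactions):
        report.append((tx_id, "passive", "inventory change is a statistical outlier"))
    return report


if __name__ == "__main__":
    for tx_id, control, msg in audit(TRANSACTIONS):
        print(f"{tx_id} [{control}] {msg}")
```

Running it reports T3 twice (a clerk approving, and approving her own request), T5 once (a manager submitting a request his role does not allow) and T6 once (a stock movement roughly ten times the others). Note that the active findings are known the moment the transaction is entered, while the passive one only emerges when the log is reviewed as a whole; that is exactly why the post recommends using both.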
3) Watch for any signs of abnormalities:

Let’s face it, life is a rat race. We all have our daily ups and downs and emotional swings; it is just a part of who we are as human beings. But one thing is for sure: no matter how much we try to hide our feelings and emotions so that they are not so apparent to others, there are always involuntary clues that are given out. When it comes to your employees, one of the key things to look out for is how their behavior changes while they work. For example, drastic mood swings, unusual relationships with external third parties, a reluctance to attend meetings, or even to share in responsibilities, are for sure red flags. Now it doesn’t necessarily mean that an employee who is displaying these emotions is going to launch an internal fraud attack, but typically it is those who are disgruntled who are more prone to doing this.
My Thoughts On This

As I mentioned earlier, internal fraud will always be hard to detect. But for your employees, whether they are remote or not, always conduct training sessions, in a manner very similar to how you would run a cyber security awareness training program. Always make your best efforts to make your employees feel happy and, most importantly, appreciated. True, money and budgets are tight, but you do not have to spend a lot of money to do this. Even simple verbal acknowledgements and gift cards can do wonders for the human spirit. In the end, remember that the costs associated with keeping your employees happy will be far outweighed by the costs if you are hit with an internal fraud attack.