
Corporate crime poses a real and substantial threat to
the stability of any business. Fraud and theft involving everything
from intellectual property to inventory, from cybercrime to corruption, are
multi-billion pound problems. All organisations are susceptible and
taking the right precautions to prevent crimes is crucial. Risk
does not distinguish between geography and size of a company, or
between industry and scope. The risk is real, worrisome and
ubiquitous.
Some of these fraud violations are down to the
increasing sophistication of the criminals perpetrating the
attacks but, in many instances, systems are compromised in ways
that simply should not be possible. Aside from the damage done to
an organisation's brand, an increasingly strict legislative
framework in some areas - laws such as
Sarbanes-Oxley and the UK Fraud Bill - should have left no one in
doubt as to the importance of getting security right.
Yet despite the message being driven home by governments,
consumer groups and industry bodies that IT security is paramount,
fraud levels this year will continue to rise as we witness a
worrying number of serious breaches.
When people think of fraud, they tend to focus on the external
threat, but the bottom line is that the most dangerous threat comes
from within the organisation. Employee-related risk is a moving
target. For example, the fragmentation of corporate systems makes
it difficult to keep control of confidential data, resulting in
leakage - an issue exacerbated by the availability of portable
storage, such as USB sticks and MP3 players. As new generations of
technology offer new ways of working, they also create new security
and ultimately fraud headaches.
The single most important factor for any business in exerting
tighter controls and reducing the risk of fraud is visibility. For
starters, access rights as a method of internal control are key to
any security strategy for preventing fraud. Under the principle of
least privilege, employees should be able to do only what their role
requires and no more. We are not advocating a Big Brother state -
the goal is to understand and manage the real risks rather than
trying to create jobs or undermine the rights of employees.
Ultimately, reducing the risks associated with an organisation's own staff is as
much about procedure and policy as it is about technology.
Secondly, organisations need to confirm that only the right
individual is accessing the relevant information. Banks in
particular are faced with this issue and the rise in fraud has led
to a significant and stable increase in the acceptance and
deployment of two-factor authentication methods as banks seek to
elevate the real and perceived security of their online services.
Protecting their organisation from the financial fallout of fraud
is one consideration; success in the lucrative internet banking
arena depends on how safe customers feel when using online banking
services, and those working outside the enterprise walls also need
to have secure access.
Thirdly, non-repudiation of documents can and should be
addressed through the use of digital signatures, which can also
deliver the ability to check that the document has not been altered
in any way since being signed. This is essential to preventing
various types of fraud including revenue diversion frauds,
procurement frauds and payment frauds.
Although more and more organisations are recognising that fraud
and security issues are not "grudge spend" but rather an
investment, there needs to be a shift in perception that fraud and
related security systems are not simply technology implementations
but rather a catalyst for business change and revenue growth.
But technology is not the only problem here. Business tensions
underpin the struggle for security. On the one hand, organisations
need to reduce fraud, but on the other hand, a competitive sector
such as banking requires them to make transactions and company
interactions run smoothly for customers. As the drive for
customer convenience continues, the challenges surrounding banking
security and the need to compromise the security involved will
increase.
Fraud is an ongoing business and security concern - not just
ethically but to the bottom line. We will see more innovative ways
to commit fraud and security breaches. Enterprises, therefore, need
to match this hunger, innovation and enthusiasm with appropriate
rigour in their own security policies and architectures.