Although hackers and
phishing attacks make the headlines, almost 78% of fraud by
individuals against UK organisations is committed by employees.
Most businesses can no longer afford to ignore the threat from
within.
Internal fraud made up more than a quarter of the £1.19bn of
fraud losses recorded in cases brought before UK courts in 2008
according to KPMG's annual Forensic Fraud Barometer. The report
reveals that
employee fraud across all UK organisations grew by six times in
2008 compared with the year before.
Analysts say the figures for enterprise fraud are likely to
increase in 2009 as a direct result of the poor economic climate
around the world. As the effects of the economic downturn begin to
take hold at every level, the temptation to commit fraud by
inflating expense claims or passing on information to organised
crime is greater than ever.
It is no surprise that managers are the biggest culprits,
accounting for 56% of internal fraud. They are better placed to
abuse their position of trust and have authorised access to a
greater number of company resources.
Non-managers may soon catch up, however, with growth in fraud by
this group in 2008 outstripping that of managers by 133%.
Hitesh Patel, fraud investigation partner at KPMG Forensic, says
internal fraud is becoming more prevalent and should set alarm
bells ringing within organisations.
"In difficult times, internal fraud could even become the
tipping point between the survival and demise of an organisation,"
he says.
Businesses are turning to IT systems to detect and prevent
internal fraud, but many are failing to address the full complexity
of the problem.
Analyst firm Quocirca is preparing a report on internal fraud.
Quocirca analyst Bob Tarzey warns that businesses have not
addressed this issue to the extent that they need to.
Most organisations are implementing point systems that look for
specific, well-known types of fraud, says Shachar Mor, senior
consultant at information security firm Comsec Consulting.
These typically do not address the full complexity of the
problem because fraud is becoming increasingly sophisticated and is
often made up of several smaller activities across the
organisation.
A point system aimed at a specific activity is not going to make
the connections to identify more complex patterns of fraud
activity, says Bart Patrick, head of risk at SAS UK.
Fraud is multidimensional and, therefore, businesses need to
adopt a multidimensional approach, he says. The only way to reach
beyond the 20% of well-known frauds is to take a data-driven
approach.
This involves tapping into all the data sources within
organisations such as e-mail, building access logs, telephone
records and employee database activity.
Analytics technology can use all this information to uncover
hidden patterns of activity linked to fraud and enable
organisations to prevent fraud when similar patterns are detected
in future.
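
The contrast drawn above between a point system and a data-driven approach, as an added example (not code from the article or from any supplier it names): a single-source rule beside a correlation across the data sources listed. The event fields, thresholds and signal names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def at(hhmm):
    """Constructed timestamp on one sample day."""
    return datetime.fromisoformat("2009-03-02T" + hhmm)

# Constructed sample events from the four sources the article names.
EVENTS = [
    {"src": "badge", "user": "alice", "ts": at("08:55")},
    {"src": "db",    "user": "alice", "ts": at("10:10"), "rows": 40},
    {"src": "email", "user": "alice", "ts": at("10:30"), "external": False, "attachment": True},
    # bob: no badge-in that day, a modest read, then external mail and call
    {"src": "db",    "user": "bob",   "ts": at("21:40"), "rows": 120},
    {"src": "email", "user": "bob",   "ts": at("21:52"), "external": True, "attachment": True},
    {"src": "phone", "user": "bob",   "ts": at("22:05"), "external": True},
    # carol: one large read, the kind of pattern a point system looks for
    {"src": "badge", "user": "carol", "ts": at("09:05")},
    {"src": "db",    "user": "carol", "ts": at("11:00"), "rows": 900},
]

def point_rule(events, max_rows=500):
    """Single-source rule: flag only large database reads."""
    return {e["user"] for e in events if e["src"] == "db" and e["rows"] > max_rows}

def correlate(events, window=timedelta(hours=1), threshold=2):
    """Score each database read by weak signals from the other sources."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        for q in (e for e in evs if e["src"] == "db"):
            signals = set()
            # Building access log: no badge-in earlier on the same day.
            if not any(e["src"] == "badge" and e["ts"].date() == q["ts"].date()
                       and e["ts"] <= q["ts"] for e in evs):
                signals.add("db_read_without_badge_in")
            for e in evs:
                if timedelta(0) <= e["ts"] - q["ts"] <= window:
                    if e["src"] == "email" and e["external"] and e["attachment"]:
                        signals.add("external_attachment_after_read")
                    if e["src"] == "phone" and e["external"]:
                        signals.add("external_call_after_read")
            if len(signals) >= threshold:
                flagged[user] = sorted(signals | set(flagged.get(user, [])))
    return flagged
```

On the sample data, `point_rule(EVENTS)` flags only carol, while `correlate(EVENTS)` flags bob, whose individual actions each stay under the single-source threshold.
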
The most difficult type of fraud to tackle is the fraud that
goes undetected, which experts in the field have suggested is about
40% of all fraud carried out, says Patrick. Large financial
institutions commonly use analytics to help provide near real-time
alerts about unknown fraud by detecting and connecting anomalous
data to identify potential fraud activity.
Using this approach, data can be pulled together from multiple
sources to create and run a fraud risk model to score a transaction
and send the result to a bank in under 40 milliseconds. This
capability obviously involves an extensive data integration
project, which is likely to be out of the reach of organisations
that do not have the financial resources of multinational
banks.
Fraud analytics
New technology from software firms such as startup Intellinx is
likely to fill this gap by providing a way of using analytics to
combat fraud without the need for system integration.
The Intellinx software uses an agent-less network traffic
sniffing tool to collect and pass information from all company IT
systems to its analytics engine to identify potential fraud. The
technology can be deployed within a single day and does not require
expertise to link it with each information system used in an
organisation.
This enables a near real-time fraud alert capability with full
activity recording and replay in software that can be used against
both known and unknown types of fraud in an organisation.
Fine-tuning the software can take up to four weeks, says Orna
Mintz-Dov, chief executive of Intellinx, but organisations will
have the ability to record all transactions out of the box. This
technology has been deployed in the US, where police authorities
were able to immediately block any inappropriate internal requests
for information on president Barack Obama.
Endpoint management
Another innovative way of gaining visibility and control of
internal systems and data is using agent-less endpoint management
technologies.
Like the Intellinx software, the management system from endpoint
security supplier Promisec is designed to enable fast, centralised
and easy deployment with little impact on network performance.
Endpoint management can enable organisations to get visibility
of what users are doing with internal data, says Ari Tammam,
vice-president of channels at Promisec. Organisations can also
control company data by enforcing policies through every device
used to access the network, he says.
The software monitors and blocks any changes to software and
security settings, says Tammam, to prevent employees from
intentionally or unintentionally opening up opportunities for
fraud.
Tracing user transactions
Security supplier First Ondemand is pioneering yet another
innovative anti-fraud technology to provide cryptographically
secured unique identities for users, transactions and physical
goods.
Fraud can be prevented if an organisation can identify and
authenticate every person in its business processes, says Peter
Warner, head of financial sector business development at First
Ondemand.
The firm has developed software in partnership with Oracle to
enable organisations to create mass serialised identities and then
track them through all business processes and IT systems.
The technology is being used to prevent fraud by authenticating
pharmaceuticals, recipients of parcel deliveries and users of
electronic train ticketing services.
Shout about anti-fraud
Visible roll-outs of anti-fraud technologies alone can help
organisations reduce fraud, says Comsec's Shachar Mor, who
specialises in enterprise fraud.
Once an organisation can demonstrate its capability to identify
suspicious activity, it makes employees aware that there is a "dog
in the house" so they are less likely to commit fraud, he says.
Technology can vastly improve an organisation's ability to
deter, detect and prevent fraud, but it will not address business
process failures that often create opportunities for
fraudsters.
Fraud often occurs where there is a breakdown of control,
typically when processes are handed from one department to another
within an organisation, says SAS's Patrick.
Knowledge of processes within an organisation is an increasingly
important component of successful fraud prevention, says Nissim
Bar-El, chief executive of Comsec UK.
Fraud of some kind is a threat to most organisations, but Bar-El
says few have the ability or budget to combine anti-fraud
technologies with knowledge of business processes and user
behaviour.
This is likely to drive demand for comprehensive fraud
protection to be delivered as a more affordable service from a
third-party supplier, he says.
Such a service would put within reach of most businesses a
combination of process knowledge with cutting-edge technologies
from firms such as Intellinx, Promisec and First Ondemand.
Collaboration across industries is another key component missing
from many organisations' fraud prevention strategies, says
Patrick.
The future of fraud prevention must include some element of
information sharing across industries and regions, he says, because
fraud seldom operates in isolation.
Patrick is not in favour of devolving responsibility for fraud
prevention to third-party suppliers, but concedes that some
organisations may need to do that.
"If such services can enable wider collaboration on fraud
prevention, I am fine with that," he says.
"Organisations that work together and do all they can with data
and technology will get the best result," he says.