Fraud is inherent in all kinds of companies, whatever industry they operate in. Whenever there are gains to be made, there is a likelihood of some type of fraud being committed. Unfortunately, organizations do not deal with fraud as they should, either because it does not occur very frequently or because the organizations themselves do not succeed in managing it properly.
Nonetheless, online fraud is a reality and has become increasingly important in organizations' strategic discussions.
In tandem, the development of new technologies in use by bad actors has become a variable that not only impacts security but also produces the type of fraud we are enduring today.
To counter bad actors' advances in technology, companies, public and private, are investing billions to defend their assets, data, processes, and brand image.
Over the past year (2017), we have witnessed a large number of attacks that have taken place for the sole purpose of committing computer fraud and profiting from stolen information. The WannaCry, Petya and Bad Rabbit cases reflect just how exposed we are to fraud and cybercriminals.
In spite of the fact that many companies were unscathed by these incidents, the truth is that they were real and compromised systems as well as their data.
The Kroll investigation, The Global Fraud & Risk Report 2016-2017, which is available online, evidenced a considerable increase in the exposure of the companies interviewed.
In fraud-related matters, 82% of the executives interviewed brought to light at least one fraud incident in their organizations, resulting in significant growth of 75% with respect to the previous survey.
Another noteworthy figure is the rise in cyber attacks, as 85% of the interviewees said they had suffered an attack of this kind.
In spite of the difficulty in specifying the amount of the impact, what we can conclude is that it is significant with respect to company revenues.
Turning to the subject of technology, companies acknowledge that technology-driven fraud is on the rise and they make strides to implement solutions that serve to mitigate or stem this crime.
Nevertheless, these solutions, whether off-the-shelf or in-house developed, may not suffice against the risks organizations are exposed to given that they are deployed solely to solve something specific or to plug a security breach that has already been exploited.
Many of the solutions available on the market are not predictive and do not produce new or unknown information and, even though the industry is working with Deep Learning and Machine Learning more and more, these attacks are growing exponentially.
Prior to choosing a specific solution, organizations have to conduct a fraud risk analysis that is not only deeper but also offers a broader vision.
Fraud risk management has to be regarded as a function meant to mitigate or eliminate exposure to such a risk. It cannot, therefore, be viewed as an independent, non-strategic activity, where the issues pinpointed and analyzed are only addressed from the perspective of the impact of possible fraud.
In order to combat fraud, organizations first have to understand their limitations and identify the risk they may be exposed to, which cannot be achieved without a structured, comprehensive analysis of their current position.
It is essential for organizations to construct an appropriate framework for managing corporate fraud risk, which is aligned with the organization's strategic goals and backed by well-planned, targeted actions.
They cannot expect to contain fraud risk without developing a framework that takes governance, business processes, technological advancements, and organization maturity into consideration in relation to risk and fraud issues.
A diverse array of frameworks is available that can help organizations to manage their fraud risks successfully. It is important to be familiar with them and reference them so that organizations can work in accordance with their true needs.
Fraud risk management is a process that has to be developed at all levels of the organization. It is essential for policies, rules, and procedures to be established and implemented and to ensure that the processes and technology that are going to be used correspond to the realities of the business.
In order to combat fraud effectively, these components must be applied in an integrated manner.
A company's principles, culture, and ethics provide a practical guide to the organizational behavior sought for everyday governance and management. It includes activities that not only help to determine the way forward but also to establish a code of conduct and oversight that drives the development of an anti-fraud culture.
A culture of this kind makes fraud more difficult to commit; thus, when it is detected, it is identified and treated efficiently and effectively.
It is at this point that technology must play a decisive role. Organizations need to manage and maintain a balance between oversight and incident analysis speed in order to recognize threats and have the capability to work on them deftly.
Risk management must focus on preserving IT assets so that the integrity, reliability, and availability of information are not compromised and it is at the disposal of the organization.
In the current scenario, behavioral biometrics technology can be used to identify suspicious user-based patterns to detect and prevent impersonation or manipulation attacks that lead to account takeovers. Deploying this technology provides organizations the best defense from the continuous evolution of cybercriminals, who adapt swiftly and who are continually upgrading their attack vectors.
Organizations must be prepared to foresee these attacks by using the most effective means to identify changes in user behavior based on behavioral biometrics. Changes in how a user types, swipes, and logs in, along with a number of identifiers, are needed to spot the smallest anomaly and so detect and prevent online fraud.
We are currently seeing that the organizations that combat fraud more successfully are those that adopt an integrated, layered approach to managing risk and fraud attacks. They use a guiding framework to create an organization accepting of all the necessary components: governance, process, technology, along with organizational maturity.
In their cultures, these organizations have realized that fraud risk prevention belongs in an ecosystem comprised of integrated systems and processes, all supported by a technology strategy that meets the requirements defined by the organization.
This is a technology strategy that integrates behavioral biometrics systems and predictive, AI-based analytics that take into consideration a broad set of attributes (e.g. identity, relations, behaviors, patterns, anomalies, visualization). These functions are of vital importance for containing fraudulent actions and providing users with the necessary security.
Fraud risk management must, therefore, be an ongoing process that forms part of an organization's strategy in a systematic manner in order to ultimately ensure that their capabilities never cease to evolve.
Carlos Guerra is an IT manager. He has an MBA in Administration and Finance from INSPER Business School, São Paulo, Brazil, and a Mathematical and Computational Science degree from Mackenzie University, Brazil.
He has focused his professional career on software development, specializing in management and risk systems. He has run development teams and worked as the CIO of a business unit at the Accor group. He is a process mapping and project management specialist.
He also specializes in Financial Management, with an emphasis on Board oversight and counseling. As a COBIT-certified assessor, he has taught several courses on this subject. He has been linked to services for companies such as Eco Vias, Dieboldi, GR S / A, Colinas Carreteras, Hospital Albert Einstein and Pro-business.
Guerra is a GCN project specialist and has led projects for companies such as UNICRED and Capgemini, to name but a few. He currently works for his own company as a consultant and combines his professional career with the management of the Brazilian chapter of the Information Systems Audit and Control Association (ISACA).