Fraud on the rise


It has long been suspected that corporate fraud is carried out by insiders, but few expect to discover that nearly 90 percent of these white-collar crimes are committed by a company’s own staff, of whom 60 percent are senior management and board members. This is according to the international audit and advisory firm KPMG.

The survey, which took results from over 300 organizations, found that fraud had more than doubled in GCC countries over the past three years, with the financial and real estate sectors targeted in particular. Some 40 percent of respondents said fraud had become a major hurdle to doing business in the region.

Respondents said total losses from fraud at their organizations grew from US$22.9 million (Dh84m) in 2004 to more than US$45m last year.

“The survey is a GCC-wide survey involving government organizations, private groups and individuals to identify the rate of fraud in the region. Though, we are in the final stages of compiling the data, preliminary indicators point out a two or three fold increase in fraud in the GCC,” said Colin Lobo, a partner at KPMG’s Forensic Department.

The initial indicators of the 2007 survey show an upward trend for illegal financial activity in the region when compared to a similar survey conducted by KPMG in 2004. “Around 40 percent of respondents said they believe that fraud is a major problem in doing business in the region. And the level of corruption and fraud are closely intertwined with financial crimes,” he said.

“One of the findings that is certain from the survey is that incidence of fraud has increased in the financial and real estate sectors. There have been a spate of frauds in the two sectors, and it can be well tied to the economic boom they have witnessed.”

Meanwhile, the healthcare and pharmaceutical sectors were correlated with the lowest incidences of fraud. But even they are not spared: a recent study of community health clinics found that more than 40 percent had experienced some type of financial crime during the previous five years. As bad as it sounds, in reality, the situation is probably even worse: an estimated 75 percent of embezzlement, fraud and related financial crimes go unreported.

Identity fraud, a growing problem in the USA and Europe, is becoming more common in the Gulf. “This again has much to do with the economic scenario where even the market place is witnessing an increase in pilfering,” Lobo said.

In KPMG’s 2004 survey results, misappropriation of funds was reported as the largest single fraud incident type, as 23.7 percent of respondents said it was present in their organizations. It was followed by false invoicing at 11.8 percent, kickbacks, bribery or procurement fraud at 7.9 percent and funds obtained through misrepresentation, which stood at 6.6 percent.

Fraud attacks that come from the inside can be difficult to mitigate. Unfortunately, numerous financial institutions have found – often too late – that their own employees were misusing debit cards issued by the financial institution. The perpetrator can be a recent hire or a seasoned employee who sees an opportunity because no one is watching. Either way, the fraud activity usually results in both financial loss and wasted staff time spent tracking and documenting fraud-related events.

The SANS Institute, the largest source of information security training and certification in the world, has put together an overview of its top 20 internet security risks to help the entire information security community.

Top risks that are particularly difficult to defend:
1. Critical vulnerabilities in web applications enabling the web site to be poisoned, the data behind the Web site to be stolen, and other computers connected to the web site to be compromised.

Best defenses: web application firewall, web application security scanner, application source code testing tools, application penetration testing services, and most importantly a formal policy that all important Web applications will be developed using a valid secure development life cycle and only by developers who have proven (through testing) that they have the skills and knowledge to write secure applications.
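As an added illustration of the first risk (this is example code, not from the article or from SANS): the same login check written once with string-built SQL and once with a parameterized query, run against an in-memory SQLite table. The table, the user record and the attacker's payload are all constructed here for the example.

```python
"""Added example (not from the article or from SANS): a web-application login
query vulnerable to SQL injection next to its parameterized fix. Uses Python's
sqlite3 module against an in-memory database built inline; the table, the user
and the attacker input are constructed for this example."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: one ordinary user with a password the attacker does not know.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('alice', 's3cret-pa55')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Untrusted input is pasted into the SQL text, so a quote in the input
    # changes the structure of the query instead of being treated as data.
    sql = (
        "SELECT id FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders keep the query structure fixed; the driver binds the values,
    # so an injection payload is just a string that matches no stored password.
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Classic tautology payload: closes the password literal and appends an always-true clause.
INJECTION = "' OR '1'='1"


def demo() -> dict:
    """Run both versions with a genuine password and with the injection payload."""
    conn = make_db()
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "s3cret-pa55"),
        "legit_param": login_parameterized(conn, "alice", "s3cret-pa55"),
        "attack_vulnerable": login_vulnerable(conn, "alice", INJECTION),
        "attack_param": login_parameterized(conn, "alice", INJECTION),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The string-built version accepts the payload because the resulting SQL reads `... AND password = '' OR '1'='1'`, which is true for every row; the parameterized version rejects it because the payload never leaves the data plane. Source-code testing tools of the kind the defenses above mention flag the first pattern precisely because the fix is mechanical.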

2. Gullible, busy, accommodating computer users, including executives, IT staff, and others with privileged access, who follow false instructions provided in spear phishing emails, leading to empty bank accounts, compromise of major military systems around the world, compromise of government contractors, industrial espionage and much more.

Best defenses: This is the most challenging risk. Security awareness training is important but is definitely not sufficient to solve this problem. Two defenses seem promising: (a) inoculation in which all users are sent periodic spear phishing emails that are benign. Those who err are educated or cut off, (b) admit that this problem cannot be solved in all cases and establish new monitoring and forensics systems that constantly search network traffic and systems for evidence of deep penetration and persistent presence.

Other priorities that have grown in importance but have reasonable technical defenses:
3. Critical vulnerabilities in software on personal computers inside and outside enterprises (client-side vulnerabilities) allowing these systems to be turned into zombies and recruited into botnets and also allowing them to be used as back doors for stealing information from and taking over servers inside large organizations.
• Web browsers
• Office software
• Email clients
• Media players

Best defenses: firmly enforced secure configurations (at installation time) for all applications, constantly verified patching and upgrading of both applications and system software, constant vulnerability scanning and rapid resolution of problems found, tightly configured firewalls and intrusion prevention systems, up-to-date anti-virus and anti-spyware at gateways as well as on desktops.

4. Critical vulnerabilities in the software and systems that provide the operating environment and primary services to computer users (server-side software)
• Windows services
• Unix and Mac OS services
• Backup software
• Anti-virus software
• Management servers
• Database software
• VOIP servers

Best defenses: (mostly the same as group 3) firmly enforced secure configurations (at installation time) for all applications, constantly verified patching and upgrading of both applications and system software, tightly configured firewalls and intrusion prevention systems.

5. Policy and enforcement problems that allow malware to do extra harm and that lead to loss of large amounts of data
• Excessive user rights and unauthorized devices
• Unencrypted laptops and removable media
Best defenses: no-exception policies, constant monitoring, substantial penalties for failure to comply.

6. Application abuse of tools that are user favorites leading to client and server compromise, loss of sensitive information, and use of enterprise systems for illegal activity such as serving child pornography
• Instant messaging
• Peer-to-peer programs
Best defenses: use only tightly secured versions of these tools, or prohibit them entirely.

7. Zero-day attacks
Best defenses: build much more restrictive perimeters with deny-all, allow-some firewall rules, and redesign networks to protect internal systems from Internet-facing systems.

The bottom line: what is not being done to protect systems?
Preventing the top 20 risks
1. Configure systems, from the first day, with the most secure configuration that your business functionality will allow, and use automation to keep users from installing/uninstalling software
2. Use automation to make sure systems maintain their secure configuration, remain fully patched with the latest version of the software (including keeping anti-virus software up to date)
3. Use proxies on your border network, configuring all client services (HTTP, HTTPS, FTP, DNS, etc.) so that they have to pass through the proxies to get to the internet
4. Protect sensitive data through encryption, data classification mapped against access control, and through automated data leakage protection
5. Use automated inoculation for awareness and provide penalties for those who do not follow acceptable use policy.
6. Perform proper DMZ segmentation with firewalls.
7. Remove the security flaws in Web applications by testing programmers security knowledge and testing the software for flaws.
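Items 1 and 2 above ask for automation that keeps systems on a secure configuration. As an added example of what that automation looks like at its simplest (this is illustrative code, not from the article or from SANS), the check below compares a host's configuration file against a required baseline and reports every setting that has drifted. The baseline values and both configuration texts are constructed here in the style of an OpenSSH sshd_config; nothing is read from a real system.

```python
"""Added example (not from the article or from SANS): configuration-drift check
against a secure baseline. The baseline and the two sample configurations are
constructed in the style of an OpenSSH sshd_config; nothing is read from disk."""
from __future__ import annotations

# Required settings (constructed; the values are what a hardened sshd_config
# would typically carry).
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "3",
}

# Constructed sample: the weak, as-installed configuration.
WEAK_CONFIG = """\
# sample sshd_config, as installed
Port 22
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding yes
MaxAuthTries 6
"""

# Constructed sample: the same file after hardening.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 3
"""


def parse_config(text: str) -> dict[str, str]:
    """Return the effective settings: the first occurrence of a keyword wins
    (as sshd itself behaves), comments and blank lines are ignored, and
    keywords are compared case-insensitively."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key not in settings:
            settings[key] = value.strip()
    return settings


def check_drift(text: str, baseline: dict[str, str] = BASELINE) -> list[str]:
    """Return one finding per baseline keyword that is missing or has the wrong
    value. A commented-out directive counts as missing: the daemon then uses
    its built-in default, not the value sitting behind the '#'."""
    actual = parse_config(text)
    findings: list[str] = []
    for key, required in baseline.items():
        got = actual.get(key.lower())
        if got is None:
            findings.append(f"{key}: missing (required {required})")
        elif got.lower() != required.lower():
            findings.append(f"{key}: is {got}, required {required}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        problems = check_drift(cfg)
        print(f"{name}: {'OK' if not problems else str(len(problems)) + ' finding(s)'}")
        for p in problems:
            print("  -", p)
```

Run on a schedule (or from a configuration-management tool) this is the "constantly verified" part of the defenses listed earlier: a non-empty findings list is the signal to re-apply the baseline, not just to log the deviation.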

In other words: trust, but verify through automation and testing. Only vigilance and awareness will protect your company from fraud and the damage it will potentially do to your brand.

Data theft vs. IP theft
Data theft and IP theft are frequently confused with each other, although they describe different kinds of criminal acquisition of electronic content.

Data theft usually describes the criminal acquisition of records such as credit card numbers, driver’s license numbers, passwords, or bank account numbers.

IP theft refers to the criminal acquisition of intellectual property material that is copyrighted, patented, or considered to be a trade secret such as blueprints or software code.
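Payment card numbers are the first record type the data-theft definition above names, and item 4 of the prevention list earlier calls for automated data leakage protection. As an added example of the smallest useful form of that control (this is illustrative code, not from the article, KPMG or Frost & Sullivan), the scanner below looks for card numbers in outbound text and validates each candidate with the Luhn checksum so that order numbers and phone numbers are not flagged. The sample messages are constructed; the two card numbers in them are well-known test numbers, not real accounts.

```python
"""Added example (not from the article or its cited sources): a minimal data
leakage check that finds payment card numbers in outbound text. Candidate digit
runs are validated with the Luhn checksum; the sample messages are constructed
and the card numbers in them are the industry's published test numbers."""
from __future__ import annotations

import re

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not touching other digits on either side.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check over a digit string (rightmost digit is the check digit)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return the digits-only card numbers found in text."""
    found: list[str] = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep the first six and last four digits, which is how an alert should log a card number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed outbound messages; only the second and third carry a card number.
SAMPLE_MESSAGES = [
    "Order 8834012345671 shipped, call +971 4 123 4567 with questions.",
    "Please charge card 4111 1111 1111 1111 for the balance.",
    "Backup of customers.csv attached: 5555555555554444,ahmed,Dubai",
    "Invoice total 1234567890123 AED",
]


def scan(messages: list[str]) -> list[tuple[int, str]]:
    """Return (message index, masked card number) for every leaked card number."""
    alerts: list[tuple[int, str]] = []
    for i, msg in enumerate(messages):
        for pan in find_card_numbers(msg):
            alerts.append((i, mask(pan)))
    return alerts


if __name__ == "__main__":
    for index, masked in scan(SAMPLE_MESSAGES):
        print(f"message {index}: card number {masked} would leave the network")
```

The Luhn step is what keeps the false-positive rate tolerable: the 13-digit order and invoice numbers in the sample fail the checksum and are ignored, while the two test card numbers pass. A production control would add the other record types the definition lists and act on the match (block, quarantine or alert), but the detection core is no larger than this.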

Source: Frost & Sullivan, Securing A Business: What SMBs Need To Know

Securing business
In order to adequately tackle the challenges of securing a business, Frost & Sullivan recommends four key areas for businesses to consider when critically examining the security of the organization.

1. Layered architecture – Remember that no single solution will solve all security problems. Businesses must employ multiple security layers, starting at the perimeter and moving out to the endpoint itself.

2. Vulnerability assessment – Regularly scheduled vulnerability assessments are important in helping businesses look at numerous risk factors and determining which are the most critical. Regular assessments also ensure that security patches and changes are effective and have been implemented methodically across the organization without overlooking any devices connected to the network.

3. Employee education – All businesses need the help of employees to secure the business. Educating employees drastically reduces the success of social engineering attacks associated with viruses, Trojans, worms, and phishing. Employee education should also explain the importance of security and help to prevent inadvertently giving away sensitive information that can be used to attack the business, for example, weak or unprotected passwords, which can seriously undermine efforts to secure the business.

4. Disaster recovery – The data that resides on networked computers and storage devices is mission-critical for SMBs and must be available on demand seven days a week. Thus, when a SMB becomes a victim of malicious code, it can be a traumatic and financially painful event. A forced work stoppage can result as the network and individual computers crash or have to be shut down to contain the security threat. The impact of an attack can continue to drag productivity and revenues down even after the threat is eliminated when it is discovered that data has been corrupted or lost. Having a well-planned disaster recovery strategy in place can ensure that recovery will be swift and guaranteed after an attack. However, the best way to avoid using a disaster recovery plan is to proactively secure your network against possible threats before disaster strikes.

Source: Frost & Sullivan, Securing A Business: What SMBs Need To Know

Profile of a fraudster:

70% of fraudsters are aged between 36 and 55
85% of cons were men
68% of the time fraudsters act alone
89% are staff acting against their firms
60% are members of senior management
36% worked for the firm for at least five years before fraud
91% of perpetrators did not stop at one fraudulent act
25% of the identified conmen in the Middle East stole Dh5.3m

(Source: an April 2007 survey)

Protecting customer satisfaction – and your brand

Good business managers know that acquiring new customers is five times as costly as satisfying and retaining your current customer base. However, the cost associated with losing customers also multiplies over time by slowly eroding the brand equity of a business, making it easier for competitors to gain market share.

As newspapers around the world continue to report on data security breaches, one of the most important acts a company can do to protect brand equity and customer satisfaction is to protect customer data. This data includes information such as addresses, driver’s license numbers, phone numbers, credit card numbers, and products or services purchased to name a few examples.

Perhaps one of the worst outcomes of a customer data breach is identity theft, which can result in financial ruin, false arrest for criminal activity, and more. In these unfortunate cases, a single customer can easily make a well publicized accusation against the company whose data breach led to criminal activity and cause irreparable harm to its brand and future revenues for years to come.

