One of the greatest challenges faced by business today is, quite simply, fraud. To be sure we're on the same page, let's look at the definition of fraud as it is stated in the Accountant's Handbook of Fraud and Commercial Crime:

“Fraud is criminal deception intended to financially benefit the deceiver.”

The handbook goes on to define the four elements of fraud:

  1. The commission of the act itself;
  2. Intention to commit the act;
  3. Concealment of the act; and
  4. Loss

Let's take a look at how that maps from the physical world to the cyber world. The commission of the act quite simply equates to engaging in the criminal activity, such as creating false invoices for products that were never delivered or services that were never rendered. The intention is where the planning for the deliberate and willful action takes place. Concealment is the element that most concerns computer forensics experts, because this is where their skills are most needed: piecing together the fragments of the action that the perpetrator tried to hide. That forensic work encompasses not only computer forensics but Internet forensics as well; following the “cookie crumbs” of activity across systems and networks is critical in this day and age of unprecedented “connectedness.” Finally, there is loss. This is what organizations experience when the perpetrator engages in, and completes, the first element.

To get a basic understanding of what drives fraudsters, I'll attempt to provide some insight into what makes them tick. American criminologist Donald Cressey formulated a theory, now known as the “fraud triangle,” in an attempt to explain why people commit fraud. According to Cressey, the fraud triangle consists of:

  • Motivation – the desire to live beyond one's current means or to recover from a financial hardship;
  • Perceived opportunity – access to unencrypted customer data, low-cost crimeware toolkits, get-rich-quick schemes; and
  • Rationalization – the most popular is the self-deceiving statement that “it is a victimless crime.”

Cyber fraud is an even more critical problem for small- to medium-sized businesses, because those organizations are quite vulnerable: their focus is on revenue generation, and they have smaller (or non-existent) budgets for anti-fraud and other security monitoring and controls. This doesn't mean that large businesses aren't prone to it as well. As with all things, the problem scales with the size of the business, and there is significant historical context to support this without having to add multiple cases to this blog entry.

Now here's the WIIFM (what's in it for me) part of this article: fraud has already impacted businesses in long-term ways, and it continues to do so. For instance, in 2008 Gartner published the results of a survey in which 15 percent of consumer respondents stated that they had stopped spending online due to concerns over fraud. This is a reversal of the trend to do more and spend more online. Also, according to a 2009 Trustwave report, 38 percent of cyberattacks in 2009 were directed at hotels. This mirrors the statement I heard last Friday from Brad Bonnell, the director of global security at Intercontinental Hotels Group. According to him, hotels in particular are frequently targeted for both cyber and physical attacks because they have a history of a much stronger focus on revenue generation than on security. This can only be expected in industries where margins are thin and security's ROI is often looked at as insurance rather than as controls and deterrence.

There is clearly a strong need for consumer confidence to move in a positive direction with regard to the global economy. From a security perspective, the same increase in confidence is necessary for the continued growth of online sales, which, in this ever-so-dependent world, would be an economic boost for businesses. There are several ways consumer confidence in online (and offline) shopping can be increased, but the single most impactful change would be E3 (end-to-end encryption), which we will get to in the second part of this article.