Addressing cyber complexity: An operational fraud program
Addressing cyber complexity: An operational fraud program
It's Friday night at 7 p.m. and your cellphone rings. It's your organization's information security manager who informs you that suspicious activity seems to be occurring within several accounts managed by your organization. It appears account holders external to your organization have become aware of these suspicious activities. The information security manager has received calls from several government agencies and industry fraud colleagues for assistance on activities around these accounts. You soon learn from your internal public relations manager that the media has also contacted your organization and would like to know if your company can comment on the story that they are preparing for the Monday edition newspaper involving these suspicious activities that may be fraud related.

Does this scenario sound familiar' Do you have an enterprise-wide incident response plan or operational fraud program to address the occurrence of fraudulent activities, identity theft incidents and insider threats' How does operational fraud play a role in reducing these demands'

Operational fraud is the risk of incurring fraudulent loss to assets due to an organization's exposure to deception, theft, diversion or mismanagement of transactions, customer information, account information and data transfers. Operational fraud blends traditional fraud, corporate security, forensic investigation and information security disciplines, and infuses information sharing with the law enforcement community and industry colleagues to reduce potential fraudulent risks and losses.

As cyberterrorist exploits evolve, fraudulent schemes  --  such as phlishing, identity theft or account takeovers  --  become more complex. It is incumbent on fraud departments to understand these schemes as they evolve so that anti-fraud monitoring activities and countermeasures can be developed and incorporated into organizational business processes. By taking these proactive measures to recognize warning signs of fraudulent activities and identify potential countermeasures, the impact of operational fraud activity to the organization may be reduced. Communication strategies are key aspects of operational fraud programs. As incidents are identified within an organization, fraud departments should leverage information sharing (as defined in the communication strategy) with appropriate local, state and federal stakeholders to establish and maintain a data sharing platform to track, trend and analyze fraudulent patterns so that the organization can mitigate fraud risks.

An operational fraud program should have three core program areas: governance, approach and maintenance. Establishing these core programs areas will help create and support a fraud resilient culture.

Governance: An effective operational fraud program starts with a ‘tone at the top' charter and definition of the control environment. An operational fraud policy should be developed by incorporating relevant elements of the organization's code of conduct/ethics policy to help establish authority and visibility. Once governance is established, the approach or implementation phase should begin.

Approach: This phase involves outlining the elements and supporting detail involved in implementing a formal operational fraud program. The operational fraud approach phase should incorporate the following key elements: operational fraud risk assessment program (to identify potential threats and vulnerabilities related to fraud controls or safeguards), operational fraud procedures and practices, anti-fraud and social engineering awareness training program (for employees), continuous monitoring activities, operational fraud countermeasures, communication strategy and memorandum of understanding (for sharing information with industry colleagues and the law enforcement community), and an information sharing platform (specific, repeatable, measurable and actionable procedures for sharing fraud information with industry colleagues and the law enforcement community (i.e., FinCrime.com, Financial ISAC, etc.).

Maintenance: The operational fraud maintenance phase is a crucial pillar. In order to effectively integrate the operational fraud program into business processes, the plan should be regularly tested and audited. Fraud program metrics should be established and provided to executives in order to objectively demonstrate where progress has be made and where program improvements are needed. The operational fraud maintenance phase should include, at a minimum, a program testing plan (regular drills and tabletop exercises), program audit plan, integration with organization's existing enterprise risk management program (i.e., incident response plan, disaster recovery plan, business continuity plan), a program adjustment procedures (change management process), and metrics and reporting.

The operational fraud strategy will align with an organization's existing security model. This fraud strategy supports the security concept of ‘protection in-depth' as the strategy focuses on deterring, delaying, detecting, denying and preventing an adversary from exposing an organization to losses resulting from fraudulent activities. Operational fraud risks will continue to evolve and will require organizations to proactively evaluate and expand capabilities to maximize the value and effectiveness of anti-fraud controls.

There are several key regulatory or industry mandates requiring fraud control reviews to reduce or mitigate fraud. These regulatory mandates include, but are not limited to, the Identity Theft Red Flags under the Fair and Accurate Credit Transaction Act of 2003, USA Patriot Act and the Money Laundering Suppression Act. The key focal point to reducing fraud risk from emerging threats is transitioning toward a resilient fraud enterprise.



This article was co-authored by Rich Baich, principal, and William Anderson II, manager, security & privacy group Deloitte & Touche.