Deception is the name of the game when it comes to fraud, but criminals are becoming increasingly sophisticated in the techniques they use. From phishing to whaling and from fake cheques to invoice fraud, the problem of fraud is evolving. Yet unfortunately many businesses are poorly equipped to spot or fight fraud.
According to the KPMG Fraud Barometer published in August, businesses, particularly SMEs, fell victim to fraud totalling £95 million out of a total of £328 million recorded during the first six months of 2016. The report found that most fraud was carried out internally, through the abuse of the access privileges that came with the perpetrator's role, although two other cases involved social engineering and criminal scams.
For the finance department this creates a dilemma. If most cases of fraud are carried out, deliberately or inadvertently, by the very people trusted to manage company funds, how can you stop them from happening? The answer is of course the application of security processes and techniques, but what the study illustrates is 1) that this overlay of security over business process isn't happening and 2) that SMEs are particularly vulnerable and lax in this area. This is often because job roles are multi-purpose or access privileges are high.
To combat these two issues, SMEs need to look at implementing a joined-up security offering that covers both external and internal threats and then provides actionable intelligence that can be applied to the business. So if a threat is detected or even realised, there are clear processes in place to identify, diagnose and mitigate it, leading on to forensic analysis and incident response. Those may sound like processes more readily associated with a large corporate, but SMEs can apply them using outsourced security-as-a-service solutions.
For example, when it comes to whaling attacks, whereby emails purporting to come from the CEO or senior management instruct staff to carry out a funds transfer, SMEs tend to place too much faith in AV and spam filtering. While email monitoring has value, there should also be steps in place to ensure staff are aware of and observe email policy. Show staff what to look out for, from suspicious email addresses to suspect URLs, and instruct them never to fulfil an email request for a direct financial transfer without separate authorisation. Finally, ensure that they know what steps to take to sound the alarm.
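The checks staff are told to make by eye can also be run mechanically against incoming mail. The following is an added example, not part of the original article or any product it mentions; the company domain, the executive display name and both sample messages are constructed for illustration.

```python
import difflib
import email
import re
from email import policy
from email.utils import parseaddr

# Assumptions (not from the article): the firm's own domain and the display
# names of the executives a whaling email would impersonate.
COMPANY_DOMAIN = "example-corp.test"
EXECUTIVE_NAMES = {"jane doe"}

def domain_of(address):  # lower-cased domain part, '' if there is none
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def is_lookalike(domain, legit, threshold=0.8):  # off by a character or two
    return domain != legit and difflib.SequenceMatcher(None, domain, legit).ratio() >= threshold

def whaling_indicators(raw_message):
    """Return the reasons a message resembles a CEO-fraud (whaling) request."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = domain_of(addr)
    reasons = []
    if name.strip().lower() in EXECUTIVE_NAMES and sender_domain != COMPANY_DOMAIN:
        reasons.append("executive display name on a non-company sender address")
    if is_lookalike(sender_domain, COMPANY_DOMAIN):
        reasons.append(f"sender domain {sender_domain} resembles {COMPANY_DOMAIN}")
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(parseaddr(str(reply_to))[1]) != sender_domain:
        reasons.append("Reply-To points to a different domain than From")
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")
    if re.search(r"\b(wire|transfer|payment|invoice|urgent)\b", text, re.I):
        reasons.append("message asks for a payment or transfer")
    return reasons

# Constructed sample messages, not real mail.
SUSPECT = """\
From: Jane Doe <jane.doe@example-c0rp.test>
Reply-To: Jane Doe <j.doe@mail-relay.test>
Subject: Urgent wire transfer

Please process the attached invoice payment today.
"""
LEGIT = """\
From: Jane Doe <jane.doe@example-corp.test>
Subject: Board minutes

Minutes from Tuesday attached for the file.
"""
```

A message that trips one or more of these indicators is a candidate for the second-person authorisation step rather than an automatic block; the lookalike threshold and word list are starting points to tune against the firm's own mail.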
If you do fall victim to financial fraud, the organisation needs to have sufficient resources to identify the attack vector, stem the flow and recover. Ensure logs of network traffic are stored securely, and for a long enough period, to allow interrogation in the event that a digital forensics exercise needs to be performed. Look at your reporting processes. Will you need to inform any regulatory bodies? Are any external parties affected? Will you need to take disciplinary action?
In addition, ensure you have an effective, tried and tested Incident Response plan in place. This should NOT be taken from a template, as it needs to be tailored to the organisation. However, a basic outline should include identification, containment, eradication, recovery and, finally, capturing the lessons learned.
While this kind of end-to-end provisioning, complemented by security solutions, makes sense, it is often outside the remit of the busy SME. That is why it can often make sense to seek assistance from a security consultancy that can design and implement such a service, potentially saving the enterprise thousands or even millions.