Tag Archives: Data Breaches

Fraud Prevention Oriented Data Mining

One of the most useful components of our Chapter’s recently completed two-day seminar on Cyber Fraud & Data Breaches was our speaker, Cary Moore’s, observations on the fraud fighting potential of management’s creative use of data mining. For CFEs and forensic accountants, the benefits of data mining go much deeper than as just a tool to help our clients combat traditional fraud, waste and abuse. In its simplest form, data mining provides automated, continuous feedback to ensure that systems and anti-fraud related internal controls operate as intended and that transactions are processed in accordance with policies, laws and regulations. It can also provide our client managements with timely information that can permit a shift from traditional retrospective/detective activities to the proactive/preventive activities so important to today’s concept of what effective fraud prevention should be. Data mining can put the organization out front of potential fraud vulnerability problems, giving it an opportunity to act to avoid or mitigate the impact of negative events or financial irregularities.

Data mining tests can produce “red flags” that help identify the root cause of problems and allow actionable enhancements to systems, processes and internal controls that address systemic weaknesses. Applied appropriately, data mining tools enable organizations to realize important benefits, such as cost optimization, adoption of less costly business models, improved program, contract and payment management, and process hardening for fraud prevention.

In its most complex, modern form, data mining can be used to:

–Inform decision-making
–Provide predictive intelligence and trend analysis
–Support mission performance
–Improve governance capabilities, especially dynamic risk assessment
–Enhance oversight and transparency by targeting areas of highest value or fraud risk for increased scrutiny
–Reduce costs especially for areas that represent lower risk of irregularities
–Improve operating performance

Cary emphasized that leading, successful organizational implementers have tended to take a measured approach initially when embarking on a fraud prevention-oriented data mining initiative, starting small and focusing on particular “pain points” or areas of opportunity to tackle first, such as whether only eligible recipients are receiving program funds or targeting business processes that have previously experienced actual frauds. Through this approach, organizations can deliver quick wins to demonstrate an early return on investment and then build upon that success as they move to more sophisticated data mining applications.

So, according to ACFE guidance, what are the ingredients of a successful data mining program oriented toward fraud prevention? There are several steps, which should be helpful to any organization in setting up such an effort with fraud, waste, abuse identification/prevention in mind:

–Avoid problems by adopting commonly used data mining approaches and related tools.

This is essentially a cultural transformation for any organization that has either not understood the value these tools can bring or has viewed their implementation as someone else’s responsibility. Given the cyber fraud and breach related challenges faced by all types of organizations today, it should be easier for fraud examiners and forensic accountants to convince management of the need to use these tools to prevent problems and to improve the ability to focus on cost-effective means of better controlling fraud -related vulnerabilities.

–Understand the potential that data mining provides to the organization to support day to day management of fraud risk and strategic fraud prevention.

Understanding, both the value of data mining and how to use the results, is at the heart of effectively leveraging these tools. The CEO and corporate counsel can play an important educational and support role for a program that must ultimately be owned by line managers who have responsibility for their own programs and operations.

–Adopt a version of an enterprise risk management program (ERM) that includes a consideration of fraud risk.

An organization must thoroughly understand its risks and establish a risk appetite across the enterprise. In this way, it can focus on those area of highest value to the organization. An organization should take stock of its risks and ask itself fundamental questions, such as:

-What do we lose sleep over?
-What do we not want to hear about us on the evening news or read about in the print media or on a blog?
-What do we want to make sure happens and happens well?

Data mining can be an integral part of an overall program for enterprise risk management. Both are premised on establishing a risk appetite and incorporating a governance and reporting framework. This framework in turn helps ensure that day-to-day decisions are made in line with the risk appetite, and are supported by data needed to monitor, manage and alleviate risk to an acceptable level. The monitoring capabilities of data mining are fundamental to managing risk and focusing on issues of importance to the organization. The application of ERM concepts can provide a framework within which to anchor a fraud prevention program supported by effective data mining.

–Determine how your client is going to use the data mined information in managing the enterprise and safeguarding enterprise assets from fraud, waste and abuse.

Once an organization is on top of the data, using it effectively becomes paramount and should be considered as the information requirements are being developed. As Cary pointed out, getting the right data has been cited as being the top challenge by 20 percent of ACFE surveyed respondents, whereas 40 percent said the top challenge was the “lack of understanding of how to use analytics”. Developing a shared understanding so that everyone is on the same page is critical to success.

–Keep building and enhancing the application of data mining tools.

As indicated above, a tried and true approach is to begin with the lower hanging fruit, something that will get your client started and will provide an opportunity to learn on a smaller scale. The experience gained will help enable the expansion and the enhancement of data mining tools. While this may be done gradually, it should be a priority and not viewed as the “management reform initiative of the day. There should be a clear game plan for building data mining capabilities into the fiber of management’s fraud and breach prevention effort.

–Use data mining as a tool for accountability and compliance with the fraud prevention program.

It is important to hold managers accountable for not only helping institute robust data mining programs, but for the results of these programs. Has the client developed performance measures that clearly demonstrate the results of using these tools? Do they reward those managers who are in the forefront in implementing these tools? Do they make it clear to those who don’t that their resistance or hesitation are not acceptable?

–View this as a continuous process and not a “one and done” exercise.

Risks change over time. Fraudsters are always adjusting their targets and moving to exploit new and emerging weaknesses. They follow the money. Technology will continue to evolve, and it will both introduce new risks but also new opportunities and tools for management. This client management effort to protect against dangers and rectify errors is one that never ends, but also one that can pay benefits in preventing or managing cyber-attacks and breaches that far outweigh the costs if effectively and efficiently implemented.

In conclusion, the stark realities of today’s cyber related challenges at all levels of business, private and public, and the need to address ever rising service delivery expectations have raised the stakes for managing the cost of doing business and conducting the on-going war against fraud, waste and abuse. Today’s client-managers should want to be on top of problems before they become significant, and the strategic use of data mining tools can help them manage and protect their enterprises whilst saving money…a win/win opportunity for the client and for the CFE.

The Threat Within

Our Chapter’s May 16th and 17th upcoming training seminar on CYBER FRAUD AND DATA BREACHES emphasizes that corporate insiders represent one of the largest threats to an organization’s vital information resources. Insiders are individuals with access or inside knowledge about an organization, and such access or knowledge gives them the ability to exploit that organization’s vulnerabilities.  Insiders enjoy two critical openings in the security structure that put them in a position to exploit organizations’ information security vulnerabilities:

• the trust of their employers
• their access to facilities

Information theft by insiders is of special concern when employees leave an organization. Often, employees leave one organization for another, taking with them the knowledge of how their former organization operates, as well as its pricing policies, manufacturing methods, customers, and so on.

The ACFE tells us that insiders can be classified into three categories:

• Employees:  employee insiders are employees with rights and access associated with being employed by the organization.
• Associates: insider associates are people with physical access to an organization’s facilities, but they are not employees of the organization (e.g., contractors, cleaning crews).
• Affiliates: insider affiliates are individuals connected to pure insiders or insider associates (e.g., spouse, friend, client), and they can use the credentials of those insiders with whom they are connected to gain access to an organization’s systems or facilities.

There are many types of potential insider threats, and they can be organized into the following categories:

• Traitors
• Zealots
• Spies
• Browsers
• Well-intentioned insiders

A traitor is a legitimate insider who misuses his or her insider credentials to facilitate malicious acts.  When a trusted insider misuses his or her privileges to violate a security policy, s/he becomes a traitor. Below are some signs that an insider may be a traitor:

• Unusual change in work habits;
• Seeking out sensitive projects;
• Unusual work hours;
• Inconsistent security habits;
• Mocking security policies and procedures;
• Rationalizing inappropriate actions;
• Changes in lifestyle;
• Living beyond his or her means.

Zealots are trusted insiders with strong and uncompromising beliefs that clash with their organization’s perspectives on certain issues and subjects. Zealots pose a threat because they might exploit their access or inside knowledge to “reform” their organizations.
Zealots might attempt reform by:

• Exposing perceived shortcomings of the organization by making unauthorized disclosures of information to the public or by granting access to outsiders;
• Destroying information;
• Halting services or the production of products.

Zealots believe that their actions are just, no matter how much damage they cause.

A spy is an individual who is intentionally placed in a situation or organization to gather intelligence. A well-placed corporate spy can provide intelligence on a target organization’s product development, product launches, and organizational developments or changes.

Spies are common in foreign, business, and competitive intelligence efforts.

Browsers are insiders who are overly curious about information to or of which they do not need access, knowledge or possession to carry out their work duties. Their curiosity drives them to review data not intended for them.  Browsers might “browse” through information that they have no specific need to know until they find something interesting or something they can use. Browsers might use such information for personal gain, or they might use it for:

• Obtaining awards;
• Supporting decisions about promotions;
• Understanding contract negotiations;
• Gaining a personal advantage over their peers.

Browsers can be the hardest insider threat to identify, and they can be even harder to defeat.

The well-intentioned insider is an insider who, through ignorance or laziness, unintentionally fosters security breaches. Well-intentioned insiders might foster security breaches by:

• Disabling anti-virus software;
• Installing unapproved software;
• Leaving their workstations or facilities unlocked;
• Using easy-to-crack passwords;
• Failing to shred or destroy sensitive information.
While well-intentioned individuals might be stellar employees when it comes to work production, their ignorance or laziness regarding information security practices can be disastrous.

CFE’s need to understand that there are numerous motivations for insider attacks including:
• Work-related grievances;
• Financial gain;
• Challenge;
• Curiosity;
• Spying for competitors;
• Revenge;
• Ego;
• Opportunity;
• Ideology (e.g., “I don’t like the way my organization conducts business.”)

There are many ways our client organizations can combat insider threats. The most effective mitigation strategies recommended by the ACFE are:

• Create an insider threat program. To combat insider threats, management should form an insider threat team, create related policies, develop processes and implement controls, and regularly communicate those policies and controls across the organization.
• Work together across the organization. To be successful, efforts to combat insider threats should be communicated across the silos of management, IT, data owners, software engineers, general counsel, and human resources.
• Address employee privacy issues with general counsel. Because employees have certain privacy rights that can affect numerous aspects of the employer-employee relationship, and because such rights may stem from, and be protected by, various elements of the law, management should consult legal counsel whenever addressing actions impacting employee privacy.
• Pay close attention at times of resignation/ termination. Because leaving an organization is a key time of concern for insider threats, management should be cautious of underperforming employees, employees at risk of being terminated, and of employees who will likely resign.
• Educate managers regarding potential recruitment. Management should train subordinates to exercise due diligence in hiring prospective employees.
• Recognize concerning behaviors as a potential indicator. Management must train managers and all employees to recognize certain behaviors or characteristics that might indicate employees are committing or are at risk of committing a breach. Common behavioral red flags are living beyond one’s financial means, experiencing financial difficulties, having an uncommonly close relationship with vendors or customers, and demonstrating excessive control over their job responsibilities.
• Mitigate threats from trusted business partners. Management should subject their organization’s contractors and outsourced organizations to the same security controls, policies, and procedures to which they subject their own employees.
• Use current technologies differently. Most organizations have implemented technologies to detect network intrusions and other threats originating outside the network perimeter, and organizations with such technologies should use them to the extent possible to detect potential indicators of malicious insider behavior within the network.
• Focus on protecting the most valuable assets. Management should dedicate the most effort to securing its most valuable organizational assets and intellectual property against insider threats.
• Learn from past incidents. Past incidents of insider threats and abuse will suggest areas of vulnerability that insiders will likely exploit again.
Additionally:
• Focus on deterrence, not detection. In other words, create a culture that deters any aberrant behavior so that those who continue to practice that behavior stand out from the “noise” of normal business; focus limited investigative resources on those individuals.
• Know your people—know who your weak links are and who would be most likely to be a threat. Use human resources data to narrow down threats rather than looking for a single needle in a pile of needles.
• Identify information that is most likely to be valuable to someone else and protect it to a greater degree than the rest of your information.
• Monitor ingress and egress points for information (e.g., USB ports, printers, network boundaries).
• Baseline normal activity and look for anomalies.
Other measures organizations might consider taking to combat insider threats include:
• Educate employees as to what information is proprietary and confidential.
• Require that all employees and third-party vendors and contractors sign nondisclosure agreements; written agreements providing that all proprietary and confidential information learned during their relationship must be kept confidential and must not be disclosed to anyone, upon the commencement and termination of employment or contracts.
• Ensure that all an organization’s third-party vendors and contractors perform background checks on all third-party employees who will have access to the organization’s information systems.
• Prohibit employees, contractors, and trusted business partners from printing sensitive documents that are not required for business purposes.
• If possible, avoid connecting information systems to those of business partners.

Also, when possible, management should conduct exit interviews with departing employees. During an exit interview, the departing employee should be advised about the organization’s trade secrets and confidential information, as well as any obligation not to disclose or use such information for his or her own benefit or for the benefit of others without express written consent. Also, the employee should be given a form to sign stating that s/he was informed that any proprietary information should not be disclosed and that s/he agrees not to disclose any such information without consent.

Finally, when management terminates its relationship with an insider, it should immediately deactivate the insider’s access to company tools and resources.

Please consider joining us for at our May 16th and 17th Spring training event, Cyber Fraud and Data Breaches for 16 CPE credits!  You may register and pay on-line here!