Failure to recognize or respond to workplace fraud costs U.S. businesses millions each year. While circumstances leading to fraudulent behavior vary widely among companies, recent studies may reveal why some institutions ignore illegal activity – even when it’s happening in plain view.

Here are some reasons companies turn a blind eye to expensive, systemic insider fraud:

Trust & Seniority

Let’s say you suspect a senior colleague may be guilty of workplace fraud. What if that person has already built trust with your department for over a decade? What if you feel at risk for professional or personal reprisal were you to report your suspicions?

What if the suspect is your boss?

According to a recent Symantec report on insider intellectual property (IP) theft, a majority of IP thieves are males in their mid-30s. Their positions are high enough in the corporate value chain that their own signatures regularly appear on IP agreements, and many are managers.

Similarly, a 2011 global fraud analysis by KPMG finds that fraudsters have typically been with their employer for over 10 years with more than half in upper management or board positions. With so many guilty parties in positions of authority, it’s no mystery why many of their colleagues choose to ignore dubious activity.

Ignorance of Warning Signs

Of course, not every fraudster operates in the company’s upper echelons. What’s more, many instances of unreported fraud may not be intentional but due instead to a lack of knowledge about fraud’s warning signs.

KPMG’s report names certain “red flag” behaviors that could indicate an employee is committing insider fraud. The employee’s colleagues simply must be aware of what those behaviors are. Some of them include:

• Maintaining exclusive relationships with vendors
• Refusal to take leave or time off for holidays
• Unexpected disappearances from the office
• Not producing certain records or information upon request
• Excessive lifestyle for his or her income
• Developing a serious addiction to alcohol, drugs, or gambling

A better understanding of these behaviors by all employees – especially those in HR departments – could go a long way toward averting future fraud prevention failures.

Lack of Prevention Policies

The absence of effective fraud protocols is another big reason companies brush aside fraud prevention failures.

Developing and enforcing fraud prevention policies isn’t just a formality – it’s an investment in the continued prosperity of your company. The specifics of that policy will depend on the types of fraud to which your organization is most vulnerable, and many may choose to build enterprise fraud management software into their long-term strategies.

After all, software may very well identify suspicious activity that employees – for fear of reprisal or otherwise – fail to report to management.

Creating teams of legal and HR experts, implementing fraud education programs for employees, and a performing a thorough evaluation of your unique fraud risks are preventative measures all organizations should take.

Collecting data and preparing reports for an auditor can seem burdensome and confusing. With so many regulations in place, the paperwork never seems to end.
But the regulatory process is actually good for your business. After all, regulations were put in place by industry groups and government agencies to protect the public and shareholder interests. Those protections have benefits for your organization:
• The public, aka your customers, will trust you to continually guard their confidential and financial information. These relationships are the heart and soul of your business.
• A compliance system reduces your risk. It protects you from the people who can access your sensitive information and operations in the course of doing business every day—your employees, consultants and partners.
• It safeguards your reputation by preventing security breaches that play out in the public’s eye.
• The process of meeting reporting requirements can present an opportunity for streamlining disparate business systems for collecting and reporting data.
The ABC’s of Corporate Compliance
You most likely need to comply with multiple regulations, but the good news is that all of them require the same basic data: a complete and accurate trail of user access to confidential information.
With Attachmate Luminet fraud management software, you can do that and much more. It enables you to track all user activity on an application-by-application basis, then store that information in a secure repository, allowing you to analyze and detect violations, and to efficiently generate specific reports for various regulatory bodies. Here are the details.
Observe and Capture Data of User Activity Across an Enterprise Network
Fraudulent behavior typically takes multiple steps and involves several applications. Capturing this data on an enterprise network is tricky. Every large organization has a mix of legacy and new applications and databases. For example, a user might access a sophisticated CRM database to update a user account, then share related information on an intranet via an ancient web-based app. Tracking all user activity in these conditions requires pulling log data (if an application even creates it) from numerous applications; then the data must be correlated with user authentications and behaviors— what a mind-boggling task.
Luminet erases the need to piece together data from multiple applications and databases. It captures data from user activity on an application level in real time, which allows fraud investigators to visually replay user actions, screen-by-screen and keystroke-by-keystroke.

Analyzing Data to Detect Fraud
Luminet stores user-activity data in a secure, digitally signed repository. Its powerful analytics engine lets you search its store of current on recorded activity to identify suspicious behavior based on business rules that you define. When Luminet uncovers potentially fraudulent activity, it generates an alert to warn you to immediately evaluate the behavior.

Generating Reports for Auditors
Two aspects of an audit are guaranteed. First, you won’t know the exact format a report will take until the auditors ask for it. And secondly, you will know auditors will also expect comprehensive, detailed information on how thousands of employees access sensitive customer information.
Since Luminet stores data from user activity on an application basis, you can easily provide auditors with the specific information they need. And, if an auditor asks for a different view into the data, there’s no need to pull more data from disparate application log files. You adjust your business rules and let Luminet’s reporting capabilities generate new charts, graphs, dashboards, and reports.
Creating a Culture of Integrity and Transparency
Instituting a corporate compliance program sends the message that you care about protecting your customers’ personal information. With Luminet fraud software, you can ensure all data stays private and your business realizes the benefits from putting a process in place. Luminet will help you better manage risk of exposing sensitive data; streamline systems and operations; and help compliance personnel be more efficient.
Yes, regulatory compliance takes work. But we believe the pain is mitigated by gain.

Healthcare institutions are working hard to map audit and compliance efforts throughout their organization–especially across critical applications and mainframe systems with legacy applications. All of this effort will result in more secure EHRs and improvements in patient privacy protections. But in a world of constrained resources, where should care providers focus the bulk of their improvements? Oftentimes, it comes down to priorities–the organizational objectives–that will drive the process.

As related in a recent whitepaper from Coalfire, Andrew Hicks shares the following distinctions:
“HIPAA and HITRUST assessments each share the common objective of safeguarding healthcare information, however the similarities end there. A HIPAA Security assessment will provide an organization reassurance that when all audit recommendations have been resolved, the organization will be compliant with the HIPAA requirements.

A HITRUST assessment and certification, on the other hand, takes a more risk-based approach, scaling the requirements to the risk characteristics of the organization and focusing on controls related to the leading causes of breaches in the healthcare industry. This approach also considers compliance with regulations such as HIPAA, allowing organizations to take a more holistic approach towards protecting sensitive information.”
(To access this whitepaper, look for “HIPAA versus HITRUST – FAQ” by Andrew Hicks, MBA, CISA, CCM, CRISC, HITRUST CSF Practitioner Director, Healthcare Practice Lead, Coalfire Systems, Inc. www.coalfire.com)

For leading healthcare institutions, checking the box for HIPAA compliance is often not enough. These organizations focus instead on addressing risks to patient information and potential security violations. In cases where the priority is protecting patient data and safeguarding access to EHRs (electronic health records) is paramount, the priority shifts to address risk across the organization.

In one of our recent engagements, a major care facility in the north east was seeking to understand access to patient records. Here are some of the things they wanted to be able to examine as part of their approach to risk:
• VIP record snooping
• Executive record snooping
• Patient / employee record snooping
• Family member and self -examination of records
• Neighbor record snooping
• Identity Theft
• Medical Identity Theft
• Areas of potential non-compliance with federal and state regulations

Monitoring for these indicators and correlating that data across multiple systems was well within Luminet’s capabilities. In addition to capturing EPIC, Kronos, Cerner, Meditech, and other log data, the Luminet solution was able to monitor the existing mainframe applications and correlate that information so that is alerted on suspicious activity in real-time.

Then, as part of a comprehensive risk approach, we were able to add visibility into the hospital’s accounting and payroll systems. Luminet’s ability to monitor Lawson and other accounting systems enabled a new level of visibility and added clarity to the financial operations side of the house. This benefit wasn’t available with other monitoring systems focused exclusively on EHR and patient data.
When considering whether to address HIPAA or HITRUST concerns, organizations would be well served to take a long view and invest in systems flexible enough to meet their present and future needs. A number of modern systems can address HIPAA, PCI-DSS, state regulations like SB 1386, Meaningful Use, and Accounting of Disclosure. But if it is time to make an investment, wouldn’t it be best to select a technology partner and a solution that can help address risk across all your critical systems?

Recently, an Executive Memo was released addressing the vexing issue of insider threat within departments and agencies of the federal government. This presidential memorandum,“National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs,” was issued on Nov. 21, 2012. The text of the memo is captured below:

This Presidential Memorandum transmits the National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs (Minimum Standards) to provide direction and guidance to promote the development of effective insider threat programs within departments and agencies to deter, detect, and mitigate actions by employees who may represent a threat to national security. These threats encompass potential espionage, violent acts against the Government or the Nation, and unauthorized disclosure of classified information, including the vast amounts of classified data available on interconnected United States Government computer networks and systems.

The Minimum Standards provide departments and agencies with the minimum elements necessary to establish effective insider threat programs. These elements include the capability to gather, integrate, and centrally analyze and respond to key threat-related information; monitor employee use of classified networks; provide the workforce with insider threat awareness training; and protect the civil liberties and privacy of all personnel.

The resulting insider threat capabilities will strengthen the protection of classified information across the executive branch and reinforce our defenses against both adversaries and insiders who misuse their access and endanger our national security.

SIGNED: BARACK OBAMA

For such a brief memo, it has not been without controversy. Some pundits have stated that it will put a chill on whistleblowers while others have argued that such a statement indicates that “Big Brother” has landed. I just don’t see it that way.

The ability to monitor employee interactions with company data has long been available in the private sector. Organizations regularly monitor access to critical or protected information–and if they aren’t, they should be. Insider threats, abuse and misuse of data, and malfeasance are common in companies all around the globe. Why should we expect the same is not true in our federal, state, and local governments. I, for one, feel safer with a “trust but verify” approach for the data we all share with federal agencies.

The Meaningful Use program was first established by the U.S. Federal Government as part of the 2009 HITECH Act. The goal was to foster the creation of the infrastructure needed to support healthcare reform. As the 2014 deadline for Meaningful Use Stage 2 draws closer, organizations are planning now for improvements in the way they provide privacy protection and data security for PHI. While moving toward these goals is important, it might be good to take a step back and consider how we got here.

According to the CDC, the original concept of meaningful use rested on the ’5 pillars’ of health outcomes policy priorities. These are:

1. Improving quality, safety, efficiency, and reducing health disparities
2. Engage patients and families in their health
3. Improve care coordination
4. Improve population and public health
5. Ensure adequate privacy and security protection for personal health information

To encourage the transitions necessary to create greater efficiencies, improved information sharing, and better protections for patient privacy, an incentive program was established to support the “meaningful use” of a certified “Electronic Health Record” (EHR). This initiative was rolled out in stages:

Meaningful Use Stage 1:
The first stage of Meaningful Use emphasizes proper data capture and data sharing–primarily focusing on the transition from paper records to electronic records generally referred to as EHRs or EMRs.

What are the Requirements of Stage 1 Meaningful Use?
• Reporting through attestation; Reporting period is 90 days for first year and 1 year subsequently
• To meet certain objectives/measures, 80% of patients must have records in the certified EHR technology

Eligible Professionals must complete:
• 15 core objectives, 5 objectives out of 10 from menu set
• 6 total Clinical Quality Measures (3 core or alternate core, and 3 out of 38 from additional set)

Hospitals must complete:
• 14 core objectives, 5 objectives out of 10 from menu set
• 15 Clinical Quality Measures

* For a complete listing of these objectives, refer to: http://www.healthit.gov/sites/default/files/pdf/FINAL_MU_RECOMMENDATIONS_TABLE.pdf

As hospitals increasingly move toward electronic records, it is assumed that the first four pillars of health outcomes policy will improve. However, the fifth pillar, ensuring adequate privacy and security protection for personal health information, may require additional actions by hospitals and care providers.
Specifically, organizations must take additional measures to safeguard patient records and guarantee privacy. Leading institutions and others must consider how to move beyond “checking the box for compliance” and move toward addressing risks to patient data. In our next post, we’ll discuss how that can be done and how it becomes increasingly more important as organizations address Meaningful Use Stages 2 and 3.

The business risks—financial loss, failed audits, regulatory fines, and brand damage—of insider threats to your corporate data are too devastating to ignore. Here’s how learning from industry best practices can help you prevent these threats, including fraud and information leakage, and protect your business:

Demand 100% visibility so nothing gets missed
Capturing data in logs is a traditional method of understanding system activity but it doesn’t go far enough. Modern business intelligence tools tap into a hidden, information-rich data layer by capturing a complete, real-time, over-the-shoulder view of user activity across multiple data channels. This data should include queries and other read-only transactions that typically do not leave any traces in corporate databases or logs. This way, internal auditors, investigators and line of business managers can visually replay user actions screen by screen, keystroke by keystroke, just as if they were looking over the user’s shoulder. Not only can they see everything, but they can also place it into context.

Leading organizations use this data in a number of ways. Let’s explore a few of them:

Take a pre-emptive approach to eradicate risk
Most solutions address insider threats after the user has already gained access to the target information and is trying to transfer it out of the organization. Network-level solutions work by looking for sensitive data created in outbound messages (e.g., emails and instant messages). Desktop-level solutions look in media created at the desktop (e.g., via printing, writing to USB flash disks, or writing to CDs).

These approaches are highly problematic. Once sensitive data is displayed on a user’s screen, it can be transferred in undetectable ways—e.g., copied down on paper or photographed with a cell phone camera. At this point, it’s already too late.

Leading next generation detection technologies takes a different approach, working at the application level to address threats before they occur. More specifically, these solutions monitor application usage so that you know exactly when sensitive information is being displayed on the user screen. When applications are monitored pro-actively, the fraudulent behavior that occurs prior to a leak can be detected. The leak can then be prevented at the point of data access—regardless of the strategy for leaking the data.

Use real-time alerts to trigger fast action
The powerful analytical engines in the modern detection solutions track user behavior in real time, detecting cross-channel patterns and activities. In this way, it can pinpoint suspicious actions—based on business rules and weighted scores that you’ve defined—and generate real-time alerts related to questionable behavior. For example, here’s how Luminet does it:

A bank clerk who excessively searches for high- profile customer information, by customer name, much more than other clerks.
A user who displays 500 customer accounts on a specific day, spending only a few seconds with each account, while on average he accesses only 100 customer accounts per day.

Alerts can be sent to internal auditors, who can use them to zero in on anomalies, eliminate false positives, and facilitate after-the-fact investigations. When these solutions are integrated with an operational system, the alerts can also trigger automatic actions—for example, the initiation of a “suspend user” process in the operational system.

Faster, Easier Audit Prep
Your auditors expect precise and detailed information about how the thousands of people across your enterprise are accessing sensitive information on hundreds of applications each day. This often amounts to tens of thousands of screens of data and log entries. They also expect to see this information presented in a format that aligns with their unique regulatory requirements. With the next generation of business insight and compliance software, this information can be easily indexed, analyzed and distilled into meaningful reports–often at the click of a button.

——————————————————————————–

Real life examples. Real results.

Tax Collection Agency Cuts Investigation Time by 76%A large tax collection agency, which manages tax collection for more than 110 million citizens, wanted to gain visibility into the nonlogged activities of trusted insiders and respond to new scrutiny around data protection. With Luminet, the agency has reduced fraud and prosecuted violators while cutting investigation time by 76%.

——————————————————————————–

Nonprofit Mutual Insurance Firm Demonstrates Compliance with HIPAA and PCI DSS A nonprofit mutual insurance firm, part of a large consortium of health insurance providers, needed a fraud prevention and compliance solution that would help them uncover privacy violations and demonstrate compliance with HIPAA and PCI DSS.

The firm, which serves well over a million members, chose Luminet because of its comprehensive approach to data collection, reporting, and analysis. Luminet provides 100 percent visibility into user activity across all applications. It also triggers real-time alerts for exceptions. And its interactive tools detect the cross-channel patterns and trends of users across diverse departments and applications.

Armed with Luminet, the firm can help catch privacy violations, facilitate regulatory compliance, and reduce expenses related to audits, compliance reporting, and HIPAA-associated fines.

——————————————————————————–

Credit Card Company Immediately Detects Employee Misuse A credit card company employed the Luminet technology for its ability to see, record, and analyze user activity across internal enterprise applications—thereby providing the intelligence needed to take informed action. Corporate IT used business rules available in Luminet to track user behavior patterns and generate real-time alerts on suspicious activity. And their work paid off. Just weeks after installation, the company identified an employee who was misusing his authorized access.

——————————————————————————–

Government Agency Deters Fraud and Prevents Info Leak A government agency with more than 11,000 employees deployed the Luminet technology to view and record all user interactions with internal business applications. Employees and contractors were given fair warning: From now on their application activity would be recorded in real time—screen by screen, keystroke by keystroke—creating a complete audit trail directly from the network.

By capturing a complete over-the-shoulder view of user activity, the agency was able to deter fraud and prevent sensitive info from leaking into the wrong hands.

——————————————————————————–

International European Insurance Company Tracks Privileged Users A European insurance company deployed the Luminet technology to help detect internal fraud. More specifically, one of the company’s objectives was to track the activity of privileged IT users, including database administrators, system administrators, and programmers. Trusted users, with their technical knowledge and authorized access to internal systems and resources, have the potential to devastate an institution.

Using the Luminet technology, the company implemented business rules that generated real-time alerts on questionable activity patterns; e.g., a privileged user’s attempt to update information in a production database using a utility that could not otherwise be traced.

Insider threats—the most challenging for organizations to address—are often difficult to spot and pose huge risks for your organization. While many of the motivations are the same, there are three distinct types of fraudulent insiders. Read part one of our series to understand who commits fraud. Part two will focus on what to look for and how to spot trouble before it starts.

You’re probably familiar with this classic bad-guy image: A disgruntled employee enters a building in secret under cloak of night and begins to steal trusted information from a business. This image may even have kept you awake at night. In this scenario, the individual in question has privileged access to proprietary data and enough knowledge and intent to defraud the organization.
As widespread as this image is, the true risks from insiders come from a few different areas and are often far less dramatic.

The policy violator
Despite the commonly accepted vision we all have of nefarious actors within our systems, individuals misusing company resources are, for the most part, not doing so with the intent to harm. Frequently, they are motivated to “just get the job done.” In this way, good employees may be breaking policies and creating risk without ever meaning to.
Consider, for example, the well-meaning employees who exploit a back door in a legacy system in an effort to move through their workflow more efficiently. Surely they mean no harm, but without visibility to those actions, these employees may be introducing risk that not only threatens data integrity but also leaves no trace. That activity could go undiscovered until the day something goes dramatically wrong.
Making internal actors aware of these risks is an important part of mitigating insider misuse. Gaining visibility into such activity, especially at the application layer, is essential. Taking steps to reduce misuse and error has the added benefit of protecting against more harmful insider threats as well.

The low and slow fraudster
The most common type of fraud today is not the headline-grabbing theft of millions of credit card records. It’s the small crimes of opportunity that occur quietly, steadily, and repeatedly at the hands of your most trusted insiders—your employees, vendors, consultants, and contractors. This type of fraud occurs daily, and often goes undetected for weeks or months at a time.
When it comes to actual fraud inside an organization, businesses might be surprised at the profile of the typical fraudster. According to research conducted by the CERT Insider Threat Center of Carnegie Mellon University’s Software Engineering Institute, on average, insiders are on the job for more than five years before they start committing fraud and that it takes nearly three years for their employers to detect their crimes. They are often trusted employees or managers who experience a life-changing event.

This study, funded by the Department of Homeland Security Science and Technology Directorate, examined 80 fraud cases that occurred between 2005 and 2012 to identify technical and behavioral patterns. The result? The study found that those individuals that operated “under the radar” escaped detection for longer periods of time and cost the target organization an average of $382,000 or more depending on how long they were able to operate without detection.

Commenting on the study, Randy Trzeciak, the technical lead of the Insider Threat Research Team, stated, “We also found that nearly 93% of fraud incidents were carried out by someone who did not hold a technical position within the organization or have privileged access to organizational systems.” In short, anyone in the organization has the potential to do harm.
So, how do you address the issue of good employees gone bad? Again, visibility is the key. By being able to baseline an employee’s behavior over time and identify changes or spikes in activity that is different, you can spot this type of fraudster. Correlating this data over time and across multiple data channels can be difficult for humans. In these cases, where you need to manipulate “big data,” technology purpose-built for fraud and anomaly detection can give you an edge.

The imposter
Insider threat committed by imposters is a reality. Every organization has a mix of employees, consultants, management, partners, and complex infrastructure and that makes finding and handling insider threats a challenge. Motivated by money or revenge, these insiders do commit fraud and steal valuable information. To make matters worse, these individuals do not want to be found. In an effort to operate undetected, they will often steal credentials and operate as if they were someone else. In short, you’ve just met the imposter. The problem is, you might not recognize her.
An individual using someone else’s credentials can be very difficult to discover, track, and ultimately shut down. Their activity can remain hidden or even besmirch the reputation of a valued and honest employee. With all the machine data rattling around in the system, you may find the wolf. But could you tell if it was cloaked in sheep’s clothing?
What if you could correlate data from multiple sources and compare the results to create a more comprehensive user profile. In an instant you could correlate access data with other sources. Imagine using technology to draw out these answers. Why is Janie at work? She didn’t scan her badge and her payroll record has her marked as taking a sick day, for example. Or, why is Bob accessing unusual data after hours from a machine or IP address that isn’t one he normally uses? Doesn’t that strike you as odd? It might be explainable behavior, but it’s probably worth investigating.

Your reality
Insider threats are hard to detect. The traditional methods of identifying and alerting on outside attacks such as network perimeter security is useless when you are dealing with a privileged user or stolen credentials that permit an attacker to masquerade as something they are not. Even a good layered defense can be vulnerable to insiders if you’re not taking the time to examine the risks from an inside attack.
Think about the levels of control you have in place today. You’ve probably done a good job hardening your defense from the outside in. You likely have policies, procedures, and technical controls to help keep your core assets safe. But without visibility—the ability to see beyond logs and really understand what your machines are telling you—can you really tell the good guys from the bad guys? Can you see the difference between accidental policy violations from persistent fraud? Probably not.

Next time, we’ll show you how some of the world’s leading institutions do it.

Health privacy violations are lethal. They can create reputation management nightmares and generate stiff fines. Even a single HIPAA violation has serious financial consequences. The minimum fine now stands at $50,000, with a maximum penalty per year of up to $1.5 million per each provision of the rules. Since many healthcare privacy breaches involve multiple violations, the cost of not protecting patient privacy can grow very quickly. We’ve even begun to see this demonstrated in the more recent HIPAA compliance enforcement actions. Care providers large and small are feeling the pressure. Even government agencies are not immune.

While headline-grabbing events like the HIPAA fine levied at the State of Alaska are being widely covered, there is another, hidden reality that is far more pervasive: Small-scale snooping is actually far more common than large scale theft or dramatic losses of equipment containing PHI. In fact, in the 2011 Survey of Patient Privacy Breaches*, about 70% of the survey respondents reported that they had experienced a HIPAA breach of some level—with the majority of those violations occurring as a result of snooping activity. Insiders were responsible for the majority of breaches, with 35 percent snooping into medical records of fellow employees and 27 percent accessing records of friends and relatives. More than half of the respondents stated that they lacked the appropriate tools for monitoring inappropriate access to PHI.

Organizations will continue to be held accountable for responding to audit and information requests. There are tools, like Attachmate Luminet, that support HIPAA compliance reporting requirements and Accounting of Disclosure requests are available today. These leading solutions exist to help stop misuse and curtail privacy violations by seeing, recording, and analyzing user activity across all applications. In this way, these solutions can help you address a wide variety of PHI access and policy scenarios. When examining technology of this kind, make sure it can help you answer the following questions:

• Is an employee logged in at multiple locations or accessing systems after hours while on vacation or absent from work?
• Is an employee accessing areas not appropriate for their job or function?
• Are physicians accessing records outside their specialty?
• Are employees accessing high profile or VIP accounts inappropriately?
• Are employees inappropriately accessing PHI within the institution?
• Are employees accessing accounts more than 30 days after the date of service? Has key account information—e.g., address or services rendered—changed?

When evaluating a solution provider, look for the ability to see beyond logs—to capture the query-only activity that happens when staff and care providers only want a “quick peek.” It may seem like harmless curiosity, but it represents a privacy violation that can land an institution into very hot water.

*The 2011 Survey of Patient Privacy Breaches was conducted by Veriphyr.

Organizations lose millions to fraud. According to the most recent ACFE Report to the Nations, organizations lose about 5% of their annual revenue to fraud. That number is staggering. What’s even more troubling is all the different ways organizations are “paying” for the hidden fraud in their companies today. Here are just a few of the ways that fraud impacts the bottom line:

The Reality of Fines
Regulations have been part of data protection for over a decade. The heavy hitters, HIPAA, GLBA, FISMA, NIST, PCI-DSS, are all designed to reduce risk of information loss or exposure. And increasingly, these regulations carry fines. Think of it as a “carrot and stick” approach to regulation. Fines in banking are fairly common and regularly metered out. What’s interesting from an industry watcher’s perspective is the growing maturity of fines in other industries.

Most recently, eyes have been on HIPAA. The U.S. Department of Health and Human Services issued a $4.3M HIPAA fine to Maryland healthcare provider Cignet. In May of 2012, the agency also levied a HIPAA fine of $100,000 against a private practice. In doing so, the agency indicated that the size of violator is not an indication of the likelihood of getting fined. It’s a trend that’s likely to continue and put a laser focus on correcting HIPAA violations.

What about Reputational Risk?
By far, the biggest opportunity for losses is brand damage. These costs only grow when you tot up things like litigation, loss of customers, a slide in shareholder value, etc. If there is one issue troubling the C-Suite, it’s this one. It consistently outranks other concerns like theft of IP and theft of assets. It even trups privacy concerns at many institutions. Why might that be, you ask? It’s a top concern year after year because reputational damage, damage to your brand, can wipe out profits in an instant. Customer leave institutions that fail to protect privacy in droves. And they oftentimes don’t come back. So in addition to the loss generated by the theft or breach, the drop in shareholder value, reduced business and litigation expense, you can add the cost of attracting new customers. If you’re industry is private banking, it may only take the loss of a handful of key accounts to really feel a pinch. Doesn’t it make sense to protect the data entrusted to you with the same zeal you have for making money for your clients?

Over-paying for Insurance Premiums
Banks, financial institutions, hospitals and even insurers have insurance policies to cover fraud losses. While carrying those protections is probably prudent (after all, there has to be real risk or people wouldn’t need to hedge against it), those policies cost real money and any step to reduce risk and reduce premiums is more money in your pocket.

The Problem with Write Offs
For years, there’s been an acknowledged problem with banking fraud. In an interview, noted security expert Juval Aviv, reported the scope of the problem a few years back when he stated, “People are stealing billions every year (from banks) and getting away with it. Fraudsters know that if they are going to do it, they have to do it big and then complicate the investigation by moving the money across several banks in several countries.” He added, “Banks then write off these losses and the fraudsters know this.” The problem with this attitude is that it contributes to the problem. By failing to prosecute, banks are giving a kind of tacit permission to thieves to operate in their systems. I know that prosecution is hard. I know that information trails are notoriously incomplete—logs just don’t have the data to make an effective case against fraudsters the majority of the time. But there are technologies out there that can create a more comprehensive trail and contribute greatly to a layered security model. Looking at those tools, like Luminet from Attachmate, has got to be better than turning a blind eye.

Conclusion
It’s fairly common in this industry to hear the refrain, “Fraud is just a cost of doing business.” It doesn’t have to be. If you’re interested in moving the bar on security and risk, it shouldn’t be. Permitting an “acceptable level of loss” means the bad guys are allowed to operate freely in your systems. Is that really OK?

Government agencies around the globe are at risk from within. Just as in the private sector, more error and misuse occurs from internal employees and partners and suppliers than from anyone else. A recent study from Price Waterhouse Coopers indicates that the problem may be getting worse. According to the consultancy’s latest Global Economic Crime Survey, nearly half of organizations in the public sector have been hit by economic crime in the past 12 months. Cyber crime, employee and supplier fraud in particular are on the rise. The survey also found 46 per cent of respondents had experienced one or more incidents of such crime in the past year. That’s quite a jump from 37 percent in 2009 and considerably higher than the average of 34 per cent across all sectors.
Some of the other key findings from the survey are equally alarming:
• More than two-thirds of the crimes experienced in the past 12 months were committed by public sector employees, compared with just over half in 2009.
• Supplier fraud jumped from 13 per cent to 32 per cent over the same period.
• Over 50% of those surveyed said they had the resources to detect cyber crime, but most lack the forensic capabilities needed to investigate such incidents.
Source: 2011 Global Economic Crime Survey, PWC: http://www.pwc.com/en_GX/gx/economic-crime-survey/assets/GECS_GLOBAL_REPORT.pdf
Further, the study links this rise in activity to the cuts in public sector spending—a trend that is likely to continue and deepen if the current economic reality remains unchanged.
Government agencies are clearly struggling to address internal fraud. Their efforts are complicated by shifting compliance requirements, impaired visibility into user activity, legacy systems that house mission-critical processes, and the limited effectiveness of existing controls and traditional logging capabilities.