What Is the True Cost of Fraud?

by Christine Meyers on July 30, 2012

Organizations lose millions to fraud. According to the most recent ACFE Report to the Nations, organizations lose about 5% of their annual revenue to fraud. That number is staggering. What’s even more troubling is all the different ways organizations are “paying” for the hidden fraud in their companies today. Here are just a few of the ways that fraud impacts the bottom line:

The Reality of Fines
Regulations have been part of data protection for over a decade. The heavy hitters, HIPAA, GLBA, FISMA, NIST, PCI-DSS, are all designed to reduce the risk of information loss or exposure. And increasingly, these regulations carry fines. Think of it as a “carrot and stick” approach to regulation. Fines in banking are fairly common and regularly meted out. What’s interesting from an industry watcher’s perspective is the growing maturity of fines in other industries.

Most recently, eyes have been on HIPAA. The U.S. Department of Health and Human Services issued a $4.3M HIPAA fine to Maryland healthcare provider Cignet. In May of 2012, the agency also levied a HIPAA fine of $100,000 against a private practice. In doing so, the agency indicated that the size of violator is not an indication of the likelihood of getting fined. It’s a trend that’s likely to continue and put a laser focus on correcting HIPAA violations.

What about Reputational Risk?
By far, the biggest opportunity for losses is brand damage. These costs only grow when you tot up things like litigation, loss of customers, a slide in shareholder value, etc. If there is one issue troubling the C-suite, it’s this one. It consistently outranks other concerns like theft of IP and theft of assets. It even trumps privacy concerns at many institutions. Why might that be, you ask? It’s a top concern year after year because reputational damage, damage to your brand, can wipe out profits in an instant. Customers leave institutions that fail to protect privacy in droves. And they oftentimes don’t come back. So in addition to the loss generated by the theft or breach, the drop in shareholder value, reduced business and litigation expense, you can add the cost of attracting new customers. If your industry is private banking, it may only take the loss of a handful of key accounts to really feel a pinch. Doesn’t it make sense to protect the data entrusted to you with the same zeal you have for making money for your clients?

Over-paying for Insurance Premiums
Banks, financial institutions, hospitals and even insurers have insurance policies to cover fraud losses. While carrying those protections is probably prudent (after all, there has to be real risk or people wouldn’t need to hedge against it), those policies cost real money and any step to reduce risk and reduce premiums is more money in your pocket.

The Problem with Write Offs
For years, there’s been an acknowledged problem with banking fraud. In an interview, noted security expert Juval Aviv described the scope of the problem a few years back when he stated, “People are stealing billions every year (from banks) and getting away with it. Fraudsters know that if they are going to do it, they have to do it big and then complicate the investigation by moving the money across several banks in several countries.” He added, “Banks then write off these losses and the fraudsters know this.” This attitude only compounds the problem. By failing to prosecute, banks are giving a kind of tacit permission to thieves to operate in their systems. I know that prosecution is hard. I know that information trails are notoriously incomplete—logs just don’t have the data to make an effective case against fraudsters the majority of the time. But there are technologies out there that can create a more comprehensive trail and contribute greatly to a layered security model. Looking at those tools, like Luminet from Attachmate, has got to be better than turning a blind eye.

Conclusion
It’s fairly common in this industry to hear the refrain, “Fraud is just a cost of doing business.” It doesn’t have to be. If you’re interested in moving the bar on security and risk, it shouldn’t be. Permitting an “acceptable level of loss” means the bad guys are allowed to operate freely in your systems. Is that really OK?