Organizations lose millions to fraud. According to the most recent ACFE Report to the Nations, organizations lose about 5% of their annual revenue to fraud. That number is staggering. What’s even more troubling is all the different ways organizations are “paying” for the hidden fraud in their companies today. Here are just a few of the ways that fraud impacts the bottom line:

The Reality of Fines
Regulations have been part of data protection for over a decade. The heavy hitters, HIPAA, GLBA, FISMA, NIST, PCI-DSS, are all designed to reduce risk of information loss or exposure. And increasingly, these regulations carry fines. Think of it as a “carrot and stick” approach to regulation. Fines in banking are fairly common and regularly metered out. What’s interesting from an industry watcher’s perspective is the growing maturity of fines in other industries.

Most recently, eyes have been on HIPAA. The U.S. Department of Health and Human Services issued a $4.3M HIPAA fine to Maryland healthcare provider Cignet. In May of 2012, the agency also levied a HIPAA fine of $100,000 against a private practice. In doing so, the agency indicated that the size of violator is not an indication of the likelihood of getting fined. It’s a trend that’s likely to continue and put a laser focus on correcting HIPAA violations.

What about Reputational Risk?
By far, the biggest opportunity for losses is brand damage. These costs only grow when you tot up things like litigation, loss of customers, a slide in shareholder value, etc. If there is one issue troubling the C-Suite, it’s this one. It consistently outranks other concerns like theft of IP and theft of assets. It even trups privacy concerns at many institutions. Why might that be, you ask? It’s a top concern year after year because reputational damage, damage to your brand, can wipe out profits in an instant. Customer leave institutions that fail to protect privacy in droves. And they oftentimes don’t come back. So in addition to the loss generated by the theft or breach, the drop in shareholder value, reduced business and litigation expense, you can add the cost of attracting new customers. If you’re industry is private banking, it may only take the loss of a handful of key accounts to really feel a pinch. Doesn’t it make sense to protect the data entrusted to you with the same zeal you have for making money for your clients?

Over-paying for Insurance Premiums
Banks, financial institutions, hospitals and even insurers have insurance policies to cover fraud losses. While carrying those protections is probably prudent (after all, there has to be real risk or people wouldn’t need to hedge against it), those policies cost real money and any step to reduce risk and reduce premiums is more money in your pocket.

The Problem with Write Offs
For years, there’s been an acknowledged problem with banking fraud. In an interview, noted security expert Juval Aviv, reported the scope of the problem a few years back when he stated, “People are stealing billions every year (from banks) and getting away with it. Fraudsters know that if they are going to do it, they have to do it big and then complicate the investigation by moving the money across several banks in several countries.” He added, “Banks then write off these losses and the fraudsters know this.” The problem with this attitude is that it contributes to the problem. By failing to prosecute, banks are giving a kind of tacit permission to thieves to operate in their systems. I know that prosecution is hard. I know that information trails are notoriously incomplete—logs just don’t have the data to make an effective case against fraudsters the majority of the time. But there are technologies out there that can create a more comprehensive trail and contribute greatly to a layered security model. Looking at those tools, like Luminet from Attachmate, has got to be better than turning a blind eye.

Conclusion
It’s fairly common in this industry to hear the refrain, “Fraud is just a cost of doing business.” It doesn’t have to be. If you’re interested in moving the bar on security and risk, it shouldn’t be. Permitting an “acceptable level of loss” means the bad guys are allowed to operate freely in your systems. Is that really OK?

Stratfor specializes in “strategic intelligence on global business, economic, security and geopolitical affairs,”

It appears Stratfor failed to encrypt any of its credit card information, despite promises “to maintain safeguards to protect the security of these servers and your personally identifiable information,” according to its privacy policy.”

http://www.scmagazine.com/anonymous-shreds-intelligence-firm-stratfor-in-latest-hack/article/220781/?DCMP=EMC-SCUS_Newswire

I just wonder when will corporations and their executives start being held criminally liable for such egregious security blunders? Until then, there is very little reason for many of them to change….just my two pennies. Sales point is that no one is safe and all should at least entertain a conversation with you about your security solutions, right?

Happy New Year.

Use the next generation of fraud management software to detect and prevent fraud.

Financial losses from the recent data hacks on banks and online services are being revealed bit by bit. For example, last month Citigroup disclosed that its credit card customers suffered losses of around $2.7 million from their account details being stolen.

 While  the loss is serious it actually only applied to 1% of the cards affected by the breach. This, and the fact that this represents 0.01% of all Citigroup credit cards puts the financial damage done by the external hackers into perspective, especially against the estimated scale of financial losses from insider fraud and theft.

 When it comes to internal fraud, the ACFE report on occupational fraud and abuse estimates a typical organization loses five% of annual revenue to fraud committed by people inside the organization. This translates to a potential total global fraud loss for all organizations of more than $2.9 trillion in 2009.

Protect Your Data Against Fraud

This difference has been pointed out before, but it is worth repeating: organizations urgently need to review their data protection strategies. Protection from internal threats is key, especially given the reputational damage that can be caused. Real financial losses do arise but the greater losses arise from how online services have had to be taken offline to protect customers. Losses from external frauds are harder to quantify and when revealed their scale can be relatively low.

 Protection from internal threats by monitoring for internal frauds stems serious losses that may be systemic and longstanding. Typically fraudulent acts can run for 18 months and add up to around $160,000 on average. What’s more the opportunity for recovering losses is potentially substantial because currently occupational frauds are more likely to be detected by a tip off, according to the ACFE.

Through applying comprehensive anti-fraud controls internally, alongside implementing stronger data protection controls against external threats, organizations can manage these risks holistically with greater assurance and less likelihood of suffering serious financial losses.

By Dan Dunford, Security Product Specialist, Attachmate