Information technology moves fast. Recent advances have led to streamlined business operations and innovative products and services. They have also opened up new avenues for fraud. Breach announcements disclosing information leaks and theft of privacy data are so commonplace, many of us turn a deaf ear to them and a blind eye to the underlying vulnerabilities they represent. But should we? What is it that these events actually represent?

In some cases, these incidents are the result of an outside-in attack. Worms, malware, phishing scams come to mind. However, it’s easy to overlook the insider threats that lurk in every business. No one likes to think that their trusted insiders–employees, contractors, consultants, and even trusted business partners–could be committing fraud and data abuse from within their systems. Frankly, it is an ugly thought. And, unfortunately, it’s a reality. The wide array of threats that businesses face often originate from the inside.

In today’s fast paced, connected business environments, anyone can exploit the privileges and knowledge they have acquired about business operations and practices to commit fraud, violate privacy protections, and steal valuable confidential information. Fortunately, detection and prevention practices and applications are adapting to the threats posed by malicious insiders.

As you consider your risk profile and how to mitigate such abuses within your own systems, consider the power of continuous monitoring and continuous audit. With the next-generation monitoring technologies, you and your auditors can have greater confidence that data is safe and protected, that your policies are actually being followed and that you can quickly spot “bad actors” intent on doing harm or introducing error.

Enterprise fraud and workplace policy abuse come in many forms, and every business is at risk.

 Unfortunately, it’s not always obvious when workplace fraud occurs. Perpetrators are often insiders – long-time employees or trusted staff members who have access to sensitive information.

 The very idea that these people would cheat you can be hard to accept. It may even be tempting to think, “It could never happen here.” But it could. And the less you do to prevent it, the more likely it is to occur.

 Workplace fraud could mean failed compliance audits, hefty fines, or irreparable damage to your brand. It could also mean a serious blow to your bottom line.

 So don’t let others profit unethically at your expense – take steps to stop them. Here are four common types of workplace fraud and some suggestions for avoiding an all-out fraud nightmare.

1. Accounting mischief

 If your accounts are vulnerable, employees can use them to their advantage. Think “skimming” small amounts of money from the tops of checks or taking unreported cash payments.

 When the amounts are small, this type of fraud can be hard to detect. And if you never perform any audits, it could be virtually untraceable. While internal audits are an option, they’re often difficult to conduct. Slinging together data in an attempt to create a complete audit trail can quickly become a nightmare.

 On the other hand, by bringing in external auditors, you’ll be able to keep your accounts in check. Make external audits routine, and you can prevent accounting fraud before it even starts.

2. Exchanged credentials

 Or falsified ones. With counterfeit documents, records, or licenses, scammers may seek employment at your organization. They may also use someone else’s credentials to gain access to your office or work facility.

 Don’t forget: In hiring, even one fake reference represents a serious case of fraud.

 Always call professional references, verify credentials, and conduct background checks of each new hire. After all, you should be confident in the employees who represent your organization, not suspicious of them.

3. Unauthorized data access

 The use of false credentials can also help employees access data that was never theirs to consume.

 When this happens, the privacy of your patients or customers – not to mention confidential business information – could be in jeopardy. And what if employees don’t even need to use false credentials? What if they’re accessing sensitive information because it’s already easy to do so without being caught?

 That’s why you must implement data-handling policies that specify who has access to what. Also establish a system for verification before anyone can access sensitive material. Things like passwords and account numbers should never be shared and, if possible, should be changed often.

4. The address swap

 This is what happens when an employee changes the address to which a check is sent – presumably to his or her own – and then changes it back.

 To combat this kind of fraud, conduct regular reviews of all purchases. Consistent audits of accounts and contracts will also help protect you. While you don’t want to create a culture of surveillance that makes employees feel like Big Brother is lurking behind every corner, audits and reviews should create an atmosphere of accountability.

 Because when employees are accountable for their actions, you’ll enjoy greater security.

 For more information about Enterprise Fraud Management, be sure to check back here on Insider Fraud Spotlight!

I was speaking with a friend the other day about Medical Identity Theft, HIPAA compliance and enterprise fraud management. We were discussing a survey report published in March by the Ponemon Institute that found roughly 1.5 million Americans are victims of medical ID theft. In the survey, fourteen percent of respondents said the breach occurred at a health care office, and 10% said employees at a health care organization’s office had stolen the data.

 It occurred to me that medical identity theft is one of those “wild west” opportunities for identity thieves at the moment. While everyone is pretty familiar with the concept of financial fraud and what happens when your credit card information is stolen, what happens when someone pretends to be you to access medical care can have far more devastating consequences.

According to the Federal Bureau of Consumer Protection, here are some indications that might indicate that someone has been a victim of medical identity theft. Victims may:

• get a bill for medical services they didn’t receive;
• be contacted by a debt collector about medical debt they don’t owe;
• see medical collection notices on their credit report that they don’t recognize;
• be told by their health plan that they’ve reached their limit on benefits; or
• be denied insurance because their medical records show a condition they don’t have.

Source: http://business.ftc.gov/documents/bus75-medical-identity-theft-faq-health-care-health-plan

Whoa—think about that for a moment. Those are significant impacts. Then, spin the scenario out a bit further. What happens if medical records become co-mingled at the provider level? Can you get to a point where the records of the thief are entered into the medical history of the victim? According to the experts, you can. Back in 2006, Pam Dixon, founder of the World Privacy Forum, referenced the challenges that medical identity theft can create and cited examples of misinformation appearing in patient files. She also stated that changes to patient records could remain in the files for many years.

Providers Protecting Privacy as Part of Their Healthcare Brand

Leading healthcare organizations are increasingly seeing ways to protect their brand while safeguarding patient privacy. Moving the privacy discussion beyond the HIPAA disclosure form that all of us sign when accessing care and making ePHI protection a differentiator demonstrates a commitment on the part of the provider. When given a choice, my healthcare dollars are spent with those institutions that care enough about me to protect my personal information. It just makes sense to require the same level of accountability from my doctor as I do from my bank—the risks are just as real and the opportunity for damage may even be greater.

It’s easy to point fingers when another organization has an insider fraud incident. But information from the new Survey on the Risk of Insider Fraud by Attachmate Corporation and Ponemon Instituteshows that more organizations need to turn a scrutinizing eye toward their own risk.

The survey encompassed more than 700 organizations and revealed some alarming data security trends:

• More than 75 percent of the respondents indicated that privileged users within their own institutions had or were likely to turn off or alter application controls to change sensitive information – and then reset the controls to cover their tracks.
• Eighty-one percent replied that individuals at their institutions either had used or were likely to use someone else’s credentials to gain elevated rights or bypass separation of duty controls.
• On average, respondents noted that their organizations experienced more than one incident of employee-related fraud per week – about 53 in a year’s time(infographic available). Twenty-four percent of respondents indicated that their organizations experienced more than 100 incidents in the past 12 months.
• Once an incident has occurred, it takes organizations an average of 89 days to discover it and an additional 96 days to uncover the root cause and determine the consequences to the organization.
• A majority of respondents – or 62 percent – were unable or unsure of their ability to assess the financial impact and true costs of fraud.
• Approximately two-thirds of internal fraud investigations do not result in actionable evidence against the perpetrators, meaning a majority of the incidents go unpunished and leave organizations vulnerable to additional incidents.

“This data demonstrates that employee actions across an enterprise are not visible,” said Larry Ponemon, chairman and founder of the Ponemon Institute. “While organizations may have policies in place that are meant to curtail insider fraud, what’s on paper doesn’t necessarily lead to compliance.”

In fact, 52 percent of respondents noted that they do not believe they have the appropriate technologies to prevent or quickly detect insider fraud, including employees’ misuse of IT resources. Traditionally, IT departments review log files to analyze employee activity. However, 78 percent of respondents believe the manual review of log files is an inadequate method for observing questionable or suspicious employee access and computing activities.

Enterprise fraud and misuse is on the rise.  A recent study by the Ponemon Institute found that of the organizations surveyed, on average respondents experienced more than one incident of employee-related fraud per week – about 53 in a year’s time. Twenty-four percent of respondents indicated that their organizations experienced more than 100 incidents in the past 12 months. I’ve been in this industry for a long time and even my jaded soul was shocked by the findings. But I guess I really shouldn’t have been surprised.

The reality is that our increasingly connected world provides boundless opportunities for employees to accidentally stumble into private realms of information—or to trespass with malicious intent.

Here are some typical problems we see out in the wild:

• An employee uses someone else’s credentials to access information he doesn’t have rights to.
• An employee changes the address in a customer record, and then reinstates the correct address after a check has been sent.
• A curious—or star-struck—employee casually accesses personal information about a neighbor or a celebrity.
• Organizations, caught be a breach or privacy mishap, find themselves scrambling to piece together incomplete data in a frustrating attempt to create a complete audit trail.

Financial loss, failed audits, regulatory fines, and brand damage—these are just a few of the devastating risks of being in the dark when it comes to fraud and misuse. We see it every day.

We also see that businesses are stuck trying to clearly distinguish between the legitimate work of their employees and suspicious activity because the evidence trail is often missing. Organizations seeking to be proactive about managing the risk of fraud within their enterprise should take pains to discover, capture, monitor and alert on the  following activities:

• After-hours access of information
• Employee change records in customer accounts—like changing an address and then changing it back
• Out of band transaction requests
• Multiple failed password attempts
• Account snooping—especially VIP accounts or dormant accounts

Watching out for fraud and misuse is a nuanced business. The activity is often hidden or obscured—and all too often the trail has gone
cold by the time you figure out the fraud occurred. When evaluating possible solutions to your enterprise fraud challenge, focus on the next generation of fraud technologies. They’ll get you farther faster and with the flexibility you need to really hone in on what’s right for your business.

Use the next generation of fraud management software to detect and prevent fraud.

Financial losses from the recent data hacks on banks and online services are being revealed bit by bit. For example, last month Citigroup disclosed that its credit card customers suffered losses of around $2.7 million from their account details being stolen.

 While  the loss is serious it actually only applied to 1% of the cards affected by the breach. This, and the fact that this represents 0.01% of all Citigroup credit cards puts the financial damage done by the external hackers into perspective, especially against the estimated scale of financial losses from insider fraud and theft.

 When it comes to internal fraud, the ACFE report on occupational fraud and abuse estimates a typical organization loses five% of annual revenue to fraud committed by people inside the organization. This translates to a potential total global fraud loss for all organizations of more than $2.9 trillion in 2009.

Protect Your Data Against Fraud

This difference has been pointed out before, but it is worth repeating: organizations urgently need to review their data protection strategies. Protection from internal threats is key, especially given the reputational damage that can be caused. Real financial losses do arise but the greater losses arise from how online services have had to be taken offline to protect customers. Losses from external frauds are harder to quantify and when revealed their scale can be relatively low.

 Protection from internal threats by monitoring for internal frauds stems serious losses that may be systemic and longstanding. Typically fraudulent acts can run for 18 months and add up to around $160,000 on average. What’s more the opportunity for recovering losses is potentially substantial because currently occupational frauds are more likely to be detected by a tip off, according to the ACFE.

Through applying comprehensive anti-fraud controls internally, alongside implementing stronger data protection controls against external threats, organizations can manage these risks holistically with greater assurance and less likelihood of suffering serious financial losses.

By Dan Dunford, Security Product Specialist, Attachmate