The lengths to which fraudsters go to successfully scam businesses and individuals are most evident in email phishing, which has become increasingly sophisticated as the scammers collectively gather intelligence, collaborate, co-ordinate compromises and evolve the scam. The FBI’s Internet Crime Complaint Center (IC3) estimates the total cost of such attacks exceeded $5.5 billion in the past five years. Unfortunately, this is just one of the many types of cyberattacks that cause business interruption, reputational damage and financial loss.
Preparation may seem intuitive, but it is often glossed over and not properly utilized by many businesses. Fraud, with or without a cyberattack element, relies on weaknesses in a system which can be exploited. Best practices associated with preparation help an organization identify these weaknesses and act to mitigate risk ahead of any fraud or compromise.
Identifying a business’s critical data and risk areas is often associated with information governance (IG). When utilized properly, IG balances the use and the security of information, assists with compliance and legal issues, and reduces the overall cost and risk of an organization’s data. It helps identify a business’s critical and at-risk data. This is only one part of the overall process.
Best practice steps to prevent fraud
1. Identify your business’s critical data and risk areas
2. Develop an incident response plan
3. Assign key stakeholders to a response team
4. Test the IR plan for effectiveness
Businesses should also identify risk areas within processes where technology may be limited. In email phishing scams, for example, the fraudster relies in part on weak controls in an organization’s accounts payable group to send money outside the organization. While a business’s email system may have been compromised, the fraudster is relying on someone inside the organization sending money without ever verifying whether the transfer was a legitimate request. Best practice is to take a holistic approach to identifying all locations of critical data and all risk areas.
Many organizations fail to handle incidents effectively because their incident management is ineffective or non-existent. Incident management involves the monitoring and detection of security events on a business’s computer network as well as the execution of proper responses to those events. Proper response execution requires an incident response (IR) plan and a response team that follows this plan. A successful IR plan limits the amount of damage and interruption to a business while improving recovery time and the costs associated with the incident. It is best practice to create and continually update the IR plan to address a company’s changing risk areas.
A response team should be designated to enact the IR plan during an incident. While the incident and much of the response may be technical in nature, the team needs to include key stakeholders who can address business needs, not just technical needs. Every organization is different, but as a best practice, the response team should include personnel from IT services, information security, compliance, legal, human resources and public relations. Other departments may need to be considered depending on the size and complexity of the business.
Having an IR plan and a response team is necessary, but they become ineffective if there is inadequate planning to stress-test the IR plan. A best practice is to perform testing at regular intervals, such as annually or bi-annually. This testing can be less technical, such as a table-top exercise, or more involved, such as penetration testing or other white hat hacking activities that stress-test the computer network.
All hands on deck
The responsibility for managing and preventing fraud and cyber risk in an organization includes and affects everyone within it. There are many facets to properly addressing an incident, but it is critical for a business to prepare through identification, response management and testing by instituting these best practices.