The battle to contain fraud is as old as

Transcription

1 22 SPONSORED FEATURE COMBATTING DIGITAL FRAUD Combatting digital fraud Combatting digital fraud has become a strategic business issue for today s CIOs. The battle to contain fraud is as old as business itself but in the decade since digital commerce established itself anxiety over its effects on business has gradually become more acute. Much of this has to do with visibility. In the traditional offline world of buying, selling or transacting, it is possible to meet and assess customers and so should fraud occur it does so in real time as human beings interact with one another. This kind of risk can be quantified and calculated using well-understood rules and factored in as a cost of business. In the digital world, the rules of the game have changed. Transactions happen remotely at speeds beyond human perception, and on a potentially vast and automated scale. Human oversight is expensive, fallible and slow, leaving visibility on any one event or customer reduced to a degree that would have seemed incredible to businesses from the pre-internet age. Clearly, for 21st century digital commerce, trust has become an incredibly precious commodity re-negotiated with every new transaction; is this customer known and trustworthy? Do they have a record of past good transactions? Can their credentials be remotely authenticated? The same process also works in reverse, with buyers assessing the reliability, security and ability to transact of sellers or providers to offer services without hindrance. Digital commerce is the fuel for the next stage of economic development but it is one in which every event, positive and negative, can suddenly have major commercial consequences. Businesses, citizens and governments have become incredibly demanding consumers that make harsh judgments of organisations falling below accepted commercial standards. The challenge, then, is for organisations is to find a way to invest in digital commerce In association with while fighting a growing and increasingly sophisticated wave of digital fraud driven by organised criminals that have demonstrated an ability to identify, understand and prise open small weaknesses in legitimate businesses systems and the organisations that use them. The traditional IT-centric approach has been to see digital fraud as another technical problem that can be solved with added layers of security and fraud detection but there is a risk that this sort of short-term approach misses the point. In the age where digital commerce underpins the future of many firms, digital fraud is now something that has escalated to the CIO and board level. Digital fraud is no longer a mere inconvenience or a cost of doing business, it represents a strategic threat.

2 COMBATTING DIGITAL FRAUD SPONSORED FEATURE 23 fr ******* What is required is a fundamental shift in the approach organisations take to digital fraud based around improving intelligence and knowledge of real-world threats, and structuring the organisation so that every layer of the business has visibility on their impact. The secure organisation will be one that can react rapidly to events at every level from IT teams to the boardroom and back. Knowledge, expertise and ownership of security should never be stranded in islands of responsibility. Getting to such a world will not be easy and could represent a major cultural shift for some businesses. CIO s digital fraud research set out to get some data on the scale of the digital fraud 60% of senior IT decision makers agree that fraud was now a significant or moderate risk. problem and how organisations are dealing with it. Are businesses experiencing more fraud than before? How are they reacting to incidents or the threat of attack? What if any barriers are there to investment in digital fraud security? The results suggest that awareness of the issue among senior IT decision makers was, as one might expect, fairly high, with six in ten agreeing that fraud was now a significant or moderate risk. About the same number agreed that the risk of fraud had increased since 2011 with only 1 percent believing it had decreased. Interestingly, when asked whether this growth in threats had affected their organisation s ability or desire to deliver new

3 24 SPONSORED FEATURE COMBATTING DIGITAL FRAUD 69% saw investment in digital fraud technology as a significant or moderate priority Security teams know the threat is real even if they can t quantify its effects in advance of an attack. services, 73 percent said that digital fraud risks had at least some effect on their desire and ability to deliver new services. Methods for risk assessments vary across different types of businesses, but these comments suggest the desire to invest in digital commerce remains a very high priority. It was revealing that six out of ten said their organisation had yet to experience a loss as a result of a digital fraud attack, which raises the apparent paradox that digital fraud is seen as a significant threat despite most respondents not having direct experience of it. One explanation for this is the psychology of defence; security teams know the threat is real even if they can t quantify its effects in advance of an attack. Of those that said they d suffered an attack, the CIO survey charted a variety of forms including the targeting of customers, data breaches, the targeting of staff and partners, with the biggest category a cocktail of these threats. What is clear is that defences are being put under pressure by the expansion of digital commerce to become the core of many operations, not only online but through new channels such as mobile. At the same time, there are now multiple security gaps to plug within constrained budgets. The rate of increase in transactions has been incredible with a large increase in mobile financial services alone. And yet CIOs don t know how to quantify risk or how to go to their boards to get investment. comments RSA s Director of Global Pre-Sales for Fraud & Risk Intelligence, Mark Crichton. Crichton s point is an important one. CIO s research found that although 69 percent saw investment in digital fraud technology as a significant or moderate priority, actually getting this investment approved could be a challenge. Predictably, the biggest barrier was cost, with 24 percent mentioning high capital expenditure, and an identical number citing the unclear return on investment (ROI). Other noteworthy issues included the 11 percent that were confused about the available technologies, and the 12 percent who worried about organisational challenges. Charting a course through these complex issues poses an obvious challenge. There are so many technology solutions available that it is easy to get lost in the details, agrees Deloitte UK s ecrime & Digital Fraud Prevention lead, Stephen Nicholls. For many organisations, investment in security is seen as a sunk cost where the benefits in preventing potential future fraud impacts are incredibly difficult

4 COMBATTING DIGITAL FRAUD SPONSORED FEATURE 25 to articulate. Fundamentally, organisations need to translate digital fraud from a technical problem to a business issue, says Nicholls. Given the risks to customer perception, brand and reputation, the challenge of digital fraud must be on the agenda of business and customer owners. If customers are impacted by fraud, then the business suffers too. Understanding this context, and gaining visibility of the customer and business impact of fraud, is essential for articulating the benefits of investment in appropriate security controls, not just to protect current services but to enable future business development. The idea that security acts as a block or hindrance is a hangover from the days when that is precisely what it was designed to be. Security was a check, something designed to slow down an event so that it could be scrutinised or authenticated more comprehensively. This model is still an influence in areas of traditional security (for instance network and application security) but starts to warp when applied wholesale to business models that are dependent on digital and mobile commerce. Similarly, adding layers of badly-designed security to digital transactions slows them down and reduces throughput just as surely as it inconveniences the customer. The business simply conducts less business and satisfies fewer customers. Effective digital fraud risk management is not about adding multiple layers of controls that impact the customer journey and the business. These types of controls are typically implemented as some sort of knee-jerk reaction by organisations struggling to cope with the risks they face. But increasingly, mature organisations are looking to back-end controls 11% confused about the available technologies Organisations in the UK need to be looking at themselves very closely as the threats targeting digital commerce continue to evolve,. STEPHEN NICHOLLS, E CRIME & DIGITAL FRAUD PREVENTION LEAD, DELOITTE UK that can detect suspicious activity and disrupt fraudulent activity without impacting every customer. Ensuring that security is built-in from the earliest design stages for a new digital product or service is the most effective way of delivering this type of risk-based, customerfriendly approach to fraud prevention. The approach recommended by Deloitte and RSA is to see digital fraud indeed security threats of all kinds as a business rather than a purely technical issue. This sounds like an obvious point but it can be incredibly challenging to achieve because it demands that organisations take a far-reaching look of their current systems, processes and controls. Reform has to happen on several levels at once, starting with resolving to gain visibility and understanding of threats in real time. Systems such as RSA s Web Threat Detection offer anti-fraud analytics, peering into both web and mobile traffic to spot suspicious sessions as they are happening, not reactively after the fact. In the case of Web Threat Detection, this also importantly covers the whole chain of digital commerce, including when customers and transactions are passed on to third parties. This can be complemented with specific security intelligence. Investing in real-time digital fraud security implies that organisations also have adequate processes in place to deal with incidents. This can be complex but involves ensuring that lines of reporting are clear, that business managers have visibility on the digital systems they manage and can ask for help up to board level if need be. If necessary the structure of a business must be adjusted to iron out the possibility that data on critical security threats might not reach the appropriate individuals in a timely way. A final and important reform is to resolve to stress test these structures and controls to spot weaknesses or oversights. As these structures and processes evolve, so the testing must be revisited on a regular basis in order to banish dangerous assumptions. Organisations in the UK need to be looking at themselves very closely as the threats targeting digital commerce continue to evolve, agrees Deloitte s Nicholls. If fraudsters targeted us is there anything that would stop them? Would we know if it had happened? Do we have the expertise and experience to respond effectively?

5 26 SPONSORED FEATURE COMBATTING DIGITAL FRAUD Digital fraud needs to be understood as a business challenge, not merely an IT or technical problem. STEPHEN NICHOLLS, E CRIME & DIGITAL FRAUD PREVENTION LEAD, DELOITTE UK Deloitte and RSA In helping organisations address these issues, Deloitte s Nicholls and RSA s Crichton see their roles as complimentary; combining the former s analytical skills and practical experience of working with a diverse range of organisations, with the latter s technical solutions and threat intelligence. What Deloitte brings is experience of having worked with firms that have suffered fraud. We seek to understand their processes and controls and plug RSA s Web Threat Detection in, to provide additional visibility. We take identified challenges to senior management and help them to understand the importance of this issue, says Deloitte s Nicholls. For RSA s Crichton, Web Threat Detection backs this up with visibility into real-time session threats, analysing and detecting anomalies at all layers, including insider threats, and logic abuse and general malicious activity from the customer side. Digital fraud presents huge challenges, the first of which is to accept that it is a threat that has embedded itself as an information security risk on an indefinite basis. As digital commerce has grown, so the fraud that preys on it has grown too, something that will continue apace. There is no turning away from this truth. Enterprises must defend themselves using every tool at their disposal or face rising costs and a ballooning of business risk. Digital fraud needs to be understood as a business challenge, not merely an IT or technical problem. Organisations need to connect laterally across the business, joining fraud, security and risk teams to the digital channel and customer owners, concludes Deloitte s Nicholls. In particular, they need to focus on improving their visibility of the digital fraud risks they face, the effectiveness of their existing controls, their vulnerabilities and their exposure to these risks, and attacks they may already be experiencing. Organisations cannot respond effectively if they cannot see the issue. What is Digital Fraud? Digital fraud can cover both fraud carried out by customers as well as against them. Examples include Credit card fraud that generates chargebacks, online bank attacks, attacks on point-of-sale (POS) systems, man-in-the-middle attacks on web and mobile payments, and complex frauds against e-commerce systems. Beating Digital Fraud Digital fraud can be countered using realtime analytics and security systems, threat awareness and intelligence, as well as by integrating a risk-based approach to security as a concern of the whole business up to CIO and board level. Organisations must be prepared to examine their structure, processes, controls and security policies. RSA Web Threat Detection RSA Web Threat Detection leverages Big Data to enable both security and fraud teams to visualize and analyze millions of user web sessions to identify security threats, business logic abuse, and fraudulent activities all in real time. Specifically, this newest version of RSA Web Threat Detection delivers: Increased insight into the online threat environment by providing visibility into third party functionality embedded in our customer s websites Enhanced threat detection through additional scores and event types Refined rule writing capabilities for a more strategic and efficient response to online threats New architecture for flexible and advanced transaction searches Customer Benefits: 1. Visibility into a previous blind spot third party embedded traffic 2. Better threat detection, with lower false positives 3. Lower cost of ownership and better user experience Quick Links: Website - rsa-web-threat-detection.htm