Technological advances provide more powerful tools in strengthening companies’ defences against fraud, as well as a means for the fraudster to find areas of vulnerability to penetrate, writes Kajen Subramoney: KPMG’s associate director in forensics.
As much as technology helps the company combatting fraud, the fraudster also capitalises on technology as a powerful tool in his arsenal. As such, technology, as we know it, can be a significant enabler and a double-edged sword. A quarter of fraudsters rely on technology.
However, the recent KPMG Profile of a Fraudster survey suggests that companies, by contrast, could do a great deal more to use the same technology as a tool to prevent, detect and respond to wrongdoing.
The KPMG report suggests that technology is more frequently used in perpetrating fraud than in detecting it. Companies should consider greater use of the key anti-fraud technology – the mechanism of Data Analytics that can be used to sift through millions of transactions and other data, looking for suspicious items.
Additionally, cyber-fraud, an important form of technology-based fraud, is emerging as a growing threat and many companies are aware of the issue but seem to be doing little about it. Moreover, it is quite evident that advances in technology such as the introduction of high speed Wi-Fi, high definition cell cameras, cloud storage, remote access technologies and web applications are examples of technologies that, in the last few years, have increased the fraudster’s ammunition of schemes and attack points.
The question that organisations often wrestle with is, “Are we at risk of a cyber-attack”? The reality is that the questions an organisation should be asking are – “When are we going to be the victim of a cyber-attack?”; “When a cyber-attack happens, what do I have in place to tell me that it is happening?” and “What is my crisis response plan for when a cyber-attack happens?” The latter needs to be the subject of rigorous “war-room” scenario training so that the response teams can practice and fine-tune their actions for when a real cyber-attack takes place.
The truth is, every business is susceptible to cyber fraud, but small businesses may have the benefit of being more secure against the threat of cyber-attacks as a result of the small attack surface they present to the potential attackers. However, small businesses may also be more susceptible as a result of inadequate budget and structure to drive cyber security within the organisation. It is important that small businesses realise the duality of this position and consider a balanced position as part of an intelligence-driven risk-based approach to cyber security.
Essentially, fraudsters don’t need a gun to rob a bank anymore – they don’t even need to be in the same country as the bank! Armed with an internet connection, intelligence gathered through social engineering and possibly a remote access trojan maliciously hidden in a stream of corporate emails, a cyber-attacker can sit in the comfort of his lounge and conduct a bank robbery without the traditional tools of a gun, balaclava and a getaway car.
Thus, the modern criminal is unseen, often hidden behind the veil of an anonymous internet, physically located in any country in the world while carrying out an attack on an organisation in any other country. Awareness and a strategy are key in hardening our defences against such attacks. Using technology to harness and analyse the vast data population that sits within our organisations provides one of the most effective preventative, detective and reactive controls in any organisation’s arsenal in the fight against fraud threats – both internal and external.