Industry Perspectives

It Takes Two to Tango

Apr 01, 2020 | by Neira Jones

Innovation is a double-edged sword. Technology, while enabling new business opportunities, also enables criminals and fraudsters to become more innovative and efficient.

As our lives become more digital, so too do our behaviours: remote working has increased by 140% since 2005, and given the current global climate, this will only grow. Expectedly, mobile usage has now overtaken desktop usage, driven by younger generations that are more willing and able to use technology in every aspect of their lives. But, even those previously reluctant to use mobile devices for banking or payment activity are now much more willing to do so.

Consequently, businesses are gathering more data about us to deliver more personalised, fast, safe and seamless experiences. Unfortunately, as data becomes increasingly attractive to fraudsters and cyber criminals, businesses not only face the challenge of trying to keep their operations afloat, but must also balance customer privacy and fraud prevention with a seamless, fast and convenient experience. This in turn is driving an increased demand for cloud storage, which has given way to a growing number of data breaches. Unfortunately, it seems cloud misconfigurations are the new black. Given the continued increase in cloud usage, this type of problem will not go away anytime soon.

Because stolen personal information and credentials are so readily available to criminals and fraudsters, data breaches will continue, with criminals becoming ever more creative (they read research papers too) and taking advantage of our mistakes (because cloud misconfiguration is the new black). Consequently, the volume of credential stuffing attacks grows, finds RSA research.

Predictably, the volume of online payment fraud losses is on the rise worldwide, and projected to more than double by 2023, compared to 2018. Whilst identity theft leading to fraudulent account creations or takeovers is relatively familiar, we have also seen a significant rise in synthetic identity fraud. Organizational security failings continue to lead to identity theft and fraud: business email compromise and authorised push payment fraud are rapidly becoming the scourge of the financial services world, whilst criminals capitalise on open banking and real-time payments initiatives worldwide and their associated regulatory push towards APIs.

Why can't we get organized?
As we face ever increasing amounts of data flow across blurring geographical boundaries, the business challenge is to protect consumers' personal data everywhere, and tackle fraud wherever it happens, as it happens. Governments are faced with the same challenge as they try to develop regulations that are not only able to cope with new technologies, but also cater for new crimes, whilst fostering innovation and competition.

No longer the realm of script kiddies, the global cybercrime industry generates revenues that rival some of the largest economies of the world, with knowledge sharing, services, cooperation initiatives and tools that facilitate global networks of fraud. That's why we call it "organized crime."

If cyber criminals can set competition aside to focus on goals and outcomes, why can't we?

I have long been an advocate of cooperation in all its guises, and one thing that has always puzzled me with most businesses (I exclude the more mature organisations) is where information/cybersecurity departments fail to interact with their fraud prevention/risk counterparts. This can partly be attributed to the fact that they usually belong to different reporting lines. Fraud Prevention departments would generally sit within the Chief Risk Officer's remit, whereas Information/Cybersecurity departments belong to the IT, or sometimes Finance, organisation. These two realms have different, albeit compatible, goals:

  • The fraud department manages the risks an organisation faces to the levels acceptable to the Board according to a prioritised risk register;
  • The information/cybersecurity department manages the risks to the organisation's infrastructure, within a wider technology budget.

Cyber risk has not traditionally been included in an overall company risk register. Fortunately, due to current and increasing regulatory pressure, combined with the fear of substantial fines, attitudes seem to be changing and cyber risk has now made it to the top of the corporate agenda, as shown in this recent WEF report.

[Image: WEF Top Risks]

We still have a lot to do. Even in the WEF report, "data fraud or theft" is listed separately to "cyberattacks." In my book, if data fraud has been committed, or if data has been stolen, how was it done if it wasn't through some form of cyber attack? To compound the situation, in most cases, fraud prevention functions and anti-money-laundering functions are separate.

No wonder the fraud and cyber functions – that should be operating hand in hand – still think they're solving different problems.

As in everyday life, communication and consistency of messaging are key.

You say potato...
I would wager a lot that you have come across this miscommunication and misalignment issue in your day-to-day life. The fraud and risk departments would be, for example, concerned with fighting money laundering and terrorism financing. In order to do this, and to comply with anti-money laundering regulations, they would be obligated to deploy Know-Your-Customer (KYC) capabilities and to perform Customer Due Diligence (CDD) to ascertain that those creating or using financial facilities are not committing or facilitating financial crime. At the same time, the IT security department would be looking to protect the infrastructure by controlling those that have access to it. Consequently, they would deploy facilities for Identity & Access Management (IAM), Privileged Access Management (PAM), authentication, etc. to fulfil that purpose. Increasingly now, because the organisation wants to get closer to customers and provide seamless experiences, many want to deploy Customer Identity & Access Management (CIAM) solutions, the impetus generally being the privacy compliance and/or marketing organisation (heaven forbid we must talk to them too!). Are these solutions different in goals and outcomes?

In order to fight fraud and cybercrime effectively, businesses must take information security and fraud prevention seriously and look at them holistically, not only because they present an increased regulatory risk, but to enable innovation to thrive. Managing the extended supply chain – especially with the proliferation of cloud services – is now crucial, as well as understanding how new technologies can streamline operations. After all, criminals do this very well.

Let's take the common-sense approach and develop working cybersecurity and fraud prevention strategies where the basics are covered first, and the risks specific to the organisation are managed within an overall corporate framework. As always, cooperation is key, not only within or across industries, but also within organisations, particularly between fraud and risk departments and information security departments. After all, these are two sides of the same coin: the failure to address cyber risk invariably leads to fraud.

So yes, it takes two to tango. Let's dance.

This post was sponsored by RSA, but the opinions do not necessarily represent RSA's positions or strategies.

Neira Jones is a global advisor and thought leader in the fraud, payments and cybersecurity industries. She is a partner for the international Global Cyber Alliance and an ambassador for the Emerging Payments Association. Follow her on Twitter at @neirajones.
