Industry Perspectives

There May Be Trouble Ahead

May 26, 2020 | by Neira Jones

Now more than ever, as behaviours change and technology adoption increases, cybercriminals and fraudsters benefit from an ideal playground. Not only are criminals guzzling from a cornucopia of personal data resulting from endless data breaches, they now have an opportunity to target businesses scrambling to adapt to a “new normal.”

Organisations must continue to address the challenge of protecting customer data everywhere and anytime. They must apply the very same rigour to their employees and third-party ecosystems, all the while trying to navigate this unprecedented crisis.

Governments are faced with the same challenges. They’re trying to develop regulations that adapt to new technologies and to monitor for new crimes. They do this while dealing with an exceptional and multi-dimensional global disruption.

As Irving Berlin’s 1936 song, “Let’s Face the Music and Dance” indicates, there may be trouble ahead. In our current predicament, we can still “face the music” and address these challenges.

Soon, we'll be without the moon

As criminals jumped on opportunities created by today’s disruption, organizations’ focus on data protection hasn’t lessened; quite the opposite. Disparity of regulations among industries and jurisdictions, combined with the lack of interoperability between various standards, is a perfect storm for businesses already overwhelmed with a growing attack surface and a complex regulatory landscape. For an organization, it must feel like searching for a needle in a haystack, in the dark, whilst travelling through a tunnel.

The complexity and lack of holistic visibility has created more need for automation. Without automation, valuable talent spends copious amounts of time on mindless and repetitive tasks, or interpreting vast amounts of data while trying to deliver seamless experiences for their customers, employees and suppliers.

As organizations innovate and create new processes, so do criminals. Automation can be used against itself, as evidenced by the emergence of methods such as “Adversarial Machine Learning” where malicious actors subvert defensive technologies in order to appear legitimate and create unexpected outputs.

When it comes to visibility, the processes for managing customers’ data have traditionally been different and separate from those applied to employees. Given the shift to remote work, organizations must assess the risk with both communities in the same way: ubiquitous and omnichannel.

Corporate data strategies have long included the following (admittedly with varying degrees of success):

  • A single end-to-end view of the customer, regardless of service/product, channel or device to deliver a “seamless experience”
  • The ability to distinguish between genuine customers (who are increasingly ubiquitous) and fraudsters (who are increasingly able to mimic genuine customers)
  • The collection of more data to deliver the above, while preserving customer trust and privacy

In the new world order, I think corporate data strategies will soon include:

  • A single end-to-end view of the individual (customer and employee), regardless of interaction, channel or device to deliver a “seamless experience”
  • The ability to distinguish between genuine individuals (who are increasingly ubiquitous) and fraudsters (who are increasingly able to mimic genuine individuals)
  • The collection of more data to deliver the above, while preserving trust and privacy

Businesses have had to manage the digital identities of both genuine customers and employees by using increasingly sophisticated technologies. For example, in the enterprise, Identity Access Management (IAM) reigns as the standard. However, we are now seeing convergence between Consumer IAM (CIAM) and IAM.

So, we’ve established that data, lots of it, is essential for business operations. But where do you get that data from? How can you be sure it’s good and how can you get much needed visibility?

Humming a different tune

With any kind of change initiative, culture is the most difficult aspect to overcome. Businesses generate data they can analyse to derive strategic and operational insights from, but this only achieves an inward-looking view of their ecosystem. In a hyper-connected world, no one can afford to be on an island. Cooperation has become crucial, not only within industries, but across governments, law enforcement agencies and technology companies.

Traditionally, some industries have been reluctant to share information for fear of competitive disadvantage. This has fortunately changed over the last few years as increased digitalisation has led to an increase in cybercrime. Sharing data to fight crime is not a competitive issue. Indeed, some threat intelligence sharing initiatives, such as the Cyber Security Information Sharing Partnership (CiSP) in the UK - a public and private partnership to exchange cyber threat information - have been quite successful. 

However, when it comes to sharing threat information, it’s mostly driven by vendors. For successful threat intelligence, we need to establish convergence between cybersecurity and fraud prevention as these are two sides of the same coin.

Before the fiddlers have fled

Artificial intelligence, machine learning and automation create many opportunities for businesses to become more efficient at fraud detection while delivering seamless customer experiences. By deploying a layered approach, where automation is combined with other processes, organizations can bolster productivity, maximize operational efficiency and even improve job satisfaction.

In this context, machine learning becomes essential for tracking and identifying fraudulent and criminal behaviour. Continuously learning from the data enables organisations to move fast and evolve from hindsight to insight. Using threat intelligence effectively means that organisations can collect and analyse information about current or future cyberattacks proactively.

Technology, as designed by humans, is not perfect, and humans are fallible. But, using technology to gain an in-depth understanding of an organisation’s greatest risks – known, unknown or targeted – to derive insights without having to wade through endless amounts of data in multiple sources, is completely achievable. This strategy even offers hope that maybe a criminal can be stopped in the act.

Before they ask us to pay the bill

Of course, all of this requires investment. Before you jump onto the next shiny thing, assess any technology solution claiming to offer absolute protection and accuracy with caution. Common sense should prevail when developing a working cybersecurity and fraud prevention strategy. The basics must be covered first and the business risks must be mitigated. Legacy infrastructure will need to be enhanced to adapt to the digital age. Technologies will need to be deployed and processes will need to be enhanced (or created) to make those technologies effective. Finally, the human element will need to be factored in.

Simply put, a three-pronged approach could prove effective:

Detection:

  • Establish data sources and intelligence capabilities
  • Educate employees about identifying fraudulent behaviour such as unusual payment requests or phishing scams
  • Monitor new technologies, and automate where possible and appropriate

Prevention:

  • Provide staff, customers and the supply chain with effective warnings, including the appropriate actions for them to protect themselves
  • Pay attention to account openings and exercise due diligence during internal and external onboarding
  • Use available shared intelligence sources to screen individuals
  • Monitor new technologies and automate where possible and appropriate

Response:

  • Change business-as-usual processes when unusual activity is detected (e.g., delay making a suspicious payment or sending goods whilst an investigation is ongoing and notify the receiving firm)
  • Incorporate learnings into operations and share knowledge
  • Implement best practice communication standards for all stakeholders
  • Monitor new technologies and automate where possible and appropriate

Even the largest organisations struggle to manage continuous change. Deploying a layered approach, where automation is used, will free staff to concentrate on adding value. Developing future business capabilities will require vision, digital transformation, the right skills, a conducive culture and the right partnerships.

As Irving Berlin wrote, yes, there may be trouble ahead, but while we still have that chance, let’s face the music.

This post was sponsored by RSA, but the opinions do not necessarily represent RSA's positions or strategies.

Neira Jones is a global advisor and thought leader in the fraud, payments and cybersecurity industries. She is a partner for the international Global Cyber Alliance and an ambassador for the Emerging Payments Association. Follow her on Twitter at @neirajones.
