What the Titanic Can Teach Us About Fraud?

What questions should enterprise fraud teams ask when looking to better detect and mitigate fraud?

In early April, 1912, many people believed that the Titanic was unsinkable.  On April 15, 1912, the Titanic sank and by late April, 1912, as the news spread, people no longer believed that the Titanic was unsinkable.

I think that the story of the Titanic and the mistaken belief that it was unsinkable can teach us a valuable lesson when it comes to fraud. Most enterprises with mature fraud programs know that they can always improve.  Whether it be increasing their fraud detection rates, lowering their false positive rates, improving the confidence they have in identifying fraud, uncovering missed fraud before it is reported from an external source, improving workflow, increasing efficiency, or otherwise, the mature fraud team knows that it can always improve. Yet, every now and again, we hear of an enterprise that is confident it does not have a fraud problem.

Just as brazen overconfidence in the Titanic caused some safety protocols to be ignored (which resulted in significant loss of human life), brazen overconfidence in a fraud program can cause certain avenues for reliably detecting fraud to be ignored. In other words, reckless certainty in the abilities of a fraud program can effectively hold back the fraud team and prevent them from growing and maturing as they need to. The results for the enterprise can be costly in terms of fraud loss, brand reputation damage, and the loss of customer confidence.

It is often the unknown - the missed or not yet visible - that haunts enterprises when there are one or more significant or major fraud events. A healthy dose of curiosity and humility can help enterprises ask the right questions, perform the right analysis, and focus on the right topics around improving their fraud programs. While certainly not an exhaustive list, let’s take a look at a few of the questions that enterprise fraud teams can ask when looking to understand what they can do to better detect and mitigate fraud:

Do I have a good handle on risk?

Not surprisingly, a good fraud program begins with a good handle on risk. Risks impact enterprises differently depending on core business area, industry vertical, sector, geography, company size, customer base, partnerships, the data they are custodians of, and many other factors.  Investing the time to ensure that the right risks have been assessed, enumerated, and prioritized by potential impact will go a long way towards helping the enterprise improve its fraud program.

Do I have the necessary visibility?

You can’t detect what you can’t see. Having visibility across the infrastructure, whether it be on-prem, cloud, hybrid, or otherwise is essential for proper fraud detection. Mapping out where there is no visibility, along with where there is insufficient visibility helps a fraud team understand where it lacks important data necessary for detecting, investigating, and mitigating fraud. Developing a plan to address these gaps is essential for maturing an organization’s fraud capability.

Do I have the necessary controls?

When people think of controls, they typically think of preventative controls. Those are extremely important, though so are detective controls. Just as it is important to ensure that proper measures are in place to prevent fraud, it is equally important to ensure that proper measures are in place to monitor activity in order to detect fraud, either as it happens, or soon thereafter. The ability to collect telemetry data, analyze it, and reliably detect fraud is an important part of an enterprise’s overall fraud strategy.

Do I have the requisite analysis and response capability?

Preventing and detecting fraud are only part of the puzzle. Fraud teams need the ability to analyze events and respond appropriately. This requires people (trained team members), process (that instructs and guides response), and technology (that allows for rapid analysis and response). It is important for organizations not to forget these important pieces.

Am I drowning in noise?

Even the best fraud teams are no match for false positives. Important events that require review, analysis, and (potentially) response can quickly get buried under piles of non-actionable, irrelevant noise. Tuning eventing and selecting technology partners that keep noise to a minimum is essential to ensuring that the fraud team spends its precious cycles wisely.

Where can I improve my processes?

Processes can always be tweaked and improved. Each process should be analyzed to see where it gets bogged down, is inefficient, requires too much human intervention, breaks down, or is ineffective. Those are the primary targets for process improvement. The results will be well worth the time investment.

How can I improve my team’s training?

The best fraud teams not only have talent - they train that talent well. Ensuring that team members are educated on the latest risks and threats, well trained on various fraud technologies, and involved in peer and professional organizations pays huge dividends. Training is a huge enabler of talent and makes for a far more mature fraud program.

A little humility and being open to the possibility that there is unseen, unknown fraud does a fraud program good. By asking the right questions and looking to make improvements, enterprises can improve and mature their fraud programs. The result is better fraud detection and mitigation, which in turn saves the business real money by avoiding or reducing fraud losses.

Joshua Goldfarb (Twitter: @ananalytical) is currently a Fraud Solutions Architect - EMEA and APCJ at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.