Fraud is inherent in all kinds of companies, whatever industry they operate in. Whenever there are gains to be made, there is a likelihood of some type of fraud being committed. Unfortunately, organizations do not deal with fraud as they should, either because it does not occur very frequently or because the organizations themselves do not succeed in managing it properly.
Nonetheless, there is no question that fraud is a reality and has become increasingly important in organizations' strategic discussions.
In tandem, the development of new technologies has become a variable that not only impacts security but also produces the type of fraud we are enduring today.
Advances in technology enable companies, public and private, to defend their assets, their data and their processes.
But it is this same technology that provides a mechanism for anyone prepared to steal or reap instant payoffs.
Over the past year (2017), we have witnessed a large number of attacks carried out for the sole purpose of committing computer fraud and profiting from stolen information. The WannaCry, Petya and Bad Rabbit cases show just how exposed we are to fraud and cybercriminals.
In spite of the fact that many companies were unscathed by these incidents, the truth is that they were real and compromised systems as well as their data.
The Kroll survey, The Global Fraud & Risk Report 2016-2017, which is available online, showed a considerable increase in the exposure of the companies interviewed.
In fraud-related matters, 82% of the executives interviewed reported at least one fraud incident in their organizations, a significant growth of 75% with respect to the previous survey.
Another noteworthy figure is the rise in cyber attacks, as 85% of the interviewees said they had suffered an attack of this kind.
In spite of the difficulty in specifying the amount of the impact, what we can conclude is that it is significant with respect to company revenues.
Turning to the subject of technology, companies acknowledge that technology-driven fraud is on the rise and are making strides in implementing solutions that serve to mitigate or stem this crime.
Nevertheless, these solutions, whether off-the-shelf or in-house developed, may not suffice against the risks organizations are exposed to given that they are deployed solely to solve something specific or to plug a security breach that has already been exploited.
Many of the solutions available on the market are not predictive and do not produce new or unknown information and, even though the industry is working with Deep Learning and Machine Learning more and more, these attacks are growing exponentially.
Prior to choosing a specific solution, organizations have to conduct a fraud risk analysis that is not only deeper but which also offers a broader vision.
Fraud risk management has to be regarded as a function meant to mitigate or eliminate exposure to such a risk. It cannot, therefore, be viewed as an independent, non-strategic activity, where the issues pinpointed and analyzed are only addressed from the perspective of the impact of possible fraud.
In order to combat fraud, organizations first have to understand their limitations and identify the risk they may be exposed to, which cannot be achieved without a structured, comprehensive analysis of their current position.
It is essential for organizations to construct an appropriate framework for managing corporate fraud risk, which is aligned with the organization's strategic goals and backed by well-planned, targeted actions.
They cannot expect to contain fraud risk without developing a framework that takes governance, business processes, technological advancements and organization maturity into consideration in relation to risk and fraud issues.
A diverse array of frameworks is available that can help organizations to manage their fraud risks successfully. It is important to be familiar with them and reference them so that organizations can work in accordance with their true needs.
Fraud risk management is a process that has to be developed at all levels of the organization. It is essential for policies, rules and procedures to be established and implemented and to ensure that the processes and technology that are going to be used correspond to the realities of the business.
In order to combat fraud effectively, these components must be applied in an integrated manner.
A company's principles, culture and ethics provide a practical guide to the organizational behavior sought for everyday governance and management. They include activities that not only help to determine the way forward but also to establish a code of conduct and oversight that drives the development of an anti-fraud culture.
A culture of this kind makes fraud more difficult to commit and, when fraud is detected, ensures that it is identified and treated efficiently and effectively.
It is at this point that technology must play a decisive role. Organizations need to manage and maintain a balance between oversight and incident analysis speed in order to recognize threats and have the capability to work on them deftly.
Risk management must focus on preserving IT assets so that the integrity, reliability and availability of information are not compromised and the information remains at the disposal of the organization.
In the current scenario, Advanced Predictive Analytics software can be used to identify suspicious patterns that will enable fraud to be detected and prevented before it occurs. Installing this type of software is a must for organizations owing to the continuous evolution of cybercriminals, who adapt swiftly and upgrade their attack vectors into something increasingly complex.
Organizations must be prepared to foresee these attacks by using emerging trends and software equipped with smart mechanisms that allow detection, blocking and countermeasure deployment when impacted by an attack.
As already mentioned in this article, what we are currently seeing is that the organizations that combat fraud more successfully are those that adopt an integrated approach to managing risk and fraud matters. They use a guiding framework and create an organization that is apt for the integration of governance, process, technology and maturity issues.
In their cultures, these organizations have already realized that fraud risk matters belong to an ecosystem that is comprised of integrated systems and processes, all fed by a technology strategy that meets the requirements defined by the organization.
It is obvious that these organizations implement cutting-edge technologies that support several data sources, regardless of structure, volume or speed, and properly integrate them into systems and processes at the corporate level.
These systems are based on smart, predictive analytics, which take into consideration a broad set of attributes (e.g. identity, relations, behaviors, patterns, anomalies, visualization) and display smart trends (e.g. predicting, detecting and managing). These functions are of vital importance for containing fraudulent actions and providing users with the necessary security.
Fraud risk management must, therefore, be an ongoing process that forms part of an organization's strategy in a systematic manner in order to ultimately ensure that their capabilities never cease to evolve.
Carlos Guerra is an IT manager. He has an MBA in Administration and Finance from INSPER Business School, São Paulo, Brazil, and a Mathematical and Computational Science degree from Mackenzie University, Brazil.
He has focused his professional career on software development, specializing in management and risk systems. He has run development teams and worked as the CIO of a business unit at the Accor group. He is a process mapping and project management specialist.
He also specializes in Financial Management, with an emphasis on Board oversight and counseling. As a COBIT-certified assessor, he has taught several courses on this subject. He has been linked to services for companies such as Eco Vias, Dieboldi, GR S / A, Colinas Carreteras, Hospital Albert Einstein and Pro-business.
Guerra is a GCN project specialist and has led projects for companies such as UNICRED and Capgemini, to name but a few. He currently works for his own company as a consultant and combines his professional career with the management of the Brazilian chapter of the Information Systems Audit and Control Association (ISACA).