The typical enterprise loses five percent of revenues to fraud each year, according to the ACFE 2014 Report to the Nations .
“The gap between criminals’ capabilities and businesses’ detection capabilities gets wider every day,” says Walt Manning, founder of Investigations MD. Digital forensics and fraud investigations are being fundamentally changed by technology, especially cloud computing and Bring Your Own Device (BYOD) policies, he says.
“We might have new problems, but the old doesn’t go away either,” says Jim Ratley, President and CEO of the Association of Certified Fraud Examiners (ACFE). “Now, detection is key. Every fraud that can be committed has been committed already. The methods are what may change.”
According to the 2014 Report to the Nations , the median duration of fraud cases reported (the time from when the fraud commenced until it was detected) was 18 months. The median loss was $145,000, but 22 percent of cases involved losses of at least $1 million. Cases involving a person in a higher level of authority, such as an owner or executive, caused a median loss of $500,000 before the fraud was detected.
“There are no small frauds, just frauds that have not reached maturity,” Ratley says.
However, many investigations are stymied by enterprise resources. According to Manning, who is also a faculty member with the Association of Certified Fraud Examiners (ACFE), “There are restrictions on the time and money that can be spent on an investigation, and your success depends on your resources.”
Buy-in from upper management is key to fraud detection and prevention, adds Ratley. “You should always start with a solid, well-tested fraud prevention program. Most fraud perpetrators don’t think they’ll be caught, so begin with creating a perception of prevention – make people aware of the program. Make employees aware of your detection programs early, and enlist their help.” The problem, he says, is that enterprise security leaders have to spend money to implement these programs, finding room in the budget for outreach and education, tip hotlines and reporting procedures.
Organizations with hotlines are much more likely to catch fraud by a tip, which is the most effective way to detect fraud. According to the ACFE study, more than 40 percent of all cases were detected by a tip, and employees accounted for nearly half of all tips that led to the discovery of fraud. Enterprises with tip lines experienced frauds that were 41 percent less costly, and fraud schemes were detected 50 percent more quickly.
Immediately after a fraud, funding suddenly opens up, but the memory fades, he says, and old habits return. “You must get upper management involved in the fraud prevention process, and then other employees with take their lead. The sooner you bring employees into this program and culture, the less likely it is that they’ll be involved with fraud,” Ratley says.
The ACFE study also notes that enterprises that had implemented any of several common anti-fraud controls experienced frauds that were significantly less costly and detected much more quickly than frauds at organizations lacking these controls.
When it comes to digital frauds, data theft and investigations, however, the rules and best practices are still vague. According to Manning, current legislation for Internet-based crime would have been applicable 20 years ago, but little change has been made to ensure legislation and regulations keep up with the rapidly changing pace of technology, which serves to further widen the gap between detection capabilities and criminals’ potential actions. Court rulings are not much help as well, as judges and officials often don’t understand the technology well enough to make a well-informed decision. He suggests that enterprise security leaders take proactive steps within the business to educate employees and mitigate technology risks and loopholes instead of waiting for compliance requirements.
CSOs should work with IT, Compliance, HR and Legal departments to develop guidelines for employee data access, privacy rights, confidentiality agreements and BYOD policies. (If there is an investigation, for example, can the company confiscate an employee’s personal device for forensics? Ensure the employee knows before giving them remote access.)
For the time being, Ratley suggests looking to the past to secure the future. Review where your enterprise has had fraud incidents in the past. Seventy-seven percent of the frauds in the ACFE study were committed by individuals working in one of seven departments: accounting, operations, sales, upper/executive management, customer service, purchasing and finance. If there is cash-handling in-house, those employees should be in sharp focus.
The biggest hindrance to fraud detection is getting buy-in, and metrics – and often in-house experience – are a CSO’s best tool to get the C-Suite’s attention.
“You must realize that people will steal, but the thief doesn’t wear a mask,” Ratley says. “The thief is someone you went to lunch with yesterday, and that’s a hard reality to face. But every company with assets has the probability of fraud, and ignoring it is not going to do anybody any good.”