From 2006-2008, Theresa Payton served as the White House CIO for the Bush administration. In 2008 she founded Fortalice, a security consulting firm focused on fraud issues related to consumer protection. She spoke today at IBM’s Counter Fraud Summit in New York. A Smarter Planet caught up with her to get her perspectives. Here’s a snapshot of that conversation.
Smarter Planet: What types of fraud do you believe businesses should brace themselves for in 2014 and beyond?
Theresa Payton: There are multiple types of fraud consistently reported by businesses around the globe. They include the back office type, such as asset misappropriation, accounting fraud and procurement fraud. There are also fraud and financial crimes related to money laundering and false claims. And then there’s also cybercrime. With all the digital smokescreens now available, I believe you will see these types of fraud continue. But you will also see cybercrime as a percentage of overall fraud numbers climb as the entry point to fraudulent activity.
SP: Do you feel that if companies would just meet compliance guidelines they will win the war on fighting fraud and data breaches?
TP: Compliance does not equal security. Ask any CEO of a recently breached company and most will tell you they thought they were compliant. Any recently hacked company will tell you they followed PCI compliance but it did not help them beat the hackers. The Snapchat CEO famously said on television, “We thought we had done enough.” To compound the sober start to 2014, the 2013 Verizon data breach study should be a warning to all CEOs regarding cyberattacks to come. They predict cyberattacks will increase in complexity and sophistication. They also predict a reversal in the trend to spot breaches sooner, and we may see those statistics take a negative turn.
SP: What does fraud do to a company’s brand with their customers?
TP: It can be devastating to the brand and long-term customer loyalty. Over the past few months, we’ve seen some of the most alarming and far reaching breaches in history. Personal information from hundreds of millions of customers has already been compromised this year with that figure sure to climb.
All the goodwill, brand value and trust these organizations work so hard to build with customers over years and years can vanish in an instant. The old mantra about the higher costs of attracting loyal new customers versus keeping existing ones remains true. So when you think about it from that perspective, the damage to the brand in many ways far outdistances any near-term financial losses.
With respect to fraud detection, the ability to recognize legitimate customers and process their transactions quickly without falsely flagging them as suspicious, while simultaneously stopping the fraudsters has a tremendous impact on customer retention and satisfaction.
SP: Do you see legislation being passed that will impact data breach notifications and cyber security requirements?
TP: I believe we will move to a federal set of standards for data breach notifications, but we should be careful what we ask for. The federal government does not have a good idea of how much it costs to prevent fraud at all points, physical and digital, and the laws passed could be burdensome. Passing cybersecurity legislation is no easy feat in today’s political climate. The interdependencies of systems and information, and the degree to which we use technology to improve our daily lives, mean we are more at risk than ever.
I often tell businesses there are two kinds of organizations: 1. those that were hacked and are learning from it; and 2. those that do not know they have been hacked. The stark reality is not “will we get attacked” but “when will we get attacked.” How soon will we even know, and are we going to be resilient?
SP: Do you have a checklist that you recommend that companies use?
TP: Yes, this is the high level checklist I use with my clients and it helps get the conversation going.
1. First we need to change the conversation and elevate it to the C-suite. Do not accept the adage that fraud is a cost of doing business. Every dollar you charge off to fraud could be impacting your brand and revenue activities, and it could be funding criminal activities.
2. Next, determine what you are fighting to protect and get focused on those most critical assets.
3. Test whether or not those assets can be taken and used fraudulently.
4. This is a team effort. You cannot delegate this to the Fraud Loss Prevention team. Fighting fraud starts at the front end with the customer – your marketing and customer service departments. Get them in on the action.
5. Fight the tendency to leverage the silos to fight fraud. You have to bust the silos to effectively protect and deflect attempts at fraud. This requires a focus on people, process and a technology platform that allows each team to be the subject matter experts for their line of business while also sharing important knowledge and leads that could avert fraud or detect it sooner.
6. Perform regular checks to ensure that essential controls are met.
7. Collect, analyze and share incident data across all lines of business and merge the thinking on physical and digital protection. Financial crimes, insider threats, cybersecurity events or breaches of physical facilities can lead to fraud. The key is to create a rich information source that can drive fraud prevention and detection program effectiveness.
8. Without de-emphasizing prevention, focus on better and faster fraud detection through a blend of people, processes, and technology.
9. Don’t underestimate the tenacity of fraudsters and don’t rely solely on technology. Yes, technology is an enabler, but organizations need to have an internal culture where collaboration and information sharing across dispersed departments are recognized as critical to fighting fraud.
10. Always be learning. What can we learn from other organizations, previous breaches, other industries and law enforcement?
To join the conversation, follow #counterfraud on Twitter. For more information, visit ibm.com/smartercounterfraud.