Insider fraud exposed
Mega study on real insider fraud and mega wake-up for IT governance.
Published in May by the Association of Certified Fraud Examiners (ACFE), the 2012 Report to the Nations on Occupational Fraud and Abuse is a major study of insider fraud. Since 1996, the ACFE has produced seven of these reports, the previous one being in 2010.
Based on investigations into almost 1 400 cases of occupational fraud that occurred in 94 countries between January 2010 and December 2011, the 2012 report provides an insight into the nature of insider fraud and the scale of the losses it is causing.
In all but nine of the 1 388 cases investigated, the total loss from each fraud was recorded by the investigating certified fraud examiner. The median loss was $140 000 or about R1.15 million, but in over 20% of the cases the losses exceeded $1 million - over R8 million.
As if these real-world figures aren't worrying enough, what makes matters even worse is that in half of all the cases investigated, none of the losses had been recovered.
Catastrophic failure of IT governance?
A combined 37% of the investigated fraud cases were spread across just three sectors: banking and financial services, government and public administration, and manufacturing. A further 25% of cases came from healthcare, education, insurance and retail. And almost half were from organisations with over 1 000 employees.
In other words, the study is certainly dealing with insider fraud at sizeable organisations in major sectors that are known to have a strong reliance on IT.
This dependence on IT extends into almost all areas of many organisations, creating a treasure trove of fraudulent opportunities for the crooked insider. The damage caused by criminally-motivated IT access and activity comes in many shapes and sizes. Altering invoices, delivery notes and credit notes is a fairly obvious type of IT-based scam, as is fiddling stock-control records and then moving goods through the proverbial back door.
Another example of straightforward IT-based fraud is using a colleague's access card, PIN or password to make fraudulent EFT payments. And one doesn't have to look very far to see the damage this can cause. At the beginning of 2012, Postbank announced the theft of R42 million through fraudulent transfers made by insiders who appear to have used the IT access credentials of fellow employees. That was followed, in February, by the conviction of an FNB insider who used a keylogger to steal the access passwords and PINs of colleagues in order to fraudulently transfer R27.3 million from the account of Amalgamated Beverage Industries.
In half of all the cases investigated, none of the losses had been recovered.
Mark Eardley, Channel manager, SuperVision Biometric Systems
The fact that IT controls only detected 1.1% of the 1 388 real-life insider frauds investigated for the ACFE's report surely has to be a major cause for concern for IT governance. That's only 15 cases out of almost 1 400...
To make matters worse, in one-fifth of all cases, the insider had overridden whatever controls there may have been in order to carry out their crime and conceal their deception.
Tip-offs and whistle-blowing are by far the most common way in which frauds are discovered, accounting for detection in over 40% of the cases on which the report is based. What's surprising about this is that more structured and obviously far more costly mechanisms to detect insider fraud don't seem to be working.
For example, the report finds that a combination of formal fraud-prevention processes such as account reconciliation, monitoring and surveillance, external audits, and document examination only resulted in discovering 14% of these frauds. That's pretty alarming, given that 7% of the cases were detected completely by accident - presumably for free...
Biggest vulnerability = insider's biggest ally
What's equally alarming is that the exploitation of traditional access credentials such as cards, PINs and passwords - or CPPs - is known to lie at the heart of most IT-based corporate crime. Although it may be an inconvenient truth, the reason for this is numbingly simple: anyone can use your card, PIN and password. And you can use theirs.
The abuse of CPPs is not only simple, it also provides insiders with all the authority they need to get into systems and change whatever data they need to carry out their crime and then cover their tracks. They can even use their own credentials and simply claim that someone else must have used their card, PIN or password.
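The point made above is that a card, PIN or password says nothing about who presented it, so an access log can only ever show where and when a credential was used. One cheap control that follows directly from that, and which the article's 1.1% detection figure suggests is rarely applied, is to flag a user ID that holds open sessions on two different workstations at the same time and to list the sensitive actions taken during that overlap, since those are exactly the records whose authorship the credential alone cannot prove. The script below is an added illustration, not code from the article or the ACFE report; the log format, the workstation names, the user IDs and the amounts are all constructed for the example.

```python
"""Detect one credential being used from two workstations at the same time.

Added illustration (not from the ACFE report or the article). The log format
and every line in SAMPLE_LOG are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "timestamp user workstation event [detail]"
SAMPLE_LOG = """\
2012-02-06T08:01:10 jsmith WS-101 login
2012-02-06T08:02:33 bmoyo WS-204 login
2012-02-06T08:10:05 jsmith WS-101 eft_release amount=25000
2012-02-06T08:11:40 jsmith WS-317 login
2012-02-06T08:12:02 jsmith WS-317 eft_release amount=180000
2012-02-06T08:20:00 jsmith WS-101 logout
2012-02-06T08:25:00 jsmith WS-317 logout
2012-02-06T09:00:00 bmoyo WS-204 logout
2012-02-06T09:30:00 bmoyo WS-204 login
"""


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, event, *rest = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "host": host,
            "event": event,
            "detail": " ".join(rest),
        })
    return events


def find_overlapping_sessions(events):
    """Alert when a user logs in on a second workstation while a session on
    another workstation is still open. A logout followed by a login on the
    same workstation (bmoyo below) is normal and is not flagged."""
    open_sessions = defaultdict(dict)  # user -> {workstation: login time}
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        sessions = open_sessions[e["user"]]
        if e["event"] == "login":
            for other_host, since in sessions.items():
                if other_host != e["host"]:
                    alerts.append({
                        "user": e["user"],
                        "first_host": other_host,
                        "first_login": since,
                        "second_host": e["host"],
                        "second_login": e["ts"],
                    })
            sessions[e["host"]] = e["ts"]
        elif e["event"] == "logout":
            sessions.pop(e["host"], None)
    return alerts


def actions_during_overlap(events, alerts):
    """List the non-login/logout actions taken on either workstation while
    both sessions were open. The overlap ends at the first logout on either
    workstation after the second login (or never, if neither logs out)."""
    events = sorted(events, key=lambda e: e["ts"])
    flagged = []
    for a in alerts:
        hosts = {a["first_host"], a["second_host"]}
        end = next((e["ts"] for e in events
                    if e["user"] == a["user"] and e["event"] == "logout"
                    and e["host"] in hosts and e["ts"] >= a["second_login"]),
                   None)
        for e in events:
            if (e["user"] == a["user"] and e["host"] in hosts
                    and e["event"] not in ("login", "logout")
                    and e["ts"] >= a["second_login"]
                    and (end is None or e["ts"] < end)):
                flagged.append(e)
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    found = find_overlapping_sessions(evs)
    for a in found:
        print(f"{a['user']}: open on {a['first_host']} since {a['first_login']}, "
              f"also logged in on {a['second_host']} at {a['second_login']}")
    for e in actions_during_overlap(evs, found):
        print(f"  during overlap: {e['ts']} {e['host']} {e['event']} {e['detail']}")
```

On the constructed sample this reports one overlap (jsmith on WS-101 and WS-317) and one EFT release made on the second workstation during it; the earlier release on WS-101 happened before the overlap and is not flagged. The check only tells you that the credential was used from two places, not which person sat at either keyboard, which is the article's point about what cards, PINs and passwords can and cannot establish.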
Although a corporate reliance on IT systems is hardly likely to change, what can certainly be changed is how these systems are accessed and how companies control who can do what within them.
Thousands of local organisations have recognised the risks created by CPPs in their physical security and payroll management systems. Consequently, they have replaced these outmoded credentials with fingerprint-based identification - making SA one of the world's largest markets for this technology.
Given the damage caused by IT-savvy insiders, I'd suggest it's high time that CPPs were also banished from the world of corporate IT.
The 2012 Report to the Nations on Occupational Fraud and Abuse can be downloaded from the ACFE Web site: www.acfe.com. Of the 112 fraud cases investigated from 18 African countries, 34 occurred in SA.
Mark Eardley has worked in the South African biometrics industry since 2006. He has directed the marketing for a local biometric brand and is currently responsible for business development at SuperVision Biometric Systems, South Africa's oldest biometric specialist.