The greatest issue with internal fraud boils down to risk: the potential for loss is huge because of the time period, the reputational risk, and the continuing liability issues that can arise because of the trickle-down identity theft that can occur as a result of that stolen data. Because of the capacity for associated civil liability and reputational risk, the potential impact of an internal fraud is colossal.
How do internal fraud and external fraud investigations differ?

At ground level, investigation is investigation. But for an internal investigation, the biggest difference is the number of parties that become involved in the investigation: you typically have the business unit where the fraud originated, management from the impacted areas, and human resources. Information technology or information security need to be involved to look at any available data and analyze what kind of electronic fingerprints have been left by the perpetrator(s).
In our organization, we deploy a risk management team. This is not necessarily to assist in the investigation; instead, this group is a by-product of the investigation, whose function is to look at controls that need to be implemented in an effort to prevent issues from reoccurring.
It is increasingly important that you communicate with peer institutions and with law enforcement. Perpetrators are operating in multiple areas and are involving multiple institutions and players. If we want to prosecute fraudsters effectively, it's important to have dialogue with others to try and get the full picture. Information sharing is a tremendous benefit, but it can be a challenge in coordinating those parties. That is why we are such an advocate of external fraud information sharing groups and partnering with law enforcement.
You said you work closely with the CISO at The South Financial Group. Tell me about that relationship.

The relationship between Information Security and other security disciplines is highly visible in our organization.
Controls addressing physical and information security have an impact on fraud prevention. A physical security break and a data security break can lead to removal of assets or data that can be used in a fraudulent scheme. Incident monitoring, incident analysis and incident response are a direct link between corporate security and fraud risk mitigation.
Services like video surveillance, access control, multi-factor authentication, logging practices, firewalls, log-on requirements, strong passwords and clean desk policies play an important role in fraud prevention and investigation efforts either through preventative measures or recovery of data that is recorded. Because of the partnership with information security, we find we can capitalize on resources that were typically used for data security management in the fraud prevention arena.