 |
Fraud impacts organizations in a wide range of ways, from financial and operational losses to damaged reputations and loss of customer goodwill. Fraud—as well as erroneous acts such as accidental double invoicing—can be perpetrated from within an organization or by an external constituent, such as a business partner. Given the negative and sometimes far-reaching consequences, all organizations should have in place an effective fraud-management program that includes transaction monitoring in order to combat fraud and protect the organization’s assets and reputation. In its most recent Report to the Nations publication, the Association of Certified Fraud Examiners found that a typical organization loses five percent of its revenues to fraud every year, which translates to an estimated $3.5 trillion on a worldwide basis. There are a number of factors that make detecting and combating fraud an increasing challenge. Criminals are using increasingly sophisticated methods to evade security controls, and there is an ever-wider range of threat vectors, from mobile devices to cloud-based applications, to be controlled. Networks are also growing in complexity through mergers and acquisitions, increased globalization, and an ever-increasing and diverse range of applications and devices connected to them. Transaction monitoring is a great aid in helping organizations protect themselves against fraud and meet the increasing regulatory pressures to closely monitor all transactions and activity traversing their entire extended networks. It involves continuous monitoring of all user activity and controls in order to detect and analyze those events that represent a risk of fraud. This demands that the system be as automated as possible, since the use of manual detection and analysis is a long, drawn-out process that can limit any ability an organization has available to redress a situation, which can exacerbate the negative outcomes of a fraud incident. Factors to Consider Monitoring systems look continuously in real time for patterns of behavior that deviate from the norm. They also correlate observed behavior with that activity’s assigned risk score. Should the risk score be exceeded or if it is determined that a policy has been violated, actions can be triggered, such as stopping the transaction or asking the user for additional authentication. Many transaction-monitoring technologies are based on advanced statistical algorithms and techniques that associate certain patterns of behavior with the risk that those patterns may indicate fraud. Given the challenges involved in monitoring complex networks, any monitoring system should be evaluated on a regular basis to ensure its accuracy and effectiveness. If many false positives are being generated or potential violations are being missed, these can be evaluated using the advanced analytics capabilities that are included in many systems or by performing forensic analysis on results. The results can then be fed back into the systems to fine-tune their alerting features and improve the overall effectiveness of the system. While the cost of implementing a continuous monitoring system may not be insignificant, especially for a large organization, auditors KPMG recommend that organizations consider the cost benefit of investing in such systems versus the risk of being sanctioned or fined, or of damaging the organization’s reputation and facing shareholder or public scorn. Given the growing complexity of networks, rapidly evolving and sophisticated tactics by criminals, and the number of data sources to be included, the chances of fraud occurrence are increasing fast. While some level of fraud is inevitable, those organizations that use fraud technology solutions that include transaction monitoring will be in a much better position to curtail fraud than those that do not. They will be able to limit losses, engender customer loyalty, and improve their overall security posture. The post Using Transaction Monitoring to Combat Fraud appeared first on Speaking of Security - The RSA Blog and Podcast. |
|
|
