Mitigating the Next “Super Spreader”: Fraud Prevention and Risk Management in the Remote Work Environment
By Nicholas Ciabattone, Corporate Advisory Vice President
While social distancing and shifting to a virtual work environment are believed by many to help curb the spread of COVID-19, that shift is actually being labeled by some as a “super spreader” event. While certainly a minority viewpoint around the world, this view is prominent amongst professionals in the fraud and financial crimes industry, who feel COVID-19 has led to a wildfire-like spread of fraud as more and more of the economy moves online and an influx of employees and individuals interact virtually.
For all the negative impacts associated with the coronavirus (of which there are many), COVID-19 is among the most accomplished “lobbyist” for digital transformation in decades, helping to accelerate change in regulations and business processes in a matter of months in a battle that has been plaguing stakeholders for many years. Select items that have historically required a physical presence are now permitted to be done virtually. For example, ARM businesses are now permitted to operate virtually (varies by state). For a consumer, opening an account at a bank doesn’t necessarily require you to physically go to a branch. Even court hearings are now being conducted via Zoom.
In a survey published by Gartner, a market research firm, over 74% of CFOs expect at least some of their employees will continue to WFH (work from home) after the pandemic ends. The economic advantages are clear and very well published (decreased commute time, improved employee morale, etc.), but a deeper look into a potential downside of the growing trend is startling. Rushing to virtually connect remote workers to the workplace, employers and personnel may have overlooked the importance of security as they work to balance flexibility and cost – and cybercriminals have already begun to take advantage. Securing remote work models now will likely save organizations much time and money and give them a long-term competitive advantage, particularly in identity and access management, in the cloud and in modernizing their network architectures. Remote work vulnerabilities are top of mind for any CTO, and organizations may need to reassess their approach and controls related to addressing workforce management, people culture and performance management skills.
Risks associated with internal fraud have heightened due to an abrupt change in work practices. Enterprise-wide controls to prevent and detect fraud and network breaches may not be designed to operate in near-100% virtual environments. Anti-fraud, compliance and cybersecurity concerns may also have been deprioritized in favor of maintaining business-as-usual services. While management’s attention may be diverted to business operational metrics or client focus, employees are now under less scrutiny and oversight than ever before, underscoring the need for compliant solutions that prevent fraudulent or risky behavior.
According to Verizon’s 2020 Data Breach Investigations Report, 30% of recorded data breaches involved internal actors. Credential theft, social attacks (e.g. phishing and business email compromise) and errors caused a majority of the data breaches. Employees working from home could be particularly vulnerable to these types of attacks, and as such, organizations should focus their prevention efforts here. Having a concise internal policy response for suspicious links or email content, continuous vulnerability management, secure configurations, email/web browser protections, account monitoring, security awareness education and training, and data governance will help mitigate risk.
An additional risk factor to consider for organizations navigating the work from home environment is time theft. Time theft occurs when employees take advantage of reduced oversight and inaccurately log work hours (although technology tools can counteract this form of fraud), work inefficiently, or do not work at all while logged in. If time theft runs rampant in your organization, it can ultimately impact productivity metrics and profitability. This risk can be mitigated by enforcing a productivity assurance agreement across your employees, scheduling regular check-ins by managers, or using time-tracking or keystroke monitoring software. While most business owners don’t consider this a huge problem and trust their staff, time theft could lead to bigger issues down the road if left unchecked.
Consumers/debtors are dealing with similar issues of identity theft, fraudulent transactions and rising security concerns. In February 2021, the Federal Trade Commission (FTC) reported that cases of identity theft doubled in the U.S. last year. Disputes around fraudulent payments are increasing as more and more payments are made via credit card and via online and virtual channels.
The uptick in fraud and financial crimes is not going unnoticed. Investors are flocking to the space given the growing market opportunity created in part by the pandemic. In September 2020, BioCatch, an industry leader in behavioral biometrics, raised $20M in additional Series C funding from Barclays, Citi, HSBC and National Australia Bank (bringing total funding above $200M). In January 2021, Equifax entered into a definitive agreement to acquire Kount, an artificial intelligence fraud prevention and digital identity solution business, for $640M. In February 2021, there was even a $300M SPAC (Special Purpose Acquisition Company) announced by Dave DeWalt (ex-CEO of FireEye and McAfee) with the goal of merging with a cybersecurity business to take it public.
The statistics and data outlined above paint a dim outlook, but there is no need to fret: there are a few ways to help “curb the spread” of fraud and financial crimes. Understanding the severity is the first step. Reassessing your approach and the controls that address the concern is the next order of business.
Often overlooked is maintaining an updated data security policy for your organization to adhere to. If you haven’t already updated this to reflect the impact of COVID, it should be a priority. A good reference guide is the RMAI ‘Data Security Policy’ certification standard for certified businesses/vendors. This certification mandates that certified businesses meet, at a minimum, annually to perform a risk assessment on internal and external factors (e.g. storage of consumer data, antivirus software, PII protection, encryption, disposal, etc.). There are major financial and legal implications if your business is responsible for a data breach.
Transitioning to a remote work environment in an expedited manner (as many businesses were forced to do) creates risk. This risk can be mitigated by measures such as: requiring the use of secure networks; implementing firewalls and virus scanners on all authorized devices used by employees; issuing company-owned devices to control their components rather than relying on employees’ personal devices; ensuring that only IT administrators have credentialed access to manage software updates; developing acceptable use policies for electronic devices and company data; providing annual security training to all employees; incentivizing the use of multi-factor authentication for email and other critical systems; and frequently evaluating virtual private network (VPN), virtual desktop infrastructure (VDI), firewall, anti-malware and intrusion prevention software. While these may seem like exorbitant costs or measures to go through, the cost of a data breach may far exceed the initial spend. In a 2020 report on data breaches, IBM estimated the average total cost incurred by an organization to be $3.86M. This varies across industries, with healthcare or financial services often being even more costly (e.g. in 2019, a medical debt collector filed for bankruptcy protection in the aftermath of a data breach).
Given the rapidly evolving nature of the industry, your IT team should be engaging in regular dialogue with technology vendors that specialize in protecting your systems from data breaches and fraud. Homegrown (or proprietary) systems are good but need to be regularly updated to stay abreast of changes. Lucky for you, the RMAI Annual Conference takes place April 12-15 (in-person and virtual) and will feature numerous vendors/sponsors that specialize in this market. Getting well informed on your current vendors, capabilities, policies and procedures will lead to more meaningful conversations.
The digital and virtual environment is here to stay… or, as some may say, the “new normal” – do your part to help “curb the spread” (of fraud) and stay vigilant about the impacts of fraud, especially in the remote work environment. It is not an easy feat and, as such, it will require prioritization amongst your management team. Consider updating policies/procedures and leveraging technology vendors to limit your (and your clients’) exposure. Don’t become a “super spreader”!
Nicholas can be reached at [email protected].