Recently, I received a letter from my son’s alma mater informing me that my personal information – and that of 51,000 businesses and individuals – may have been compromised when the university sold an office scanner as scrap six years ago. The scanner was recently returned to the university, and my personal information was retrieved from the scanner. I was advised of measures that I should take to protect myself from fraud or identity theft, and advised that the university has updated its procedures regarding the removal or destruction of sensitive and confidential information prior to the sale of surplus equipment.
I take governance of my personal data seriously, and feel that I do a fairly decent job, probably better than most, of ensuring my private data remains private. I’m diligent about creating secure passwords and updating them frequently; release very little information on social network sites; do not conduct mobile banking using a smartphone or tablet; and download apps only from reputable sites.
I must be honest in saying that before receiving the notification from the university, I would not have thought much about the fixed assets disposal policies for the individuals and organizations that have my personal data. I have thought about it with regard to my own assets, but not those of others. In light of this incident, I realize now more than ever that I have multiple points of vulnerability as a consumer, sometimes with little to no control over what happens with my personal data. I am not alone.
The results of the Javelin Strategy & Research 2012 study “Identity Fraud Report: Consumers Taking Control to Reduce their Risk of Fraud” reveal that the number of people affected by data breaches has grown 67% since 2010. In 2011, more than 11.6 million adults in the United States were victims of identity fraud. This was a 13% increase over 2010. Although the number of people impacted increased, the dollar amount stolen held steady at an estimated $37 billion.
Not knowing what we don’t know …
Just as I have multiple points of vulnerability as a consumer, the same holds true for corporate and government entities. According to The Homeland Security Research group, this has led to a convergence of security and fraud, with a $188 billion price tag to improve security and prevent fraud globally. This includes fraud, compliance, public safety and national security.
“Security and fraud risk exposure is increasing as organizations are threatened at multiple points of vulnerability,” said Avivah Litan, Vice President and distinguished analyst at Gartner. “Companies are reevaluating how they tackle security since a fragmented approach is consistently leaving organizations at greater risks of attack. A more holistic approach to security ensures all layers of protection function together.”
I work with two customer advisory boards at SAS, one each for banking and insurance. The biggest concern of the board members is “not knowing what they don’t know.” The continued rise of global cross-channel, organized crime and cyber-crime keeps them awake at night, wondering what big threat their organization will face next.
There are three possible ways firms can tackle these threats:
- Do nothing – Also known as “the ostrich syndrome,” this is really not a good option as it means the organization most certainly will face losses related to fraud and improper payments or fines for regulatory non-compliance, and worse yet, will risk irreparable damage to its reputation.
- React – While better than nothing, the “catch me if you can” approach is fragmented and leaves the organization at a greater risk of attack as firms are always chasing the perpetrator of the last scam, and trying to recover stolen or improperly released property or funds. With this option, organizations never get ahead of the fraudsters, and are always one step behind.
- Be proactive – Using the trifecta of continuous monitoring, cross-channel predictive analytics, and entity link analysis, an organization can take a comprehensive approach to establishing and predicting patterns of behavior, as well as uncovering previously unknown relationships, and stopping fraud before it happens.
Real world, real-time results
The advisory board members all have chosen to be proactive. Taking a comprehensive approach, they have implemented systems for real-time decision-making that expedite time to detection of emerging threats and provide a centralized governance and investigations framework. For example:
The State of North Carolina CJLEADS – The Criminal Justice Law Enforcement Automated Data Services program – integrates data from the state’s criminal justice applications to provide a comprehensive view of an offender’s statewide criminal information history. The system also includes a watch list that allows officials to monitor the change of any offender’s status, such as arrests, future court appearances or a release from custody.
“Until now, information about offenders was stored in all types of separate systems that took our law enforcement officers days and sometimes weeks to sort through. CJLEADS is changing all of that,” said State Controller David McCoy, whose office is implementing the system. “With funding as tight as it is, it is imperative that we use current technology to help our law enforcement officers and the courts deliver effective services in as cost effective a manner as possible.”
CJLEADS is an on-demand, Web-based application used by more than 33,000 courts, corrections, and law enforcement professionals statewide. In 2011, the system was awarded a southern regional Innovations Award by the Council of State Governments.
HSBC Holdings plc – With assets of approximately US$2.6 trillion, HSBC is one of the world’s largest banking and financial services organizations, serving more than 95 million customers through 7,500 offices in 87 countries and territories. HSBC has deployed a holistic analytics framework for real-time fraud detection and ongoing fraud management across its global network.
“Like most institutions, we’ve implemented policies to segregate duties, create dual controls and establish strong audit trails to spot anomalies. But what sets our anti-fraud strategies apart is our commitment to technology to monitor and score the millions of transactions we process every day.” – Derek Wylde, Head of Group Fraud Risk, Global Security and Fraud Risk with HSBC
HSBC protects 100 percent of credit card transactions in real time across its US, Europe and Asia locations, and will expand to encompass fraud across multiple lines of business and multiple sales channels.
HSBC and The State of North Carolina are excellent examples of how a solution-driven, integrated approach helps organizations detect threats while there is still time to react. Their proactive, comprehensive approach allows for real-time decision-making and multiple deployment options that speed time to detection and prevention while minimizing losses and risk.
In my experience working with executives in banking, insurance, health care, and government, I have noticed three common themes for the organizations that are leading the way with ground-breaking solutions to thwart fraud.
- They have taken an enterprise approach. Having a common infrastructure allows the organization to extend monitoring beyond a specific channel such as user or account. This extended monitoring provides the benefit of looking across channels. The result is a more comprehensive view of an individual’s relationship with the organization.
- Monitoring is continuous. No longer are investigators chasing unauthorized payments. Instead, they have real-time authorization systems that provide the ability to score 100 percent of transactions on demand using predictive analytics. This scoring provides a measure of the propensity of fraud for any given transaction. This real-time analysis enables quicker identification of fraud with no detrimental effect on the customer experience, thereby protecting brand reputation.
- They are using entity link analysis, which shows the relationships among entities such as customers, accounts, or services. Having this visual representation of social networks allows the organization to detect organized or collusive criminal activities that would otherwise have gone unnoticed. The results have been astonishing.
If you would like to join other leading organizations in changing the game and getting ahead of the fraudsters, and to learn more about how to consolidate your fraud and security programs, read this brochure: SAS Security Intelligence: The next generation of fraud, compliance and security solutions.