Social Hackers: You Can Only Hope To Contain Them

Guest post written by Patrick Taylor

Patrick Taylor is CEO of Oversight Systems, a provider of big data analytics software.

TJX. RSA. Playstation Network. They represent just a few of the major companies that have found themselves the victims of costly hacking incidents — as well as lurid headlines that lingered for months after the attacks were over.

There are many equally serious incidents that either go unreported or happen to smaller, less newsworthy companies. To many observers, it seems like it’s become child’s play for online attackers to access even the most sensitive corporate assets.

Hackers Will Get In

These penetrations happen even though every major corporation and government agency spends tremendous sums of money on Internet security. These defenses are robust, sophisticated and layered. They are managed by talented, highly trained professionals. And, in truth, the vast number of network security systems work exactly as intended. And yet, the bad guys get through.

According to the Association of Certified Fraud Examiners, 5 percent of company revenue is lost to fraud — with 80 percent of the loss coming from accounting, operations, sales, executive management, customer service or purchasing.

Does that mean that we can’t trust our own staff, especially those closest to our most sensitive data? Of course not.

The reality is that technological solutions can only go so far in protecting corporate assets. At some level, there remains a human being in the loop with direct access to core ERP and other financial systems. And we human beings are notoriously easy to fool into giving away our secrets.

Corporate Money Will Leak Out

It’s this simple, deceptive process, called “social engineering,” that makes fraud so simple and widespread. The statistics back up the concern. A recent survey from Check Point found that 75 percent of companies worldwide have experienced 25 or more social engineering attacks in the last two years, risking up to $13 million in annual losses.

In the old days — meaning four or five years ago — social engineering meant calling up someone on the phone and tricking them into giving up passwords and other useful information. Now, social media vehicles such as LinkedIn, Twitter and Facebook have dramatically amplified online criminals’ reach.

People trust their online friends to actually be the same people they meet in the physical world. All it takes is for one social media account to be hacked so that an innocent-looking message is sent to everyone on that account’s contact list. A very large number of that message’s recipients will trustingly click through to a malicious link, compromising whatever system they’re using. At that point, it’s too late. The damage is done.

And so human nature easily overwhelms network security. According to Finextra, a social engineering experiment run by a major international manufacturing firm led 17 out of 20 users with access to confidential electronic data to give a fake intruder their user names and passwords.

If it’s a work computer that’s compromised, the attacker can easily gain surreptitious and permanent access to that machine. Every keystroke gets recorded and transmitted back to the criminal. Eventually, critical internal access credentials will be available for later malicious misuse.

These outsider breaches almost doubled in 2010 from the previous year, according to the Verizon Data Breach Investigations Report — and 2011 doesn’t look any better. The social engineering problem is so severe that The Wall Street Journal recently ran a major article titled, “What’s a Company’s Biggest Security Risk? You.”

In short, there’s no guaranteed way to ensure that a user is who he or she is supposed to be. When it comes to protecting corporate assets from fraud, it’s increasingly clear that, in the immortal words of Walt Kelly’s Pogo, “We have met the enemy, and he is us.”

Continuous Transaction Monitoring: The Answer Lies Within

But there is help on the horizon. One potential answer comes from an intriguing source — financial transaction data that already exists within the enterprise. The process is called Continuous Transaction Monitoring (CTM), and it gives an organization the ability to recognize a fraudulent transaction as it is being executed, rather than having to wait for books to be reconciled or audited.

Once a corporation can spot improper transactions right away, it can stop fraud, misuse and error before cash leaves the corporation, rather than recognizing an issue weeks or months after the fact. More importantly, the detection process does not rely on network security infrastructure or access control. As such, CTM provides extremely fast, accurate protection for financial transactions, even when other measures are compromised.

CTM works by pulling data from ERP and other financial systems and placing transaction records into a separate data warehouse. This centralized storage automatically aligns data from different systems, so that direct, apples-to-apples comparisons can be made, regardless of where the data came from.

Next, CTM applies a variety of sophisticated forensic tests to identify suspicious transactions. This multivariable approach builds a body of evidence that details why a transaction is suspect. CTM’s targeted analysis alerts managers immediately when there’s a problem, while simultaneously giving them the knowledge they need to fix the problem and prevent its recurrence.

By uncovering the root causes of fraud, error and misuse in real time (or close to it), CTM ensures the transaction is corrected before cash leaves the corporate till. Mistakes made by authorized users, internal fraud, or external attackers stealing money by pretending to be legitimate staffers — CTM catches them all.

In effect, CTM protects the corporate financial transactions themselves, rather than the hardware, software or networks used to store transaction data. Since the data extraction and forensic analytics take place on separate systems from those running core financial applications, it is much more difficult for any criminal, internal or external, to access or alter the process.
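As an added illustration (not code from the article or from Oversight Systems), here is a small Python model of the pipeline described above: records from two constructed source systems are normalized into one schema, several independent forensic tests run over them, and the evidence from each test accumulates per transaction so the most suspect records surface first. The field names, the three tests and the sample records are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records from two hypothetical source systems, already mapped to
# one common schema (the "apples-to-apples" alignment a CTM warehouse performs).
TRANSACTIONS = [
    {"id": "AP-1001", "source": "erp", "vendor": "ACME Ltd", "invoice": "INV-778",
     "amount": 12500.00, "bank": "GB11AAAA", "requester": "jdoe", "approver": "msmith"},
    {"id": "PR-2210", "source": "procurement", "vendor": "acme ltd.", "invoice": "inv 778",
     "amount": 12500.00, "bank": "GB11AAAA", "requester": "jdoe", "approver": "msmith"},
    {"id": "AP-1002", "source": "erp", "vendor": "Beta Corp", "invoice": "B-55",
     "amount": 9800.00, "bank": "GB22BBBB", "requester": "kpatel", "approver": "kpatel"},
    {"id": "AP-1003", "source": "erp", "vendor": "ACME Ltd", "invoice": "INV-790",
     "amount": 3100.00, "bank": "GB99ZZZZ", "requester": "jdoe", "approver": "jdoe"},
]

def normalize(text):
    """Collapse case and punctuation so 'ACME Ltd' and 'acme ltd.' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def run_forensic_tests(txns):
    """Apply several independent tests; return {txn id: [reasons]} for flagged records."""
    evidence = defaultdict(list)
    # Test 1: duplicate payment - same vendor, invoice and amount, possibly across systems.
    seen = defaultdict(list)
    for t in txns:
        seen[(normalize(t["vendor"]), normalize(t["invoice"]), round(t["amount"], 2))].append(t["id"])
    for ids in seen.values():
        if len(ids) > 1:
            for i in ids:
                evidence[i].append("duplicate of " + ", ".join(x for x in ids if x != i))
    # Test 2: segregation of duties - the requester may not approve their own payment.
    for t in txns:
        if t["requester"] == t["approver"]:
            evidence[t["id"]].append("requester approved own transaction")
    # Test 3: payment to a bank account not previously seen for that vendor.
    bank_history = {}
    for t in txns:  # records are assumed to be in chronological order
        v = normalize(t["vendor"])
        if v in bank_history and t["bank"] not in bank_history[v]:
            evidence[t["id"]].append(f"new bank account {t['bank']} for known vendor")
        bank_history.setdefault(v, set()).add(t["bank"])
    return dict(evidence)

def alerts(txns):
    """Rank flagged transactions by how much evidence accumulated against them."""
    ev = run_forensic_tests(txns)
    return sorted(ev.items(), key=lambda kv: -len(kv[1]))

if __name__ == "__main__":
    for txn_id, reasons in alerts(TRANSACTIONS):
        print(txn_id, reasons)
```

Each test alone produces a lead; the ranking by accumulated evidence is what turns several weak signals into the body of evidence a reviewer can act on.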

One Solution, Multiple Benefits

Leading multinational corporations such as Occidental Petroleum, United Technologies and Celanese use CTM for a variety of business processes. Some put their emphasis on procure-to-pay, others on preventing duplicate payments or stopping travel card misuse. Others have successfully applied CTM to HR or general ledger operations.

In each case, CTM provides a number of side benefits. First, it creates a single, comprehensive framework for assessing transactions anywhere within the corporation. As such, it is an ideal tool for managing disparate systems.

Second, CTM can be linked across multiple business processes, making it a targeted analytics tool that better connects business planning and performance management trends with root causes hidden in the underlying data. Better yet, the bottom-up financial analysis complements top-down management reporting.

Human nature will win out over even the best-designed and implemented front-door security solution — something that’s been proven time and time again. Rather than continue to build higher and higher fences, CTM gives risk managers and senior executives something more valuable than increasingly expensive defenses that still allow social engineering to run rampant — a flexible, cost-effective way to keep our own bad habits from working against us.