CEO, ERP Maestro
Top 5 Strategies to Prevent Fraud, Data Breaches and Audit Fails
Every company is constantly searching for the best ways to protect its business systems from threats, both external and internal. Risks stemming from within organizations have risen to new levels and are a major cause for concern when it comes to fraud, data leakage, audit failures and compliance violations. They are of particular concern during the current period of increased remote work brought on by COVID-19.
Fraud, for instance, is a global problem for all companies regardless of size. According to a 2018 report from the Association of Certified Fraud Examiners (ACFE), the typical organization loses five percent of its annual revenue to fraud. Furthermore, total global costs of employee fraud may be as high as $4 trillion. Costs extend beyond that when you also calculate any loss of customers, new business or brand value. This is not a time any business can afford to lose money.
However, fraud isn’t the only concern. Company data and sensitive employee or customer information have a ready market today. A Ponemon report revealed that 75 percent of employees say they have access to data they shouldn’t, and 25 percent of employees are willing to sell data to a competitor for less than $8,000. Additionally, the 2019 Data Risk Report showed that many companies continue to keep thousands of files accessible by anyone inside the company. Lax access controls can be detrimental to a company.
According to an IBM/Ponemon Institute Cost of a Data Breach Report, it took on average eight months to discover a data breach, and the longer an insider attack goes unnoticed, the higher the cost. Based on a Verizon study last year, internal breaches across all industries were far harder to detect than external threats and took years, not months, to discover.
One of the greatest risks for fraud and internal threats is inappropriate access to systems and lax segregation of duties (SoD). These same factors, if not caught, are also a primary cause for audit and compliance failures. Strictly focusing on internal threats, then, what are five preventative measures you should be employing today to keep your company, assets, customers and reputation secure?
Leverage Automated Controls
Although there are manual ways to attempt to manage these risks, it’s far more cost-effective to use an internal security solution than it is to pay for a fraud or data breach incident. A 2018 Cost of Insider Threats study indicates that the average cost of a single insider-related incident is around $513,000, and that insider incidents can cost a company up to $8.76 million a year. For North America alone, that annual figure rises to $11.1 million.
Cost savings may be a significant consideration, but effectiveness is most important. A company can never attain the same degree of effectiveness and prevention without automated controls. Humans and manual processes are too slow and too prone to error. You also need visibility into the source of risks, by user, role and business process. That’s a tough job without automated tools.
The strongest reason to put automated controls at the top of the list is that they enable you to monitor risk continuously throughout the year, no matter where your employees work. Using a cloud access control solution, such as our Access Analyzer, yields the best results and gives an added measure of security with increased remote workers during this period of COVID-19 outbreaks.
Conduct Access Reviews
While no one looks forward to performing a periodic access recertification, or review, performing these mandatory activities effectively can reduce internal risks. In advance of each review, take a hard look at the documentation accompanying the roles or privileges that will be reviewed by each appointed manager to ensure you’re prepared to perform an effective review.
It’s critical that whatever format is used for the review includes sufficient detail to describe the roles or permissions being reviewed using easy-to-understand language. Frequently, security roles are named using cryptic conventions that only seasoned IT security personnel can understand. Without plain-spoken descriptions of what each role or each privilege actually does, in terms a business user can comprehend, the review process generally suffers from rubber-stamped approvals and provides little actual benefit.
Here, too, is a sound reason to use an automated solution that can help increase review accuracy – and eliminate the manual processes that are not only tedious and time-consuming, but also prone to mistakes. If you can automate the process from start to end and have reliable audit-ready reports free of error, you can save your company both money and compliance headaches.
Define Tailored SoD Rules
A lack of sufficient segregation of accounting functions is a top contributor to fraud. It’s best to start with an industry-accepted ‘rulebook’ of SoD controls or rules as a baseline, but then take the time to review each and every rule and adjust, add or subtract as needed to make sure that your company’s processes are truly aligned with the rules you’ll test against. Pay particular attention to rules involving both transactional and reconciliation activities that impact your high-dollar ledger accounts. Having a tested and solid rule book to use in tandem with your access control solution will get you ahead of many SoD violations.
Remediate Security Roles
Performing security role remediation can be a daunting and costly task. Too often, companies decide to skip this step because they do not see the benefit, or because they believe that compensating (mitigating) controls are the better choice. This usually stems from a problem with one of our previous points: insufficiently tailored SoD rules. If your internal listing of SoD controls contains many superfluous rules that don’t correctly identify the risks specific to your company’s actual processes, you get results that don’t make sense and are not actually risks.
This leads to the requirement, for regulatory and compliance reasons, to address the users identified as having the risk and perform some type of remediation or mitigation. Since many of the risks are often not applicable to the environment, compensating controls are identified and mapped to the SoD risks. Often, this can lead to additional time and effort being spent on performing, documenting and testing compensating controls that could have been avoided by correctly defining SoD risks in the first place.
Additionally, this overload detracts attention from the real risks, the ones worth remediating through process or business role changes. When you have dozens or more inapplicable risks, it becomes difficult, if not impossible, to identify the risks that should be prioritized.
For best results, use an automated solution that provides remediation advice for the fastest track to remediating risks as they are found.
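The following is an added worked example, not code from ERP Maestro or from the original article, showing what the “tailored rulebook” approach above and the plain-language access review descriptions from the earlier section look like when automated. A rule is a pair of conflicting business functions; roles map cryptic technical names to the functions they grant and to a description a business reviewer can read; rules that don’t apply to the company’s processes are switched off rather than left to generate noise. All role names, functions, rules and user assignments below are constructed for illustration.

```python
"""Minimal segregation-of-duties (SoD) checker with a tailored rulebook.

Added example for illustration; not ERP Maestro code. Every role, function,
rule and user assignment here is constructed sample data.
"""
from dataclasses import dataclass

# Cryptic technical role name -> (plain-language description, business functions granted).
# The description is what a business reviewer sees during an access review.
ROLES = {
    "Z_FI_AP_INV01": ("Enter vendor invoices", {"create_vendor_invoice"}),
    "Z_FI_AP_PAY02": ("Release vendor payments", {"release_payment"}),
    "Z_MM_VEND_MNT": ("Maintain vendor master data", {"maintain_vendor_master"}),
    "Z_FI_GL_POST": ("Post journal entries", {"post_journal_entry"}),
    "Z_FI_GL_RECON": ("Reconcile general ledger accounts", {"reconcile_gl_account"}),
    "Z_FI_DISPLAY": ("Display financial documents (read-only)", {"display_documents"}),
}


@dataclass(frozen=True)
class SodRule:
    rule_id: str
    description: str
    func_a: str
    func_b: str
    enabled: bool = True  # tailoring: disable rules that don't match your processes


# Baseline rulebook, reviewed and tailored. SOD-004 is a superfluous rule
# (read-only display conflicts with nothing) so it has been switched off.
RULEBOOK = [
    SodRule("SOD-001", "Enter vendor invoice and release payment",
            "create_vendor_invoice", "release_payment"),
    SodRule("SOD-002", "Maintain vendor master and release payment",
            "maintain_vendor_master", "release_payment"),
    SodRule("SOD-003", "Post journal entries and reconcile the same ledger",
            "post_journal_entry", "reconcile_gl_account"),
    SodRule("SOD-004", "Display documents and post journal entries",
            "display_documents", "post_journal_entry", enabled=False),
]

# Constructed user-to-role assignments.
USER_ROLES = {
    "alice": ["Z_FI_AP_INV01", "Z_FI_AP_PAY02"],
    "bob": ["Z_FI_GL_POST", "Z_FI_GL_RECON", "Z_FI_DISPLAY"],
    "carol": ["Z_FI_AP_INV01", "Z_FI_DISPLAY"],
}


def user_functions(user):
    """Return {function: {roles granting it}} so a finding can name the role to remove."""
    funcs = {}
    for role in USER_ROLES.get(user, []):
        _description, granted = ROLES[role]
        for func in granted:
            funcs.setdefault(func, set()).add(role)
    return funcs


def find_violations(user, rulebook=RULEBOOK):
    """Evaluate every enabled rule against the user's effective functions."""
    funcs = user_functions(user)
    findings = []
    for rule in rulebook:
        if not rule.enabled:
            continue
        if rule.func_a in funcs and rule.func_b in funcs:
            findings.append({
                "user": user,
                "rule": rule.rule_id,
                "description": rule.description,
                "roles_a": sorted(funcs[rule.func_a]),
                "roles_b": sorted(funcs[rule.func_b]),
            })
    return findings


def remediation_options(finding):
    """Remediation advice: removing either side's roles clears the conflict."""
    return [finding["roles_a"], finding["roles_b"]]


def enable_all(rulebook):
    """Untailored rulebook, to show how unreviewed rules inflate the findings."""
    return [SodRule(r.rule_id, r.description, r.func_a, r.func_b, True) for r in rulebook]


def access_review_report(user):
    """Lines a business reviewer can certify: role ID plus plain-language meaning."""
    return [f"{user}: {role} - {ROLES[role][0]}" for role in USER_ROLES.get(user, [])]


if __name__ == "__main__":
    for user in USER_ROLES:
        for line in access_review_report(user):
            print(line)
        for finding in find_violations(user):
            print(f"  VIOLATION {finding['rule']}: {finding['description']}; "
                  f"remove one of {remediation_options(finding)}")
```

Run stand-alone, the script prints each user’s review lines followed by any SoD findings. With the tailored rulebook, alice is flagged on SOD-001 and bob on SOD-003; running bob against `enable_all(RULEBOOK)` adds a second, meaningless SOD-004 finding, which is exactly the noise the text warns will crowd out the real risks.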
Train Your Workforce
While employees can be one of a company’s weak points for control failures and fraud, a well-trained workforce can also be a primary line of defense. Over time, policies and procedures become foggy, so it’s important to continually remind employees of exactly what steps they should be taking, specific to their role or department wherever possible.
Company-wide training on preventing external threats, such as phishing, is also a good idea. Having IT compile actual phishing examples received by company employees makes that training more effective. Setting up an internal tip-line for reporting unethical or risky activity, reinforced with annual training, adds another effective tool.
Employees are human. Sometimes they maliciously embezzle or pilfer company assets. Other times, careless mistakes happen. The reality is, however, that fraud and data breaches are far too frequent, costly and damaging to not take steps to prevent them, especially when there are easy solutions to put in place. Let us know how we can help and sign up for a risk assessment to get started on identifying access risks.