
A shiver must have gone down the back of many a CIO when TK Maxx publicly admitted to a massive security breach of its computer system in January 2007. How fraudsters escaped with at least 45.7 million payment card details over a 16-month period, despite complying with the Payment Card Industry (PCI) Data Security Standards, could prove to be an interesting story.

More recently, a £30m fraud using cloned bankcards at fuel stations has been linked to the Tamil Tigers in Thailand.

“Anyone, anywhere in the world, can commit cyberfraud. The threat is real and it is increasing,” says Graham Johnson, Group CIO at Premier Farnell, a FTSE-250 company that markets and distributes a range of over 400,000 electronic, maintenance, repair and operations products and specialist services throughout Europe, North America and Asia Pacific.

“People don’t like talking about cyberfraud but they need to be aware of it,” says Johnson.

Circumventing systems

Johnson believes the trend for fraudsters will be to try and circumvent systems, in the same way as they are doing with credit card controls.

“It reflects the inter-connected world we live in,” he says. “Systems have to be sufficiently robust and protected in ways that, five or six years ago, we would never have had to worry about. Today’s CIO needs to be aware of denial of service attacks and web hackers when building a system.”

Andrew Clark, partner in charge of forensic technology solutions at the international accounting and consulting firm PricewaterhouseCoopers (PwC), takes a pragmatic view. The only sure way to have no fraud, he says, is to have no business. In the last two years the number of cases handled by his team has tripled. In 1999, forensic technology was part of one person’s job spec at PwC; now Clark heads a department of 30 people in the UK.

UK crime wave

PwC’s 2005 Economic Crime Survey – 3,634 interviews in 34 countries – revealed that UK companies reported some of the highest levels of economic crime in the world, 55 per cent compared to an average of 45 per cent of businesses worldwide. This is partly due to the UK’s stringent level of self-scrutiny.

More than half the UK companies surveyed had been victims over the previous two years – up four per cent since PwC’s 2003 survey. Though not all of Enron proportions, more than one third of companies experienced a large number of incidents of financial misrepresentation – 35 per cent, up from 12 per cent in 2003. The fraud most widely reported was asset misappropriation, at 76 per cent.

“We find businesses are not very aware of their intellectual property assets,” says Clark. “These are the sorts of things you can secure relatively easily.”

At the 2007 e-Crime Congress hosted in London by Websense, a survey of 105 international security professionals reported a 15 per cent increase from 2006 of internal threats such as data leakage, through malicious intent or by accident.

Internal threats topped the poll at 59 per cent. Nearly 80 per cent of delegates thought legislation should be in place to curb data leakage and to ensure greater transparency in the event of an information breach; 15 per cent said that most companies had experienced some form of data leak in the last 12 months.

Another 2007 poll by Websense, of 100 UK employees, highlights the problem of confidential data, indicating that 65 per cent of employees had sent potentially confidential information to insecure personal webmail accounts so they could work from home, while 46 per cent admitted to allowing friends and family to use their company laptops.

At one end of the scale, the team might investigate an anti-corruption review involving between 20 to 30 countries; at the other, it addresses issues of individual accounting abuse.

“All our surveys show that economic crime is on the rise,” says Clark. “Often the opportunity just presents itself and there is an individual who will take risks. We hear many companies say that they never thought it would happen to them.”

White-collar crime

Economic crime has two main forms: asset misappropriation – the stealing of money, securities and information, including intellectual property; and financial misreporting – the dressing up of financial statements.

The broad external threat, Clark believes, is from a cadre of semi-organised criminals who deliberately target white-collar crime, which is seen as a high-reward, low-risk activity. “White-collar crime is not a top policing issue, not enough people are prosecuted and sentenced,” he says.

The enemy within

Second is the internal threat – economic fraud committed by people within the organisation. “These are the things that can bring an organisation to its knees,” says Clark. “WorldCom is a good example.”

One fraud scenario occurs when management presses for better results and pushes the local subsidiaries for fictitious information, says Clark. Another is driven by the need for getting results at the top of the organisation.

“If there’s a general feeling that the top people are controlling the organisation as their own personal fiefdom, running roughshod over rules and protocols, then people lower down say, ‘why can’t we do the same sort of thing?’” says Clark. “We see that as a regular feature. Many people engaged in criminal activity have the ability to rationalise what they are doing as acceptable.”

A key deterrent, thinks Clark, is strong governance. “An organisation should have a clear statement of how it views fraud – and communicate it,” he says. In these instances, the capture and analysis of emails is fundamental to forensic technology. It is not uncommon for Clark’s team to painstakingly sift through three million emails using keyword searches.
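The keyword sifting Clark describes is normally a first automated pass over the captured mail before anyone reads a message by hand. The script below is an added example, not code from the article or from PwC; it assumes the mail has been exported to mbox format, takes a plain list of terms, and runs over three constructed messages (one of them multipart with an attachment, which is deliberately ignored so that only subject and plain-text body are searched).

```python
"""Added example (not part of the article): keyword triage over a mailbox,
the first pass before manual review. Assumptions (not in the original):
mail is in mbox format, keywords are plain terms, and the sample mailbox
below is constructed for the demo."""
import mailbox
import os
import re
import tempfile

# Constructed sample mailbox: three messages, the second one multipart.
SAMPLE_MBOX = """From alice@example.invalid Mon Jan 15 09:12:00 2007
From: alice@example.invalid
To: bob@example.invalid
Date: Mon, 15 Jan 2007 09:12:00 +0000
Subject: Q4 numbers
Content-Type: text/plain; charset="utf-8"

Can we adjust the accruals so Q4 looks better? Nobody will audit it.

From bob@example.invalid Mon Jan 15 10:03:00 2007
From: bob@example.invalid
To: alice@example.invalid
Date: Mon, 15 Jan 2007 10:03:00 +0000
Subject: Re: Q4 numbers
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Not comfortable with that. Please use the approved figures.
--XYZ
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

audit audit audit
--XYZ--

From carol@example.invalid Tue Jan 16 08:00:00 2007
From: carol@example.invalid
To: all@example.invalid
Date: Tue, 16 Jan 2007 08:00:00 +0000
Subject: Canteen menu
Content-Type: text/plain; charset="utf-8"

Fish on Friday.
"""


def message_text(msg):
    """Subject plus every inline text/plain part, decoded; attachments are
    skipped here (they would be indexed separately in a real review)."""
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() != "text/plain" or part.get_filename():
            continue
        payload = part.get_payload(decode=True)
        if payload:
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def keyword_hits(mbox_path, keywords):
    """One record per message containing at least one keyword, matched as a
    whole word and case-insensitively, so 'audit' does not hit 'auditorium'."""
    patterns = {k: re.compile(r"\b" + re.escape(k) + r"\b", re.IGNORECASE) for k in keywords}
    mb = mailbox.mbox(mbox_path)
    try:
        hits = []
        for msg in mb:
            text = message_text(msg)
            matched = sorted(k for k, p in patterns.items() if p.search(text))
            if matched:
                hits.append({"from": msg["From"], "date": msg["Date"],
                             "subject": msg["Subject"], "matched": matched})
        return hits
    finally:
        mb.close()


def demo():
    """Write the constructed mailbox to a temp file and triage it."""
    path = os.path.join(tempfile.mkdtemp(), "sample.mbox")
    with open(path, "w", encoding="utf-8") as f:
        f.write(SAMPLE_MBOX)
    return keyword_hits(path, ["audit", "adjust", "figures"])


if __name__ == "__main__":
    for hit in demo():
        print(hit["date"], hit["from"], hit["subject"], hit["matched"])
```

The output is a shortlist, not a finding: each hit still has to be read in context, and the keyword list itself should be recorded with the case notes so the selection can be explained later.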

One factor that has increased the risk of economic crime is the flattening of organisational structures. “The layer of management that might have said, ‘hang on, that doesn’t look or sound right,’ probably does not exist anymore,” says Clark. “And because whole departments have been removed, the corporate memory of a previous fraud experience has often been lost, too. People remember the effects of fraud, not organisations. A new management team of an organisation that experienced fraud two years ago would not register it in their minds, as they’ve never had to deal with it. The delayered middle-management person would be able to spot situations that are similar but they don’t exist any more,” says Clark.

If you suspect a fraud

Clark’s advice to CIOs: “Successful fraud prosecutions are increasingly dependent on the effective capture and analysis of electronic evidence. If you believe you have a fraud problem, ensure the data is kept in an evidentially integral manner.
“Do not ask your IT department to copy it because the chances are that they will not do so in a manner that can be used subsequently in court. You need to know the right forensic procedures – and the correct process must be followed. This process captures a mirror image of the contents of the computer, so you capture forensically all the data on it, but leave the computer as it is. You then have a forensically sound image.”
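What makes an image "forensically sound" in practice is that the evidence is only ever read, the copy is bit-for-bit, and both are hashed so that any later change to the image can be detected. The script below is an added example, not code from the article or from PwC, and it stands in for the dedicated tooling an examiner would actually use: it assumes the source is a plain file (a real acquisition reads a block device behind a write blocker), uses SHA-256 as the verification hash, and writes a JSON custody record beside the image. The demo images a constructed pseudo-volume, verifies it, then alters one byte of the image to show the verification failing.

```python
"""Added example (not from the article): minimal forensic copy with integrity
hashes and a chain-of-custody record. Assumptions (not in the original): the
source is an ordinary file, SHA-256 is the hash, the custody record is JSON."""
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1024 * 1024  # 1 MiB blocks, so a large volume is never held in memory


def sha256_file(path):
    """Stream a file through SHA-256; works for images far larger than RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image_path, examiner, case_id):
    """Bit-for-bit copy of `source` to `image_path`. The source is opened
    read-only and never written to (the 'leave the computer as it is' point);
    the bytes are hashed as they are read, the image is re-read and hashed
    from disk, and both values go into the custody record."""
    h_src = hashlib.sha256()
    started = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h_src.update(block)  # hash of what was read from the evidence
            dst.write(block)     # identical bytes written to the image
    source_hash = h_src.hexdigest()
    image_hash = sha256_file(image_path)
    record = {
        "case_id": case_id,
        "examiner": examiner,
        "source": os.path.abspath(source),
        "image": os.path.abspath(image_path),
        "bytes": os.path.getsize(image_path),
        "acquired_utc": started,
        "sha256_source": source_hash,
        "sha256_image": image_hash,
        "verified": source_hash == image_hash,
    }
    with open(image_path + ".custody.json", "w") as f:
        json.dump(record, f, indent=2)
    return record


def verify_image(image_path):
    """Later check (before analysis, or when the evidence is challenged):
    recompute the image hash and compare with the one recorded at acquisition."""
    with open(image_path + ".custody.json") as f:
        record = json.load(f)
    return sha256_file(image_path) == record["sha256_image"]


def demo():
    """Constructed sample: a ~3 MiB pseudo-volume, imaged, verified, then
    tampered with to show the verification catching the change."""
    tmp = tempfile.mkdtemp()
    source = os.path.join(tmp, "evidence.bin")
    image = os.path.join(tmp, "evidence.dd")
    with open(source, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 123))  # not a block multiple, on purpose
    record = acquire_image(source, image,
                           examiner="EXAMINER-PLACEHOLDER", case_id="CASE-PLACEHOLDER")
    ok_before = verify_image(image)
    # Simulate someone editing the image itself instead of a working copy:
    # flip one byte so the content is guaranteed to differ.
    with open(image, "r+b") as f:
        f.seek(4096)
        original = f.read(1)
        f.seek(4096)
        f.write(bytes([original[0] ^ 0xFF]))
    ok_after = verify_image(image)
    return record["verified"], ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # -> (True, True, False)
```

The point of recording both hashes and the time, examiner and case identifiers is exactly the "show where you got the evidence from, what you did with it" requirement Clark raises later in the piece: analysis is then done on a working copy, and the original image can be re-verified against the record at any time.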

Johnson believes flatter management structures should not mean a loss of control. “If you get to a point where people can commit fraud because there is a lack of supervision, that implies an overall lack of management and the delayering has gone too far,” he says.

On the lookout

CIOs, Johnson believes, should be proactive and think laterally. “Work out what people might do to the organisation, rather than expect the expected,” he says. “Stay open-minded and have the appropriate people around you to exercise your thinking, so that all the angles, external and internal, are covered.”

Clark concurs: “Processes are often built around what everybody expects to happen, rather than having a focus on what might happen if somebody tried to abuse a system from a fraud perspective,” he says.

Premier Farnell is not taking any chances – the company has strict authorisation levels and rigorous controls in place.

“We have a serious focus on economic crime and actively look for it,” says Johnson. “We make sure things are done effectively. We segregate responsibilities, encrypt financial data and control who has access to that information.” The best defence, he thinks, is to have system and business controls that protect the company and to adhere to PCI Compliance – created by MasterCard Worldwide in 2004 and agreed by the world’s major credit card companies.

Complete compliance

At Premier Farnell, PCI Compliance functions at all levels of the business: internationally and within the group IT function, in the business units and specific projects – and its budget allocation is made at board committee level.

“PCI Compliance standards have become tougher and the quarterly external vulnerability scans more rigorous,” says Johnson. While this has increased the CIO’s workload, Johnson thinks it’s worth the effort. The internet is a significant part of Premier Farnell’s business, which reported sales of £823.1m in January 2007. Upgrades to its seven-year-old ATG Dynamo web system have been implemented recently in the US, Europe and Asia Pacific. In 2004, Premier Farnell invested in Endeca to provide parametric searching on its huge product database. The group’s new business in China shares a common global platform with the rest of the organisation.

The more diverse the system, Johnson believes, the more likely the business is to have holes in it. “A smaller system has fewer things to protect, although it might have a greater spread,” he says. “Fewer systems mean fewer things to worry about. For example, one system per country means it’s a bigger job to protect your data from external and internal threats, than if you have common systems.”

To Clark, rapidly growing businesses are the ones most vulnerable to economic crime. “Usually, the lack of clarity around reporting lines means they have bigger problems than more established businesses,” he says. “Everything is done at a fast pace; there may not be the structures that would have been there previously. It doesn’t matter what size your company is, if it has doubled in size since last year, it has 50 per cent more people – who have probably not had enough training. The corporate culture may have become diluted. If your business is growing rapidly, I’d say take a close look.”

Forensic science

As a boy, Clark wanted to be a policeman and he sees similarities in his role today. He is driven by a desire to ‘do the right thing’. “I am a principled individual,” he says. “I enjoy pitting my wits against the bad guys. If we can prove the case and get the fraudsters dismissed, that’s good for society.”

Now aged 40, Clark has focused on the investigation and prevention of fraud since 1990 and thrives on the challenge. After gaining an engineering degree at Imperial College, London, he had a brief stint in the heavy-metals industry then joined PwC to gain an accounting qualification. His interest in forensic technology began when a friend, seconded to the Serious Fraud Office, needed an assistant. Clark enjoyed the work and found it suited his mindset.

“As a forensic technologist, you have to be able to demonstrate the end result will pass the criminal burden of proof,” he says. “You need to show where you have got the evidence from, what you have done with it, then demonstrate the end result. It’s a logical, step-by-step process.”

To some degree, he thinks technologists take the view, ‘if I can make it work, then it’s fine’. “Telling your client, ‘here’s your answer, we winged it a bit and we’re not quite sure how we got there’ is of no value,” says Clark. “Evidence that can be relied upon is core to everything we do in forensic technology.”

In the early 1990s, Clark worked on the Robert Maxwell case, when PwC was appointed as company administrator to Maxwell Communication Corporation. In 1995, he was seconded to the Bank of England special investigations unit in the aftermath of the BCCI scandal and, for two years, provided advice on the appropriate action to be taken on matters of fraud or dishonesty relating to authorised institutions.

He was made a partner when PwC merged in 1996 and in 1998 was offered responsibility for its forensic technology department. Clark has been appointed as an investigator by the DTI under S447 of the Companies Act 1985, has worked for a number of police fraud squads and is one of the global leaders of PwC’s anti-money laundering services.

He describes his team as ‘many and varied’. Some members are qualified by experience, ex-policemen for instance, though most are young graduates, as befits an emerging discipline. Although forensic technology is painstaking work, it has some colourful moments. The best, says Clark, are when he has to take his team to a far-flung country to capture data. There have been some interesting encounters, he says, and once customs officials queried the arrival of 20 PwC people each carrying several laptops, then impounded their kit.

The job has other challenges. “The volume of data that people have is growing, the technology is changing and there is the constant challenge of keeping pace with the criminal mind,” he says. The work may be painstaking, but the pace of forensic technology is gathering speed.