Forensics & Risk Advisory Services Partner, Kreston MCA, Chile and Kreston Global Audit Group Business Director
Ricardo is an expert in fraud, audit, and risk advisory services. He worked 21 years at Ernst & Young (EY), 10 of which as an Audit and Forensics Partner, in Canada, Chile and Argentina, leading some of the most important clients of the firm mainly in the utilities, retail, manufacturing and mining sectors such as Coca-Cola, McDonald’s, Siemens, Fluor Daniels, Ontario Power Generation, Danone, Xstrata, Peugeot, Sherwin Williams, Verizon, among others. He is a Certified Public Accountant (CPA) from the United States, Chile and Argentina, a Certified Fraud Examiner (CFE) and holds an MBA designation. He is also a university professor and researcher on occupational fraud and published a book on the subject.
Managing cybersecurity threats
July 20, 2022
Cyber security incidents can affect any company. In 2011, Sony warned that the names, addresses and other personal data of about 77 million people with accounts on its PlayStation Network had been stolen, damaging its prestige and brand image.
And if this can happen to a giant like Sony, how can it impact a small or medium organization whose cyber defences are generally weaker than big-company security systems?
More recently, and to make matters worse, the COVID-19 pandemic has transformed the way many of us work, increasing cyber threats:
“COVID-19 impacted the daily operations of financial authorities and institutions in unprecedented ways. The rapid move to work-from-home (WFH) arrangements increased the scope for cyber threats and for dependencies on third-party service providers. The pandemic also accelerated the take-up of digital financial services as financial institutions, FMIs and end users reduced physical interactions. Both of these factors underscore the importance of effective operational and cyber security resilience arrangements.”
What is cyber fraud?
A recent study by the Association of Certified Fraud Examiners confirmed that digital information security is a current concern for organizations, with directors and executives expecting the problem to be worse in the future:
“Cyber fraud (e.g., business email compromise, hacking, ransomware, and malware) continues to be the most heightened area of risk, with 85% of respondents already seeing an increase in these schemes, and 88% expecting a further increase over the next year.”
As is evident from the above, cyber security is a global concern. In fact, the Budapest Convention on Cybercrime was created in 2001: an international treaty promoted by the European Union with the aim of increasing international cooperation and harmonising national legal frameworks to deal with computer crimes and criminal activity on the internet.
What is cyber security?
It can be defined as the set of procedures and tools that are implemented to protect the information that is generated and processed through computers, servers, mobile devices, networks and electronic systems. Simply put, cyber security is the practice of protecting important systems and sensitive information from digital attacks.
Cyber security is generally associated with cyber threats and cybercrime. However, it also covers the good practices an organization implements to protect information and to prevent or detect the cyber attacks to which any organization or person is exposed. It follows that one of the objectives of cyber security is to generate trust between customers, suppliers and the market in general.
What is a cyber security system?
The importance of having a robust cyber security system mainly lies in avoiding the multiple consequences that cyber attacks have on organizations:
• Economic losses. Paying a ransom, paying a specialist software company to repair the damage, replacing the amount that has been defrauded, the cost of legal claims, and loss of income while the problem is resolved.
• Reputational damage. A cyber attack can cause the leaking of customer, employee or supplier information, which generates distrust of key stakeholders in the organization.
• Theft of data and equipment. In many cases, cybercriminals illegally intercept communications from organizations, steal personal data and use it without consent, and illegally access the computer systems in which it is stored.
• Legal effects. Organizations suffer legal consequences when they do not protect third-party information properly. Certain security incidents, such as those affecting personal data, may lead to legal consequences and sanctions from private and governmental bodies.
• Loss of information. Information is the most important asset of companies. Documents contain data of all kinds: from invoices to databases with personal customer information. The theft or loss of this information can be a serious blow to the survival of the company.
Cyber security and occupational fraud
The considerable body of professional books and articles on cyber security deals almost entirely with external threats to organizations. Phishing, spear-phishing, ransomware, keyloggers, viruses, trojans, spyware, adware, malware, man-in-the-middle attacks and exploits are all forms of external attack which result in system sabotage, theft of confidential information, or diversion of the organization’s financial assets or those of its customers.
However, in my experience as a forensic investigator, internal attacks carried out by people the organization trusts have become more significant in recent years and have resulted in serious fraud threats. Today it is a problem that worries directors and executives as much as, or more than, attacks from the outside.
Examples of cyber fraud
K. Brancik in his book about computer fraud cites a paper written in 1982 by Thurman Stanley Dunn which describes the modus operandi that an occupational fraudster could use to commit a crime. According to this author, there are three forms of computer fraud manipulation:
• Input transaction manipulation schemes. These include:
– Extraneous transactions: Making up extra transactions and getting them processed by the system.
– Failure to enter transactions: Perpetrators can obtain substantial benefits simply by failing to enter properly authorized transactions.
– Modification of transactions: Fraudulent gains can be realized by altering the amount of a properly authorized monetary transaction.
– Misuse of adjustment transactions: Here the term “adjustment” refers to monetary corrections of past errors or inaccuracies. Often, adjustment transactions are processed without adequate control. The result can be occupational fraud of massive proportions.
– Misuse of error-correction procedures: Millions of dollars have been embezzled by perpetrators under the guise of error corrections.
• Unauthorized program modification schemes, such as:
– Breakage: Larcenous strategies for modifying programs exist, such as the siphoning off of small sums from numerous sources.
– Undocumented transaction codes: By programming the computer to accept undocumented types of transactions, perpetrators can arrange to receive substantial profits in a very short time.
– Balance manipulation: A dishonest programmer can modify appropriate programs so that all totals and balances appear to be correct for any given day.
– Deliberate misreporting with lapping: A program that was manipulated to cause misreporting either fails to apply a charge to a perpetrator’s account (the charge gets applied to another account) or credits a perpetrator’s account with a payment (the account that should have been credited is not posted).
– File modification: Altering programs to effect secret changes in account status.
• File alteration and substitution schemes. These include:
– Access to a live master file: Use of a program to make changes that may include modification of monetary amounts or changes to other data.
– Substitution of a dummied-up version for the live file: the perpetrator obtains access to the master file, makes a copy and introduces only a few modifications. The newly created file is then substituted for the live file and returned to the data library.
– Access and modification of transaction files prior to processing: Possible fraudulent actions that may be involved in this type of scheme include addition, modification, and deletion of input transactions.
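The input transaction manipulation schemes above (extraneous transactions, failure to enter, modification of amounts, uncontrolled adjustments) and the balance manipulation scheme are exactly what a detective control should be built to surface. The following is an added example, not code from the original article or from Kreston: it reconciles a constructed authorization log against a constructed posting ledger and flags each scheme, and recomputes the ledger total independently of the application so a reported balance can be checked against it. The record format, field names and transaction kinds are assumptions for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    txn_id: str
    kind: str            # "payment", "adjustment" or "error_correction" (assumed kinds)
    amount_cents: int    # integer cents avoid floating-point rounding in money checks
    approver: str = ""   # second approver; required for adjustments and corrections


# Constructed sample data: what was authorized versus what the system posted.
AUTHORIZED = [
    Txn("T100", "payment", 125000),
    Txn("T101", "payment", 98050),
    Txn("T102", "adjustment", -4000, approver="controller"),
    Txn("T103", "payment", 30000),
]
POSTED = [
    Txn("T100", "payment", 125000),
    Txn("T101", "payment", 980500),           # amount altered after authorization
    Txn("T102", "adjustment", -4000, approver="controller"),
    Txn("T104", "payment", 7500),             # never authorized (extraneous)
    Txn("T105", "error_correction", -50000),  # never authorized and no second approver
]                                             # T103 was authorized but never posted


def reconcile(authorized, posted):
    """Return sorted (finding, txn_id) pairs, one per scheme detected."""
    auth = {t.txn_id: t for t in authorized}
    post = {t.txn_id: t for t in posted}
    findings = []
    for tid, t in post.items():
        if tid not in auth:
            findings.append(("extraneous", tid))            # made-up transaction
        elif t.amount_cents != auth[tid].amount_cents:
            findings.append(("modified", tid))              # amount changed after approval
        if t.kind in ("adjustment", "error_correction") and not t.approver:
            findings.append(("uncontrolled_adjustment", tid))  # no second approver
    for tid in auth:
        if tid not in post:
            findings.append(("not_entered", tid))           # authorized but never posted
    return sorted(findings)


def independent_total(posted):
    """Recompute the ledger total outside the application; compare it with the
    balance the system reports to catch balance manipulation in the programs."""
    return sum(t.amount_cents for t in posted)


if __name__ == "__main__":
    for finding, tid in reconcile(AUTHORIZED, POSTED):
        print(f"{finding:24s} {tid}")
    print("independent total (cents):", independent_total(POSTED))
```

In practice the authorization log comes from a source the posting application cannot write to (for example the approval workflow or a read-only extract), otherwise a programmer who can alter the ledger can alter the reference as well.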
How can you reduce the risk of cyber fraud?
The problem we face is complex: the threats change over time, and the tools used to commit fraud schemes adapt to the new technologies and software developed to combat them. Cyber fraud is therefore difficult to detect, and attacks may remain undetected for a long period of time, resulting in large fraud losses for organizations.
For these reasons, I recommend investing in prevention. Some of the recommended controls to combat cyber fraud include the following:
• Training: In addition to training on information confidentiality and data protection, the first step to prevent and detect fraud is to know the threats (i.e., fraud schemes) that could affect the organization.
• SSL Certificates: SSL (Secure Sockets Layer, today superseded by TLS) certificates are used to authenticate the identity of a server and to encrypt the communication with it. They protect confidential data exchanged during a session and prevent it from being intercepted by unauthorized persons.
• Firewalls: Implementing firewalls and antivirus is necessary to guarantee the cyber security of organizations. Firewalls are programs or devices that control access from a computer to the network and from the network to the computer.
• Antimalware: Antivirus and antimalware software, meanwhile, prevents or fights infections. It offers protection against viruses, ransomware and other types of malicious software that circulate on the Internet, and is critical to protecting all company computers.
• Two-factor authentication (2FA): A security process in which a user confirms his or her identity in at least two independent ways, for example a password plus a code from a device the user holds.
• Backup: Periodic information backup is one of the most important tasks in any organization, since it is what allows data to be restored after ransomware or loss of information.
• Identity and password management system: Control user access to local and/or cloud applications, based on profiles, roles and business rules.
• Secure deletion: Deleting files and even formatting storage devices is not enough to guarantee the irreversible deletion of stored information; secure deletion overwrites the data so that it cannot be recovered.
• Fraud risk assessment: Carry out a survey of fraud risks, including cyber-fraud, that may affect the organization.
• Assessment of existing controls: The second step in a fraud risk assessment is to determine whether current controls mitigate the identified threats.
• Design and improvement of controls: If the existing controls, whether preventive or detective, do not partially or totally mitigate the risks identified in the fraud risk assessment, it is necessary to improve and/or design new controls.
Clearly, a good system of preventive and detective internal controls, combined with an adequate tone at the top, will decrease both the amount of the loss and the time that a fraud scheme goes undiscovered.
How can Kreston Global help?
If you would like to know more about our cyber security services, our team are here to help – simply get in touch with your queries or challenges. You can even go one step further and join us as a member. Doing so gives you access to our unique global network that spans more than 115 countries, 160 independent accounting firms, and 25,000 skilled advisory specialists.