In this second part of a two-part podcast series, Jay Leek, vice president of international security at Equifax Inc., talks about the flaws in data loss prevention (DLP) systems and the big data that a fraud prevention program might be overlooking. In the first podcast, Leek discussed two fraud prevention must-haves: billing system insight and whistleblowers.
Q: Is fraud becoming more of a problem because there's so much data pouring into organizations, and data is money and money is power?
A: I think you nailed it. If you think about Equifax and what we have, everything that we have as an organization is an information asset. It's a very valuable information asset. Everybody wants it. Everybody wants to steal it because with the data we have, you could easily assume somebody else's identity or you could create an entirely fake identity if you have the right level of access. This is the reason that fraud prevention is so important to us, because we are an information solutions organization.
And I think if you look at other companies today that might traditionally be more physical-based … let's take as a good example a hotel company: Take a big hotel company that would be worldwide, and they are collecting a ton of data on their customers and how and where they spend money -- where they stay, what they like. [These are] all kinds of things that they are now turning around and selling. This is a very valuable asset that a lot of companies -- ones that we wouldn't necessarily think of as information solutions companies -- are sitting on that people want to steal. Often they want to steal it to commit fraud.
Q: How can you manage false positives so you don't get overwhelmed chasing them, versus identifying real fraud?
A: The best way that we've been able to get ahead of this as much as possible is to really know our business. A lot of the controls we have in place are very unique and very specific to how we do business. And if I think about it, in past organizations where I've worked, the same statement holds true: Unless you really understand the core business processes that your organization is dependent on to make money and to provide services, or whatever it may be to your customer, then you're going to have a very general type solution.
An off-the-shelf-type solution, that's most likely going to produce a lot of false positives. Not to pick on DLP -- I think we have a world-class DLP solution, and we get a lot of value out of our DLP solution that's implemented globally. But when we start looking at the type of fraud that we're discussing today, often that's not necessarily where we detect fraud originally. [DLP] might be a solution we use to investigate it and it proves to be a very valuable tool; but the technical controls that currently turn us on to fraud are typically things that are very custom-developed, very specific and tailored around our business processes. We own [the controls] end to end, where we're not having to fit in some vendor's box.
Listen to the full podcast to learn more about credentialing, billing systems and the anomalies Leek looks for that could indicate fraud.
Listen to the full podcast to hear more about getting buy-in to a fraud prevention program. Let us know what you think about the interview; email Christina Torode, News Director.
This was first published in December 2011