Big data creating need for tighter fraud prevention controls

A security expert talks about fraud prevention tools that work and those that don't, and why it's so important to customize a fraud detection system.


In this second part of a two-part podcast series, Jay Leek, vice president of international security at Equifax, talks about the flaws in data loss prevention (DLP) systems and the big data that a fraud prevention program might be overlooking. In the first podcast, Leek discussed two fraud prevention must-haves: billing system insight and whistleblowers.

Jay Leek

Q: Is fraud becoming more of a problem because there's so much data pouring into organizations, and data is money and money is power?

A: I think you nailed it. If you think about Equifax and what we have, everything that we have as an organization is an information asset. It's a very valuable information asset. Everybody wants it. Everybody wants to steal it because with the data we have, you could easily assume somebody else's identity or you could create an entirely fake identity if you have the right level of access. This is the reason that fraud prevention is so important to us, because we are an information solutions organization.

And I think if you look at other companies today that might traditionally be more physical based … let's take as a good example a hotel company: Take a big hotel company that would be worldwide, and they are collecting a ton of data on their customers and how and where they spend money -- where they stay, what they like. [These are] all kinds of things that they are now turning around and selling. This is a very valuable asset that a lot of companies -- ones that we wouldn't necessarily think of as information solutions companies -- are sitting on that people want to steal. Often they want to steal it to commit fraud.

Q: How can you manage false positives so you don't get overwhelmed chasing them, versus identifying real fraud?

A: The best way that we've been able to get ahead of this as much as possible is to really know our business. A lot of the controls we have in place are very unique and very specific to how we do business. And if I think about it, in past organizations where I've worked, the same statement holds true: Unless you really understand the core business processes that your organization is dependent on to make money and to provide services, or whatever it may be to your customer, then you're going to have a very general type solution.

An off-the-shelf-type solution, that's most likely going to produce a lot of false positives. Not to pick on DLP -- I think we have a world-class DLP solution, and we get a lot of value out of our DLP solution that's implemented globally. But when we start looking at the type of fraud that we're discussing today, often that's not necessarily where we detect fraud originally. [DLP] might be a solution we use to investigate it and it proves to be a very valuable tool; but the technical controls that currently turn us on to fraud are typically things that are very custom-developed, very specific and tailored around our business processes. We own [the controls] end to end, where we're not having to fit in some vendor's box.

Play the full podcast

Listen to the full podcast to learn more about credentialing, billing systems and the anomalies Leek looks for that could indicate fraud. Hear more about getting buy-in to a fraud prevention program. Let us know what you think about the interview; email Christina Torode, News Director.


Read the full transcript from this podcast below: 

Christina Torode: Hi, this is Christina Torode, news director for SearchCIO. I'm here with Jay Leek, a vice president of international security for Equifax. Equifax is a data solutions provider to financial service companies and a consumer credit card reporting agency. Jay has worked as a director of fraud, security, and compliance in the telco and financial services industries for more than ten years. In this second podcast on fraud prevention, Jay talks about the types of fraud that are often overlooked, and managing false-positives among other subjects. Hi, Jay.

Jay Leek: Hello. How are you doing, Christina?

Christina Torode: Good. Thanks for joining us again. I'm wondering, what triggers most of your incident responses or fraud investigations?

Jay Leek: The vast majority of fraud investigations are triggered by all the technical controls we have in place, and a lot of them are. We have various types of monitoring, whether it be through your more traditional technology such as DLP to various types of custom development that we've done for monitoring, and a lot of those cases that we detect through these types of technology are, I'd say, a bit more minor cases. But almost without exception, the vast majority, I'd say anywhere from a half to three-quarters, are major cases that we end up investigating and turns out to be something that we actually need to know about. They get discovered through whistleblowers. They're people that don't even know that they're whistleblowers initially, but they identify some kind of behavior that's not normal.

For instance, it's the night operator who works the shift from midnight until 8:00 a.m., he notices the salesperson come in at 2:00 a.m. for three days in a row. There might be a reason behind that, but it also might be that that individual's doing something that he shouldn't be as well. Having a culture where that person can go to his manager, or go to his security officer, or whoever it may be, and, say they see something unusual happening and investigated is very important, because that is the way that we and other organizations that I've worked for discover fraud more often than not.

Christina Torode: Is it becoming more of a problem because there's just so much data pouring into organizations, and data is money, and money is power?

Jay Leek: I think you nailed it. If you think about Equifax and what we have, everything that we have as an organization is an information asset. It's a very valuable information asset. Everybody wants it, everybody wants to steal it, because with the data that we have, you could easily assume somebody else's identity, or you could create an entire fake identity if you had the right level of access. This is the reason fraud prevention is so important to us, because we are an information solutions organization. I think if you look at other companies today that traditionally might be more physically-based, let's take a good example of a hotel company.

Let's just say a big hotel chain that would be worldwide or US-wide, or whatever, and they are collecting a ton of data on their customers and how they spend money, where they stay, what they like, all kinds of different things that they are now turning around and selling, in many cases. This is a very valuable asset that a lot of companies that you wouldn't necessarily think are information solutions companies are sitting on that people want to steal, and often they want to steal it to commit fraud.

Christina Torode: How dedicated does a company have to be in terms of time and money to create a comprehensive fraud prevention program?

Jay Leek: Wish I could tell you something that was inexpensive or cheap, but unfortunately it's something that requires a reasonable amount of time, money, and knowledgeable staff in order to be able to create a fraud prevention program. If you don't have a commitment to integrity and to ethics of your company, and assuring that you don't want to compromise those, starting from the top, you're going to have a difficult time implementing any kind of real, what I would consider to be a comprehensive fraud prevention program. If you have that crossed off, and you've articulated the risks appropriately to your senior management, while you're doing that, you can also make the case to get the right type of staff and money allocated to this initiative.

Christina Torode: How can you manage false-positives so you don't get overwhelmed chasing them versus identifying real fraud?

Jay Leek: You very easily can get overwhelmed with false-positives, and I think that the best way that we've been able to get ahead of this as much as possible is to really know our business. The controls we have in place are very unique and very specific to how we do business, and if I think about it, the past organizations where I've worked, the same statement holds true.

Unless you really understand core business processes that your organization is dependent on to make money to provide services or whatever it may be to your customer, then you're going to have a very general type solution, an off-the-shelf solution, that's most likely going to generate a lot of false-positives. Not to pick on DLP, I think we have a world-class DLP solution, and we get a lot of value out of our DLP solution that we have implemented globally, but when we start looking at the type of fraud that we're discussing today, often that's not necessarily where we detect fraud originally. It might be a solution that we're able to use to investigate it, but the technical solutions that typically turn us on to fraud are things that are very custom-developed, very specific and tailored around our business process. We own it and can control the ends where we're not having to sit in some vendor's box.

Christina Torode: Thank you again for your time. You've been great going over your fraud prevention program.

Jay Leek: Great. Thank you.

Christina Torode: This has been Christina Torode, news director of SearchCIO, speaking with Jay Leek, vice president of international security for Equifax.

This was first published in December 2011
