Securing your systems

8:00pm EDT September 25, 2009

Electronic fraud can pose a substantial risk to any company. It can result in the theft of proprietary data and customer information, trade secrets, R&D data and strategic plans. Unauthorized access to proprietary or sensitive information can have a significantly negative impact on a company’s reputation and could, in the worst scenario, result in the demise of the firm.

As a result, it is imperative that every company have proper fraud controls in place, because more and more criminals are setting up shop, looking to take whatever they can from you, your business, your customers and your employees.

“Don’t guess. If you’re not 100 percent sure that your company’s computer systems are safe, then you’re at risk,” says Jeff Rolph, security director for First Place Bank. “There are a lot of fraud prevention resources that companies can call upon for advice and assistance, so there is no excuse for not having the appropriate fraud prevention controls in place.”

Smart Business spoke with Rolph about fraud, how it happens and what you can do to prevent it.

How can a company fall victim to fraud?

Loss due to electronic fraud most commonly occurs when a company doesn’t have adequate controls over its computer systems. You need controls to monitor, detect and prevent unauthorized access to your system(s) and data from outside of the company, as well as from inside (employees). Malware, for example, can infect your system with a virus that can corrupt your system, steal data, disrupt operations, etc.

With the proliferation of PCs, both in business and at home, companies now have to protect themselves from electronic attack. These attacks can take many forms, including phishing, vishing (voice phishing), pharming, Web site attacks or spam e-mails with attached viruses.

What should executives do if they discover fraud?

First, and most important, take a look at the type of loss or fraud that was perpetrated and attempt to determine what, if any, internal or external systems were compromised. Preserve any evidence that you discover during your investigation such as access logs, server logs, e-mails, electronic journals, etc. These documents or electronic data will be invaluable to any law enforcement agency that may investigate your incident. If you believe that some type of malware was utilized, do a complete sweep of your servers and computers. Conduct a full search-and-destroy mission to eliminate anything that shouldn’t be on your system.

If you do not have the capability to do this in-house, utilize the services of a professional computer forensics company. Do not be afraid to ask for assistance from a professional, as these types of attacks can be very fast and expensive and can reoccur if not handled appropriately.

Once you’ve determined how it happened and you have taken the appropriate steps to prevent further access or damage, inform your local, county, state or federal law enforcement agency. You should also contact your insurance company. It is important that you review what insurance coverage, if any, you have before an incident occurs, so that you can update or add coverage for computer-based fraud or damage.
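The advice above to preserve access logs, server logs and e-mails for law enforcement raises a practical question: how do you show later that the copies you kept are the ones you collected? One common answer is a hash manifest taken at collection time. The following is an added illustration for this page, not code from the article or from First Place Bank; the file names, log lines and collector name are constructed for the demonstration, and the manifest format (a JSON file of SHA-256 digests, sizes, collector and timestamp) is one reasonable choice among many.

```python
"""Build and verify a SHA-256 manifest over collected evidence files.

Added illustration (not part of the original article): record a digest of
every collected file at collection time, store the manifest outside the
evidence directory, and re-check it later so that any alteration, deletion
or addition is detectable.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so large logs need not fit in memory


def sha256_file(path: str) -> str:
    """Return the hex SHA-256 digest of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(evidence_dir: str, collector: str) -> dict:
    """Hash every regular file under evidence_dir and record who collected it and when."""
    entries = {}
    for root, _dirs, files in os.walk(evidence_dir):
        for name in sorted(files):
            full = os.path.join(root, name)
            rel = os.path.relpath(full, evidence_dir)
            entries[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    return {
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "files": entries,
    }


def write_manifest(manifest: dict, path: str) -> None:
    """Persist the manifest as sorted JSON; keep it outside the evidence directory."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def verify_manifest(evidence_dir: str, manifest: dict) -> list:
    """Return a list of problems; an empty list means the evidence is unchanged."""
    problems = []
    for rel, rec in manifest["files"].items():
        full = os.path.join(evidence_dir, rel)
        if not os.path.isfile(full):
            problems.append(f"missing: {rel}")
        elif sha256_file(full) != rec["sha256"]:
            problems.append(f"modified: {rel}")
    # Files that appeared after collection were not part of the evidence set.
    on_disk = set()
    for root, _dirs, files in os.walk(evidence_dir):
        for name in files:
            on_disk.add(os.path.relpath(os.path.join(root, name), evidence_dir))
    for rel in sorted(on_disk - set(manifest["files"])):
        problems.append(f"unexpected: {rel}")
    return problems


def demo() -> tuple:
    """Collect constructed sample evidence, build a manifest, then tamper with the files.

    Returns (problems_before_tampering, problems_after_tampering).
    """
    with tempfile.TemporaryDirectory() as evidence, tempfile.TemporaryDirectory() as case_dir:
        # Constructed sample evidence for the demonstration, not real log data.
        samples = {
            "access.log": b"2009-09-25T20:00:01Z user=jdoe src=192.0.2.10 action=login result=ok\n",
            os.path.join("mail", "report.eml"): b"Subject: Wire transfer request\nFrom: ceo@example.com\n",
        }
        for rel, data in samples.items():
            full = os.path.join(evidence, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)

        manifest_path = os.path.join(case_dir, "manifest.json")
        write_manifest(build_manifest(evidence, collector="analyst-1"), manifest_path)
        with open(manifest_path, encoding="utf-8") as f:
            manifest = json.load(f)
        before = verify_manifest(evidence, manifest)

        # Simulate tampering: append to a log and drop in a file that was never collected.
        with open(os.path.join(evidence, "access.log"), "ab") as f:
            f.write(b"2009-09-25T20:05:00Z user=jdoe action=logout result=ok\n")
        with open(os.path.join(evidence, "notes.txt"), "w", encoding="utf-8") as f:
            f.write("added after collection\n")
        after = verify_manifest(evidence, manifest)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before or "all files intact")
    print("after tampering:", after)
```

Run the manifest step on read-only copies of the originals, store the manifest (and ideally a signed or printed copy of its digests) somewhere the investigation team cannot alter, and re-run the verification before handing the material to law enforcement or a forensics firm.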

What are the best practices for preventing fraud?

Steps for preventing computer-based fraud include having adequate firewall protection, multifactor authentication, credentialing, blocking access to USB ports or other drives, forced password formatting (e.g. use of upper/lower case alpha characters, symbols, minimum password length and numerics), data transmission encryption, and blocked access to certain Web sites. Employees should be informed about the damage that can be done by opening unsolicited e-mails/attachments or loading software programs brought in from the outside.

If your firm does not have a professional certified computer forensics expert on staff, consider hiring an outside firm to conduct penetration testing and to review access levels to your systems (internal/external), what protections you have in place and what you might want to consider implementing. To find a reputable company or expert, talk with peers, professional or trade associations, your insurance carrier, legal adviser or attorney, etc. for insight or recommendations.

Validate your selection of a professional firm or individual by checking references and verifying credentials. Are they respected in the industry? Be careful, because, in order to adequately review your system, they will need complete access. A confidentiality agreement should also be used to protect you and the firm or individual you are utilizing.

Even if you have your system tightly controlled, information can be compromised by your employees. Individuals can contact your employees, trying to draw information out of them. Human nature and customer service usually result in your employees wanting to help out a caller; this can result in sensitive information being inadvertently provided to the caller.

This type of scheme is called ‘social engineering’ and is used to steal information from companies. Educate your employees on what information should and shouldn’t be disclosed over the phone, e-mail or fax. Have them report any unusual activity to their manager or to an anonymous hotline.

How can a bank help with fraud protection?

If fraud involves the theft of financial assets from your accounts, contact your bank immediately. The bank has the ability to block or restrict access to your accounts and services quickly. The bank may also be able to help you assess how the fraud happened and supply detailed records concerning your account activity, account access, etc. The bank will also cooperate with any law enforcement agency that you may contact to investigate the fraud.

Jeff Rolph is security director for First Place Bank. Reach him at JRolph@fpfc.net.