Assessing Cyber security risks

Technology is permeating all aspects of business at an increasing rate. New ways of conducting business processes, BYOD (bring your own device) and now WFH (work from home) are bringing about an incredibly broad and diverse domain of cyber risks that are here to stay.

An Enterprise Risk Management (ERM) program has to include cyber security risks as one of its key strategic risk components to be assessed and managed regularly, just as how financial or other business process related risks are measured, monitored, mitigated and reported.

This approach is really the crux of bringing in what is called as a new approach – IRM (Integrated Risk Management). There are a lot of proponents who have backed this and other three-letter acronyms pointing out the benefits of each and opining how the others have gone out of existence. In my opinion, a truly integrated view (call it by whatever acronym – ERM, GRC, IRM) of Enterprise Risk Management must consider all risk factors and different risk domains.

This brings us to the next question on how to assess, measure, monitor and report on cyber security risks.

Traditionally, a financial, regulatory or operational risk is classified and defined based on its “causes and effects”.  Examples such as these are well known – what happens if the bank lending rate increases, what would be the impact on imported materials if the exchange rate fluctuates, where to source in the event of a critical supplier bankruptcy, why is our stockyard not insured for theft, what if there is a new regulation the imposes restrictions on trade, etc.

This leads to the next step of assessing, measuring and calculation of that risk. Normally risk managers with the help of business, measures the “impact” of that risk – either in monetary terms or qualitatively – and multiply this by the factor called “probability of occurrence”, “likelihood”, “odds of happening” – either in terms of percentage (0-100%) or in terms of risk scores.  Low-impact events with high probability are given lower ranking as compared to high-impact events with low probability and can be represented in what are called “heat maps” to draw attention to the red areas requiring immediate attention.

Cyber security risk assessment challenges:

  1. Security experts and the CISO’s office are mostly caught up with measuring technical exposures, discovering vulnerabilities and evaluating tools, that they hardly spend time to see the connect with the business impact. The security teams and business – do not align their risk definitions in order to have their understanding at the same level.
  2. “Threats”, “Vulnerabilities and “risks” are many a times used interchangeably.
    1. “Threats” represent something that might happen. Natural threats like floods, earthquakes or tornadoes can be acted upon in advance based on weather forecasts or previous learnings. However, cyber security threats (conducted by threat actors or hackers) that aim to steal or destroy data or disrupt business operations are real fears that organizations have to be concerned about. Examples of such threats are very many and keep growing in different forms – viruses, ransomware, malware, phishing, social engineering, denial of service attack, data breaches, complete shutdown of assets, etc.
    2. “Vulnerabilities” (in the context of systems) represent weaknesses in hardware, networks or software. In business and other applications these vulnerabilities are normally patched up periodically by the vendor/ manufacturer and applied by the security organization. Other examples like unsolicited emails or phishing attempts also can make the system vulnerable to attacks. Unauthorized access (whether intentional or unintentional, whether by insiders or outsiders) to applications and data centers violates and bypasses security policies and the person/s can take advantage of the vulnerability.
    3. “Risks” are considered as those that can potentially harm the IT systems and business. Risk is a function of both “threat” and “vulnerability”, meaning that the higher the likelihood of the threat against a known vulnerability is seen as a high risk factor, as against a low level threat for a less vulnerable asset can be classified with a lower risk rating.
  3. Quantifying the business impact of a cyber security threat event is a very difficult task bordering on the impossible. Estimating the probability of its occurrence is even harder because of the evolving technological advances and new ways in which breaches can occur. Cyber security has always been considered as a tactical response to threats – either a security breach occurred or it did not. Thinking about what is the business impact of the risk of a threat occurring requires putting on a different thinking cap. Currently the majority thinking is that if a cybersecurity breach does not occur then it is not a risk to be addressed on priority.
  4. A big challenge today is that the technically-oriented CISO’s office understands the need for preventing security attacks but not how to express the ramifications of those attacks in business terms. Security experts understand and articulate that if, for example, a vulnerability in the network or an application is not patched up, there could be a threat of theft of database or network downtime. However, they are not able to put up in front of the Board or the CFO, a business-focused description like “setting up preventive measures will reduce the risk of exposure to the customer database, which if exposed will cost an estimated “x” amount of money in lost business, expenses and litigation” or “critical enterprise wide applications hacked through social engineering techniques have to be monitored as close to real-time to identify the attacker and the employee/s involved to prevent the risk of loss of financial results that could swing the stock market adversely by x%”.
  5. The above subjective assessment is only a starting point and can have many holes pointed in it. It is not straight forward like financial transactions that have honed the metrics for calculations – every cybersecurity breach is different, unprecedented and unpredictable with ever-changing technology.
  6. Many vendors offer their scorecards and applications that promise nice and jazzy scorecards. But behind all that there are tons of work to be done for ensuring meaningful data – identifying risk factors, classifying and documenting all the assets and feed it into one of theses systems.

 Make a start in addressing the challenges

  1. Ensure that you present the importance of cyber security to the Board level executives -not by scary stories that happened recently at a different organization – by articulating clearly the specific business objective that would be impacted if a particular threat is not addressed to mitigate or lower the risk, how this would be done and what would be the cost of mitigation. This would bring about clarity to both IT and business on why the budget needs sanction.
  2. Bring your IT team resources on the same page on understanding the context in which risk management has to be aligned at the enterprise level.
  3. Make sure everyone understands the various terms like threats, vulnerabilities and how risks can be rated or calculated – whether subjectively at first and then gradually move up the ladder to more complex metrics to quantify the same.
  4. Invest time in making and checking an inventory of all system and IT resources and document them for risk and control assessment plans. Make sure that acquired or merged organizations are included in the overall landscape assessment.
  5. Do not just focus on the “perimeter” risks (such as firewalls, sniffers, etc.) – there are already a host of tools that address these well at the technical level.
  6. Make sure to look at vulnerabilities in internal home-grown applications, legacy systems, ERP applications, user access controls, physical access controls to server rooms, etc. Addressing potential insider threats is equally important as identifying and preventing external attacks.
  7. Various logs streaming in from applications and audit logs carry a lot of information on activities and their patterns. Look out for tools and solutions that can help you collate and analyse them as close to real-time in a meaningful human readable form, so that actions can be taken.
  8. Performing what-if scenarios for possible breaches, use of artificial intelligence and machine learning algorithms applied on various log databases can help a lot in reporting and prevention, but it still requires human interpretation to make decisions.
  9. Conduct periodic penetration testing by third parties and ethical hackers to assess and measure the areas and level of vulnerability present in the system landscape.
  10. Be realistic in assessing how long it would take to mitigate newly discovered threats, rank them in the order of risk priority before committing to bring the risk down to an acceptable level.

To sum up, assessing cyber security risks, identifying threats and vulnerabilities is a continually evolving subject and is not an exact science. It is a new discipline that requires a strategic thinking and cooperation between top management, finance experts and the IT / CISO’s office.

Assessing Business Resilience

Business resilience determines to a great extent whether a business can continue or not. The risk of failure to forecast and build business resilience to weather out a disaster is the most significant risk that could affect the continued existence of an organization.

What is Business Continuity?

Business continuity (BC) is defined as the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident. (Source: ISO 22301:2012)

A “Crisis” is an abnormal situation which threatens the operations, staff, customers or reputation of the organisation and many business crisis situations can be foreseen (example a supply disruption or logistics crisis or a financial crunch). One can handle a crisis situation through emergency response or recovery plans for a particular incident.

On the other hand, a “Disaster” can be defined as an unplanned interruption of normal business process and cannot always be foreseen. Disasters can be natural disasters or man-made ones. They can interrupt business processes to threaten the continuance and viability of an organization.

Over the years, man-made and natural disasters have unveiled the vulnerability of businesses on a global scale. Many well laid out, documented and executed Business Continuity Plans during normal times do not hold good during times of disasters.

Disasters, by their very definition, do not happen at a convenient time and is always unpredictable, making it difficult to forecast its impact. There is no way of knowing the time it would strike, the form it will take and the damage that it can cause.

Take for example the current COVID19 pandemic – is it a natural disaster or man-made? Many differing opinions exist on this subject.

COVID 19 pandemic and its severity across the world has thrown into disarray all business, trade, commerce and logistics operations. Even the best laid crisis management / disaster recovery / business continuity planning could not have forecast the severity of this threat and impact.

However, that does not mean that one should not attempt to understand the impact of various disaster scenarios and plan for effective response as this is key to business continuity and resilience building.

Business Resilience (BR in short) is dependent on many factors:

  1. Financial resilience: This is a no-brainer, as any organization that is strapped for cash and liquidity during the crisis is likely to succumb faster than companies with reserves to see through the difficult times.
    1. Receivable management and avoidance of bad debts should be the focus of primary concern to strengthen cash and liquidity positions.
    2. During a crisis of the nature of a world-wide pandemic, suppliers, their stability and supply availability would directly impact working capital, raw materials and ideal stock levels to be maintained.
    3. Bank loans, interest moratoriums and other debt facilities will have to be re-looked and restructured.
    4. Inability to adhere to existing agreements like lease, rentals, customer commitments on agreed due dates, operational restrictions brought in by regulatory authorities for the common good, etc.
    5. Top management will face challenges in estimating reasonably possible future cash flows in uncertain conditions.
    6. Unlike traditional budgeting methods, relying on historical data to project future business is not going to be of use.
    7. There is a big question mark on what is the “new normal” and how it would be for each industry and within organizations.
    8. As estimations becomes complex, it would be difficult to show adherence to the existing audit and accounting standards and convince Audit Committee on the underlying assumptions behind such estimations.
    9. Last but not the least, is the criteria of “going concern” met? Assumptions underlying the certification may be complex and difficult and will have to pass the test of the auditors before reporting and disclosures to the key stakeholders.
  2. Physical resilience: How deeply affected are an organizations’ locations / premises / access to facilities and how long can it take to restore normalcy? This is an important factor to assess how quickly the business can spring back to normalcy. Is there an adequate insurance cover for such contingencies?
  3. Data Protection Plan: Is there a plan in place that ensures your existing data is retained and protected? The company’s computing resources such as server, networks, firewalls, access authorizations, hardware and software, etc. need to be protected and safe guarded. This is a must for the continued availability of the Information Systems to function at basic levels during the crisis and without losing critical business information.
  4. Customer retention: Brand loyalty and assured customer retention makes it easier to estimate potential earnings when normalcy is expected to return to the economy. This factor is more pronounced in retail and FMCG industries where customers can easily switch between brands. However existing revenue contracts may need to be revisited, reviewed and revised in the light of the shutdown.
  5. Employee retention: An organization that lays off employees during a pandemic or crisis is going to take a longer time finding replacements or skilled people when it wants to get back to business. Migrant workers who have attained skills in many industries may not desire to shift locations but find better alternatives in their own home locations. The shortage of adequate and appropriate human resources may impact resilience of the organization in the long run.
  6. Workplace transformation: During a pandemic (such as the COVID 19), all essential operations cannot come to a sudden standstill. It is important to ensure that basic activities go on without endangering the employees to infectious diseases. Organizations that can quickly bring in, enable and encourage “Work from Home” alternatives can adapt to the situation and show more resilience than those that are not ready with the infrastructure to adopt such measures.
  7. Digital transformation and adoption: Resilient organizations will always be at the forefront in being flexible and adaptable to new technology and embrace digital transformation. However, this adoption and transformation would be dependent on the financial readiness and budget allocation during times of crisis.
  8. Emotional / psychological resilience: It is finally the human psyche that matters – whether the key stake holders are mentally resilient and steadfast – in the continuance of business, the form in which it can be carried out in future. Small and medium businesses may fold up in current locations, larger organizations may look at mergers and amalgamations, start-ups may see a bleak future in the near-run.

What is Business Continuity Management (BCM)?

Organizations lay down Business Continuity Plans at various business processes and with emphasis on Information Systems and execute and audit them at regular intervals to ensure preparedness of the organization to handle any event, incident or crisis.

Business continuity management (BCM) enables organisations to restore their businesses to normal operations following an unanticipated disaster or business interruption.  To date, however, the corporate BCM capabilities necessary to establish that resiliency generally have ranged from absent to insufficient. 

Can a disaster (except probably the weather forecast for a cyclone or typhoon) be predicted to near accuracy? Can one predict if the business will be resilient after the effects of the disaster – say economic downturn, depression, catastrophic effects on humans, country-wide regulations and lockdowns?

Assessing the operational / financial resilience on the Business Continuity Plans is not just limited to Information Technology risks (or protecting information assets and financial information). There is a lot of difference between executing BCM audits in normal times and during unexpected natural or man-made disasters like the pandemic we are currently facing.

Is your information really secure?

Cyber security risk management is no longer confined to solid firewalls and state of the art Virtual Private Networks. A video that recently caught my attention may make you re-think cyber security programs that you have (or intend to have). Have a look …. Video credit: CNA Insider.

Here are factors that one should focus on and strategize before embarking on building/strengthening cyber security risk assessments. Break them down into segments based on users, data, location and devices. Security risk assessments must have a holistic approach to include human vulnerabilities as well – not just focus on machines and devices.

  1. What is the kind of data you want to protect – your business assets (physical, financial and information), employees’ data, client/customer information?
  2. Where is your data located? In the cloud or on premise? Think and evaluate your cloud security concerns, whether you are in a shared tenancy or private cloud. Even if your cloud service provides the basic risk management techniques, you are still responsible if your data in the cloud gets leaked.
  3. Do the applications your run (or intend to run) have basic security in-built? Do they provide a context-based sign-in before granting access? Do the applications provide the flexibility to set up multi-factor authentication on different devices like mobiles, tablets and laptops?
  4. Have you categorized your users? (like how many are temporary / contractual / permanent etc.) Who needs to have privileged access to critical data and transactions?
  5. What kind of devices do users use for performing their tasks – whether within the perimeter or firewall of the company or from the outside?
  6. Should you use a “zero-trust” security policy? When employees are allowed to “bring-your-own-device (BYOD)” (as some companies do), can you take the risk of an infected device that may share information with a hacker or subject your organization to a malicious attack?

When evaluating security solutions keep in mind

  • Solutions that offer to protect the “perimeter” of the company (like firewalls, anti-virus / malware software, anti-phishing devices, network sniffers, etc.) – which is mainly the border around its physical locations and intranets – are not sufficient. Most of such security solutions are not capable of understanding application security breaches and proactively inform the CISO’s office of the risks in order to plug the breach immediately.
  • Large companies having a geographical spread have a different set of requirements to deal with as compared to small or mid-size companies.
  • Companies that still rely on old / legacy systems that are not amenable to the latest technology upgrades, that are proprietary in nature make the security scenario complex.
  • Look for solutions that helps you centralize the various types of log information in real-time (or close to real-time) from multiple systems. They must be capable of tracking inventory of multiple devices (like networks, servers, terminals, mobile devices, laptops, access and audit logs, wireless access from extranets, etc.)
  • They should be able to track users, their roles and the usage of the various actions / tasks within the system. They should ensure that context-based risk assessment is done periodically. Ensure you have up-to-date information about everyone (including employees, customers and suppliers) who has access to your systems and about the devices they use.
  • Placing your single sign-on outside of your perimeter (on the internet) may require a lot of thought, not only due to the complexity of scenarios, but also due to legal compliance requirements (like data privacy laws).
  • Migrating to the cloud environment requires you to evaluate and assess security risks carefully and whether your cloud service provider is experienced enough to look at the larger security aspects – not just employee access but also B2B or B2C scenarios used by your organization.
  • Do not make security risk assessments a quarterly or annual affair, it should be an on-going exercise. It is best implemented as part of a daily operation, so that you are proactively alerted to react to breaches before severe damage is done.

My take on IRM and GRC

The next buzzword after GRC (Governance, Risk and Compliance) is now IRM (Integrated Risk Management). (Not to be confused with another acronym “IRM” which denotes “Information Rights Management” which is a form of IT security technology for protecting access to sensitive documents and emails.)

Why are we emphasizing so much on new acronyms and confuse practitioners of risk, control and compliance? Why debate on whether GRC is dead and IRM is the new norm? Would it not be better to get down to basics and understanding the importance of and concepts that each of those words denote? (People generally like to put old wine in new bottle to keep the interest going.)

Technology -when properly deployed – has and is always capable of giving an integrated view of things in an organization.

But jumping into a technology approach without proper understanding by all stakeholders concerned leads to quick disillusionment and project failure.

It is a fact that silos exist is several organizations. This is mainly because different departments (such as finance, internal audit, risk committee, operational heads) cocoon themselves into their own departmental priorities and have a short-sighted approach. Their reasons and defences are many – inertia to collaborate with other stakeholders, ego issues on whose approach is better, having a “get-it-done-with” approach, citing shortage of staff, insufficient budget that makes them adopt sub-optimal solutions, etc. The top reason could also be that the C-level is not apprised of the benefits or they do not consider these initiatives adding to their top line revenues!

Quoting Gartner’s definition – Integrated risk management (IRM) is a set of practices and processes supported by a risk-aware culture and enabling technologies, that improves decision making and performance through an integrated view of how well an organization manages its unique set of risks.

Since the summer of 2018, Gartner has been moving away from GRC (Governance, Risk and Compliance) towards IRM (Integrated Risk Management).

In my perspective, if one forgets the acronyms – GRC and IRM – and look at what are the concepts that are being espoused, one can very well see that the fundamentals have not changed, but the emphasis is on a holistic approach towards a better management of risks arising out of poor governance, failed business controls, non-compliance, weak IT security leading to data breaches, external threats, etc.

To elaborate further, what all of us (or most of us) understand / agree at a high level are the following points

  • There is no “business” or “for-profit” organizations without taking calculated risks. Managing those risks intelligently and on time ensures business continuity and success. That is why “Risk Management” is ideal in all decision-making processes.
  • In the long run, only integrity pays and ethical practices in business help its brand value and survival – others simply vanish. This is what we understand as the “Governance” standards set by the entrepreneurs, promoters and expected to be followed and communicated by the top management to the operational teams.
  • The “Governance” has two aspects to it – one set of internal practices and policies set up by the management and the other set of operational, tax and statutory compliances set up with respect to any or specific industries, countries and communities. This broadly comes under the “Compliance” umbrella.

On a deeper level, one can see that all the above points are intertwined and one cannot exist without the other –

  • Governance cannot be enforced without proper policy formulation and communication of the internal policies (corporate specific procedures and ethical practices) that the management envisions and laying emphasis on external compliances to ensure business continuity. It is a failure of governance if business risks are not identified, assessed and mitigated on time. Governance also implies that proper internal controls are in place and working effectively.
  • Compliance does not stand alone – failure to comply – whether with internal policies (such as purchase or pricing policies) or with external statutes (such as taxation, etc.) – is a reflection of poor business controls.
  • Risk awareness is the overarching umbrella that recognises threats to the business continuity – whether arising from poor governance, improper compliance, inadequate IT security measures to protect data and ineffective business controls in its processes that could lead to frauds.

The bottom line for all organizations wishing to set up a framework for Governance, Risk Management and Compliance may need to consider the following:

  • have a holistic understanding and approach of the proposed integrated framework, include all functions and processes – not just finance or internal audit or SOX compliance. External threats such as legal risks, brand risks, cyber security, IT risks, conflict of interest that results in abuse and fraud, environment, health and safety risks deserve equal importance when we talk about a sustainable business in the long run.
  • bring all stakeholders on one page – workshops, discussions, whitepapers, surveys, opinions, etc.,
  • don’t jump into a technology solution without assessing preparedness and maturity of all functions,
  • as far as possible avoid siloed programs (that are focussed only on a particular function or department),
  • even if you have to start small (if there are budget or resource constraints), never compromise on the big picture of where you want to be at the end of the program,
  • keep in mind an integrated approach that ties together all types of internal or external risks to the enterprise.

A Primer on AI/ML/DL/NN etc.

Today, many of us non-technical people feel quite left out of conversations that are buzzing around in companies, social media, webinars, presentations, etc.

Yes – I am talking about the most talked about acronyms – Artificial Intelligence (AI), Machine Learning (ML), Deep Learning (DL), Neural Networks (NN) and so on that also includes Big Data, Statistical methods, Data Science, Predictive Analytics and so forth.

My attempt to facilitate understanding of the basics.

WHAT IS ARTIFICIAL INTELLIGENCE (AI)?

  1. Artificial intelligence (AI) is the simulation of human intelligence processes by machines, especially computer systems. If a system or a device can do “smart” things like humans do, then it is said to be artificially intelligent.
  2. It is an umbrella concept that includes image processing, natural language processing, robotic process automation, machine learning, neural networks and many more.
  3. There is a wrong impression that AI is a system, but it is implemented in a system. Particular applications of AI include expert systemsspeech recognition (Natural Language Processing (NLP) and machine vision.
  4. These processes include learning (the acquisition of information and rules for using the information), reasoning (using rules to reach approximate or definite conclusions) and self-correction.

WHAT IS MACHINE LEARNING (ML)?

  1. To put it very simply, machine learning is defined as “the ability (for computers) to learn without being explicitly programmed.” Machine Learning deals with making your computers (or machines) learn from external environment data being provided – like connections to sensors, electronic components in devices, storage devices, etc. It also crunches huge input data sets that are provided to it to come up with patterns and predictions – like Amazon suggesting what your buying preferences are or Netflix offering options based on your previous viewing history, etc.
  2. Machine Learning is simply a way of achieving Artificial Intelligence. The main objective of ML is to allow the computers to learn automatically without human intervention, assistance or programming and adjust actions accordingly.
  3. ML builds models and inbuilt algorithms that it keeps constantly updating and fine- tuning based on what inputs you provide on an on-going basis.
  4. Machine learning enables analysis of massive quantities of data.

WHAT IS DEEP LEARNING (DL)?

  1. Deep learning is a specialized form of machine learning – for example – a machine learning starts with relevant features being manually extracted from images. The features are then used to create a model that categorizes the objects in the image.
  2. Whereas with a deep learning approach, relevant features are automatically extracted from images. In addition, deep learning performs “end-to-end learning” – where a network is given raw data and a task to perform, such as classification, and it learns how to do this automatically.
  3. Deep Learning is also sometimes referred to as “Artificial Neural Network”. Another key difference is deep learning algorithms scale with data, they often continue to improve as the size of your data increases.
  4. Deep learning is applied in many areas of artificial intelligence such as speech recognition, image recognition, natural language processing, robot navigation systems, self-driving cars etc. Some examples that we see in our daily lives are virtual assistants like Alexa, Siri, Cortana, driverless trucks, drones and automated cars, automatic machine translation, Character text generation, facial recognition, behavioural analysis, etc.
  5. Big Data is required for Deep Learning. Massive data is to be fed into models – however the bottleneck remains in cleansing and processing the data into the required format for powering the DL models.

WHAT ARE NEURAL NETWORKS?

  1. A neural network is a type of machine learning which models itself after the human brain. Neural networks with their deep learning cannot be programmed directly for the task. Rather, they have the requirement, just like a child’s developing brain, that they need to learn the information.
  2. They have become important and standard tools for data mining. Neural network is an adaptive system that changes its structure on external or internal information that flows through the network during the learning phase.
  3. A neural network usually involves a large number of processors operating in parallel and arranged in tiers. The first tier receives the raw input information — analogous to optic nerves in human visual processing. Each successive tier receives the output from the tier preceding it, rather than from the raw input — in the same way neurons further from the optic nerve receive signals from those closer to it. The last tier produces the output of the system.
  1. Handwriting recognition is an example of a real-world problem that can be approached via an artificial neural network. The challenge is that humans can recognize handwriting with simple intuition, but the challenge for computers is each person’s handwriting is unique, with different styles, and even different spacing between letters, making it difficult to recognize consistently. Handwriting recognition has various applications, as varied as automated address reading on letters at the postal service, authorization signatures on documents, reducing bank fraud on checks, etc.
  1. Technology uses have expanded to many more areas such as chatbots, stock market prediction, delivery route planning and optimization, drug discovery and development and many more.

WHAT IS DESCRIPTIVE, PREDICTIVE AND PRESCRIPTIVE ANALYTICS?

  1. Descriptive – based on insights into historical data – What has happened?
  2. Predictive – based on statistical tools and forecasting techniques to answer – What could happen?
  3. Prescriptive – use simulation and optimization algorithms to advise on possible outcomes and answer – what should be done?

WHAT IS DATA SCIENCE AND WHAT CAN YOU DO WITH IT?

  1. Data Science is a study which deals with identification, representation and extraction of meaningful information from data sources.
  2. Some of the tasks you can do with Data Science include: Coming up with conclusive research and open-ended questions, extracting large volumes of data from external and internal sources, deploying statistical, machine learning and analytical methods, clean, prune and get data ready for processing and analysis, looking at data from various angles to determine hidden patterns, relations and trends, etc.
  3. If you are wondering what is the difference between Data Analyst and a Data Scientist, there are quite apart from the goal or objective with which they work. A Data Analyst starts by aggregating, querying and mining data for reporting on various functions. A Data Scientist starts by asking the right questions and therefore the Data Scientist needs substantive expertise and non-technical skills.

Analytics for fraud investigations

Many have wondered why one would perform analytics for fraud detection (or prevention) in good times (business as usual) and why would you when there is no whistle blown about a fraud suspicion?

Is this not a grey area where people sensitivities are involved and news about investigations can affect the organization’s brand image? Being trolled over social media that becomes painful to counter? But the CFO’s office is the hardest hit when it comes to answering the Board on the financial losses incurred due to fraudulent activities that leaves a gaping hole in finances.

Traditional anomaly detection is conducted routinely by internal or external auditors. But they are insufficient, not backed by powerful tools and the objective and terms of reference for these audits limit the investigation to a certain level and no more.

Often referred to as “Forensic Audit”, fraud detection methods assume great significance because it requires digging deeper than normal audit to examine and investigate internal control failures, conflict of interest, social networks, multiple factors such as behavioural analysis and ability to crunch big data that can extend / expand beyond the time period under the lens.

A prudent and practical approach would be to set up a mechanism that can proactively provide analytics and flag off high risk areas that need immediate attention.

Fraud Analytics is the use of analytical technology with intelligent business rules and techniques, which will help detect improper transactions like bribery, favouritism, working capital leakage, asset misappropriation, etc. either before or after the transaction is done, so that appropriate steps can be taken to prevent further damage.

Fraud Analytics also helps in performance measurement, evaluate internal control failures and deficiencies, standardize and help in constant improvement that would benefit the overall organization and governance.

Fraud perpetrators use a lot of different and unique techniques which are randomized to prevent discovery and therefore, the techniques used for detection has to be one or many of the following:

  1. Capable of running automated business rules that throw up anomalies that can be further investigated for false / true positives.
  2. Calculation of various statistical parameters like averages (for example average number of calls made, emails exchanged, delays in bill payments, etc.), quantities (for example comparison of total quantities ordered / received / invoiced / returned), performance metrics (e.g. attrition rate pattern amongst certain departments, sales returns peaking immediately after monthly close, etc.), user profiles (e.g., interested party contracts, sudden lifestyle changes by the user, behavioural patterns noticed) etc.
  3. Trend analysis using time series distribution.
  4. Clustering and classification that can help find patterns and associations within data sets.
  5. Algorithms, models and probability distributions of various business activities.
  6. Machine learning and neural networks to automatically identify characteristics of fraud and used later with increasing Big data inputs.

Having a Fraud Prevention program for controlling fraud risks is an important part of Enterprise Risk Management and provides your investors, partners and auditors with more confidence on your demonstrated ability to tackle the same in a sustained manner and not on an ad-hoc basis.

Blockchain – Basics

Blockchain is a much-used word and a hot topic for the last few years. (On the lighter side, many of you ladies out there who are not technically inclined – do not for a moment think it is another piece of jewellery you may have missed out :-)))

BLOCKCHAIN is simply a technology platform that contains BLOCKS of data / information that is chained together and the chain increases with the addition of more BLOCKS (whole lot of technical stuff to ensure integrity behind this).

I thought it best to pen down a few fundamentals of what exactly is Blockchain technology, in the first place – before going into what are the benefits and risks associated with it as of today.

  1. The term blockchain and bitcoin are not synonymous or interchangeable. Bitcoin is a cryptocurrency token (like there are many other digital currencies available and emerging in the world).
  2. You may wonder what is cryptocurrency – it is a medium of exchange like traditional currency, it is designed to exchange the digital information through a process made possible by cryptography. Cryptocurrency is a bearer instrument, meaning that the holder of the currency has ownership and no other record is kept of the identity of the owner.
  3. Blockchain, on the other hand, is the ledger (or technology) that keeps track of who owns the digital tokens at any given point in time. Therefore, you need blockchain technology in order to transact in Bitcoins.
  4. Blockchain can be defined as an interlinked chain of “BLOCKS”. These “BLOCKS” contain data or information on transactions between persons, businesses, Governments or other users and it has a technique that digitally timestamps documents that is not possible to backdate or erase or tamper with them in anyway. This provides integrity, security and a risk-free transaction recording.
  5. This is possible since all information transferred via Blockchain is encrypted and a digital distributed ledger keeps every occurrence recorded and immutable making it almost risk-free as compared to traditional methods of transacting.
  6. Blockchain enables peer-to-peer transactions between parties that are even unknown to each other. Unlike in traditional methods where there needs to be a central authority or trusted middlemen to complete transactions, Blockchain guarantees correct transactions through an automatic program.
  7. Typically, when you want to do a bank transfer from one country / Bank to another person, you have to necessarily go through a chain of transactions like your Banks’ correspondent bank remitting it to the receivers’ correspondent bank and then it finally reaches the receivers’ own Bank account. In a blockchain scenario, observe the diagram below (released for public understanding by ICICI Bank in India).
  8. Blockchain can be used for the secure transfer of funds, property, contracts, etc. without the intervention of a third-party intermediary like a bank or Government. The data recorded inside a Blockchain is immutable and irreversible.
  9. Blockchain is decentralized, so there is no need for any central, certifying authority, eliminating the single point of failure in a centralized setup.
  10. The data that is stored in a BLOCK depends upon the type of Blockchain – it can be a Bitcoin Blockchain or a healthcare blockchain or a Government record management type. It can be a public blockchain which is transparent and anyone can use the same, or a private blockchain or consortium which restricts it to authorized or a community of users.
  11. Blockchains cannot be run without Internet and is a software protocol that uses database, software applications and some connected computers.
  12. Blockchain technology first evolved from a distributed ledger concept that was used in payments in cryptocurrencies like Bitcoin. Then came Smart Contracts that are executable programs that check and verify conditions. Now there are what is called Dapps (or decentralized applications) running on peer-to-peer networks and are just like any other app, with front end and backend codes.
  13. There is a myth that Blockchain solves every problem, and smart contract is always legal. The reality is that this technology is so fast emerging that there are still grey areas that need to be addressed.

While India’s position is positive towards Blockchain technology it is cautious in it approach to digital currencies like Bitcoin. However, a lot of pioneering work in various industries and sectors are already in progress and both public and private sectors in India are actively contemplating the use of Blockchain for various use cases like land registration and property management, e-KYC for SEBI (in the wake of large scams), supply chain finance, international trade finance and foreign currency remittances by banks, e-Governance by linking databases built around the citizen identity project Aadhaar and so on.

Information Security

What is the best practice approach that can help create a solid framework for establishing Information Security policies, procedures and practices?

One needs to recognize the various aspects of information security as enunciated in COBIT and other world-wide standards and understand the impact of data privacy laws on information security.

Information security is

  • the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information.
  • the balanced protection of the confidentiality, integrity and availability of data without hampering organization productivity.
  • a multi-step risk management process that identifies assets, threat sources, vulnerabilities, potential impacts, and possible controls, followed by assessment of the effectiveness of the risk management plan.

Data protection and privacy is an integral part of Information security measures.

  • Wherever personal identifiable information or sensitive data is collected, stored, used and finally deleted or destroyed, privacy issues arise if there are improper controls or insufficient disclosures on how the processes are handled.
  • Information from sources such as financial records, credit card information, healthcare, payroll information, social security numbers, Aadhar card information, biological traits, geographic locations and residence, voting preferences, religious background information, web-surfing behaviour, etc. all fall within the purview of personal data that is subject to privacy laws in various degrees.
  • Several laws prevail in different countries on ensuring data privacy and protection – the latest and most comprehensive one being the GDPR for EU nations.

The COBIT framework for Information Security by ISACA states 5 important points to be followed.

  1. Meeting stakeholder needs.
  2. Covering the enterprise end-to-end.
  3. Applying a single integrated framework.
  4. Enabling a holistic approach.
  5. Separating governance from management.

MEETING STAKEHOLDER NEEDS

Stakeholders at different levels expect different fulfillment of requirements. These business objectives must be translated into IT related goals that would enable achievement of the business goals. Top level stakeholders start with the Board of Directors, CEO, CFO, followed by the CIO, CTO, CISO. Next level could be security managers and system administrators – followed by end-users.

A top-down approach is the most sustainable and successful approach because it ensures

  • Clearly laid out policies, procedures and timelines
  • Dedicated funding and clear planning
  • Determine who is accountable for each of the processes
  • Enforcing change management throughout the organization for smooth adoption.

 COVERING THE ENTERPRISE END-TO-END

  • One has to start understanding elements of the Information system – this comprises hardware, networks, software, databases, people and procedures connected therewith.
  • Next comes the evaluation of vulnerability and checking the adequacy of controls established for network security, WiFi networks, firewalls, the perimeters of your system landscape.
  • Recognize the impact of laws related to data protection and privacy in the locations where your business operates or intends to operate.
  • The IT department in the organization should aim to cover all functions and processes of the business – include internal and external access to processes.
  • All information and the related technologies to be treated as “assets” just like any other asset in the business. Information is the “crown jewel” of your organization and must be protected at all times.
  • Threat evaluation is not just limited to the periphery of your system landscape – but more importantly
    • continuous, real-time monitoring of business application activities done by people, remote calls between two systems, external threats and attacks, identify social engineering tactics, etc.
    • Providing end users adequate authorization, ensuring no or minimal segregation of duties risks, masking of sensitive information for unauthorized users in compliance with privacy laws.
    • recognizing patterns of logs in the normal course and finding out anomalies, identify attacks done by external or internal users (pseudonymize users during investigation).
    • Cyber security professional watching over a consolidated cockpit that integrates all events and logs for meaningful interpretation and action.

APPLYING A SINGLE INTEGRATED FRAMEWORK

COBIT 5 for Information Security provides an overarching governance and management framework that provides best standards and practices to be adopted. COBIT encompasses many models such as ITIL, ISO/IEC 27000 series, the ISF Standard of Good Practice for Information Security and US National Institute of Standards and Technology (NIST) SP800-53A.

While evaluating a single integrated framework, one should keep in mind a holistic approach that can be broken down into achievable programs that suit the organization in the short, medium and long term. A non-technical discussion on the requirements must precede before looking at technical solutions that would address the pain points faced by different stakeholders.

ENABLING A HOLISTIC APPROACH

COBIT recommends a holistic approach that takes into account the following:

  • Considers Principles, policies and frameworks
  • Looks at processes, organizational structures, culture, ethics and behaviour.
  • Deals with all information produced and used by the enterprise.
  • Includes all the infrastructure, services and applications that provide the enterprise with IT processing.
  • Ensures people, skills and competencies are available for successful completion of all activities and taking corrective decisions.

SEPARATING GOVERNANCE FROM MANAGEMENT

These two disciplines involve different activities that may serve different purposes applicable for different departments or organizations.

  • Governance is the responsibility of the Board and top management.
  • Management is the responsibility of the executive management under the leadership of the CEO or CFO, etc.

While governance sets the tone at the top for agreed objectives, prioritization and decision making, management has to plan, build, run and monitor the activities in alignment with the governing body.

Know the difference ………..

Many people have asked me whether internal controls monitoring is sufficient to unearth suspicious transactions, abuse of processes or frauds. Do you really need another fraud investigation exercise?

Both exercises have different objectives and perspectives and answers different needs (e.g. do we need to prevent or detect, examine historical or current data, use predictive or presumptive approach, bring in concurrent or forensic audit, etc.)

To answer this question, my take on this is as follows:

Continuous monitoring of internal controls of an organization focuses on

  1. Determining sufficiency and deficiency of internal controls on structured business data such as financial accounting, human resources, payroll, treasury operations, etc.
  2. Following a systematic, repetitive approach for testing the effectiveness and efficiency of controls.
  3. Getting periodic self-assessments and certifications for organizational level assertions.
  4. Scanning data after business transactions are performed or committed, thus mostly providing a detective mechanism
  5. Notifying failures of internal controls to responsible persons on an exceptional basis generally based on materiality concept.

Fraud investigation, on the other hand, is more than just monitoring business controls in an organization.

  1. Investigations on suspicious transactions can be far-reaching in terms of timeframes. While internal controls monitoring is usually for current quarter / half year or year, a forensic investigation may necessitate going back into several years to assess patterns adopted by the fraudster and quantify damage caused.
  2. In order to crunch high data volume, one may need to adopt some technology or computer-aided tool for enabling data mining, analysis, simulation, predictive analytics, complex business rules, etc. for determining trends and patterns.
  3. Performing a fraud detection or screening of transactions as a preventative measure before the business transaction is completed is a must in some scenarios – examples – screening high volume payments, credit card approvals / blocking, Bank ATM network validations, etc.
  4. External sources of information and unstructured data like emails, phone calls, whistle blower tips or data when conjoined with internal business transactions may point to failure of multiple controls leading to abuse of power, processes, bribery, corruption, misappropriation of cash or assets.
  5. Individual controls may be very effective, but a combination of controls may point to a different story – for example
    1. controls in the purchase process may be effective, but the purchase officer may have a collusion with a preferred vendor or with another employee.
    2. Multiple approval workflows may be working fine, but splitting invoices or contracts to bypass approval levels may be happening to push through business transactions that may be violative of company policies and favour outside parties.
    3. Administrators authorized for maintaining master data may do a flip flop change in payee’s name to direct payment to themselves once in a while that goes unnoticed.
    4. Working on holidays or late shifts and suspicious write offs – say inventory or consumables – to cover up thefts from warehouses, plants, etc.
    5. Leakage of financial / competitive information either overtly or covertly, sharing of passwords, succumbing to social engineering attacks, conflict of interests not declared, etc.
  6. Fraud investigation also needs to be flexible enough to add more factors to the analysis or change the thresholds and parameters in the logic for determining exceptions.
  7. Fraud investigation usually starts off with examining existing internal controls and can throw up new insights into the deficiency of internal controls to be strengthened. There is a two-way benefit for groups involved in testing controls and fraud investigation.
  8. In the event of a fraudster being involved, the human behaviour / psychology and the observation and interpretation thereof, plays a large part in concluding the investigations. The user identity needs to be pseudonymized and business operations must go on unaffected until the case is closed.
  9. Upon conclusion, the case may lead to criminal proceedings that requires gathering and submission of evidence in a Court of law. Fraud examiners need to have a basic understanding on the various laws and legal provisions that are attracted for the specific case under investigation.

In summary, internal controls monitoring and fraud investigations are like two arms – inputs from both being useful to each other.

I would rate fraud investigation or forensic audit as a wider and broader platform (as compared to internal controls monitoring), going by the objectives of the exercise and the challenges presented by the sheer volume of data (external and internal) to be analyzed.

Risks caused by frauds

I have wondered many a times what makes this topic interesting at once but dealt with in hush-hush tones when there is an anonymous whistle blown.

Why do organizations and those in the higher echelons postpone / neglect or trivialize the need to look at this risk a little closer (even before an incident happens)?

True (and rightfully so) all organizations give the utmost importance to improving their top line / bottom line revenues and profits, but one fraudster can create a devastating setback to what was built up over the years – reputation, goodwill, customer faith, vendor relationships and so on.

Behavioural analysis can reveal a lot about why such risks can happen and tell-tale signs of perpetrators. According to a study conducted by Association of Certified Fraud Examiners (ACFE) in 2016 for Southern Asian countries, (Courtesy: Report to the Nations on Occupational Fraud and Abuse), fraud perpetrators often show red flag behavioural characteristics associated with their crimes – living beyond their means, unusually close association with vendors, financial difficulties, etc.

In recent times there are many interpretations of what ultimately leads to a fraud. Here are examples of some of them.

  1. Failure of business integrity.
  2. Lack of ethics.
  3. Suspicious business transactions.
  4. Lack of business partner screening and approval.
  5. Unaware of company’s business between parties related to the organizations’ management and employees.
  6. Suspicious movement / physical entry of persons whether during or after business hours.
  7. Excessive authorizations / Breach of passwords / networks / servers / applications caused by either internal staff or external hackers.
  8. ………………………and the list can go on.

When broken down into several root causes like the ones cited above, it becomes easier to tackle the overarching subject of “risk of frauds”. You would realize that several arms of the business functions are responsible for proactively tackling these risks.

A closer analysis of the root causes for these risks related to frauds will point to the underlying factors:

  1. Insufficient or lack of business controls (aka internal controls).
  2. Lack of awareness of ethical standards and integrity in business dealings (lack of Governance principles).

Risks, Controls and Governance are intertwined and cannot be dealt with as isolated topics. In my opinion, there cannot be a debate on which one is more important than the other. One needs to have a holistic view of all three aspects – even if you are not able to tackle all of them at the same time due to either resource or cost constraints in the organization, at least be aware about the inter-relationships.

Even large multinationals keep these topics at arm’s length between internal audit, Board and Audit committee and operational departments, which I think confuses the whole issue at hand. Probably one of the reasons why topics like risk management programs, SOX compliance, technology implementations appear so daunting.

Clearly one has to structure these at a high level and follow a vision statement for effectively bringing in good governance, business controls and risk management programs in a phased manner, but never losing sight of the benefits of an integrated view.