Fighting the fraudsters: Why we must get better at data sharing
Face-to-face information-sharing with peers is a vital route to learning industry fraud-prevention lessons, says Tim Lansdale.
Information security and fraud prevention are fundamentally intertwined. Fail to secure your IT systems and it could lead to a major data breach. Where does that data end up? Most likely, it ends up in the hands of online fraudsters ready to commit identity theft.
So, in effect, organisations need to address two areas of risk to properly protect themselves. Yet one of the most overlooked aspects of good fraud prevention is effective data sharing. There are many forms this can take, but the principle is an important one for IT and fraud managers to embrace if they are going to fortify their systems as comprehensively as possible against attack. The problem for many UK SMEs is that few mechanisms for this currently exist.
The sheer scale and frequency with which data breaches have happened in 2014 should tell us something about the level of fraud intelligence sharing among firms and the determination of the enemy. Already this year we've seen millions of customers affected as the likes of cosmetics firm Sally Beauty, hospitality business White Lodging, craft chain Michael's and retailer Neiman Marcus admitted to breaches after point of sale systems were targeted. Then in May, online giant eBay confessed it too had come a cropper, potentially compromising 150 million accounts.
These examples are, of course, from the US, where breach notification is mandatory in most states. It's much harder to get data from UK firms, but you can be sure there have been some significant data leakages in 2014 – whether the victim organisations know about them yet or not.
This goes to the heart of the problem. Smaller organisations in particular need to surmount current barriers and become more active in sharing data on information security and fraud incidents.
Failure to do so also leads to a situation where fraud intelligence services become incomplete and barely fit for purpose. Retailers usually sign up to a third-party provider whose job it is to share that data privately with other firms which have signed up to the service. But these data platforms can be let down by the fact that they haven't reached a critical mass of subscribers – rendering any intelligence gleaned patchy at best. When it comes to fraud prevention, these services often work by returning a score, where a higher number means a greater likelihood that a card transaction is fraudulent. But if the individual firm doesn't know how that score is calculated, or how much data has been crunched to produce it, there will be inevitable questions about the system's efficacy.
Another failing of such systems is that they often don't take account of positive signals. Fraud prevention is as much about identifying good behaviour as it is bad. A long-serving customer who has recently changed their card and address, for example, should be considered in the context of their history with the card provider and the retailer, and not immediately flagged as a potential fraudster.
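To make the two points above concrete, here is an added example (not WorldPay's or any fraud-intelligence vendor's scoring model): a transaction risk score that itemises how it was calculated and how many prior data points it rests on, and that lets a customer's clean track record offset the novelty of a new card or address. The weights, thresholds, customer records and transactions in it are all constructed for illustration.

```python
# Added example (not WorldPay's or any vendor's scoring model): an explainable
# transaction risk score that reports how it was calculated and how much
# history it was calculated from, and lets a customer's good track record
# offset the novelty of a new card or address. Weights, thresholds and the
# sample histories below are assumptions chosen for illustration.
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Transaction:
    customer_id: str
    card_last4: str
    ship_address: str
    amount: float
    when: date


@dataclass
class CustomerHistory:
    first_seen: date
    # Prior transactions that cleared without dispute: (card_last4, address, amount, date)
    cleared_txns: list
    chargebacks: int = 0


@dataclass
class RiskScore:
    score: int            # 0..100, higher means more likely fraudulent
    evidence_points: int  # number of prior data points the score rests on
    reasons: list = field(default_factory=list)  # (label, contribution) pairs


def score_transaction(txn: Transaction, hist: CustomerHistory) -> RiskScore:
    """Return a score plus the itemised reasons behind it (the 'how' a
    subscriber would want from an opaque third-party service)."""
    reasons = []
    tenure_days = (txn.when - hist.first_seen).days
    known_cards = {card for card, _, _, _ in hist.cleared_txns}
    known_addrs = {addr for _, addr, _, _ in hist.cleared_txns}
    amounts = [amt for _, _, amt, _ in hist.cleared_txns]

    # Negative signals: things that differ from what the customer has done before.
    if txn.card_last4 not in known_cards:
        reasons.append(("card not seen before", 30))
    if txn.ship_address not in known_addrs:
        reasons.append(("shipping address not seen before", 25))
    if amounts and txn.amount > 3 * max(amounts):
        reasons.append(("amount over 3x previous maximum", 20))
    if hist.chargebacks:
        reasons.append(("prior chargebacks", 15 * hist.chargebacks))

    # Positive signals: tenure and a clean record offset the novelty above.
    if tenure_days >= 365 and len(hist.cleared_txns) >= 10:
        reasons.append(("1y+ tenure with 10+ cleared transactions", -35))
    elif tenure_days >= 90 and len(hist.cleared_txns) >= 3:
        reasons.append(("90d+ tenure with 3+ cleared transactions", -15))

    raw = sum(contribution for _, contribution in reasons)
    score = max(0, min(100, raw))
    evidence = len(hist.cleared_txns) + hist.chargebacks
    return RiskScore(score, evidence, reasons)


def decision(result: RiskScore) -> str:
    """Map a score to an action; a score built on no history is sent for
    review rather than trusted either way."""
    if result.evidence_points == 0 and result.score >= 40:
        return "review (no history to judge against)"
    if result.score >= 70:
        return "decline"
    if result.score >= 40:
        return "review"
    return "approve"


def demo():
    """Constructed data: the same card-and-address change from a three-year
    customer and from a brand-new account."""
    today = date(2014, 6, 1)
    change = dict(card_last4="9876", ship_address="7 New Road", amount=55.0, when=today)

    loyal_hist = CustomerHistory(
        first_seen=date(2011, 3, 1),
        cleared_txns=[("1234", "12 High Street", 40.0, date(2011, 3, 1) + timedelta(days=45 * i))
                      for i in range(24)],
    )
    loyal = score_transaction(Transaction(customer_id="C-001", **change), loyal_hist)

    fresh_hist = CustomerHistory(first_seen=today, cleared_txns=[])
    fresh = score_transaction(Transaction(customer_id="C-002", **change), fresh_hist)
    return loyal, fresh


if __name__ == "__main__":
    for label, result in zip(("long-standing customer", "new account"), demo()):
        print(f"{label}: score={result.score} evidence={result.evidence_points} -> {decision(result)}")
        for reason, contribution in result.reasons:
            print(f"   {contribution:+4d} {reason}")
```

Run as a script, the same new card and new address scores 20 for the three-year customer with 24 cleared transactions (approve) and 55 for the brand-new account (sent for review because there is no history to judge against). The point for a subscriber is the `reasons` list and the `evidence_points` count: a bare number from a provider tells you neither which signals drove it nor how thin the data behind it is.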
From an information security perspective, it's understandable that some firms don't want to share sensitive information which may betray the fact that they've been the subject of a data breach or serious cyber-attack. After all, that kind of information could seriously damage the share price and brand reputation. This is why some of the most useful information sharing happens in small, face-to-face, ad hoc sessions under the Chatham House Rule. Here the quantity of data shared may be small, but for organisations with similar IT environments and business models it can be invaluable.
Last year the government also launched, as part of its cyber security strategy, the Cyber Security Information Sharing Partnership (CISP), designed to facilitate better public-private sector exchanges on breaking threats.
Yet for small businesses in particular there are worryingly few systems in place even for those prepared to engage in more information sharing. That's why I'd encourage more of these smaller firms to proactively seek out ways of coming together to share experiences and discuss ways of resolving problems – perhaps at a local level. Once again, even if the volume of data being shared is small, it can still help anti-fraud efforts going forward. Everyone will benefit in the long run, rather than ploughing on in isolation.
Speak with your counterparts in similar companies, either by knocking on the door or via local commerce groups. Ask them if they've had any fraud problems and how they've dealt with them. Have they considered the effect a data breach would have on them? Do they know the cost of a breach can start at £5,000 and rapidly escalate? Do they also know that just because a card machine processes a payment successfully, that's no guarantee the transaction is genuine? As well as networking with similar companies, speak with your card processor and ask for advice and written material you can share and, importantly, keep to hand if something suspicious does come up.
What's more, with the forthcoming EU General Data Protection Regulation looking likely to mandate breach notification, there could soon be a very real need to share data and best-practice advice with your peers. It might help prevent a damaging data breach in the future – a breach it may soon be illegal to keep hushed up.
Contributed by Tim Lansdale, Head of Payment Security, WorldPay.
Note: SC Magazine Roundtables aid peer-to-peer information sharing but are not conducted under the Chatham House Rule (under which comments are not attributed); however, attendees can choose to remain unidentified, unattributed and not photographed if they wish to do so.