Blockchain has had its fair share of headlines in the past year, specifically about how it can transform efficiencies within organisations. But one area that has not yet had as much attention is how blockchain – or at least its principles – can help enhance cyber-fraud management.
In Leonardo DiCaprio's blockbuster Catch Me If You Can, his character Frank carried out cheque fraud by manipulating the banking system and cashing counterfeit cheques before the banks could verify their validity (a manual process which took days in the 1960s with little change until recently). By continually moving around the US, Frank was able to avoid detection because banks and law enforcement couldn't keep up with the scam.
This is a plot that's eerily similar to how fraudsters operate today, targeting weaknesses and downtime within existing systems and processes. Organisations that do not have full visibility of key records – including financial documents such as invoices – throughout their lifecycle are most at risk of being manipulated by fraudsters. There is a range of tactics criminals can employ to target weaknesses, such as Trojan horses, altering supplier payment details, creating fake companies, or sending bogus invoices for goods and services that haven't been ordered.
Threats can come from both external criminals and rogue members of internal staff. It's tempting to focus only on protecting against external cyber-attacks, but if a cyber-attack is a hornet's sting, financial fraud from within is an organisational parasite.
Take, for example, an attack that happened earlier this year when Swiss-Swedish firm ABB reported that it had been the victim of a large internal fraud in a South Korean subsidiary, costing the firm US$100 million (£77 million). The unit's treasurer is suspected of forging documents and colluding with third parties in embezzlement and misappropriation of funds.
Sadly, ABB won't be the last victim. In fact, our own research found that 84 percent of mid- to senior-level finance staff admit to knowing exactly how to avoid their existing security and processes to commit internal fraud undetected.
Companies must adopt a balanced stance against both internal and external threats when making cyber-security plans.
Today's cyber-fraud and risk management solutions are generally designed around the detection of unusual behaviour. However, such behaviour is difficult to spot without being able to see the full picture of how documents move and change.
This is where I believe we can take a leaf from the blockchain book.
Blockchain is a sequential, continually growing, time-stamped ledger of records that are grouped into blocks and authenticated not by one entity but by a collective of participants. The blocks are interdependent, forming a chain that makes manipulating records uneconomical, if not impossible.
The key benefits of blockchain boil down to immutability, provenance, and security. Records are immutable since every edit is tracked and permanently recorded. This makes it easy to track the source of a new entry or a modification. Organisations that take advantage of the principles of the blockchain can introduce its rigour of provenance and immutability to record keeping, making it far easier for cyber-fraud and risk management solutions to identify suspicious activity.
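The chaining principle described above can be shown with a small hash-linked invoice ledger. This is an added example, not code from the author or from any product: it demonstrates only the time-stamped, interdependent records (not distributed consensus), and the field names, actors, invoice and account values are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # 'prev' value used by the first entry

def digest(entry):
    """SHA-256 over every field of an entry except its stored hash."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append(ledger, ts, actor, record):
    """Add a time-stamped entry linked to the hash of the previous one."""
    entry = {"seq": len(ledger), "ts": ts, "actor": actor, "record": record,
             "prev": ledger[-1]["hash"] if ledger else GENESIS}
    entry["hash"] = digest(entry)
    ledger.append(entry)

def first_broken(ledger, witnessed_head=None):
    """Return the index of the first entry that fails verification, else None.

    witnessed_head is the latest hash as held by other parties. Without it,
    a rewrite of the final entry cannot be detected from the ledger alone.
    """
    prev = GENESIS
    for i, entry in enumerate(ledger):
        if entry["seq"] != i or entry["prev"] != prev or entry["hash"] != digest(entry):
            return i
        prev = entry["hash"]
    if witnessed_head is not None and prev != witnessed_head:
        return max(len(ledger) - 1, 0)
    return None

def build_sample():
    """Constructed sample data: one invoice moving through its lifecycle."""
    ledger = []
    append(ledger, "2000-01-03T09:00:00Z", "ap.clerk",
           {"invoice": "INV-1001", "supplier": "Example Supplies Ltd", "account": "ACCT-111"})
    append(ledger, "2000-01-04T10:30:00Z", "ap.manager",
           {"invoice": "INV-1001", "status": "approved"})
    append(ledger, "2000-01-05T08:15:00Z", "treasury",
           {"invoice": "INV-1001", "status": "paid"})
    return ledger

if __name__ == "__main__":
    ledger = build_sample()
    head = ledger[-1]["hash"]                    # copy held by other parties
    print("intact ledger:", first_broken(ledger, head))
    ledger[0]["record"]["account"] = "ACCT-999"  # silent edit of payment details
    print("edit detected at entry:", first_broken(ledger, head))
```

Recomputing the hash of an altered entry only moves the failure to the next entry, and a rewritten final entry is caught only when its hash is compared with a copy held elsewhere, which is why the ledger is authenticated by more than one party.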
From a security standpoint, the principle of blockchain technology assumes you can trust the masses as opposed to one entity. Similarly, organisations deploying cyber-fraud and risk management systems must ensure enough eyes are monitoring for potential threats.
Cyber-fraud management plans are often the preserve of those in technology and operational roles. However, it is important that such plans are approached from different perspectives to increase the chance of preventing both external and internal attacks. Financial decision-makers should be made fully aware of vulnerability risks and ensure these are covered in incident response plans.
While blockchain may be over-hyped by the pioneers entering the payments industry, its rigour and principles in record keeping are worth noting. Headlines around cyber-attacks, internal fraud and blockchain are a wake-up call for organisations to review their record keeping processes with a lens on cyber-fraud and risk management.
Contributed by Ed Adshead-Grant, general manager, payments and cash management, Bottomline Technologies
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.