In Depth

The Fraud Squad

Whether it's done by customers, employees or organized criminals, fraud takes a bite out of business's bottom line. Here's what CSOs can do about it.

By Daintry Duffy

In order to fulfill their security responsibilities (which, like fraud, touch almost all aspects of the business), most CSOs have already started building strong relationships with the so-called "other Os"—the top executives of the various business functions that are generally represented in the fraud unit. These established relationships place the CSO in the unique position of being the only executive with the necessary technical and business perspectives to knit together this diverse group of corporate characters.

At MassMutual Financial Group, a special investigative unit (SIU) is responsible for policing both internal and external fraud. CISO Bruce Bonsall is a member of the 2-year-old SIU team. He coordinates the security function's active collaboration with the other members of the SIU, who are from internal audit and the legal department. The group meets quarterly to discuss new fraud trends and the investigative process.

"Don't try to go it alone," Bonsall advises security executives. "Good relationships with audit departments and legal people are critical because at some point something bad will happen, and [by then] it's too late to start thinking about how you'll handle those events as a group."

The CSO must draw on different players for different objectives. HR and legal representatives will help determine how background checks and employee monitoring should be conducted, facilitate fraud-related terminations, and develop policy and legal parameters for employee conduct and investigation procedures. The public relations and general counsel offices will help strategize over what recourse the company will pursue when fraud is discovered, whether to bring in law enforcement, and when and how instances of fraud are announced to customers and the public. The IT, security and audit team members will be the corporate detectives who undertake the technical and physical sleuthing necessary to detect, contain and build a body of evidence to prosecute fraud.

Virtually all accounting and financial control systems (the candy stores of the fraud set) are computerized. CSOs already have the necessary understanding of the overall security architecture and the controls it has in place; they can take the leadership role in determining where those controls may have broken down and allowed fraud to occur. Their experience with incident-response planning around security breaches suits them well to drive the development of similar plans for incidents of fraud. A fraud-response effort will have to formulate how incidents should be handled, the mechanism for communicating those decisions through the executive branches and procedures for documenting the plan so that when an incident occurs there can be a rapid, decisive response. The plan should identify the "go to" people who are tasked with responding to each aspect of an incident. It should also define the appropriate procedures for conducting a fraud investigation so that evidence that is pulled off corporate networks isn't tainted in the process.

How Technology Can Help

Technology is an important part of a company's fraud prevention and detection program, but the good guys aren't the only ones exploiting its capabilities. Crooks are often among the earliest adopters of new technology (remember the fondness of drug dealers for pagers back in the 1980s?). Frazzini notes that the drug cartels alone have invested $1 billion in technology. "Sleep with one eye open if you're relying on technology," he cautions. "[Criminals] will invest money, time and energy to beat you at the technology game." CSOs need to view technology as just part of their defense rather than a panacea.
