The Fraud Squad

Whether it's done by customers, employees or organized criminals, fraud takes a bite out of business's bottom line. Here's what CSOs can do about it.

Technology can also help make you more proactive. Systems that provide better real-time visibility of fraud and fraud losses can allow the business to get the jump on fraud before problems escalate. At Citizens Financial Group, Mercuri depends on his fraud-management system for an actionable view of the fraud landscape. With big-picture information, he says, "you can do the trend analysis, see the root causes and act on them."

Having clearly communicated processes and procedures is an essential accompaniment to technology. CSOs should spearhead a fully developed fraud plan that gets input and buy-in from all the business units and top executives. "You would be shocked to find out how many companies don't have protocols for reporting illegal or improper activity," says Ed Rial, a former federal prosecutor who led the Brooklyn U.S. Attorney's fraud unit and is now a principal with the Forensic & Investigative Services Group at Deloitte & Touche in New York. "You've got to get the information to the right people as quickly as possible. I've been on investigations where we've been given the name of a fraud point-person and they'll say, 'Oh, I don't do that!'"

CSOs may want to strategize with the general counsel and other executives over what the company's electronic records retention policy should be, paying particular attention to the system log files that track all network activity. The resulting policy should be worked into the fraud plan. Additionally, whatever plans the company develops must be tested. "You need to war-game and test against the system," says World Bank's Kellerman. "You can't presume that you are invulnerable."

Assembling the right staff for a fraud investigation unit is critical; having a keen understanding of finance or the forensic skills to track down a security breach are not enough on their own. "All the technology in the world is only as good as the people who use it," says MassMutual's Bonsall. "Most of the work is done by people thinking outside the box, following hunches and carefully following procedures." Mark Rasch, former head of the U.S. Justice Department's computer crimes unit and currently senior vice president and chief security counsel with managed security service provider Solutionary, recommends that CSOs look for people who have experience conducting internal investigations, are knowledgeable about the various guises that fraud can assume and are discreetideally with some law enforcement experience. Individuals with that background are good at interviewing people and making assessments based on body language and other subtle cues. Just because somebody specializes in pulling information off a computer network doesn't mean that they are qualified to pull that same evidence and information out of a suspect.