Because of the small number of experts and lenient laws, digital fraud is increasingly being carried out, either fully or partially in the digital context (pure or mixed virtual crime). Regarding digital crimes:
“There is no crime without a previous law to define it. No punishment without prior legal sanction” (Federal Constitution of Brazil, 1988, art. 5, XXXIX).
Because of that, the presence and action of a group of professionals who reduce the chances of harm to one of the greatest assets of modern corporations, information, is increasingly necessary.
According to a study conducted by the ACFE in 2012, it is estimated that organizations lose 5% of their revenue to fraud.
Beyond the damage caused by the loss of information itself, companies are even more concerned about image and reputation, because in a globalized and highly competitive world a player that does not build strength and reliability into its brand will hardly attract customers and investors.
There are several concerns that an information security professional must take into consideration for their work to be effective; some of them can be highlighted:
Internal fraud: according to a 2009 KPMG report, 61% of corporate fraud was committed by employees of the companies surveyed, 53% of them in staff positions;
Industrial espionage: seeking to stay up to date on innovative technologies and competitive advantages, many companies resort to spying on their competitors. Professionals are hired and use techniques such as social engineering to obtain privileged information.
Known cases include Formula 1 teams, where spies have even worn the clothing of members of the target team to discover mechanical secrets and other solutions. Teams should be aware of this risk;
Unauthorized payments and financial fraud.
It is up to the information security expert to establish comprehensive policies, standards and procedures suited to the organizational structure and culture of its clients. During this survey, weaknesses in the processes will inevitably be identified, and they should be put up for discussion so that improvements and fixes can be suggested.
It is imperative that senior management communicate to all employees the importance of following all the guidelines set, so that the objectives are achieved; as is well known, if one link is weak, the whole chain breaks.
A fact that supports this need is that 25% of frauds were discovered by internal controls (also according to KPMG in 2009), which makes them one of the main measures to minimize damage. Another important function of the Infosec team concerns recovery after fraud is detected, in other words, which actions will be taken to ensure that any damage is repaired.
We must also remember that every business has risks inherent to its operation, and these should be mapped and managed. With cheaper and more powerful processing and the development of artificial intelligence, it has become possible to implement the concept of continuous auditing through software and automated procedures. However, even though this allows alerts to be triggered and information to be provided in real time, monitoring by auditors is still required so that false positives are dealt with.
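As an added illustration of what continuous auditing over a payment log can look like (this is example code written for this page, not a tool the author describes), the script below runs three simple control rules against a constructed sample of payments: self-approval, activity outside business hours, and payments split to stay under an approval limit. The approval limit, the 48-hour split window and the sample records are assumptions. The last step mirrors the point made above: an auditor closes alerts that match a documented exception as false positives, and everything else stays open for investigation.

```python
"""Toy continuous-auditing pass over a payment log (constructed sample data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Payment:
    pid: str
    ts: datetime
    requester: str   # employee who raised the payment
    approver: str    # employee who approved it
    vendor: str
    amount: float


@dataclass
class Alert:
    pid: str
    rule: str
    detail: str
    disposition: str = "open"  # open -> confirmed | false_positive, set by an auditor


APPROVAL_LIMIT = 10_000.0           # assumed policy: above this a second approver is required
SPLIT_WINDOW = timedelta(hours=48)  # assumed window for detecting limit evasion by splitting


def rule_self_approval(payments):
    """A requester must never approve their own payment (segregation of duties)."""
    return [Alert(p.pid, "self_approval", f"{p.requester} approved own payment")
            for p in payments if p.requester == p.approver]


def rule_off_hours(payments):
    """Payments raised on weekends or outside 07:00-20:00 deserve a second look."""
    return [Alert(p.pid, "off_hours", f"raised at {p.ts.isoformat()}")
            for p in payments if p.ts.weekday() >= 5 or not 7 <= p.ts.hour < 20]


def rule_split_payments(payments):
    """Several sub-limit payments by one requester to one vendor in a short window
    whose total reaches the limit: the classic way to dodge a second approver."""
    groups = defaultdict(list)
    for p in sorted(payments, key=lambda x: x.ts):
        if p.amount < APPROVAL_LIMIT:
            groups[(p.requester, p.vendor)].append(p)
    alerts = []
    for (req, vendor), ps in groups.items():
        for i, first in enumerate(ps):
            window = [q for q in ps[i:] if q.ts - first.ts <= SPLIT_WINDOW]
            total = sum(q.amount for q in window)
            if len(window) > 1 and total >= APPROVAL_LIMIT:
                alerts.append(Alert(first.pid, "split_payment",
                                    f"{len(window)} payments to {vendor} by {req} total {total:.2f}"))
                break  # one alert per requester/vendor pair is enough for an auditor
    return alerts


RULES = [rule_self_approval, rule_off_hours, rule_split_payments]


def run_audit(payments):
    """Run every control rule and collect the alerts it raises."""
    alerts = []
    for rule in RULES:
        alerts.extend(rule(payments))
    return alerts


def triage(alerts, approved_exceptions):
    """Auditor step: alerts matching a documented exception are closed as false
    positives; the rest stay open for investigation."""
    for a in alerts:
        if (a.pid, a.rule) in approved_exceptions:
            a.disposition = "false_positive"
    return alerts


def open_alerts(alerts):
    return [a for a in alerts if a.disposition == "open"]


# Constructed sample payment log (2024-03-04 is a Monday, 2024-03-09 a Saturday)
SAMPLE = [
    Payment("P1", datetime(2024, 3, 4, 10, 0), "alice", "bob", "ACME Ltd", 4200.0),
    Payment("P2", datetime(2024, 3, 4, 11, 30), "alice", "bob", "ACME Ltd", 3900.0),
    Payment("P3", datetime(2024, 3, 5, 9, 15), "alice", "bob", "ACME Ltd", 2500.0),   # P1-P3: 10600 in 48h
    Payment("P4", datetime(2024, 3, 6, 14, 0), "carol", "carol", "Office Supply Co", 800.0),  # self-approved
    Payment("P5", datetime(2024, 3, 9, 23, 45), "dave", "erin", "Night Courier", 150.0),       # Saturday night
    Payment("P6", datetime(2024, 3, 7, 15, 0), "frank", "erin", "Cloud Hosting Inc", 1200.0),  # clean
]

# Documented exception (constructed): the courier is contractually paid after hours
EXCEPTIONS = {("P5", "off_hours")}

if __name__ == "__main__":
    for a in triage(run_audit(SAMPLE), EXCEPTIONS):
        print(f"{a.pid:3} {a.rule:14} {a.disposition:15} {a.detail}")
```

Run as-is, it raises three alerts (a split payment on P1, a self-approval on P4, off-hours on P5) and the triage step closes P5 against the documented exception, leaving two for a human to investigate. The rule set is deliberately small; in practice the value lies in keeping the exception list reviewed so that closing false positives never becomes a way to silence real findings.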
Often the Infosec team works closely with forensic experts to verify the facts of a fraud occurrence, investigating the affected systems to identify which vulnerabilities were exploited and to assess the damage.
To sum up, Infosec and forensic professionals are increasingly necessary in the current scenario, given the high and growing number of scams and attacks that use electronic media. The lack of specialists and the low priority companies give this issue, however, may be complicating factors for optimal protection of the corporate environment. Furthermore, security-related problems have been reaching home users, who are unaware of the main measures to avoid compromising their information and devices.
The challenges are great, and so are the opportunities.