It is always difficult to secure information security investments and we all know that having real business metrics always helps. One useful method is to link infosec to fraud and in this post I’d like to examine this connection further. Lucky for me, the UK National Fraud Authority released their 2012 Annual Fraud Indicator in April 2012 (readers beware, it’s 58 pages…), so with my infosec lens, I’ll take you through the report and hopefully give you some KPIs to think about…
The report estimates the fraud loss to the UK economy at £73 billion in 2011, compared to £38 billion in 2010. However, whilst the increase is significant, it doesn’t represent an increase in the level of fraud: this year’s report benefited from improvements in the quality and quantity of data available, the inclusion of previously undetected fraud losses in the private sector and new estimates against individuals.
Fraud by industry sector…
The report gives extensive details on the fraud attribution to each sector/sub-sector and (page 31 onwards) details fraud types by victim sector. This is summarised below:
Table 1: fraud losses and fraud types by victim sector

Private sector: £45.5bn
FRAUD LOSSES: £26.7bn is attributed to large businesses and £18.9bn to SMEs. Participants estimated that fraud losses could be in the region of 1.4% of turnover. Details by sub-sector:
Wholesale & Retail: £16.1bn
Financial Services: £3.5bn
Professional Services: £2.8bn
Utilities, Mining, etc.: £2.7bn
Information & Comms: £2.4bn
Arts, Entertainment & Recreation: £1.1bn
Accommodation & Food: £1bn
DETAILS & FRAUD TYPES: The most common fraud types were payment fraud (71%), followed by employee/volunteer fraud (49.5%) and cyber-enabled fraud (41.9%). 22.6% of participants suffered at least one insider-enabled fraud. Fraud types:
Procurement fraud (estimate £20bn)
Insurance fraud (£2.1bn)
Mortgage fraud (£1bn)
Payroll fraud (estimate of £1bn)
Telecommunications fraud (£972M)
Plastic card fraud (£341M, see my earlier post for details)
Transport fare evasion (£210M)
Online banking fraud (£35M)
Cheque fraud (£34M)
Motor finance fraud (£15.3M)

Public sector: £20.3bn
FRAUD LOSSES: This is a decrease from the previous year, primarily due to a reduction in fraud against the tax system.
DETAILS & FRAUD TYPES:
Tax: £14bn (£15bn in 2010). Tax fraud (£14bn), vehicle excise duty evasion (£40).
Central government: £2.5bn. Procurement fraud (£1.4bn), grant fraud (£488M), television licence fee evasion (£202M), payroll fraud (£181M), patient charges fraud (£158M), student finance fraud (£31M), pension fraud (£11M), National Savings & Investments fraud (£0.46M).
Local government: £2.2bn. Housing tenancy fraud (£900M), procurement fraud (£890M), payroll fraud (£153M), council tax fraud (£131M), blue badge scheme abuse (£46M), grant fraud (£41M), pension fraud (£5.9M).
Benefits & tax credits: £1.6bn. Benefit fraud (£1.2bn), tax credits fraud (£380M).

Individuals: £6.1bn
FRAUD LOSSES: 1 million (2%) UK adults sent money in reply to unsolicited communications in the last 12 months, and 50% of those were defrauded as a result. 9.4% (4.6 million adults) suffered identity fraud; 55.3% did not recover their losses and the average loss is £481. 2.1 million people fall victim to online ticketing fraud each year, with an average loss of £406 per victim.
DETAILS & FRAUD TYPES:
Telephone banking fraud: £16.7M*
Mass marketing fraud: £3.5bn
Electricity scam: £2.7M
Identity fraud: £1.2bn
Online ticket fraud: £864M
Rental property fraud: £488M
*Note: telephone banking fraud appears under “private sector” in the report, but since the method used essentially tricks individuals into disclosing personal details, I felt it was better placed here.

Not-for-profit sector: £1.1bn
FRAUD LOSSES: This was estimated to cost registered charities 1.7% of their income. The most common fraud types are payment fraud, employee/volunteer fraud (27%) and cyber-enabled fraud.
DETAILS & FRAUD TYPES: Just under 4% of respondents reported that they had detected fraud in the last financial year.
The British Retail Consortium (BRC) Retail Crime Survey reported that fraud increased significantly in 2011 for Wholesale and Retail, with 78% of retailers recording a rise. Fraud accounted for 12.3% of retail crime volume and 28.2% of its value, a notable increase on the previous year. Retailers identified fraud arising from their growing online and multichannel operations as the most significant emerging issue they faced. Overall, retailers estimated that 50.5% of fraud could be attributed to organised groups, while a further 42.7% was the result of opportunists. In addition, retailers reported only circa 50% of offences to the police, suggesting the true extent of fraud is likely to be higher.
It is also interesting (and scary) to note that mass marketing fraud represents more than half (£3.5 billion) of all fraud against individuals. I explore this further in a later post.
Just get a little closer…
So, to all of you information security professionals out there: if you need one way to show you can add value, get closer to your fraud colleagues and try to understand what their big-ticket items are. Depending on your industry sector, you can even ask them the right questions, as the big-ticket items are more than likely those detailed in Table 1.
Similarly, to all of you fraud professionals: please reach out to your infosec colleagues. Admittedly, they will not be able to solve/help with all your problems (e.g. tax or benefit fraud), but every time a fraud type could be reduced by better integrity or confidentiality, they will have lots of good ideas, and the payback is potentially massive compared to the investment that might be required.
Don’t you find it uncanny that the above analysis shows some very obvious parallels with the Verizon DBIR 2012 analysis?…
My next post will finish the analysis of the Annual Fraud Indicator by looking at the various fraud enablers to all the fraud types discussed in this post.
Until next time…
About Neira Jones
With more than 20 years Financial Services experience, Neira is currently Head of Payment Security at Barclaycard where she is responsible for security compliance of circa 100,000 customers & 3rd parties. She has received the Information Security Person of the Year Award in April 2012 from SC Magazine at the same time as her team scooped up the prestigious SC Magazine Award for Information Security Team of the Year for the 2nd year in a row.
Not content with this, February 2012 saw Barclaycard winning two awards at the Merchant Payments Ecosystem conference for “Data Security” & “Merchants” for successfully steering Barclaycard and its customers through the changes in payment security, and in particular with the PCI DSS (Payment Card Industry Data Security Standard). She is a member of the Infosecurity Europe Hall of Fame and has been on the PCI Security Standards Council Board of Advisors since 2009.
Follow Neira on Twitter: @NeiraJones