A couple of years ago, we included a “Lock User” button feature into our security product. If you received a “very high” alert, you could log into the system, catch the fraud in action, press the “Lock User” button and prevent the thief from stealing. Bam…. you’re the hero.
Well, it was good in theory. In practice, it was more or less the first thing that customers asked us to remove.
“Remove? Don’t you want to stop the fraud in action?” I asked the Security Manager of a large New York bank who had requested this change. “How can you not want it?”
The CISO, who was a dignified, experienced professional in his 50’s, calmly replied, “Let me give you a scenario and you’ll understand the issue with your 'Lock User' button.”
He offered me a coffee and continued, “Imagine I get an alert on my Blackberry at 3:00 a.m. The ProfileTailor system tells me that someone’s using a sensitive activity, say, approval of very large purchase order from an unsupported device. As this is very suspicious, I quickly log in remotely to my computer at the office and catch User S0677325 red-handed, approving a purchase order. Without any hesitation, I click the coveted 'Lock User' button. Now, I feel better, we’re out of danger, and no one’s performing suspicious activities on my shift. I fall asleep feeling great."
"In the morning, the CIO comes into my office and says, 'The CEO wants a meeting. Why did you lock his User yesterday?'”
"You can imagine it’s not going to be a good meeting. Yesterday, the CEO was in France, which is six hours ahead, and he tried to approve a very important invoice via his smartphone. Suddenly, he was locked out with no way to reconnect." Oops.
A Bigger Risk Than Fraud
I discovered that the “Lock User” button can unintentionally create a very large risk – that of preventing business from running. Many CEOs and CIOs will say that they would prefer $20,000 of fraud to even the shortest business interruption which could potentially cost $100,000 or even $1,000,000.
CISOs and CIOs must always compare the benefit of security activities against the potential risk of preventing or slowing down business activities. I have witnessed that more experienced CISOs handle security activities more cautiously, carefully considering the impact on the business.
Fraud in ERP Systems Progresses Slowly
It is quite hard to perform significant fraud in a complex system, especially these days with all the strict regulations. From our vast experience, I can tell you that in most cases the fraud will begin slowly and insignificantly. The person performing the fraud will probably be an employee who starts by testing the security of the system. He’ll try looking at sensitive tables, like invoices and customers, maybe change a vendor’s bank account by one digit, and other small trivial activities. He’ll usually keep going until he commits real fraud.
Using a system that can identify irregular activity by detecting small changes is the best way to prevent large fraud at the initial stage – it can detect access to sensitive tables or changes to the vendor’s account – and alert about it. A phone call from the security team to the exact person will most likely cut any future plans for getting at the big money, without locking anyone out or putting business processes in danger.