Vetting access to prevent fraud


ADOTAS EXCLUSIVE — Despite billions of dollars being lost to click, credit card, and various other types of fraud, your largest risk comes from within your organization.

Securing information and providing appropriate data access can help limit your risk. The Association of Certified Fraud Examiners says the five most effective fraud prevention tactics are: implementing strong internal controls; background checks for new hires; anti-fraud policies; ethics training; and surveillance.

When I first began to implement the Best Practice approach over a year ago, I focused on the first tactic the ACFE recommends and evaluated our data access controls. Much of our data was accessible by many different roles inside our organization. The lack of access variance between an entry-level employee and an executive had been carried over from the days when our organization had fewer employees.

It is common in smaller companies for an employee to have multiple responsibilities that grant him access to more information systems. Many of you in this fast-paced industry can relate: The individual who edits your website also sends out your email newsletter and invoices at the end of the month. In this scenario, the smaller businesses make the decision to absorb the risk, but how do you appropriately limit access as your company grows?

In Memolink’s case, the data access audit was conducted by asking one question and compiling the results for review: Who had access to what type of information, and for what purpose? It also helped to evaluate the audit findings juxtaposed with the goals and motivations of each department and employee. By looking at the results in this manner, I was able to remove the context for internal staff abuse.

For example, when my company separated publisher vetting and the fraud identification and reporting processes from the publisher sales and account management team, it was natural to also secure the information related to these processes. Publishers who join the CPA Storm network are interviewed by a Best Practice compliance analyst and only those who meet our standards are accepted as a business partner. We do not share the finer details of our vetting process.

If you asked any one of our account managers, “As a publisher looking to join your network, what do I need to do or say to be accepted?” not one of them would be able to tell you. The only individuals who know the details of our acceptance policy are inside the Best Practice Division or in the top two positions in our company (CEO and EVP).

I limit the information so the fraudsters cannot reverse engineer or social engineer their way into our circle. An individual looking to do harm can attempt to reverse engineer the process by going through the vetting process countless times, each time learning a detail about the technology that we use. The technology we use is home grown, and like any technology, it is not perfect, which is why we have humans who make the final decisions.

A fraudulent individual could also weasel their way in through the use of social engineering, which essentially means that an individual manipulates another person in order to get information, like a password, or confidential information about your business. This is often done by becoming “buddies.”

Many of us use LinkedIn and other social websites like Facebook to stay connected and conduct business. The potential fraudsters know this. Using myself as an example, they see my profile on LinkedIn or on my Facebook page, and are able to deduce that I enjoy watching basketball, drink a lot of Pepsi, went to Drake University (go Bulldogs!), and worked for Meredith Corporation for several years.

They use this information to gain my trust: “Do you think that the Drake men’s basketball team will make it to the Sweet Sixteen this year?” I am put at ease by this conversation and others that follow, and then they proceed to extract whatever information they need. If I were in the role of an account manager and knew the details for publisher acceptance, I might share this with my new buddy without even realizing the potential harm. Thus, by limiting access, we have removed the risk of our sales team being in a precarious situation like the one described here.

Editor’s note: This is a series from Dianna Koltz, director of best practices and email marketing at Memolink, Inc., on how to use business standards to combat online fraud.
