Defending Against Insider Fraud
Shroff of Godrej Infotech on Information Sharing and Changing Mindsets
Insider fraud is one of the biggest challenges faced by Indian security practitioners, sometimes ranking above concerns such as APT, DDoS and ransomware. With technology proliferation, insiders with malicious intent now have more opportunities and better tools to perpetrate fraud within their organizations (see: Insider Threat Remains a Top Concern).
Difficulty in procuring detection technologies, coupled with a lack of knowledge among security professionals about processes, leads to further hurdles in addressing insider fraud, says Berjes Shroff, CISO of Godrej Infotech, and a speaker at the ISMG Data Breach & Fraud Prevention Summit Asia in Mumbai.
"In the era of emerging threats, infosec professionals should proactively address insider fraud, rather than waiting to react when an incident happens," he says. "This requires a change in the overall mindset wherein an infosec professional should be 'business-oriented' to understand the processes and make appropriate recommendations."
Shroff shed more light on this topic as a speaker in a panel discussion on "Minimizing Insider Fraud Management." The panel looked at various aspects of managing insider fraud and discussed the technological possibilities to detect the source and origin of insider breaches and detect anomalous behavior.
In this interview (see edited transcript below), Shroff shares his insights on:
- Why organizations should take insider fraud more seriously;
- Challenges faced by infosec professionals in detecting and curbing the issue;
- Importance of knowledge sharing.
Shroff has more than two decades of experience in diversified fields and has been the founder and CEO of an information security startup, prior to which he was heading pan-India operations for telecom infrastructure security and information security audit at Vodafone. Shroff has also been the CIO for TATA Services Ltd. and Bombay House - the HQ of the TATA Group - and also CISO for Tata Services, Tata Sons, Tata Industries and HQ of the Tata Group.
Rise of Insider Fraud
RADHIKA NALLAYAM: Why is insider fraud becoming a substantial danger that companies must overcome?
BERJES SHROFF: Employees have access to the "jewels" of the organization - its data. At the same time, these employees may also be in the know of how to circumvent certain controls of a system. A disgruntled employee who may have been overlooked for a promotion or a pay rise may well be tempted to commit a fraud for financial gains. Even those employees who may be in some financial difficulty, or those with just plain malicious intent, are the ones an organization should be able to identify. Of course, this is not easy, and this is where technology and effective controls come into play.
Employees, having access to important corporate data or access to "sensitive" systems, must be monitored, else the ramifications can be disastrous. It could lead to serious financial losses and, sometimes more importantly, loss of reputation.
NALLAYAM: What are the challenges infosec professionals face when it comes to tackling insider fraud management?
SHROFF: In my view, the challenges of an infosec professional are multi-fold. For example, security professionals face a hurdle for getting approvals for procuring technology to detect insider fraud. Besides, there is an inherent hesitation among infosec professionals in bringing such incidents to the notice of the top brass. It could be because of the fear of losing their own job and whether they will be held responsible for the fraud. Another challenge is on the process front. In fact, process in many companies is the reason why some frauds happen. The simple maker-checker concept is missing. I think it's time that the infosec professional become "business-oriented" and understand the processes and make appropriate recommendations to the business.
NALLAYAM: Apart from having the right controls in place, what else do security professionals focus on to effectively manage insider fraud?
SHROFF: Knowledge and information sharing are the best ways to learn about how untoward incidents can be handled. No single infosec professional is going to experience all the instances. So sharing information on how an incident happened (modus operandi) would help other corporates take preventive action, by learning from others' mistakes. Information sharing is definitely not happening, simply because people are hesitant to share such information and are concerned about reputation damage. This is where events like ISMG's Data Breach & Fraud Prevention Summit can provide a platform that facilitates meaningful discussions and knowledge sharing.