Data breaches are a menace, and manual reviews in fraud prevention are making your company more vulnerable. You can read this white paper to find out more – but first, let’s set some context.
Forrester’s recent report The State of Retail Payments 2016 found that “Security and fraud risks drive merchant payment decisions in 2016.” That’s not surprising: in the last two or three years, data breaches have become an uncomfortable fact of life as organization after organization has admitted to one. Breaches are hugely expensive, and damaging to a company’s brand and to consumer trust.
Ironic though it may sound, the antifraud department is often a weak point in the InfoSec chain – and many companies aren’t even aware that that’s the case.
“There is no patch for careless, greedy or stupid”, said former FBI Computer Intrusion Unit head Don Codling. More frightening still: “Savvy, well-meaning employees can be fooled into doing something to allow attackers access to company networks.”
Internal employees account for 43% of data loss. That means almost half the risk of data loss comes from inside the organization itself. Moreover, outside threats often get in by tricking employees into being unwitting accomplices. A hacker will call when he knows it’s busy, pretending to be from IT and asking for codes or passwords. Or he’ll scope out companies that are moving to a new medical provider and send emails purporting to come from that provider, prompting employees to enter their details. In all these cases, it’s the human factor that’s the weak point.
The key to dealing with this weakness is to limit employee access to data. In many cases, you can do this by making information available on a ‘need to know’ basis. But that won’t help you when it comes to fraud prevention. That’s because the employees there, who represent the vulnerability, genuinely need to know a lot of information to do their job.
The job of your fraud team is to prevent loss to the company. They do that by stopping fraud and by removing friction from fraud prevention so that it’s not discouraging sales. But many fraud teams still rely on manually reviewing transactions. That means, ironically, that they’re potentially a huge source of loss.
Reviewing a transaction requires a close analysis of the data – as much data as possible. That includes PII. And teams are often primed to ask for even more information in cases of doubt – for example, a photo of a customer’s ID. If a manual reviewer’s machine is compromised, it’s like handing the criminal the key to the vault. And the fact is that 83% of North American businesses conduct manual reviews of transactions for fraud. On average, they review 29% of orders manually. That’s a lot of vulnerable surface area.
However good everyone’s intentions are, the fact is that during the holidays online retail information security is often overwhelmed by the myriad other priorities of the season. This is a time of year when most merchants are stretched to their limits. That includes the fraud department, which hires extra manual reviewers or outsources reviews. They have no choice – the regular team can’t handle the flood of orders during the busy season. Manual reviews are, by nature, not scalable.
What does that mean from the InfoSec perspective? New employees, who don’t fully understand the system and how it works, and don’t know the company well – people who will, therefore, be more vulnerable to a hacker’s attempts to trick them – now have full access to customer data. And the Javelin Financial Impact of Fraud study found that more than half of merchants admit that it’s difficult to find qualified fraud fighting staff.
More than that, even your regular employees are working flat out to try and meet their targets for moving orders through as quickly as possible so that customers aren’t disappointed. Inevitably, they’re less careful than usual and more likely to make mistakes. That means they’re more of a security risk. It can’t be helped. It’s not their fault. It’s just human.
For many years, there has been no alternative. But recent technological developments in the field of Artificial Intelligence mean that full automation is now an option. Manual reviews, and the risks attached to manual reviewers, are no longer necessary.
An automated system, returning instant, automated fraud decisions, is not subject to these vulnerabilities. Full automation lets you apply the principle of least privilege far more effectively. (This means that each user or service is granted only the privileges it needs to do its job.) With no manual reviewers requiring deep access privileges to investigate transactions, the principle of least privilege can do far more to protect your business. Automation leads to increased security.
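To make the ‘need to know’ limit discussed earlier and the least-privilege point above concrete, here is an added example (not code from this white paper or from any vendor product) showing how access to order data can be enforced per field and per role, and how the number of accounts able to read raw PII changes when an automated decision path replaces a pool of seasonal manual reviewers. The role names, field names, sample order and staffing lists are all assumptions constructed for illustration.

```python
"""Field-level least privilege for fraud-review data.

Added example, not code from the white paper or any product it describes.
Role names, field names, the sample order and the staffing lists below are
assumptions made up for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional

# Constructed sample order; every value is fictional.
ORDER: Dict[str, object] = {
    "order_id": "A1001",
    "amount": 349.00,
    "currency": "USD",
    "email": "alice@example.com",
    "billing_name": "Alice Example",
    "billing_address": "12 Sample St, Springfield",
    "card_bin": "411111",
    "card_last4": "4242",
    "ip": "203.0.113.7",
    "device_id": "dev-88f2",
    "velocity_1h": 3,     # derived signal: orders from this device in the last hour
    "risk_score": 0.91,   # model output, computed upstream from the raw fields
}

# Fields that identify a person; these are what a compromised reviewer
# workstation would leak.
PII_FIELDS: FrozenSet[str] = frozenset(
    {"email", "billing_name", "billing_address", "card_bin", "card_last4", "ip"}
)

# Role -> fields the role may read. Anything not listed is denied (default deny).
ROLE_FIELDS: Dict[str, FrozenSet[str]] = {
    # A human investigating a case needs the full record.
    "manual_reviewer": frozenset(ORDER),
    # The automated decision service consumes derived signals only, so a
    # compromise of that service exposes no raw identity data.
    "decision_service": frozenset(
        {"order_id", "amount", "currency", "device_id", "velocity_1h", "risk_score"}
    ),
    # Support only needs to confirm that an order exists and what it cost.
    "support_agent": frozenset({"order_id", "amount", "currency"}),
}


def view_for_role(order: Dict[str, object], role: str) -> Dict[str, object]:
    """Return only the fields `role` may read; an unknown role gets nothing."""
    allowed = ROLE_FIELDS.get(role, frozenset())
    return {k: v for k, v in order.items() if k in allowed}


def pii_readable_by(role: str) -> FrozenSet[str]:
    """PII fields a role can read, i.e. what one compromised account of that role leaks."""
    return frozenset(view_for_role(ORDER, role)) & PII_FIELDS


@dataclass(frozen=True)
class Principal:
    name: str
    role: str
    expires: Optional[date] = None  # seasonal accounts carry an expiry date


def pii_blast_radius(principals: List[Principal], today: date) -> List[str]:
    """Names of active principals whose role can read raw PII.

    Expired seasonal accounts are excluded; an account that is never
    deprovisioned keeps widening this list long after the season ends.
    """
    return [
        p.name
        for p in principals
        if (p.expires is None or p.expires >= today) and pii_readable_by(p.role)
    ]


# Two constructed staffing models for the same order volume.
MANUAL_TEAM = [
    Principal("reviewer-1", "manual_reviewer"),
    Principal("reviewer-2", "manual_reviewer"),
    Principal("temp-1", "manual_reviewer", expires=date(2016, 12, 31)),
    Principal("temp-2", "manual_reviewer", expires=date(2016, 12, 31)),
    Principal("support-1", "support_agent"),
]
AUTOMATED_TEAM = [
    Principal("decision-svc", "decision_service"),
    Principal("support-1", "support_agent"),
]
IN_SEASON = date(2016, 11, 25)   # peak holiday trading (assumed dates)
OFF_SEASON = date(2017, 1, 15)   # after the seasonal accounts have expired

if __name__ == "__main__":
    print("decision service sees:", sorted(view_for_role(ORDER, "decision_service")))
    print("PII reachable via decision service:", sorted(pii_readable_by("decision_service")))
    print("manual model, peak season:", pii_blast_radius(MANUAL_TEAM, IN_SEASON))
    print("manual model, after expiry:", pii_blast_radius(MANUAL_TEAM, OFF_SEASON))
    print("automated model:", pii_blast_radius(AUTOMATED_TEAM, IN_SEASON))
```

The design point is that the decision service’s view contains no PII at all, so the ‘vault key’ the white paper warns about never exists on that path; with manual review, every reviewer account, including each seasonal temp, necessarily holds it. The expiry check is there because seasonal accounts that are never deprovisioned are the commonest way the blast radius quietly grows after the holidays.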