Top Tips for Business
Laptops are now a common business tool but give criminals an easy-to-steal, high-value target.
The physical theft of a valuable laptop is bad enough, but significant damage can also occur to your or your clients’ businesses with the loss of sensitive, commercial data either in the form of personal information, technological developments or industry “know-how”. Crucially, these losses are not generally insured under normal business insurance terms.
Here are some simple but effective “Dos” and “Don’ts” for the physical and data security of your laptop. These should form the backbone of your company’s IT policies and be instilled into employees at every opportunity.
Physical security
Do:
- Use a “Kensington” lock wherever possible (i.e. tying your laptop to a desk or other secure item of furniture).
- Put the shoulder strap of your laptop bag under the chair leg while in restaurants or bars to stop it being easily snatched.
- Try to conceal the laptop in a non-obvious bag (traditional laptop bags are easy targets).
- Use the hotel or room safe whenever you are not in your hotel room.
Don’t:
- Leave your laptop unattended in a public place.
- Leave your laptop on a desktop at lunch, while in a meeting or overnight.
- Put your laptop in “checked-in” baggage on aircraft.
- Leave your laptop or laptop bag on show in the car, even if you are in the car with it – window snatching is increasingly common.
- Leave your laptop in the car boot overnight or for extended periods of time.
Data security
Do:
- Maintain a data protection policy which all employees are aware of and comply with. This should clearly set out their responsibilities for safeguarding data.
- Integrate these policies into formal contracts of employment. This shows you’re serious about data security.
- Educate employees at every opportunity about the impact of data security.
- Confirm “what-to-do” procedures with your Data Protection Officer if relevant.
- Run regular backups of data to the network.
- Set up easy-to-use backup mechanisms for employees who work whilst travelling.
- Ensure all (sensitive) files are additionally password-protected.
- Use passwords which are unusual/unique with a combination of letters and numbers.
- Encrypt data wherever possible (ensure encryption is seamless, quick and centrally managed so that employees cannot circumvent it).
- Review terms with your insurer to ensure all risks are covered.
- Run regular, up-to-date virus-scanning software.
- Ask for clients’ and suppliers’ policies on data protection. A security breach could occur there too.
Don’t:
- Presume employees are following the IT policies to the letter. Have a 6-monthly ‘clean up’ regime where old data is backed up and then deleted.
- Let fellow commuters read your screen by looking over your shoulder. This work should be saved for a more secure environment.
- Allow employees to download files freely (this can be enforced with restricted access rights), to ensure no viruses or corrupt files are downloaded.
About the author
Martin Allen is the managing director of Pointsec, a supplier of information encryption and access control solutions for computing devices from desktop PCs to PDAs and smart phones. For more information, visit www.pointsec.com.
The Fraud Advisory Panel has estimated that up to £15 billion is being lost annually to the UK economy as a result of corporate fraud of varying kinds.
How can you help prevent fraud in your business or organisation?
Awareness is the key to a robust anti-fraud business culture. Make yourself and your colleagues aware of the following:
- A disturbingly high percentage (over 85% in fact) of fraud is committed by employees or former employees.
- The fastest growing fraud in the UK is Identity Fraud, i.e. the theft of an individual’s or company’s identity.
- The theft of intellectual property (such as the information contained on laptop computers) is just as damaging as the theft of physical property (e.g. the actual laptop itself).
Instigate the following practical steps to help prevent fraud:
- Put in place a corporate fraud awareness programme.
- Write and implement an anti-fraud policy and strategy document.
- Allocate sufficient resources, such as a ‘fighting fund’, to help combat fraud.
- Help educate your corporate personnel and any third parties and contractors with whom you do business about the threat of fraud.
- Make sure that you have in place holistic and robust pre-employment screening and vetting processes and that they are applied to all new members of staff.
- Carry out regular Security Risk and Threat Assessments in your business or organisation.
- Ensure that the physical security of your business premises is up to an appropriate standard.
- Ensure that there is a corporate ‘clear-desk’ policy applying to all staff and that sensitive material is locked away after use.
- Implement controls on the removal of intellectual property from the workplace (e.g. laptop computers and hard-copy files).
- Inform your staff of the consequences of engaging in fraud and that action will be taken against offenders.
This paper has been kindly prepared by Mike Bluestone MA MSyI FIISec, who is a member of the Fraud Advisory Panel’s Education, Events & Training Working Party.
Definition
Data mining is a process of analysing information to identify useful or unusual information, trends and patterns. The data traditionally comes from corporate databases but can also include information obtained from external sources and extracted from manual records.
Data mining as a fraud detection and investigation tool
One use of data mining is the analysis of corporate data to identify indicators (red flags) of fraud and risk. Research has shown that most frauds are discovered by accident, and data mining is one way that an organisation may protect itself by adopting a proactive approach to systematically reviewing all of its data. These techniques can be implemented quickly and easily and invariably reveal hitherto unknown relationships and unusual transactions. Data mining is an invaluable technique and should be considered a significant tool within the auditor’s or investigator’s armoury. However, positive results from a data mining test are not conclusive proof that fraud has been committed; they are a starting point for further investigation. Such results should only ever be considered as confirmation that the initial suspicions may have some substance and that it is prudent and sensible to continue with the investigation.
There are a number of basic rules that should be remembered, the first of which is:
there is no single magic bullet,
which means that there are many ways to perform data mining, with differing software tools and costs. These can vary from generally available spreadsheets, through specific audit software costing about £1,500, to enterprise-wide continuous monitoring solutions where the costs can run into hundreds of thousands of pounds.
The following top ten tips are based on many years of data mining and investigation experience:
1. Plan to use data mining. The most productive data mining tests will include personal information about employees and possibly clients or suppliers. Consequently, in the UK it will be subject to the Data Protection Act 1998. Review the company’s data protection registration on the Information Commissioner’s website. If there is no registration, submit one. Check employment contracts and ensure that the company has a Fraud Policy that mentions data mining as a fraud control technique.
2. You can use spreadsheets such as Excel to perform data mining tests, but remember that a single spreadsheet will only process 67,500 records; after that you will have to use several workbooks.
3. Beware: Excel automatically reformats data when using the auto-import feature. This means that text fields that start with a leading “0” will be treated as a numeric field and may become a numeric field with decimal places. For example, importing “0857241” becomes “857241.00”. There is a similar issue with the importation of date fields: the auto-import feature in Excel may reformat the dates. This may change the results, making them invalid or at least less meaningful.
4. Spreadsheets do not have any audit trails, and the information within a spreadsheet can be accidentally (or deliberately) altered. If data mining is going to be part of a civil or criminal investigation where the results may be used in a court of law, you would be better off using a more robust software tool which has been specifically designed for use by auditors, such as ACL or IDEA.
5. Not all data is held in an electronic format. Do not be put off by the lack of a recognised electronic or computerised database. Manual data such as time sheets or expense claims can still be incorporated as part of the data mining project. You just have to create a specific database to capture the manual data.
6. Whatever data mining technique is used, it will generate more results than were expected. These are known as “false positive results”. Excessive false positives can result from structuring the question too loosely and not being specific enough. Conversely, if the data mining query is too specific, a “false negative situation” may result. This is where valuable results are excluded because the query was too prescriptive.
7. Multinational organisations should recognise that even within the European Community different privacy laws exist that may prevent data being moved from one country to another for processing. Check out the situation before embarking on a data mining review.
8. Sometimes the most important information in a database is what has not been recorded. It is easier to falsify data by omission than to generate false information that could be checked. If some data is missing, it may be worth investigating why.
9. The worse the data, the poorer the controls. The poorer the controls, the greater the exposure to fraud and risk.
10. Data mining will reveal early indicators of fraud. Just like an iceberg, the real problem is below the “water line” and requires further investigation to reveal the full nature of the problem.
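Tips 3 and 4 above describe two defects an auditor wants to catch before any test is run: identifiers silently coerced to numbers (“0857241” becoming “857241.00”), dates re-read in the wrong day/month order, and the absence of any record that the extract is the one actually analysed. The following is an added example, not code from the paper or from any product it names; the extract, field names and the day/month/year assumption are constructed for illustration.

```python
import csv
import hashlib
import io
from datetime import datetime

# Constructed sample extract (not from the paper): employee numbers carry a leading
# zero and payment dates are written day/month/year, the two field types that tip 3
# says a spreadsheet auto-import silently reformats.
RAW_EXTRACT = """employee_no,payment_date,amount
0857241,03/04/2006,1250.00
0857242,25/05/2006,980.50
"""


def fingerprint(raw: str) -> str:
    # SHA-256 of the untouched extract, taken before any analysis and kept with the
    # working papers: a minimal audit trail of the kind tip 4 says a spreadsheet lacks.
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


def coercion_damage(raw: str, text_fields):
    # Simulate what an auto-import does to text that looks numeric and report every
    # identifier value that would no longer round-trip, e.g. "0857241" -> "857241.0".
    damage = {}
    for row in csv.DictReader(io.StringIO(raw)):
        for field in text_fields:
            original = row[field]
            try:
                coerced = str(float(original))
            except ValueError:
                continue  # not numeric-looking, so an auto-import leaves it alone
            if coerced != original:
                damage.setdefault(field, []).append((original, coerced))
    return damage


def ambiguous_dates(raw: str, field: str, fmt: str = "%d/%m/%Y"):
    # Parse dates with an explicit format rather than letting the import guess, and
    # flag the ones a guessing import could read the other way round (day and month
    # both <= 12 and different), so the analyst confirms the source convention first.
    flagged = []
    for row in csv.DictReader(io.StringIO(raw)):
        parsed = datetime.strptime(row[field], fmt).date()
        if parsed.day <= 12 and parsed.month <= 12 and parsed.day != parsed.month:
            flagged.append((row[field], parsed))
    return flagged


if __name__ == "__main__":
    print("extract sha256:", fingerprint(RAW_EXTRACT))
    print("coercion damage:", coercion_damage(RAW_EXTRACT, ["employee_no"]))
    print("ambiguous dates:", ambiguous_dates(RAW_EXTRACT, "payment_date"))
```

Run the two checks against the raw extract before loading it into any tool, and record the hash alongside the tests you applied.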
This paper has been kindly prepared by Richard Kusnierz who is a member of the Fraud Advisory Panel’s Education, Events & Training Working Party. He may be contacted via email at Richardkusnierz@idmfraud.com.