© 2016 Black Swan Telecom Journal
Fraud threats in the circuit switched world of only 15 years ago were relatively tame. Phone hackers stealing voice minutes were a minor annoyance. The biggest threat was probably on the credit side: a seemingly promising startup business racking up 30 to 60 days of long distance minute charges then skipping town before paying the bill.
But those sleepy days of “small town” fraud are gone forever. Today, the fraudsters have long since packed their smartphones, routers, and fake IDs for the Big City.
Threats are exploding, in part, because today’s communications world is a candy store for the fraudster — so many mouth-watering opportunities to steal a fortune: errant SIM cards, on-line banking accounts, mobile banking, and hacking into a VPN when an employee logs on at Starbucks.
The new threat gateways are so numerous that we can no longer afford to develop technical solutions for every threat. And understanding where to focus a telco’s fraud and security energies and resources is no easy task.
Making the right choices requires a broader intelligence: an understanding of fraud and security infrastructure such as traffic usage data, IP intrusion appliances, and physical barriers, but also real-life experience in fighting criminals and devising strategies to anticipate their next moves.
Mark Johnson, chairman of The Risk Management Group (TRMG), is a guy who cuts across these very different knowledge domains, and in this exclusive Black Swan interview he gives us a preview of the insights he delivers in the consulting and training services he brings to worldwide clients.
Dan Baker: Mark, I understand you came into the telecom risk business from a non-traditional path?
Mark Johnson: Dan, my entry into fraud and security didn’t come from the technical side at all. I was originally an intelligence officer in drug enforcement with my first assignment being on the island of Jamaica. It was at that time I realized how key the intelligence activity is to crime fighting of all types. And intelligence is really about collecting data and looking for patterns. It could be the pattern of enemy patrolling, or the pattern of vessel movement, or the pattern of containerized cargo movement, or the pattern of phone calls, or the pattern of data packages coming in through the firewalls. The basic concepts are essentially the same.
You can take those principles and apply them across the board to all facets of security and fraud.
Dan Baker: One of the things that struck me when I finished TRI’s latest research study was that the subjects of insider fraud, revenue assurance, and cyber security are very related, but you would never know that by looking at the sales literature of the vendor companies.
Revenue assurance and fraud vendors rarely pay any attention to cyber security, and I don’t think they fully recognize just how far convergence is going to push things -- how hard it’s going to be to make a distinction between different types of security incident. We need to get beyond the silos and look at the total picture.
A good example: many fraud cases involve changes to rules or activating accounts on a platform somewhere. So the revenue assurance guy will reconcile and find 5.3 million people activated on the HLR, when the billing system says there should only be 5.25 million. But what’s often never explored are the platform security and cyber security issues that may be the root causes of those particular issues. They often just focus on the revenue leakage and the reconciliation rather than the true root cause.
Likewise, the cyber security guys focus on authentication, access rights, and data classification, but don’t seem to address the question: what are the revenue assurance implications of these cyber breaches? So a stronger business case needs to be built to understand the end-to-end issues, root causes, and costs. And I think they are really missing a trick there.
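The HLR-versus-billing reconciliation Mark describes, carried one step past the leakage count toward the root-cause question he says is usually skipped. This is an added example written for this page, not TRMG's or any vendor's code; the record layouts, the IMSIs and the "provisioned_by" field (standing for the operator account or channel that activated the subscriber) are constructed assumptions.

```python
from collections import Counter

# Constructed sample data (not from the interview): HLR provisioning records
# and billing-system accounts, each keyed by IMSI. "provisioned_by" is an
# assumed field naming the account or batch job that activated the subscriber;
# it is what lets the reconciliation say something about access control.
HLR_RECORDS = [
    {"imsi": "001010000000001", "status": "active", "provisioned_by": "crm-batch"},
    {"imsi": "001010000000002", "status": "active", "provisioned_by": "crm-batch"},
    {"imsi": "001010000000003", "status": "active", "provisioned_by": "ops-user-17"},
    {"imsi": "001010000000004", "status": "active", "provisioned_by": "ops-user-17"},
    {"imsi": "001010000000005", "status": "suspended", "provisioned_by": "crm-batch"},
    {"imsi": "001010000000006", "status": "active", "provisioned_by": "crm-batch"},
]

BILLING_ACCOUNTS = [
    {"imsi": "001010000000001", "plan": "postpaid"},
    {"imsi": "001010000000002", "plan": "postpaid"},
    {"imsi": "001010000000005", "plan": "prepaid"},
    {"imsi": "001010000000007", "plan": "postpaid"},
]


def reconcile(hlr_records, billing_accounts):
    """Compare active HLR subscribers with billed accounts.

    unbilled_active    - active on the HLR but unknown to billing: revenue
                         leakage, and possibly an unauthorized activation
    billed_inactive    - billed but not active on the HLR: customer impact
                         and refund exposure
    unbilled_by_source - unbilled activations per provisioning source, the
                         first question to ask about platform access rights
    """
    active = {r["imsi"]: r for r in hlr_records if r["status"] == "active"}
    billed = {b["imsi"] for b in billing_accounts}

    unbilled_active = sorted(set(active) - billed)
    billed_inactive = sorted(billed - set(active))
    unbilled_by_source = Counter(active[i]["provisioned_by"] for i in unbilled_active)
    return {
        "hlr_active_count": len(active),
        "billing_count": len(billed),
        "unbilled_active": unbilled_active,
        "billed_inactive": billed_inactive,
        "unbilled_by_source": dict(unbilled_by_source),
    }


def concentration_ratio(unbilled_by_source):
    """Share of unbilled activations attributable to the single largest source.

    Near 1.0 means the leakage is concentrated in one provisioning account or
    channel, which is a security finding rather than a billing one.
    """
    total = sum(unbilled_by_source.values())
    if total == 0:
        return 0.0
    return max(unbilled_by_source.values()) / total


if __name__ == "__main__":
    result = reconcile(HLR_RECORDS, BILLING_ACCOUNTS)
    print(f"HLR active: {result['hlr_active_count']}, billed: {result['billing_count']}")
    print("Active but unbilled:", result["unbilled_active"])
    print("Billed but not active:", result["billed_inactive"])
    print("Unbilled by provisioning source:", result["unbilled_by_source"])
    ratio = concentration_ratio(result["unbilled_by_source"])
    print(f"Concentration in largest source: {ratio:.2f}")
```

The headline numbers (five active on the HLR, four billed) are what a revenue assurance team usually stops at; the per-source breakdown is the cheap extra step that turns "leakage" into "who or what is activating subscribers outside the billing flow", which is where the cyber security team needs to pick it up.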
Dan Baker: The only company I can think of that made the leap from usage analysis to cyber security is the mediation vendor Narus, who had Japan’s KDDI as a mediation customer. Narus was ultimately acquired by Boeing Information Systems.
Yes, unfortunately, people want to remain in their comfort zones, and they fear, once you start using acronyms that they are not familiar with, that it sounds like too much hard work or it’s not “core business” for them, so they avoid it.
Dan Baker: I suppose one indicator that things are converging is that assurance professionals increasingly struggle with industry terminology. Now with the “Risk Management” term in your organization’s name, I’m curious what you mean by the term “risk management”. Is it the traditional corporate use of the term that looks at issues like: what business are we in? and where should we go next? Or conversely, are you referring to more systems-, IT- and threat-oriented kinds of risk management?
I find the best term to clarify things is “revenue risk management”. If you lose a dollar through fraud or through revenue leakage, and you are making a 20% profit, it costs you 4 dollars to make that one dollar. But if you can lock down the fraud and revenue leakage, you are making a direct contribution to the bottom line, which means cutting the level of investment required. That’s a very tangible financial benefit, but I find that argument is very often not articulated well by the fraud and revenue assurance team because they haven’t got the confidence to express it, but it is very real. Revenue risks are strategic business risks if they occur frequently and involve big numbers.
Dan Baker: Mark, when you consult with or provide training to clients, what are some of the things you focus on at the outset?
The most important starting point is always an assessment of how risks and controls map against each other — where are the main gaps today. Personally, I usually end up talking to my clients about the future of risk, which is really where I like to be personally, as opposed to dealing with today’s risks. After I understand the big picture and provide visioning inputs, my team comes in to cover current operational fraud and revenue assurance topics. I am happiest working in the blue sky area, because that’s more exciting.
Another one of the first things we look at is how risks are going to map onto a client’s business model. So, for example, if the business model is evolving towards more data and less voice traffic, then controlling monthly or fixed payments for data services, or looking at new charging options in the pipeline, will become more important than examining current transaction-based charging accuracy. A changing business model implies that your risks are going to take on a different form very soon.
A key point I make to them is that 50% of risk management is about user awareness — having an aware group of users, both employees and customers. If you have that, a lot of your problems are going to be dealt with very early on. But here’s the challenge: as the number of users on the network of networks — all the networks combined — grows, the mean level of education, competence, and awareness of those users falls.
I also use a diagram that illustrates the observation that as the number of different devices and users grows and as the number of vulnerabilities grows because the service mix gets more complex, the overall risk is sure to rise overall. It really is primarily a function of the lack of the awareness and lack of education multiplied by the rising number of unaware consumers and employees.
So risk is very much a part of our future and we have to understand it and how it’s evolving. If we don’t do that, we’re wasting our time.
Dan Baker: You’ve been involved with many of the fraud software vendors over the years. How would you characterize the kind of solutions being offered today versus those in the past?
The biggest shift, I think, has been away from the sort of subscriber-centric, CDR-centric view which is great if you’re looking for a guy in a phone booth. Today the picture has moved far more towards enterprise-level fraud -- somebody setting up a bypass operation or international revenue share — plus all the data challenges. So, while you still need to keep a lid on the older cases, the general trend is towards more sophisticated cases where the fraudster looks more like a professional businessman than a teen hacker.
As everything moves to IP and IP is accessible to everybody, you can set up a fraud operation in a garage with fairly cheap, high-tech equipment. That’s what I envision for the future and so the vendors have to move in that direction as well. It’s away from CDR-based analysis of individual records towards much more of a trending, profiling and macro-level statistical analysis approach.
Dan Baker: A big issue in fraud solutions today is in-house vs. a service bureau or managed services solution. The service bureaus argue you can lower costs and leverage off-premises expertise while the in-house champions figure it’s better to build and maintain an in-house expertise in fraud. Now an operator can certainly straddle both worlds, but what’s your take on this issue?
That’s a difficult question. And it kind of runs parallel to the whole discussion around cloud and security in the cloud. Regulation is an important consideration as well. If you go with a service bureau, then questions come up about protecting sensitive, personalized data. You also need to ensure the service bureau is going to be effective in fraud control and that may be a challenge where different cultures are involved — just look at the consumer push back against call centres that has been going on for a while now. So, there are many facets to this question.
I think both options are valid however. I don’t think that there’s any one-size-fits-all solution in this market. There will be operators who don’t have the headcount or the budget to run a proper fraud team, but they still recognize their risks and they will opt to outsource. And they will do that in a way that makes them compliant with local law. On the other hand, there are other operators who have the budget and see internal fraud expertise as part of their operating model, so they will want to maintain and keep an in-house team.
Dan Baker: What about insider fraud? Do you feel that threat has increased?
The insider as a risk has always been predominant, though not always recognized as such. Even in the retail market, in the pre-cyber days, it was a big threat. I remember at the conferences I attended in the 1980s when experts were saying that 70% to 80% of all losses stemmed from insider activity. I don’t know what the percentage is today, but I suspect it hasn’t changed dramatically.
And this isn’t all malicious-insider activity either. Much of it has to do with neglect, ignorance, a lack of appropriate training, or awareness. So, there is a sort of 50/50 split between an insider deliberately stealing something and someone just facilitating theft through sheer ignorance or disinterest. But as we get more and more technical and everything moves to a platform somewhere — almost every aspect of life these days is controlled by an electronic system somewhere — the opportunity for the people who control or have access to management systems to do bad things will continue to increase. And because there are more and more boxes, it all becomes more and more complex and thus more risky — it’s Murphy’s Law writ large.
But on the other side of the coin, we have to consider the democratization of access and control — the whole Web 2.0 idea of managing customers and giving them access rights. Any way you look at it, lots of power is in the hands of users right now, inside and outside the business.
Dan Baker: Right, the Bring Your Own Device or BYOD issue. In many cases, I understand the iPhone is being brought into a company and it isn’t necessarily supported by the IT department or overseen.
People have traditionally viewed security as a series of layers like an onion. And you can imagine you’ve got your assets in the center, and then around that you have many concentric rings of defense. Some of those will be virtual, others will be things like awareness. Still others will be physical fences and gates; and some will be electronic barriers. But you’ve got these rings of defense around the main assets and the whole psychology behind the onion analogy is that you perceive the threats as being external and the assets as being internal.
That’s the traditional view and many people still have that view — a good example of that is the firewall or intrusion detection system, or antivirus software. But now there’s a shift where we have the Cloud or Web 2.0, social media, outsourcing and so forth, which means the assets are no longer always internal — many of the key ones are external. On the other hand the threats themselves are not solely external: many of them are internal, which could be as simple as an employee leaking something through Twitter -- or malicious activity.
So the whole idea of likening security to an onion has been turned inside out. Yes, we still have the traditional threats from external sources, but the threats are bi-directional now instead of being in a single direction as was previously conceived; assets are internal AND external, while the threats are external, AND internal. It’s a 360 degree, real time picture viewed through 4D glasses!
Dan Baker: I think a botnet is a good example of that. It penetrates a company and starts gathering intelligence, then starts feeding the information to outside people.
Yes, and you can include in that list: worms like STUXNET and FLAME — all those sorts of things. I read that the STUXNET worm was possibly inserted into the Iranian nuclear facility by people who left USB sticks lying around that employees innocently used for storage. That’s how one commentator thought the infection spread.
In another interesting case, a GSM operator had a trial which involved putting GSM SIM cards into traffic lights for remote management purposes. The SIM cards were not locked down and when hundreds of them were stolen, the fraudsters were able to make thousands and thousands of free calls, costing the operator a fairly significant amount of money.
So, that is a good example of how there really is a disconnect between the technology guys and the fraud/risk guys. One meeting would have revealed that risk and sorted the problem out. In other words, in this complex world you can easily lose a few million dollars overnight through a failure to have a 30-minute discussion between risk control and the product development teams.
And in our training courses, we have dozens of examples of fraud, and many of them can be traced to this lack of internal communication and follow up. But while cross-departmental communication is key, assurance people must learn to communicate up the executive chain as well. And if you can go to a telecom CEO and show him how he can increase his shareholder value or his market cap by merely one percentage point, that’s a huge strategic benefit that he is likely to become very, very focused on. Unfortunately, the fraud and revenue assurance teams -- and the vendors, too -- have struggled to get that message across.
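The traffic-light SIM case above is a profile problem: a SIM provisioned for one narrow purpose is being used for something else. This added example (not from the interview, TRMG or any operator) shows the kind of check a 30-minute conversation between product development and fraud control would have produced, and also illustrates the earlier point about moving from individual CDR rules to a fleet-level view. The profile fields, the IMSIs and the CDR records are constructed assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Service profiles a provisioning team could declare per SIM class. The field
# names are assumptions for this example, not a real operator schema.
PROFILES = {
    "m2m-traffic-light": {
        "allowed_services": {"data"},
        "max_daily_data_mb": 5.0,
        "allowed_destinations": {"home"},
    },
    "consumer-postpaid": {
        "allowed_services": {"voice", "sms", "data"},
        "max_daily_data_mb": 2000.0,
        "allowed_destinations": {"home", "international"},
    },
}

# Constructed SIM inventory: IMSI -> declared profile.
SIM_INVENTORY = {
    "001010000000101": "m2m-traffic-light",
    "001010000000102": "m2m-traffic-light",
    "001010000000103": "m2m-traffic-light",
    "001010000000201": "consumer-postpaid",
}


@dataclass
class CDR:
    imsi: str
    day: str           # YYYY-MM-DD
    service: str       # "voice" | "sms" | "data"
    destination: str   # "home" | "international"
    volume: float      # minutes for voice, count for sms, MB for data


# Constructed CDRs. SIM ...102 behaves as a traffic light should; ...101 and
# ...103 show the pattern from the interview, a data-only SIM making calls.
CDRS = [
    CDR("001010000000101", "2012-03-01", "data", "home", 1.2),
    CDR("001010000000101", "2012-03-02", "voice", "international", 180.0),
    CDR("001010000000101", "2012-03-02", "voice", "international", 240.0),
    CDR("001010000000102", "2012-03-01", "data", "home", 0.9),
    CDR("001010000000102", "2012-03-02", "data", "home", 1.1),
    CDR("001010000000103", "2012-03-02", "voice", "home", 35.0),
    CDR("001010000000103", "2012-03-02", "data", "home", 9.0),
    CDR("001010000000201", "2012-03-02", "voice", "international", 12.0),
]


def check_profiles(cdrs, inventory, profiles):
    """Return sorted, de-duplicated (imsi, day, reason) tuples for usage
    outside the SIM's declared profile.

    Service and destination are checked per record; the data cap is checked
    after summing the day, so many small sessions that together exceed it
    are flagged too.
    """
    alerts = set()
    daily_data = defaultdict(float)  # (imsi, day) -> MB
    for c in cdrs:
        profile = profiles[inventory[c.imsi]]
        if c.service not in profile["allowed_services"]:
            alerts.add((c.imsi, c.day, f"service {c.service} not in profile"))
        if c.destination not in profile["allowed_destinations"]:
            alerts.add((c.imsi, c.day, f"destination {c.destination} not in profile"))
        if c.service == "data":
            daily_data[(c.imsi, c.day)] += c.volume
    for (imsi, day), mb in daily_data.items():
        cap = profiles[inventory[imsi]]["max_daily_data_mb"]
        if mb > cap:
            alerts.add((imsi, day, f"data {mb:.1f} MB exceeds cap {cap:.1f} MB"))
    return sorted(alerts)


def fleet_exposure(alerts, inventory, profile_name):
    """Macro view: fraction of SIMs in a profile class with at least one alert.

    A sudden jump in this ratio for a class says "a batch went missing or was
    misprovisioned", which per-CDR rules on their own never state.
    """
    fleet = {imsi for imsi, p in inventory.items() if p == profile_name}
    if not fleet:
        return 0.0
    flagged = {imsi for imsi, _, _ in alerts if imsi in fleet}
    return len(flagged) / len(fleet)


if __name__ == "__main__":
    found = check_profiles(CDRS, SIM_INVENTORY, PROFILES)
    for imsi, day, reason in found:
        print(f"{day} {imsi}: {reason}")
    print(f"m2m-traffic-light fleet exposure: "
          f"{fleet_exposure(found, SIM_INVENTORY, 'm2m-traffic-light'):.2f}")
```

The per-record rules are what a fraud system would have written for "a guy in a phone booth"; the exposure ratio is the trending view Mark argues vendors need to move toward, and it is also the number that makes the product team's decision not to lock the SIMs down visible as a cost.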
Copyright 2012 Black Swan Telecom Journal