With that, we see an increase in fraud online. Why? Simple: as Willie Sutton (bank robber) said when asked why he robbed banks, “Because that is where the money is.” Online fraud is a higher-volume, lower-cost, and lower-risk alternative to physically robbing a bank.
What does that mean for Governance, Risk Management and Compliance (GRC), fraud, and cyber professionals? Also simple: closer integration and greater learning amongst ourselves. Organizations have listed the following benefits.
- Faster threat detection
- More coordinated response
- Increased digital hygiene, making use of people, process, technical and organizational defenses
- Improved financial loss prevention
- Increased Trust and Compliance.
Cyber professionals are deeply rooted in the digital world, while fraud professionals understand the motivations, techniques, and procedures for handling fraud. Risk professionals, on the other hand, are adept at managing fraud across the enterprise and determining the organization’s appetite. By learning from each other and leveraging each other’s expertise, we unite in our shared mission to protect our organizations and go further together.
The shape of things to come
It is a landscape where cyber and fraud professionals work hand in hand, leveraging each other’s strengths to combat digital threats. This future is not a distant one, but a reality we can create through collaboration and integration.
Fraud is increasingly relying on cyber for prevention and detection. Cyber can learn from fraud, which traditionally places greater emphasis on the human aspect, including social engineering, evidence collection, and preservation. The role of social engineering in cyberattacks continues to rise. Some reports say it is 60% while others say it is 98%[1][2]. Regardless of the numbers, social engineering is a significant factor in cyber incidents.
Barriers.
Having been through this a few times, I see the top three barriers:
Organization Silos. Some organizations are forming Cyber and Fraud Fusion Centers to break down silos. While the world continues to become increasingly more matrixed, silos still form. That will not change any time soon. It is organizational dynamics and human nature at work. To break down those barriers, senior leadership must consciously work to foster and reward the dynamics that enable collaboration across the silos. Common management chains go a long way. Individual staff members must also do the same. The barriers between silos only begin to dissolve when everyone makes it a deliberate act, to the point it becomes second nature, much like the couch in your family room. You expect it to be there.
Mental Sets. People are attracted to certain professions because of their natural inclinations and personal interests. The practices of those disciplines then reinforce those natural tendencies. Cyber professionals become good at protecting, detecting, and responding to cyber threats and incidents. Fraud professionals become skilled at preventing, detecting, and prosecuting fraud. By cross-training and forming integrated teams, we expand our horizons.
Legal and Regulatory Obligations. Both cyber and fraud are fundamentally about protecting the business, its customers, and stakeholders. A malicious actor’s drive towards economic gain is at the heart of both cyber and fraud. The source of the obligations and the mechanics are different. Both have obligations from legislation, regulation, and agreements, but rarely are they the same. Most cyber professionals have probably never heard of the Bank Secrecy Act (BSA), the Financial Crimes Enforcement Network (FinCEN), or the Consumer Financial Protection Bureau (CFPB). Fraud professionals likely lack insight into the roles of the National Institute of Standards and Technology (NIST), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA). Fraud professionals may have heard terms like Advanced Persistent Threats (APT) and vulnerabilities, but do they truly understand their significance? Cyber professionals probably think of “Smurfing” as something to do with small, blue creatures.
Quick Wins / Obvious Places to Start
Cross Training. Educating each discipline on the workings of the other is table stakes. When the US and the Soviet Union began running joint space missions, they learned each other’s language. Not to become native speakers, but so they could communicate.
Shared analytics. Integrated analytics enables different skills to view the same data through a different lens, generating new insights and a more comprehensive view faster. Shared analytics also avoids the traditional problem of requiring teams to reconcile the data before acting, thereby fostering a faster and more thorough response.
Incident Response (IR). Fraud professionals have it drilled into their heads from day one to build the case by collecting evidence and preserving the chain of custody for that evidence. Cyber professionals are trained to get the enterprise back online, determine which control(s) failed, and remediate. I cannot tell you how many times I have worked on an incident where the cyber teams did not preserve the evidence, limiting next steps and the ability to prevent future occurrences. Having cyber and fraud teams participate in each other’s response goes a long way towards reducing the long-term impact on the business.
Social Engineering. Cyber incidents increasingly rely on social engineering. The widely publicized incidents at the casinos in 2024 are prime examples. Why? Probably because of our historical success in implementing technical controls. Our technical controls have become our strongest defense, forcing malicious actors to turn their attention to the people, process, and organization dimensions. Fraud teams have been dealing with social engineering attacks for decades. Fraud teams regularly modify processes and procedures and raise awareness to combat the threat. Segregation of Duties (SoD) is a prime example. Fraud teams do not have the same history with the digital world. Closer collaboration between the cyber and fraud teams presents a perfect opportunity for fraud teams to learn the digital world and for cyber teams to expand beyond technical controls.
Closing. Underlying both fraud and cyber are malicious actors pursuing financial gain. As the world becomes increasingly more digital and malicious actors increasingly use social engineering to achieve their aims, neither fraud nor cyber has all the expertise.
Together they have what is needed to protect, detect, recover and, most importantly, craft more comprehensive defenses spanning people, process, technology and organizational defenses. Each has strengths the other can leverage.