Fraud and cybersecurity carry different weight on the corporate agenda. With the latter a hot topic with the media, enterprises and consumers, there is a strong business case for security teams seeking budget to bolster internal defences or service offerings.
“Historically, it has proved difficult to sell new security programmes internally,” says Carlos Olea, responsible for security at Telefónica Global Solutions. “In the last four years, however, it has become much less difficult because of security concerns arising around new technologies, media coverage of high-profile breaches and direct requests from customers. Taken together, there are big numbers involved.”
Fraud, however, has tended to fly under the risk radar. Pursuing fraudsters through the law courts is costly, with little chance of restitution for the claimant, while complex interconnect agreements present difficulty in establishing liability and bilateral contracts prevent carriers withholding payment. But with fraudulent activity on a sustained upward trajectory and carrier margins heading the other way, the scales are tipping.
“Every Euro we cannot collect we are eating up on an EBITDA level, and you have to report it because it’s part of your revenue,” states Stefan Amon, director of wholesale, Telekom Austria. “This brings me to the question of whether or not the impact of fraud is visible at the board level, and I would say that in the past, perhaps not. However, it is an upcoming topic that CXOs have to address, especially CFOs, because they are looking at the profit and loss in more detail.”
Big-ticket items
Fraud losses as a percentage of global telecom revenues were estimated at 2.09% in 2013 by the Communications Fraud Control Association (CFCA), putting fraud losses in the global communications industry at $46.3 billion in 2013, up 15% from 2011.
Although Amon was unable to provide an exact figure, he did confirm that Telekom Austria has seen a sustained increase in fraud on its networks and that it is growing at a faster rate than in previous years.
“The challenge is the many different fraud areas telcos have in their retail business – from PBX hacking and SIM boxes on the voice side, to online fraud and VAS on the data side,” he said. “CFOs must consult with other areas of the business and with CEOs, because they are seeing a portion of their total EBITDA being lost to crime.”
A further challenge is that board members look at big-ticket items. At Telekom Austria for example, the poor macro and micro-economic conditions in the central European countries where it has operations impact directly on the “share of the wallet” of its subscribers.
“Our core responsibility is to grow Telekom Austria Group,” Amon continues. “We have been looking at innovation, how to develop our markets, and how to manage crises in different markets. But where issues like fraud and security reach a certain level on the EBITDA line, then these topics do get attention and are a focus right now for our CFO, together with our treasury team.”
Security blind spots
Unlike fraud, security is inherently a big-ticket item. Telecoms networks form part of critical infrastructure, making them an attractive target for cyberattacks. Yet even with security, blind spots exist at an organisational level. PwC polled 456 telecoms executives as part of its Global State of Information Security Survey 2014 to measure and interpret how they combat cyber-threats. It found that while the number of cyberattacks detected against critical infrastructure had risen 25%, telecoms executives detected 17% fewer security incidents compared with 2012. Respondents also reported a decrease in the financial costs attributed to security incidents.
Moreover, PwC’s survey found that downtime of networks, applications, and services had jumped to an average of 21 hours, up from 15 hours in 2012, with exploitation of networks the most commonly cited impact of security incidents, followed by compromise of data. According to PwC, the average cost of a large organisations’ worst breach is between $1 million and $1.9 million.
Shawn Henry, CSO at security firm CrowdStrike, argues that the executive level is indeed where “blind spots” can exist, and that this is the case irrespective of industry or sector.
“This is a broad statement, but there are some people whose outlook is six months down the road,” Henry says. “I have come across CTOs who have said they don’t want to know, because if they know with certainty there is a problem, then they have an obligation to report it. With the board however, you get a different perspective, because they are all held accountable, are looking further out and are more willing to implement strategies and polices. So these issues must get into the board of directors.”
Organisational boxes
For Henry – formerly an executive assistant director of the FBI’s Criminal, Cyber, Response and Services Branch – obtaining the intelligence necessary to provide full visibility and obtain board buy-in is where the hunt begins.
“There are teams within the carriers responsible solely for identifying activity by an adversary,” he explains. “In collecting that intelligence, they can put together a profile of who’s there in the network. If you were to go to a major company and tell the CEO that there are 10 computers on the network with a virus on them, the CEO would say just go ahead and fix them. But if you could go to that CEO and say there are 10 computers with a virus and that you have attributed that virus to a group that is selling your intel to a foreign government, that is a story the board will definitely want to hear.”
Although Henry is seeing more collaboration at executive level to gather this intel, he believes that the CSO should be responsible for all forms of security (including fraud) and that the CISO should report to the CSO so that all security (physical and IT) reports through one chain of command. “Moving the boxes on the organisational chart will give the C-suite much greater visibility and encourage closer co-ordination of activities.”
It is also vital to appoint the right type of CSO. Often this is someone from a law-enforcement background, but Henry also stresses the importance of understanding business risk and having a global contacts book. When it comes to security, he sees a compelling business case.
“At the end of the day, the objective of the company is to have money in the bank. That is achieved by generating revenues through sales and by protecting what you have. I would argue that the latter is worth more, because you have already made the investment to generate the sales,” he says.
Putting a number to the risk
Executives must also be able to measure risk. Telefónica for example, employs a risk-sizing methodology to follow measurable indicators and objective costs, as well as two corporate tools, Sungard and Pilar (funded by the Spanish National Security Agency) to manage risk and support ISO 27001. It also uses tools to collect indicators and manage the daily activities of each department.
“If you cannot measure the risk or put a number to it – whether in terms of a direct financial cost to the business, cost in terms of damage to the brand or reputation, or in terms of lost customers – then it is hard to sell a new security or fraud initiative to the board,” says Telefónica’s Olea.
However, when evaluating less tangible concepts such as reputation, social responsibility and market credibility, the process is “open to discussion”. In such cases, Olea recommends using real-life examples from the past to support the numbers.
The biggest challenge, he says, is how to meet the requirements of regulators and PTTs globally, while working within the confines of the need to reduce cost, reduced margins and delivering the same quality and more security.
“The quality of a service is good, but that is what people expect,” Olea suggests. “Security, however, is what customers want to know about, and this question is coming into RFPs. So where we are looking to meet customer requests and when money is coming in, the business case is clear. Internal security, however, is only a cost. Of course, it is also a risk. So the key question is whether you are able to put a number to that risk.”
Appetite for risk
According to Ian Smith, CEO at the Telecommunications UK Fraud Forum (TUFF), establishing the risk model entails looking at where threats exist and what they may be, given the nature of the market, and how the organisation in question needs to act to counter them. Or indeed, what attitude to risk and the cost of mitigating that risk it adopts.
“Using an analogy from my consulting days, say we run a sweet shop near a school,” Smith says. “One of the risks is that kids pinch sweets from the counter. So the question here is how much are our profit margins and how much can we take a hit? So the penny sweets are kept on the counter and the high-value items are kept out of the reach of sticky hands. Here we are doing a risk assessment and we are doing a mitigation strategy. But part of that strategy is also that if we can’t catch the perpetrators (we might remember their faces and bar them), what are the acceptable losses?”
That, says Smith, is part of the discussion for any company that has got shareholders external to the board. The size of the organisation, the nature of the shareholding/ownership and the nature of the stakeholder/shareholder base that looks in will also have a direct but variable impact on the models employed.
“Clearly, if someone has a 100% stake in the business, they will take a very different view than is taken across a very wide-based corporate, where there are many different high-level strategic departments and also many lower-level tactical departments and silos within,” Smith explains. “So it is a question of how you communicate fraud prevention, security and implementation up the lines and across a wide-ranging body, as well as across the industry. That becomes a challenge and the board has got to look at that as well.”
A question of duty
For Smith, the starting point is the UK’s Companies Act 2006 – and specifically section 172: Scope and nature of general duties of directors: “Looking at section 172, it says ‘Duty to promote the success of the company’. I often use that as the discussion point, because ultimately that is the start (and one might argue also the end point) of what the role of board members is all about: to represent shareholders and deliver shareholder value. And that is what the law mandates them to do.”
However, going through the whole act, there are only about half a dozen hits on “fraud” or “fraudulent” in the whole act, while fraudulent trading is covered only in section 993. “So out of a document that runs to 1,300 sections, there is a great deal in there other than fraud to distil down and put forward about how you govern a company. And I think that in respect of that – especially when you are talking about large MNCs with multiple jurisdictions – any board has got a tough job ahead of it.”
As such, tackling fraud is not just about putting in barriers, but more importantly about timely intelligence-based information sharing. This is where TUFF is working closely with its members, industry partners, and central and local government to be more supportive in aiming to bring fraudsters to book. Smith also points to Action Fraud, the UK’s national reporting centre for fraud and internet, as an example of how consumers, industry, law enforcement and government can work together and deliver results. Collaboration is also key to addressing areas such as interconnects.
“Without legal backing from the regulator, should a carrier on one side withhold payment, this invariably results in sanctions, which both parties need to avoid – especially where carriers are reliant on counterparties for connectivity across the water. So in incidents where you face a problem, you have to look at a far more co-operative model in terms of how you deal with this,” Smith argues.
Joining the dots
Certainly, carriers are cognisant of the need for greater collaboration. “I think we have to be open from a high level of management, to act quickly in sharing new scenarios which happen on the market that we as operators can address together to help prevent this,” says Telekom Austria’s Amon. “Because the fraudsters are getting smarter and smarter every day, and I compare it with doping in sports, where the dopers are much further ahead than the people tasked with catching them.”
TUFF’s Smith agrees: “The fraudster is always on the front foot. It is like us doing the 100m, where we are 5m behind on the starting blocks to begin with. The other guy is a lot faster and you are constantly in that loop. What we do is pick up the crumbs left behind, from the crumbs we develop the knowledge – obviously there are blocking manoeuvres that we can do, and eventually look to catch them before they get to the finish line.”
Telefónica is also actively engaged with regulators and industry. “In Europe we are in discussion with the EU on data storage, and we are dealing with France Telecom, where their regulator needs to double network resilience between France and Spain,” says Olea. “This is a big barrier as we need to reduce margin to sell connectivity and services at lower cost, but the regulator is pushing us the other way.”
Data privacy is a further issue. Here, Telefónica is working closely with the European Network Information Security Agency (ENISA). “Regulation on the OTTs is completely different, because the OTTs are not ‘selling’ anything directly. However, they are collecting their user’s information. So in terms of privacy, I believe they need stronger regulation as they are playing with free data from their customers.”
Ultimately, TUFF’s Smith sees the challenges as being generic within industry.
“It’s about people, it’s about legislation, it’s about the processes you have in place, the communication and the attitude,” he says. “And it doesn’t matter where you are, that’s what you’ve got to deal with. Because the fraudsters are there, and they will always be ‘shopping’ for the best deals.”