How to prepare for those inevitable security threats

The management of risk has been a crucial and complex undertaking for businesses globally. Its efficient and effective handling requires solid corporate governance. Every business must protect itself against the risk of potential interruption by fully assessing its vulnerabilities and deploying mitigating controls. One such risk is fraud.

The Report to the Nations 2020, submitted by the Association of Certified Fraud Examiners (ACFE), noted that data collected from more than 120 countries, and representing 23 major industry categories, resulted in over 2,504 real cases of occupational fraud.

A company’s approach to adverse events such as fraud is called contingency planning (CP). During this process, the interests of both the information technology and information security communities are aligned to prepare for, detect, react to and recover from events that threaten the security of information, resources and assets.

An incident is an adverse event that could result in a loss of information assets but does not threaten the viability of the entire company. The process a business uses to plan for, detect, react to, contain, eradicate and recover from such events is therefore, in effect, incident response management (IRM). For the avoidance of doubt, although IRM, disaster response management and business continuity management overlap in some respects, and are all major components of a business’s contingency planning, they are fundamentally different.

Building an enterprise-wide resilient business must include risk identification and assessment, risk controls and risk responses. I will address incident response management while underscoring its importance to business continuity or company resilience, then focus on the core steps involved in IRM and their direct link and importance to building a resilient security culture within a business.

IRM and its importance

Historically, the control-centred approach to incident management was considered the standard. However, the focus has recently shifted to recovery rather than prevention as the complexity and consistency of threats increase. By centring information security management on the moment at which a security event occurs, rather than on preventative control, management strategies can better address the balance between the two paradigms.

Having a robust incident response plan places a company in a position to respond efficiently and effectively to threats. Without a strong incident response plan, incidents can quickly escalate into disasters. Weaknesses in these plans, if exploited, increase reputational risk, meaning direct or indirect damage to a company’s goodwill.

Core steps of IRM

Investment in an incident response plan could prove critical in the likely event of fraudulent attacks, cyber attacks or a combination of both. Given the potentially huge financial and reputational risks, it is incumbent on the company to implement an IRM plan thoroughly. A basic fraud response plan should consist of the following:

Incident response methodology – There is a wide range of approaches that can be deployed or adapted. A widely used base framework for risk management is the National Institute of Standards and Technology (NIST) Incident Response Process.

Fraud incident response team – Depending on the company’s size, this team should include a legal resource (internal or external), human resources, an investigator and an audit committee representative.

Pre-incident plan – This step covers creating the teams and defining their roles; training staff on the plan’s details and their responsibilities; conducting fraud risk assessments; and documenting policies and procedures while ensuring they align with the regulatory environment.

Post-incident plan – The key focus of this phase is to properly identify the scope of the suspected fraud in order to define the investigations and interviews to be carried out. Seek expert advice if needed. Secure and preserve financial and non-financial information, and determine the next steps.

Post-incident remediation – Companies must complete a gap analysis of plan effectiveness, procedures and training with a view to closing gaps, improving the incident response plan, and maintaining fraud incident reporting that is aligned with internal policies and procedures as well as the external regulatory environment.

Bruce Schneier, an information security expert, once wrote: “Security is a combination of protection, detection and response.” Incidents of fraud cannot be stopped. However, a company’s preparation and response can be effectively managed through a robust risk response and fraud incident response plan.

NB: Derek Smith Jr is the compliance officer and money laundering reporting officer (MLRO) at Higgs & Johnson, a leading law firm in The Bahamas, and a former assistant vice-president, compliance and money laundering reporting officer, at an international private bank. His professional career started at a ‘Big Four’ accounting firm and has spanned over 20 years, including business risk management, compliance, internal audit, external audit and other accounting services. He is also a certified anti-money laundering specialist (CAMS) and certified risk and compliance management professional (CRCMP).