By Dan Morrison
Litigation partner at Mishcon de Reya
An attempt to steal £220m ($423m) from the London offices of the Japanese bank Sumitomo Mitsui by hacking into the bank's systems has been foiled by the police of several countries.
Dan Morrison, litigation partner at London law firm Mishcon de Reya and a specialist in fraud investigations and asset recovery, explains how companies can take steps to defend against this kind of attack.
Dan Morrison writes:
Over the last few months, fraud professionals have noticed an increasingly sophisticated use of technology both in the perpetration of frauds and also in attempts to conceal evidence of the fraud from any subsequent investigation.
The legal tools used to bring the fraudsters to justice and make recoveries from them remain largely the same whether the scam is a "traditional" paper-based fraud or a large-scale diversion of funds through electronic payment systems.
That said, there are clear differences of approach required in terms of deterring and preventing such frauds and identifying those responsible for them when they happen.
There are a number of straightforward steps you can take to dramatically improve your security and the efficacy of your response if the crooks do strike:
- Scrutinise carefully any prospective employee who will have high-level access to your IT and security systems: experience shows beyond doubt that the majority of these frauds are carried out by insiders, or at least with some level of inside help.
- Make sure you have in place a company policy permitting monitoring of emails and telephone calls in order to detect and prevent fraud. Provided such a policy has been adopted and reasonable steps have been taken to draw it to the attention of employees, the monitoring will not fall foul of the interception rules under the Regulation of Investigatory Powers Act. Intelligent monitoring in risk areas may provide advance warning of a planned fraud and, at the least, makes the insider's job more difficult.
- Ensure that your hardware and software are set up so that only those who truly need such rights can install new software on any part of your network. Also ensure that PCs do not have floppy, CD or DVD drives (whether read-only or read/write) unless there is a genuine business need for the user of a particular unit. By the same token, remove or disable unnecessary USB (or equivalent) ports, and thereby prevent the use of the portable data storage devices that are now readily and inexpensively available to the public.
- Sensitive areas within your premises (such as server rooms) can be monitored by CCTV. This will act as a deterrent to wrongful interference and if a dishonest employee does introduce unauthorised software to your system the CCTV records may assist in identifying the responsible individual.
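The hardware and software bullet above boils down to two controls a defender can check and enforce by script: who actually holds software-installation rights, and whether removable mass storage is disabled. The following is an added illustration for a Linux workstation, not code from the article or from Mishcon de Reya. It assumes that membership of the group named in INSTALL_GROUP (defaulting to "sudo") is what grants install rights, that the host uses modprobe configuration under a modprobe.d directory, and it uses a constructed group file and a scratch directory so it runs without touching the real system.

```shell
#!/bin/sh
# Added example (not from the article). Audits software-install rights from a
# group(5)-format file and checks/enforces a modprobe block on the usb-storage
# driver. INSTALL_GROUP is an assumption; set it to the group that grants
# install rights on your estate.

INSTALL_GROUP="${INSTALL_GROUP:-sudo}"

# Print the comma-separated member list of a group from a group(5)-format file.
# Usage: install_rights_holders /etc/group sudo
install_rights_holders() {
  awk -F: -v g="$2" '$1 == g { print $4 }' "$1"
}

# Succeed only if some .conf in the directory forces usb-storage to a no-op
# loader ("install usb-storage /bin/false"). A bare "blacklist" line merely
# stops automatic loading; an explicit modprobe would still succeed, so it is
# deliberately not counted as blocked.
usb_storage_blocked() {
  grep -qsE '^[[:space:]]*install[[:space:]]+usb-storage[[:space:]]+/bin/(false|true)' "$1"/*.conf
}

# Write the blocking stanza. Usage: block_usb_storage /etc/modprobe.d
block_usb_storage() {
  printf '%s\n' \
    '# Removable mass storage disabled by policy; record any change' \
    'install usb-storage /bin/false' > "$1/disable-usb-storage.conf"
}

# Stand-alone demonstration against constructed input in a scratch directory.
demo_dir=$(mktemp -d)
printf 'root:x:0:\nsudo:x:27:alice,bob\nusers:x:100:carol\n' > "$demo_dir/group"
mkdir "$demo_dir/modprobe.d"

echo "Accounts able to install software (group $INSTALL_GROUP): $(install_rights_holders "$demo_dir/group" "$INSTALL_GROUP")"
if usb_storage_blocked "$demo_dir/modprobe.d"; then
  echo "usb-storage: blocked"
else
  echo "usb-storage: NOT blocked, writing modprobe rule"
  block_usb_storage "$demo_dir/modprobe.d"
fi
usb_storage_blocked "$demo_dir/modprobe.d" && echo "usb-storage: blocked after fix"
rm -rf "$demo_dir"
```

To run it against a real host, point the functions at /etc/group and /etc/modprobe.d and review the member list against the "genuine business need" test the article sets out; the audit function is read-only, and only block_usb_storage changes configuration.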
Most of all, though, you need to have a clearly defined Fraud Response Plan for your organisation.
No amount of security or deterrence will ever completely guarantee immunity from fraud. If it does happen, you need to be ready to investigate quickly and efficiently.
A suitable senior corporate officer (and a deputy for when the primary designate is unavailable) should be designated to take the lead and head up the response to any fraud that occurs.
Those individuals should have in place delegated powers to take all such steps as the investigation may require, such as authority to instruct external specialists.
Specialists such as providers of IT forensic services, investigators and lawyers should be identified and pre-approved before the crisis happens.
That way you will avoid having to go through a time-consuming appointment process when you most need speed.
The first few hours of an investigation can make the difference between success and failure. Those hours should not be wasted.
The opinions expressed are those of the author and are not held by the BBC unless specifically stated. The material is for general information only and does not constitute investment, tax, legal or other form of advice. You should not rely on this information to make (or refrain from making) any decisions. Always obtain independent, professional advice for your own particular situation.