Fighting fraud in times of crisis

Cybercrime is always distressing for those affected, but when the resultant losses come from the public purse, it must be taken even more seriously

Coronavirus has coursed through every facet of our lives, and society and business have already paid a colossal price to restrict its flow. We will be counting the cost for years, if not decades. And while people have become almost anaesthetised to the enormous, unprecedented sums of support money administered by the government, it was still painful to learn, in October, that taxpayers could face losing up to £26 billion on COVID-19 loans, according to an alarming National Audit Office report.

The likely scale of abuse raises the question of how authorities should go about eliminating public sector fraud. Could artificial intelligence (AI) fraud detection be the answer?

Admittedly, the rapid deployment of financial-aid schemes, when the public sector was also dealing with a fundamental shift in service delivery, created opportunities for both abuse and risk of systematic error. Fraudsters have taken advantage of the coronavirus chaos. But their nefariousness is not limited to the public sector.

Ryan Olson, vice president of threat intelligence at American multinational cybersecurity organisation Palo Alto Networks, says COVID-19 triggered “the cybercrime gold rush of 2020”.

Indeed, the latest crime figures published at the end of October by the Office for National Statistics show that, in the 12 months to June, there were approximately 11.5 million offences in England and Wales. Some 51 per cent of them were made up of 4.3 million incidents of fraud and 1.6 million cybercrime events, a year-on-year jump of 65 per cent and 12 per cent respectively.

Cybercrime gold rush – counting the cost

Jim Gee, national head of forensic services at Crowe UK, a leading audit, tax, advisory and risk firm, says: “Even more worryingly, while the figures are for a 12-month period, a comparison with the previous quarterly figures shows this increase has occurred in the April-to-June period of 2020, the three months after the COVID-19 health and economic crisis hit. The size of the increase needed in a single quarter to result in a 65 per cent increase over the whole 12 months could mean actual increases of up to four times this percentage.”

In terms of eliminating public sector fraud, Mike Hampson, managing director at consultancy Bishopsgate Financial, fears an expensive game of catch-up. “Examples of misuse have increased over the last few months,” he says. “These include fraudulent support-loan claims and creative scams such as criminals taking out bounce-back loans in the name of car dealerships, in an attempt to buy high-end sports cars.”

AI fraud detection and machine-learning algorithms should be put in the driving seat to pump the brakes on iniquitous activity, he argues. “AI can certainly assist in carrying out basic checks and flagging the most likely fraud cases for a human to review,” Hampson adds.

John Whittingdale, media and data minister, concedes that the government “needs to adapt and respond better”, but says AI and machine-learning are now deemed critical to eliminating public sector fraud. “As technology advances, it can be used for ill, but at the same time we can adapt new technology to meet that threat,” he says. “AI has a very important part to play.”

Teaming up with technology leaders

Technology is already vital in eliminating public sector fraud at the highest level. In March, the Cabinet Office rolled out Spotlight, the government grants automated due-diligence tool built on a Salesforce platform. Ivana Gordon, head of the government grants management function COVID-19 response at the Cabinet Office, says Spotlight “speeds up initial checks by processing thousands of applications in minutes, replacing manual analysis that, typically, can take at least two hours per application”. The tool draws on open datasets from Companies House, the Charity Commission and 360Giving, plus government databases that are not available to the public.

“Spotlight has proven robust and reliable,” says Gordon, “supporting hundreds of local authorities and departments to administer COVID-19 funds quickly and efficiently. To date Spotlight has identified around 2 per cent of payment irregularities, enabling grant awards to be investigated and payments halted to those who are not eligible.”

She adds that Spotlight is one of a suite of countermeasure tools, including AI fraud detection, developed with technology companies, and trialled and implemented across the public sector to help detect and prevent abuse and error.

Besides, critics shouldn’t be too hard on the public sector, argues David Shrier, adviser to the European Parliament in the Centre for AI, because it was “understandably dealing with higher priorities, like human life, which may have distracted somewhat from cybercrime prevention”. He believes that were it not for the continued investment in the National Cyber Security Centre (NCSC), the cost of fraudulent activity would have been significantly higher.

Work to be done to prevent fraud

Greg Day, vice president and chief security officer, Europe, Middle East and Africa, at Palo Alto Networks, who sits on Europol’s cybersecurity advisory board, agrees. Day points to the success of the government’s Cyber Essentials digital toolkit. He thinks, however, that the NCSC must “further specialise, tailor its support and advice, and strengthen its role as a bridge into information both from the government, but also trusted third parties, because cyber is such an evolving space”.

The public sector has much more to do in combating cybercrime and preventing fraud, on three fronts, says Peter Yapp, who was deputy director of incident management at the NCSC up to last November. It must encourage more reporting, make life difficult for criminals by upping investment in AI fraud detection and reallocate investigative resources from physical to online crime, he says.

Yapp, who now leads law firm Schillings’ cyber and information security team, says a good example of an initiative that has reduced opportunity for UK public sector fraud is the NCSC’s Mail Check, which monitors 11,417 domains classed as public sector. “This is used to set up and maintain good domain-based message authentication, reporting and conformance (DMARC), making email spoofing much harder,” he says. “Organisations that deploy DMARC can ensure criminals do not successfully use their email addresses as part of their campaigns.”

While such guidance is welcome, there are potential problems with embracing tech to solve the challenge of eliminating public sector fraud, warns Dr Jeni Tennison, vice president and chief strategy adviser at the Open Data Institute. If unchecked, AI fraud detection could be blocking people and businesses that are applying for loans in good faith, or worse, she says.

“We need to watch out how the technology and AI fit into the whole process,” says Tennison. “As we have seen this year, with the Ofqual exam farrago, AI doesn’t get things right 100 per cent of the time. If you assume it is perfect, then when it doesn’t work, it will have a very negative impact on the people who are wrongly accused or badly affected to the extent they, and others, are fearful of using public sector services.”

There are certainly risks with blindly following any technology, concurs Nick McQuire, senior vice president and head of enterprise research at CCS Insight. But the public sector simply must arm itself with AI or the cost to the taxpayer will be, ultimately, even more significant. “Given the scale of the security challenge, particularly for cash-strapped public sector organisations that lack the resources and skills to keep up with the current threat environment, AI, warts and all, is going to become a crucial tool in driving automation into this environment to help their security teams cope.”

This article was originally published in Raconteur’s Public Sector Technology report in December 2020

Tech-enabled finance could save your company

When crises hit, organisations always lean heavily on their internal finance specialists to reduce costs, streamline operations and plot a roadmap to recovery, in that order. While lessons should have been learnt after the global economic crash a dozen years ago, and more robust business continuity plans established, it was impossible to predict the speed, scale and severity of the coronavirus pandemic.

Once again, business leaders are looking, desperately, to their finance teams for rapid solutions to colossal challenges. It’s a mighty responsibility, given the amount of uncertainty and an impending global recession.

“During the current crisis, C-suite executives rely on financiers to identify the most cost-effective sources of financing, not only for the survival of the firm in the short run, but also for the growth that follows economic stagnation,” says Dr Nikolaos Antypas, finance lecturer at Henley Business School.

“For most companies, the top-down directive is: survive first, grow later. Since the pandemic started, the role of internal finance has shifted towards turning down or postponing indefinitely any project or cost item with non-existential importance.”

However, unlike in 2008, access to digital technologies, cloud storage and data analysis are enabling faster results, greater agility and collaboration, and better forecasting. If COVID-19 has accelerated digital transformation, the financial function is in the driving seat of that change.

Tech-savvy organisations have major advantage

Laggard organisations that decline to embrace technology will fail. And even industries that have rallied well since lockdown, such as ecommerce and healthcare, should be anticipating more obstacles on the road to recovery.

“The threat of decreasing revenue looms ominously,” warns Antypas, nodding to the tapering of the furlough scheme, which could trigger a sharp rise in unemployment. “No company should be complacent with their current success; their customer base is about to lose its revenue stream and that loss can have devastating ripple effects. Even the most profitable company can suffer if cash flows are not managed efficiently.”

Red Flag Alert, a credit risk management company, has amassed financial data of UK businesses for the last 16 years. The analysis is bleak. “UK industry is facing a mountain of unsustainable debt; it could be as much as £107 billion,” says Mark Halstead, a partner at the Oldham-based firm.

“Technology and data will be critical to companies bouncing back from the pandemic. It will also enable businesses to protect themselves and strive for growth in an economy saddled with record levels of debt.”

Organisations that invested in digital technologies and evolved the financial function before the pandemic have an early-adopter advantage. Kaziu Gill, who co-founded London-headquartered LimeGreen Accountancy in 2009, has long promoted accountancy software and other digital tools to his clients, who are mostly small and medium-sized businesses in the creative industries.

“COVID-19 has forced many businesses to change and become leaner and more mobile, but we have managed to continue without any disruption,” he says. “In some cases, we have been more productive.

“We are seeing more businesses exploring how they can grow digitally and the suite of tools that we use complements any organisation’s approach to budget and forecasting.”

Finance functions arm themselves with digital tools

LimeGreen enjoys a partnership with cloud-based accounting software platform Xero. “We offer plug-ins to Xero, like Spotlight, which is a great forecasting tool, and Receipt Bank,” says Gill. “And there are other project management tools that help link the financial function with human resources, such as CakeHR. We have always strived to utilise tech and now financial functions simply have to make that transition to digital. Pieces of paper are no good when you can’t send or receive physical mail during lockdown and with remote working.”

He argues that the recent open banking directive – a government-enforced programme designed to open up banking data, launched in 2018 – strengthens the case for finance departments to embrace digital tools. “It’s the perfect time because every bank in the UK is obligated to open up their application programming interfaces so third-party software companies can use them.”

Xero, for instance, recently launched a short-term cash-flow tool that projects bank balances 30 days into the future, showing the impact of existing bills and invoices, if paid on time. “This capability helps the financial function to scenario plan accurately and make changes to business plans instantly,” explains Donna Torres, Xero’s general manager of global direct sales and operations.

“It’s more important than ever for organisations to have an up-to-date view of their cash flow so they can plan, forecast and make the right decisions about their future. Cloud accounting technology provides a real-time snapshot.”

Empowering finance teams to change business plans

Financial functions that push to arm their organisations with other digital tools, including artificial intelligence-powered document scanning and e-signature, are discovering they can achieve company-wide efficiencies almost overnight.

Mike Plimsoll, industry head of financial services at Adobe, offers a banking example. “Facing increased demand with reduced branch capacity to maintain social distancing, TSB acted quickly to transform a significant amount of offline forms into digital-only interactions, creating an end-to-end journey for its personal and business banking customers,” he says.

“After implementing Adobe Sign, TSB managed over 80,000 customer interactions in the first eight weeks, saving the need for up to 15,000 potential branch visits.”

Plimsoll posits that by switching their processes and establishing digital technologies, finance teams have been able to “keep the business moving and react quickly to the shifting landscape and help steer a course through the uncertainty”.

Adopting a shorter planning window is paramount for business continuity and recovery, says Thomas Sutter of Oracle NetSuite’s Global Solutions Centre of Excellence. “Most businesses operate on a 12-month budget cycle and manage strategic plans with longer timeframes, but at this time the focus must shift to immediate priorities,” he says.

“Now more than ever, establishing a clear framework of visibility and control will streamline and protect cash flow in the short term, keep customers happy, and reveal new and innovative options business leaders have available to drive the business forward in the future. Finance leaders and their teams will be at the heart of these strategic moves.”

Finance departments may have had more responsibility thrust upon them when COVID-19 hit, but it seems their role will only grow in importance in the coming months and years. Technology is both empowering and enabling their new lofty status.

This article was originally published in Raconteur’s Business Continuity and Growth report in August 2020

Hackers smell blood as crisis exposes cyber vulnerabilities

Less than two years ago, in June 2018, when Ticketmaster UK revealed cybercriminals had stolen data from up to 5 per cent of its global customer base via a supplier, it set alarm bells ringing.

The following month, a CrowdStrike report laid bare how ill-prepared organisations all around the globe were against hackers seeking to exploit third-party cybersecurity weaknesses. Two thirds of the 1,300 respondents said they had experienced a software supply chain attack. Almost 90 per cent believed that they were at risk via a third party. Yet, approximately the same number admitted they didn’t deem vetting suppliers a critical necessity.

Given Symantec’s latest Internet Security Threat Report, launched early last year, highlighted that supply chain attacks had increased by 78 per cent in 2018, one hopes organisations heeded the warning signs and shored up their third-party cybersecurity policies well before COVID-19 hit businesses.

Experts fear companies that failed to bolster their cyber defences are now even more exposed because supply chains have become fragmented, and hackers, like great white sharks, smell blood. “Criminal groups have recognised that to catch the big fish they need to catch some smaller fish first,” explains James McQuiggan, security awareness advocate at KnowBe4.

To extend the fishing – or rather phishing – analogy: to net the whopper organisations, hackers are scooping up the tiddlers in the supply chain, McQuiggan says, as they “may not have the robust security programs and are often unable to afford adequate cybersecurity resources or personnel.

“As such, they are potentially more susceptible to social engineering scams or attacks. The criminal groups will attempt to gain access and then leverage the connection to attack a larger organisation.”

You’re only as secure as your weakest link

Predators know when to attack vulnerable prey, and COVID-19 has weakened the cybersecurity of countless organisations. “Coronavirus passes from person to person, and a percentage of victims are asymptomatic, yet can infect others – cyberattacks work in a similar way,” says Matt Lock, UK technical director at Varonis.

“A smaller supplier that’s fallen behind on their basic cyber hygiene can become infected with malware and unknowingly spread it to their business partners.”

Alluding to the issues presented by lockdowns enforced because of the pandemic, he continues: “At first, we were seeing cases where companies took shortcuts to get their employees online to keep their businesses running. Now companies are starting to settle into their new normal. They’re taking a step back, actively trying to rein in access and resolve security issues that cropped up in their race to get everyone the access they needed to do their work.”

Chris Sherry, a regional vice president at Forescout, argues there has never been a more vital time to have a cyber-resilient supply chain. “COVID-19 is the ultimate stress test for many supply chains,” he says. “The demand for critical supplies has never been greater, and it’s the biggest challenge. It’s a marathon to continue with ‘business as usual’ while trying to achieve an output of 150 per cent. Industry 4.0 and the industrial internet of things are driving improvements in operational efficiency, but also leaving suppliers more vulnerable than ever to downtime or data loss if critical processes are interrupted.

“The benefits of operational technology and automation are clear, but they also significantly increase the potential attack surface of any organisation. As bad actors look to take advantage of the crisis, the cybersecurity strategy of any supplier should ensure this is well understood, continuously monitored, and appropriately secured.”

Top tips to shore up cybersecurity

If an organisation’s cybersecurity is only as sturdy as its weakest link in the supply chain, what could – and should – be done in the face of an increasing number of attacks?

“Ultimately, the relationship of ‘trust’ many organisations once had with their third-party suppliers is no longer enough,” says Sherry. “The National Cyber Security Centre puts out a huge amount of guidance on the right questions to ask, as well as the right parameters to measure the security of your supply chain.”

Nigel Stanley, chief technology officer at TÜV Rheinland, agrees that the NCSC is a good source of information, and points to its Cyber Essentials certification scheme, which offers a “base level of cybersecurity assurance”. For him, streamlining supplier assessments is crucial, as is how deeply the supply chain network is traversed.

However, he notes: “Managing this is a challenge as presenting suppliers with 150 questions to answer every month can be a real turn-off. Using supplier contracts to enforce cybersecurity controls can be useful as it links payments and contracts to cybersecurity performance. The problem is how such a program can be implemented proportionately, balancing supplier and customer requirements.”

The ‘zero-trust’ certification offered by analyst firm Forrester is worth the money to improve cybersecurity across the supply chain, suggests Patrick Martin, head of threat intelligence at Skurio. “Securing the supply chain is key,” he says. “Look for suppliers with certifications like Cyber Essentials Plus and BS 10012 ISO/IEC 27001, and don’t be afraid to ask suppliers and partners to provide proof of their practices.”

Serving up a final piece of expert advice, he adds: “Another great first step is to monitor the deep and dark parts of the web for breached data, credentials and mentions in attack planning scenarios. In this way, businesses can be much better prepared to mitigate an attack if they see it coming.”

Considering Ticketmaster UK’s supply chain breach was almost two years ago, it’s fair to say organisations have had ample time to prepare, but those who failed need to move quickly with the fallout from COVID-19 likely to be long and painful.

This article was originally published in Raconteur’s Procurement and Supply Chain Innovation report in May 2020