Security Strategies

When Will Telco CFOs Say the 'F Word'?

Upon his capture in 1934, the legendary bank robber Willie Sutton was asked by FBI agents, "Why do you rob banks, Willie?" Sutton, who believed the question to be rhetorical, replied dryly, "Because that's where the money is."

More than 80 years later, if you asked a cyber criminal "Why do you do communications fraud?" you'd hear: "Because that's where the potential to make money is high and the risk of getting arrested is low."

The Communications Fraud Control Association estimates that mobile and fixed-line carriers lost $46 billion worldwide to fraud in 2013, a 15% increase in two years. This is over 2% of revenue, which is even more astonishing when this is close to the single-digit revenue growth of many mobile operators.

The dilemma that many CSPs face is that fraud is like an iceberg. Above the water is known, visible fraud and the battle here is around time windows. A cyberfraud gang can set up, go to work and disappear in 24 hours or less, before an operator knows the attack is happening. This is just the tip of the iceberg though.

Modern, sophisticated cyberfraud attacks mutate, evolve and arbitrage faster than an analyst can write rules. This type of mutating attack has a cloak of invisibility and sits under the water line impervious to detection with traditional methods. The time window here is not the issue as the opportunity for cyberfraud just goes undetected.

The industry is entering a period of hyper competitiveness with new packages being introduced continually by marketing. However, a cyberfraud gang analyzes every new package as an opportunity for a very profitable arbitrage attack that traditional systems again struggle to detect.

Given this context it was interesting to read the Telecoms.com Intelligence Industry Survey 2015, which asked a question, "Which of the following security breaches has your company experienced in the past year?" Thirty-five percent reported fraud!

This reminded me of two similar statements that were very widely quoted in the security world this year. The first is a the common refrain among security professionals: "There are two kinds of companies in the world: those that know they've been hacked, and those that have been hacked and don't yet know it."

The second is something Ian Livingston, CEO of BT Group plc (NYSE: BT; London: BTA) told delegates at Davos: "There are two types of CEO: those that know their systems are being hacked, and those that don't. For pretty much any company I've come across, it should be one of the top three risks."

Given the response to the Telecoms.com survey, I'd like to add a variation on the second sentiment: "There are two types of CFO in the world: those that know how much they are losing to fraud and those that are losing, on average, 2% of revenue to fraud and don't know it."

In the past, some CSPs have made growth a higher priority or have believed that fraud is too hard to detect and is a cost of doing business. Two things have changed: First, the competitive landscape and decreasing margins mean 2% of revenue cannot be written off as the cost of doing business anymore, and second, big data and machine learning can detect fraud above and below the waterline in a way that can compete with the innovation of cyberfraud gangs.

Gartner predicts that by 2016, 25% of large global companies will have adopted big data analytics for at least one security or fraud detection use case, up from 8% today. With technology finally catching up to fraudsters, fraud prevention can now be simplified down to a measurable line item in the IT budget.

Doing nothing is no longer an option. We are moving to a SIM-connected world where in 2014 over 1.5 billion smartphone and tablets shipped versus 308 million portable PCs and desktop PCs. We are getting to the point where the majority of computing power in the world is on smartphones not computers. In the very near future, smartphones will be joined by connected cars, NFC payments, health monitors and connected devices.

The common denominator here is that the new world is connected more and more, not by a network card, but by a SIM card that is always on, always connected and integrated into our personal lives in a way that the computer never was. This brings a whole new set of challenges when it comes to mobile carriers protecting their subscribers from cyberfraud. Just ask Chrysler or Sprint this week if this is the case. The new world is about new fraud, new devices and new data.

Fraud should be part of the risk assessment every telco makes, and those interested parties should be asking companies both financial and technical questions: What are the size of losses due to fraud in your company? What is the impact of fraud on your EPS and stock price? How do you compare to the average performer in your industry? What technologies are you using to stop fraud? What is your big data fraud strategy? How does your deployment compare to the peers in your industry?

Most important of all, stakeholders should be asking the telco CFO, "Where is the F-word in your annual report?"

— Tom Ryan, President and CEO, Argyle Data

mendyk 8/7/2015 | 7:50:56 AM
Re: Bottom Line not Top Line There was a story in the Wall Street Journal this week on this very topic. Amazon has moved a lot of applications to the cloud, but not the ones that have very sensitive information.
mhhf1ve 8/6/2015 | 6:30:15 PM
Liability, liability, liability...? The problem of fraud won't really be taken seriously until there's actual liability associated with the losses. A few million bucks can be rationalized and ignored if the revenues/profits far exceed that amount -- just buy some credit monitoring services for a few years, and wait for things to blow over in the media... 

I'll be interested to see what happens when the loss of personal id/info results in something more than just a financial loss? We haven't seen significant outrage from the OPM hack.. yet?


mhhf1ve 8/6/2015 | 6:21:10 PM
Re: Bottom Line not Top Line Hmm. You don't think Amazon eats its own cloud dog food? I think Amazon's retail site runs on AWS, if I'm not mistaken.


I don't know about Google or MSFT... they might not eat their own dog food in the same way as Amazon does.
mendyk 8/6/2015 | 10:55:38 AM
Re: Bottom Line not Top Line This is what makes some of what's going on in comms so difficult to grasp -- cloud services, for instance. Amazon, Google, Microsoft et al. have been aggressively marketing and providing cloud services to businesses for all sorts of sensitive applications, but they haven't been eating that dog food themselves to any great extent.
brooks7 8/6/2015 | 10:50:32 AM
Re: Bottom Line not Top Line  

Well, Dennis the reason for that is security is essentially impossible.

The best you can do is make it harder to do a break in.  Let me give you an example:

Suppose you wanted to rob a bank electronically and had a budget of say $1M.  Could you bribe some IT tech making $75K to allow you access?  And that is the real problem.  The big security problem is the people INSIDE the firewall.  They do stupid things (read about the 60% of random flash drives picked up in a DoD parking lot as part of a penetration test) or they are vulnerable to pressure.

Even with perfect software (HA!) it is impossible to completely prevent electronic security problems.

Heck go back to the bank.  Banks still get robbed today.  Nobody has solved physical security either to a level of perfection.


mendyk 8/6/2015 | 10:43:38 AM
Re: Bottom Line not Top Line seven -- To your point, theft of service is kind of a cost of doing business, and one that tends to be overestmated (as in the assumption that all stolen services would become real revenue). The much bigger issue with CSPs is security -- attacks that disrupt service or cause financial losses for customers are much more damaging than fraudulent use of service. But we've found that CSPs really don't want to talk much about security, either.
brooks7 8/5/2015 | 11:10:20 AM
Bottom Line not Top Line  

The question is what the cost to get the 2% or some fraction of it back is right?  You have to spend less (a lot less) than the profit on the revenue that you don't lose.  So the question isn't when will people talk about fraud...it is what can be done cheaply to keep some of it.

Because here is the other thing about banks and robbing.  Any bank can be robbed given enough effort.  You are not going to take fraud to 0.  The question is what is the percentage of the low hanging fruit AND how little can be done to keep it from leaving.

Sign In