As IT supply chains become larger and more complex, they’re becoming more at risk of supply chain fraud. Read on to find out how to implement the best compliance and risk mitigation measures, including which market tools can help you do so.
What potential risks and vulnerabilities affect IT supply chains?
It’s inevitable that new risks emerge when your business undergoes digital transformation. You’re handling large amounts of data. You’re maintaining relationships with third parties who might be handling your data on behalf of you or completing transactions with you. And so, it makes sense that the more businesses digitally transform their processes, areas like supply chains are becoming an increasing target of cybercriminals.
If your supply chain involves dealing with third parties, ensuring you know who you’re working with is important. Below, we’ll run through a few types of IT supply chain cybersecurity risks and how they might affect you.
Third-party data security
One of the biggest threats to your IT supply chain security is the way that third parties handle your data. These can be your suppliers, contractors, or partners, who often have access to your customer data. You might be managing hundreds of third parties with access to data in your supply chain. Making sure you have data protection in your plan is a good idea if you’re working with third parties.
Sometimes, criminals disguise themselves as legitimate customers or suppliers to exploit your supply chain. Criminals can disguise themselves as a customer or supplier by using deep-faked identity documents or biometrics like video calls, selfies, or social engineering (pretending to be a relative or coworker). In the case of your supply chain, they might pretend to be a customer or supplier in order to change their payment details.
Fraudsters might also create a fake invoice containing their payment details rather than a legitimate supplier’s. Businesses of all sizes have been affected recently by this type of scam: take, for example, Amazon, which was scammed out of $19 million. According to PYMNTS, the scheme was: “led by two brothers who were billing the company for goods that were never actually purchased.”
Criminals usually include a convincing but fake tax ID, business name, account number, phone number, and email address. Supplier or vendor fraud is often hard to spot Without the right tools, as their tactics can be very convincing.
How can these damage supplier relationships if not dealt with effectively?
Compliance with Customer Due Diligence (CDD) regulations and/or major security risks in your supply chain will most likely damage your pre-existing supplier relationships. You may be considered less trustworthy if you’re not following the law.
That’s why it’s essential that you mitigate risk as a business by conducting background checks for every third party you have dealings with. While you might not be able to prevent risk entirely, if you have a good risk mitigation management plan in place, you should be able to prevent many cases of supplier fraud or data breaches.
How does risk mitigation ensure IT organizations stay compliant with regulations in their country?
Customer Due Diligence applies to any company that’s a bank or financial institution, like a fintech firm or an investment company.
You’ll need to ensure you have a Know Your Customer (KYC) process in place to stay compliant, which can involve gathering biometric identity information alongside a customer’s age, address, and name. On top of a KYC check, CDD also involves making sure you know where a customer, supplier, or vendor’s funds are coming from. This is to prevent cases of money laundering.
For any organization that falls under this category, the law says that you must have a CDD process in place in order to remain compliant. Even if your IT organization doesn’t, practicing CDD can help keep your reputation clean (as well as save you money in the long term).
An effective CDD program often has different steps. This can include:
- A customer identification program (CIP)
- Ongoing due diligence (ODD)
- Customer risk profiling (CRP)
- Enhanced due diligence (EDD)
Below, we’ll look at how you can incorporate these steps into your risk mitigation plan.
Ways to mitigate risk
As criminals are becoming increasingly sophisticated in trickling Know Your Customer (KYC) processes into thinking that they are legitimate and trustworthy customers, vendors, or suppliers, it’s important for organizations to be able to counter this with the right tools. Running a comprehensive background check is one helpful way to ensure that the person you’re dealing with is who they say they are. This can be part of your Customer Due Diligence plan as an initial Customer Identification Program (CIP) step.
To remain compliant, you’ll need to conduct these background checks on an ongoing basis – after all, a criminal posing as a third party might try to update their payment details in order to siphon money from that account. This is known as Ongoing Due Diligence (ODD).
Creating a risk profile
If you decide that a customer or vendor is potentially a threat, you can conduct customer risk profiling (CRP). SEON explains on Customer Due Diligence: “An organization that is considering serving a customer who has been flagged as a potential money laundering risk will need to go through a process where they can decide the extent to which that person is a small, medium, or high risk.” You might decide it appropriate to create a risk profile for every third party you work with, regardless of whether you believe them to be a threat to your business.
Know Your Customer (KYC)
You have several ways of conducting the identification process, such as via identity document verification or data enrichment. Identity document verification is usually part of a business’s KYC process. They can include a driver’s license, passport, social security number, and/or proof of address.
While identity document verification and KYC can be a useful part of your initial CIP, you might find that criminals are able to fake documents well enough to bypass your identity verification tools. This can be done via synthetic identity (a fake identity pieced together with real or fake parts of identity information like a photo and social security number) or an account takeover (where a criminal gains access to a real customer’s account information). The process can also be costly if you’re using it to identify every customer who registers with you.
Fortunately, data enrichment tools can be useful prior to the KYC stage, as they can provide you with more information about a user’s digital footprint (social media, whether their phone number is disposable or real). By gaining a big picture of their digital background, you can make more informed decisions about whether a customer is legitimate or not before they even reach your KYC stage. For example, you can enrich a user’s phone number or email address to determine whether the data point is linked to other points like social media accounts.
If a phone number or email address is linked with a digital footprint that goes back over several years, it’s likely that you are dealing with a legitimate user. After all, fraudsters are much more likely to use an email address or phone number that’s disposable and not linked to any social media presence.
Data enrichment is helpful at many stages of your CDD program. For example, you can use it to identify whether a customer is legitimate during your CIP, but you can also use it to help build a user’s risk profile during the CRP stage. If a customer lacks a social media footprint, then they might be flagged as higher risk by your fraud prevention and detection tool. As stated by Toreon, based on the risk level of the application, we can then define which type of security controls should be implemented.
You can also use device fingerprinting in order to find the exact configuration of a user’s device software and hardware. With a device fingerprinting tool, you can gain information on their browser or phone type. It then creates a unique hash based on this unique configuration, which is difficult to hide even with a proxy server or anonymous browsing. A user may look suspicious if they’re using an emulator or frequently switching between different browsers. With a user’s social media footprint, you can combine a device fingerprint to build a risk profile of any customer using your site.
Creating your own Customer Due Diligence Program
With some of these ideas in mind, you can create your own CDD program today by sourcing the right fraud prevention and detection tools. Having a checklist is always a great way to ensure you meet all legal requirements. This will usually require a KYC stage but may differ from industry to industry.
Consider combining identity verification tools that help with your KYC processes with pre-KYC checks in the form of digital footprint analysis. That way, you have more bases covered. With the help of digital footprint analysis, you can stop illegitimate vendors or customers from even reaching your KYC check stage, as you can filter them out based on information such as their social media profile or device.