July 30, 2019 By Christine DeFazio 5 min read

This is the second installment in a three-part series. Be sure to read part one and stay tuned for part three to learn more.

Partnering with a new fraud protection and authentication vendor can seem overwhelming. You may be asking yourself, “Where do I start?” or, “How will my team respond?” From onboarding to implementation, you and your vendor should be in constant communication, and the vendor should help your team across the finish line.

What does a successful onboarding and deployment process look like in practice? Rob Rendell, cybersecurity and fraud prevention expert, is back to help us understand what components are important for a smooth kickoff and how to prepare both your team and your new vendor’s team.

A Digital Trust Expert Explains How to Ensure a Smooth Kickoff With Your Fraud Protection Vendor

Question: Change management can be challenging, so what steps should security teams take to help gain internal buy-in and drive adoption?

Rendell: Building a solid business case is key and will be leveraged heavily throughout signoff and onboarding of a solution. A concise overview of the issue, reasoning for project/funding proposal, overall return on investment (ROI) and how the proposal works into the long-term organizational road map should be clearly outlined.

Gaining management support is obviously key. A good practice is to have one-on-one meetings with decision-makers before general signoff meetings are held. This proactive approach is valuable to address questions and concerns ahead of time and, more importantly, deflect any curveballs that might be pitched in a larger meeting forum that could spark additional questions and potential setbacks.

As previously mentioned, showcasing the business case to direct management is important, and a second step is to socialize the project with line-of-business partners and articulate potential indirect benefits they’ll see. This cross-review is great at getting incremental support to help push a business case to the finish line. Supporting feedback from indirect leadership is valuable and shows that tangible benefits are being thought of outside of the primary scope area.

Once fraud/risk managers have buy-in from their stakeholders, how can they secure the right budget, and what should the ROI breakdown showcase?

Rendell: This is a core component of the business case. The important thing to remember with regard to ROI calculations is to keep it realistic with a conservative estimation and, more importantly, ensure that post-implementation can actually quantify the ROI. Being able to quantify the impact is necessary to justify the expense in the out years when securing funding.

When calculating or assuming what the ROI should be, it’s helpful to bucket how a solution will be meaningful to core areas. In the case of authentication and fraud, one might project ROI against areas of potential benefit:

  • Customer experience — Net promoter scores should improve where passive authentication controls are enabled, meaning customers can feel less friction throughout the user journey. Surveys can be used to benchmark pre- and post-solution results to quantify the value customers see.
  • Fraud lossesAuthentication and fraud solutions ideally will drive down fraud losses. Additional key metrics to benchmark against are overall detection rate and alert rates — these metrics are key. A well-tuned solution will offer high detection rates while maintaining alert rates that are in line with operational capacity. In some situations, organizations will work down into false positive zones to increase the chances of finding fraud in a lower-risk bucket.
  • Operational benefit — As mentioned above, high detection with low alert rates is optimal. It’s obviously a goal to drive down fraud losses, but as workforces become more expensive, it’s critical to keep operational expenses in check too. Here, it’s key to identify a solution that has high detection, low false positives (negative customer impact) and low alert rates.
  • Attestation to regulators that business controls are in place — Regulatory compliance is a major task for financial institutions and insurers. There are myriad regulations from bodies such as the Federal Financial Institutions Examination Council (FFIEC), Securities and Exchange Commission (SEC) and New York State Department of Financial Services (NYDFS), as well as international mandates such as the EU’s Revised Payment Service Directive (PSD2). For other sectors, such as transportation and e-commerce, there are data privacy laws with fraud control stipulations. An organization would want to demonstrate to a regulatory body that its controls surpass the minimum guidelines outlined in the requirement. Not fulfilling regulatory compliance can be very costly once fines are assessed.

Will organizations need to build out new teams for this fraud prevention mission, or can they use existing team members? Who should be included and why?

Rendell: It depends. In the age of digital transformation, organizations have started standing up specialty teams that have been up-trained on digital threats, such as malicious malware and targeted account takeovers, and understand how redirect attack campaigns work. These specialty teams could include associates that have proven their value in the transaction alert space and have, in a sense, “graduated” to the next level.

If an organization has already been leveraging digital alerts for some period, it would be recommended to validate what overlap in alerting is being proposed, the incremental value the proposing solution would provide to help drive down alerts while amplifying detection rates and, finally, any new alerts that would be produced as a result of solution differentiation. This analysis is helpful and beneficial with the business case to help showcase the operational impact; in some cases, if alert rates will be lower, there could be a potential benefit from an operational expense perspective.

For organizations where this would be a net-new process, teams would need to be identified and trained. It’s key to inquire with the proposing solution provider what level of professional training they would provide from both a data analytics viewpoint and operational execution: What alerted, why is it alerted, and how does one work and remediate with the end user (consumer).

As fraud and digital transformation teams near deployment, what are critical components to a smooth kickoff?

Rendell: One of the most important tasks a stakeholder can do, given the size of these projects, is to find a strong project manager (PM) to keep the various teams synced and on point to help deliver a smooth and successful project. A strong PM will man the troops, manage the project plan and escalate issues to responsible areas as soon as they are identified.

Aside from identifying a great PM, weekly or biweekly stakeholder (cross-functional group) meetings are helpful to understand progress, roadblocks and issues (internally/externally). Transparency and socialization of information is a must for a successful project.

Recently, when working with a customer, a best practice emerged from the standpoint of how a solution provider’s supplier — in this case, IBM — can improve by creating a living document and updating it throughout the life cycle. The document should include lessons learned that showcase what went right, wrong and how both sides can improve the next time around.

Finally, testing, testing and testing. Too often, something simple that could’ve been detected in a test script goes amiss and, in the end, causes major setbacks. The testing practice applies to operational execution as well, ensuring operations teams are ready, have proper entitlements and can fully execute an alert review before the light switch is turned on for full production.

Learn how to establish digital identity trust with customers

More from Fraud Protection

Unveiling the latest banking trojan threats in LATAM

9 min read - This post was made possible through the research contributions of Amir Gendler.In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today