Identifying IoT fraud risks: The challenges for operators
Today’s increasingly connected world is introducing many new elements of commerce into everyday objects, from cars to energy meters. However, the reality of whether we’re ready to embrace the concept of the Internet of Things (IoT) and make the most of it from a revenue perspective is quite different. The IoT is progressively driving different behaviours and dynamics across business, bringing with it a whole new set of challenges and disruption – especially when considering the backdrop of protecting customers, assets and revenues. As a result, revenue discussion will no longer be confined to a purely finance function; there will be implications for IT spend as we know it and company culture as a whole.
The progression to the IoT will introduce new device manufacturers and application providers that the telecoms industry has previously not worked with, and who don’t understand the risks. This will result in additional security and fraud risk, as these ‘trusted’ parties will need to be audited to ensure the expectations of the CSPs are being met, says Luís Brás, head of professional services, Fraud Management Area, WeDo Technologies.
Considerations for a Successful Risk Management Strategy
Fraud and revenue risks associated with IoT may mean different things to different people, depending on where they reside within the product and service delivery chain. In order to stay ahead of the curve, organisations will therefore need to consider and evaluate from a risk perspective what elements of their existing fraud type exposure will increase (or decrease) as a result of launching the new devices or services, and understand the full risks that can be posed by the IoT: both what can result from failures with the technology and what fraudsters stand to gain from attacking the service. As part of the product and service lifecycle, the fraud and security functions will need to be directly involved in performing ‘product and services risk assessments’ that are ultimately linked to defining the required strategies. By making a thorough risk assessment, businesses can ensure they are adopting a balanced approach, with technology, people and processes working together to create an effective strategy.
What defences can be defined?
As CSPs are already aware, they have a responsibility for storing and managing highly sensitive and confidential data associated with their customers and business partners. Consideration will need to be given as to how these new connected devices within the IoT will be secured to maintain the integrity of the information held or exchanged with their partners. Data and privacy protection risks will include the potential for eavesdropping on other users, a device’s data being transmitted over the network by a criminal masquerading as the customer’s device, or network ID and information being subsequently provided illegally to third parties.
As evidenced by recent high profile fraud and security incidents and breaches, the criminal fraternity are becoming more innovative, deploying new and more focused techniques for obtaining exactly what they want from the services and products they target. The IoT will be no exception. CSPs must never become complacent or forget that these highly organised fraudsters operate their own businesses and need to “service” their own customers. Their business model for committing fraud spans all types of technology and crosses international boundaries, and has traditionally relied heavily on the CSP’s inability to respond and recover in a timely manner. It is this aspect that they will again look to prey upon. One of the essential business requirements for CSPs will be to continually consider the risk, and implement clearly defined fraud, security and risk protection models for the IoT.
The demand and requirements for this progression will lead to more exciting results in the formation of strategic partnerships. CSPs must, however, consider the implications and requirements to enable them to minimise exposure to fraud risks associated with mobile devices, applications, processes and different business models. At WeDo, we believe that an Enterprise Business Assurance (EBA) approach allows businesses to face innovation, such as the introduction of a new range of connected devices as part of the IoT, head on, capitalising on the opportunity for growth while maintaining tight control over business processes, the customer experience and revenue.
The author of this blog is Luís Brás, head of professional services, Fraud Management Area, WeDo Technologies.