THE DEFENSE DIVIDEND Value Preservation and Growth Protection Imperative
Laurence Duarte
MBA Edhec
TABLE OF CONTE NTS I. Preface............................................................................................... 5 II. Introduction.................................................................................... 9 III. What are criminal Risks?.............................................................. 12 IV. Types of Threat Actors................................................................... 14 V. Strategic growth protection planning process................................. 16 VI. Internal Risks assessment.............................................................. 18 Company illegal actions...........................................................................22 Zoom: Global Instability favors Global Crimes........................................24 Corruption Crimes...................................................................................26 Insider White Collar Criminal Attacks.....................................................28 Employees Illegal behaviors – Sexual Harassment – Mobbing..................30 Workplace Revenge Criminal Attacks.......................................................31 A brief overview of recent scandals Internal Crimes..................................32 VI. External risks assessment.............................................................. 34 Cybercrime, the new normal....................................................................38 The many faces of hackers........................................................................41 9 types of Cyber attacks............................................................................42 Cybercrimes.............................................................................................46 Terrorist threats and attacks......................................................................48 Espionage.................................................................................................51 Zoom: Your attack surface is bigger than you think..................................52 Petty crimes..............................................................................................53 Economic Crimes.....................................................................................54 Profile of the fraudster..............................................................................55 Competition Criminal attacks..................................................................56 Zoom: Cy-ops: Cyberpsychology Operations...........................................57 Subversive criminal attacks.......................................................................58 Sabotage crimes........................................................................................60 Hijacking crimes......................................................................................61 Zoom: Piracy...........................................................................................62 Counterfeiting, forgery, and copyright attacks..........................................63 Violent Crimes.........................................................................................64 KRE; kidnapping threats in 2017.............................................................66 A brief overview of recent scandals External Crimes.................................68
2-
Laurence Duarte - MBA Edhec
VII. The regional picture of criminal risks.......................................... 72 VIII. Risks Assets Impact.................................................................... 82 Asset characterization...............................................................................86 Critically & Consequence Analysis...........................................................88 Assets/Risks Visualization.........................................................................92 Business Reputation.................................................................................94 People......................................................................................................96 Property...................................................................................................98 Proprietary information..........................................................................100 IX. Risks Prioritization..................................................................... 102 Strategy Protection Program...................................................................105 The importance of information..............................................................108 Responding to risks................................................................................111 It is all about people...............................................................................117 X. Internal Risks countermeasures.................................................... 118 Company illegal actions.........................................................................120 Corruption Crimes.................................................................................122 Insider White Collar Criminal Attacks...................................................124 Employees Illegal behaviors – Sexual Harassment – Mobbing................128 Workplace Revenge Criminal Attacks.....................................................130 XI. External risks countermeasures................................................... 132 Cybercrimes...........................................................................................134 Terrorist threats and attacks....................................................................138 Espionage...............................................................................................142 Economic Crimes...................................................................................146 Petty crimes............................................................................................148 Subversive criminal attacks.....................................................................149 Competition Criminal attacks & Sabotage.............................................150 Counterfeiting, forgery, and copyright...................................................152 Violent Crimes.......................................................................................155 XII. Ready for the worst................................................................... 157 Crisis Management................................................................................159 The Importance of Business Ethics.........................................................163 XIII. An ongoing learning and improvement process....................... 165 XIV. A world of caution.................................................................... 167 XV. Acknowledgements..................................................................... 171 XVI. Glossary.................................................................................... 172 XVII. References............................................................................... 179
Laurence Duarte - MBA Edhec
-3
« However absorbed a commander may be in the elaboration of his own thoughts, it is sometimes necessary to take the enemy into account » Winston Churchill
4-
Laurence Duarte - MBA Edhec
PRE FACE Today, Criminal Risk is a strategic issue Risks are all around us: they are a part of everyday life. We deal with risks all the time, often without thinking about them. Some are small – some are huge. However, risks are not certainties: they may not happen. But if they do, they will have consequences. That’s why, whatever the level or the type, risk is something that all businesses need to be aware of and manage carefully. Entrepreneurs are defined by their willingness to bear risk, particularly the risk of business failure. They try to deal with uncertainties using analysis. The role of analysis in business management is vital to understand the competition, environments, organizations, and strategies to be successful. To limit and avoid risk, to benefit from positive political, business, social, and economic trends, most organizations review thoroughly their situation with respect to these trends. Now, Business leaders should as well deal with serious but new concerns. This new type of adversity is difficult. How many business executives can understand and mitigate criminal risks? How many organizations implement an effective criminal risk oversight and management? If you go by the number of damaging attacks on companies, which are offered up every day in the media, the answer is far too low. As the world becomes increasingly volatile, the skillful analysis and reporting of these risks become increasingly critical to the success of organizations of all types. Today criminal risk is a strategic issue. The primary responsibility of every leader is to secure the future of their organization. The very survival of their organization depends on the ability of management not only to cope with criminal attacks but to anticipate the impact those attacks will have on their company. To do so, it is imperative to not relegate the preservation of a company to the IT or security department but as a business leader to take an active role on the organization’s growth protection. It is the only way to avoid the possibility to see the most valuable assets of their company damaged or destroyed.
Laurence Duarte - MBA Edhec
-5
6-
Laurence Duarte - MBA Edhec
Businesses must carefully weigh up the criminal risk against profit and losses, in other words, the strategic consequences of action vs inaction. Criminal risk must be quantified and managed and it poses a constant strategic challenge. It is a difficult and uncomfortable topic. It is scary and reveals weaknesses; It is also overwhelming due to the range of potential threats facing any company and their tremendous impact. Even companies that have not traditionally been exposed to more than the most rudimentary of security risks are now exposed to events thousands of miles away that no one was previously aware of which can disrupt supply chains and highlight dependencies. Threats are networked and are often driven by interrelated issues. Given all of this, and the clear impossibility of forming a total barrier around the business (as may once have been the case), there is an urgency of supporting an agile, dynamic, and efficient growth protection strategy. Fortune favors the brave, but with people’s lives and the success of the business at stake, caution cannot be simply thrown to the wind. The statistician Nassim Nicholas Taleb said: “understanding how to act under conditions of incomplete information is the highest and most urgent human pursuit “. As much as I have tried to think of all the possible risks and solutions as I could, no single tool (books, experts, etc) has the capacity to be used as the only source of knowledge. I believe that mastering any subject requires extensive practice and thorough research using numerous sources and exploring various opinions. That’s why, to set up an effective growth protection plan we need to have a multi-talented team with specialists to solve technical issues and generalists with communication, leadership and strategic skills, to understand and anticipate criminal risks trends, and to build effective answers to limit the effects of any criminal attack.
Laurence Duarte - MBA Edhec
-7
ÂŤ Not everything that can be counted counts, and not everything that counts can be counted Âť Albert Einstein
8-
Laurence Duarte - MBA Edhec
I NTRODUC TION Business paradox When you ask a top executive leader in a global company about their business obsessions, they will answer by other questions: how can I protect the competitive advantage, the value, and the financial interests of my company? How can I develop and maintain my level of business throughout the world? Growth and protection are keys words in a leader’s minds. But it is also the 21-century business paradox. Without growth, no company can survive, but with growth every company can jeopardize its safety. As global players expand geographically and operate in more new and unfamiliar countries and markets, they face the increasing volatility, complexity and ambiguity of the world, putting their company into all sorts of risks. Business leaders have no choice but to hold the tension of this paradox and to acquire the willingness to understand the risks of their company and to limit the potential effects. Unfortunately, security does not have a good reputation, it does not generate profit; even worse it adds costs in the balance sheet. Furthermore, traditional business approaches perceived security as an obstacle to business. Sometimes, this can be true. If we see security and protection with a mindset of preventing all risks, it is, indeed, an obstacle to business that must take risks to stay ahead of competition and survive. However, business leaders are starting to realize that security and growth protection are not to prevent companies from taking risks but actually to help them mitigate the risks they must take in order to obtain profit. So it is true that security does not generate profit but it is also true that its actions protect the profit and reduce costs.
Laurence Duarte - MBA Edhec
-9
To conclude, I see a parallel between traditional Chinese Medicine and the XXI century security strategy. Indeed, the aim of Traditional Chinese Medicine is to preserve the health of the patient and to stimulate their body’s own protection and healing mechanisms considering all aspects of a patient’s life, rather than just treating symptoms. Inspired by this example, I propose an approach to preserve companies’ activities by providing actionable, relevant, and timely insights to mitigate criminal risks and to protect the growth and future of business organizations. In the following document, we will see how companies can acquire the ability to understand, mitigate and maintain a sustained level of protection while setting up a growth protection strategy.
« The superior man, when resting in safety, does not forget that danger may come » Confucius
10 -
Laurence Duarte - MBA Edhec
Laurence Duarte - MBA Edhec
- 11
CRI M I NAL RISKS, DEF INITIONS Crime Crime can be understood in various ways. Usually, the four major perspectives most useful in defining crime are the legalistic, the political, the sociological, and the psychological. I will add the business perspective to define crime. The legal system is there to criminalize forms of behavior that society agrees to punish. However, legislation takes time. Meanwhile, consumers play an important role to denounce, to condemn abuses and to shape a more ethical behavior. New forms of pressure and punishment have been created by consumers. That causes important damage to reputation and profit losses. The People are consumers, and they become more and more consumer-citizens, exercising their responsibility, forcing businesses to more ethical, responsible and sustainable ways of behaving. That’s why even if the legal principle «Nulla poena sine lege» guarantees a criminal punishment by law, it is not enough to encompass the issue regarding all the forms of business illegal and criminal behavior. Companies need to understand even if their behavior is not «illegal» regarding the legal system, that it is condemnable in front of the consumers due to unacceptable consequences (because of harm/pain to people or the planet) of their actions. That’s why I assert that the business perspective of crime may be an undesirable form of behavior or act, seen as illegal, and/or unethical, and/or anti-social.
“There are known unknowns; that is to say there are things that we now know we don’t know. But there are also unknown unknowns – there are things we do not know, we don’t know.” United States Secretary of Defense Donald Rumsfeld 12 -
Laurence Duarte - MBA Edhec
Criminal risk?
Risk is the like hood of occurrence of an unwanted event man-made that can adversely affect the mission of the organization. It comprises 4 elements: 1. An asset (facility, structure, proprietary information, brand‌) 2. The like hood of a threat actor with intent 3. Vulnerability within the protective system of the asset 4. Consequence of the threat action
of the triangle must exist: Mobile, Means & Opportunity.
BIL MO
In order for a crime to occur all three elements
S
Means: virtual, nonviolent, violent
AN
Motive: poverty, greed, ideology, harm, sex, etc.
The crime triangle
ME
E
Why does Crime Occur?
O PPO RT UN I TY
By eliminating any one of these elements a crime cannot occur. Motive, opportunity, and means together create the triangle of crime. A successful security strategy concentrates on understanding the motive, limiting the opportunity, and obstructing the means in the earliest possible stage of an incident. As an example, to conduct an action, a perpetrator must collect information (means) to execute an action successfully. Obstructing the collection of information is basically obstructing the means, therefore limiting the opportunity in the earliest possible stage (preparation phase) and preventing an incident from occurring.
Laurence Duarte - MBA Edhec
- 13
TYPES OF THREAT ACTORS The evil that is in the world almost always comes of ignorance, and good intentions may do as much harm as malevolence if they lack understanding.� Albert Camus
Organized Perpetrators versus Individual Perpetrators Organized perpetrators refer not only to criminal organizations, but to any organized group of career criminals who exercise planned and systematic criminal acts, have an organizational approach and internal division of responsibilities and tasks, and have sufficient logistics that enable them to target higher volumes and values. Organized criminal groups are motivated by greed. They will plan the action to get maximum gain with minimum damage. Basically, an organized group of criminals is aware of the consequences of its action in terms of possible punishment and will, in many cases, try to minimize damage. Experience teaches that an organized group is less likely to assault and harm during an armed robbery than single perpetrators. Individual perpetrators are not career criminals but impulse criminals motivated by immediate needs such as poverty, substance abuse, or gambling debts. Single perpetrators often do not thoroughly plan the action but act based on the impulse to satisfy a relatively immediate need. The focus is mostly on smaller amounts of primary value that can provide immediate profit (such as money, jewelry, electronic gadgets, etc.) and they usually have tunnel vision, which means that they focus on the goal and not the consequences. There is a higher chance of violence and injury during a robbery executed by a single perpetrator.
14 -
Laurence Duarte - MBA Edhec
5 TY PES O F TH RE AT AC TORS Terrorists
Class I terrorist: government trained professional Class II terrorist: religious extremist professional Class III terrorist: radical revolutionary or quasi religious extremist Class IV terrorist: guerillero, mercenary soldier Class V terrorist: amator (civilian, untrained criminal or militia viligante)
Economic Criminals
Economic criminals can be external or internal perpetors. However, Fraud remains the most costly attack against companies. • Transnational criminal organizations • Sophisticated economic criminals • Organized crime • Employees, ex-employees Type of crimes: external & occupational fraud, equipment thefts, burglaries, break-ins, robberies, information thefts, vehicle crimes.
Non terrorist Violent Criminals
Persons other than terrorists who use violence as a means to achieving their goals. • Organized crimes • Workplace violent threat actors • Deranged people • Angry visitors • Employee, ex employee • Angry employees, ex employees • Unions • Sexual criminals Type of crimes: felonies, assaults, muggings, rapes, murders
Subversive Criminals / Subversive Crimes • Cause oriented subversives • Hackers • Political and industrial spies • Invasion of privacy threat actors • Saboteurs • Persistent rules violators • Cults and dedicated activist groups Type of crimes: activist organization activities, civil disorder, riots, protests, intimidation, drugs in the workplace, sabotage, corporate spying
Petty Criminals
• Vandals • Disturbance causers Type of crimes: purse snatching, desk pilfering, pickpocketing, vandalism, prostitution…
Laurence Duarte - MBA Edhec
- 15
ST RATEGIC G ROWTH PROT ECTION PLANNING PROC E SS When we think about security and protection, we may think that it is complicated, but it is not. Security is not an invented process but an evolution of one of the oldest natural processes, dating to the beginning of life and the instinct to protect it. These principles at the time of our distant ancestors did not change. The caveman guarded his cave with a spear while another was on the lookout on the edge of the settlement with the mission of spotting the danger at the earliest possible stage and alerting the others. Everyone in the community knew exactly what to do in case of danger and who was in charge of making the decisions. We have the cave as the physical element of security, the spear as technology, information about the proximate danger, communication among community members, all members of the community as the human element and procedures, both as a division of tasks in routine as well as emergency procedures, and the community chief as the management. If any of the elements were missing, the system would not work properly. Strategic growth protection planning process: How to become in control regarding the criminal risks:
WHAT ? Internal criminal risk assessment
External criminal risk assessment
SO WHAT ? risks assets impact
CRIMINAL RISK ASSESSMENT 16 -
Laurence Duarte - MBA Edhec
The strategic planning process can be divided into two parts: 1 The criminal risk assessment studies the risk, vulnerabilities, and threats to any asset that an organization faces. Criminal risk assessment addresses all the different human-made attacks that an organization could potentially face. The Internal and external risks assessments focus on threat identification; understand and recognize the type of threats / perpetrators. Risks/Assets impact on assets focus on asset characterization: understand the organization’s assets and the most valuable one’s and critically & consequence analysis; Understand the criticalities of the listed assets to the organization’s mission and the consequences in case of successful attack 2 The Criminal Risk management, after thoroughly analyzing external and internal risks that threaten enterprises and their impact on the most valuable assets, the second part of the process is to set up a growth protection strategy able to give tools and mindsets to mitigate risks that threaten tangible and intangible assets of companies in their various parts and during key processes. The Risk prioritization: prioritize the risks, to mitigate the most important risks. The Strategy protection Program design and implement the strategy to protect the value and the growth of the company including the three pillars of value protection: prevention, reaction, and recovery.
NOW WHAT ? risks prioritization
THEN WHAT ? strategy protection program Prevention reaction recovery
Performance evaluation
CRIMINAL RISK MANAGEMENT Laurence Duarte - MBA Edhec
- 17
I N T ERNAL CRIMINAL R I S KS ASSE SSME NT
18 -
Laurence Duarte - MBA Edhec
“Half the work that is done in this world is to make things appear what they are notÂť E.R.Beadle
Laurence Duarte - MBA Edhec
- 19
I NTER NAL C RIMINAL RI SKS ASSE SSME NT When we think criminal risks for a corporation, we think that the danger comes from outside. However, regarding any company, experience shows that the major harmful criminals’ risks come from internal actors. Companies are increasingly realizing that they must devote the same amount of time, level of attention, and resources to fighting both internal and external threats. Fraud, deception, distortion of the company’s communication, unethical behaviors are results of corporate executives’ decisions because of corporate negligence, quest for profits at any cost and willful violations of health, safety, and environmental laws. It can lead to the outright destruction of the company. Corporations primarily exist to generate profit. As such, they consistently seek to gain competitive advantages directed toward maximizing profits. Unfortunately, some of their actions fall outside of the law, violate human rights and / or harm society. Even if a company desires to have the highest standard ethics and sustainability, competition pressures from various sources (e.g., shareholders, supervisors), globalization, and limited law responses contribute to the occurrence and perpetuation of corporate crime. Today, scandals have a very negative impact on companies’ performance. The two elements explaining why, scandals have a nuclear effect on companies are:
20 -
Laurence Duarte - MBA Edhec
- In the 21st century, if secrets can be protected, they can‘t be hidden for long. Especially the unethical ones. There is a joke in the cyber security community that there are two kinds of companies: those that know they’ve been hacked, and those that haven’t found out yet. But if hackers can be seen as the most evident threat to steal company’s information, it is not the most frequent one’s; the employees denunciate unethical behaviors much more easily. - Brands are parts of consumers lives. Consumers are waiting for products that fill their needs. Obviously, they want products that don’t harm them or their loved one but also products which reflect their choices and their way of thinking; their thoughts include ethics, compassion for people and concern for the planet. That’s why when the poor social, environmental or ethics practices of a brand are exposed; the reaction of consumers is more vicious and the downfall rapid.
Insider White Collar Criminal Attacks
Company Illegal actions
Employee Illegal Behaviors
Workplace Revenge Criminal Attacks
Corruption Crimes
Laurence Duarte - MBA Edhec
- 21
COMPA NY ILL EGA L AC T I O N S ACTORS Corporate executive, managers, employees
METHODS Illegal and unethical behavior including: Fraud: stock manipulation and fraudulent/forged financial statement, illicit financial flow, tax evasion Fraud to international trade restrictions and embargoes Anti-competitive behavior, anti trust violation Deception (lies, distortion, generalization) Unethical & illegal use of big data Global Crimes Environmental Crimes
RISKS TYPE Intentional & Negligence Risks. Reputational & financial risks Fraud like stock manipulation & fraudulent/forged financial statement, illicit financial flow, tax evasion has a tremendous bad impact in reputation and financial losses. Fraud to international trade restrictions & embargoes: An embargo consists of an official ban on trade or other commercial activity with a designated country, regime, or individual to exert political pressure or halt a conflict. The European Union and U.S. government are highly sensitive to this matter and lead a strong and continual political commitment to stamp out the frauds to embargoes. Fraud to embargos may not seem obvious. However, it can be very costly to a company. Criminal violations of the regulations — which involve willful violations of the sanctions regulations — can lead to fines of up to several billions of dollars and a multi-year prison sentence. Anti-competitive behavior, trusts & cartels are agreements between competitors to intentionally eliminate a part of the competition. It is typically condemned as illegal in Europe and the United States. Governments around the world legislate and enforce antitrust laws. For instance, the fines which the European Commission imposes on organizations that infringe EU competition rules are typically substantial, even as high as 22 -
Laurence Duarte - MBA Edhec
10% of a company’s annual worldwide turnover. The laws of some countries even allow custodial sanctions for individuals involved in general competition law infringements and certain pre-defined types of infringements (e.g. bid-rigging). Such sanctions can be separate or cumulatively applied on top of pecuniary sanctions. Company managers who behave illegally, therefore, run the risk of jail in certain States. Finally, executives will put their company reputation and activities at risks with bad press for lawbreakers and other collateral consequences. Deception is false or misleading representations and deceptive marketing practices in promoting services and products. Legally and reputation speaking, it can have serious economic consequences for businesses (fines and year of prison, depending on the country). Unethical & Illegal use of big data The global economy is now seen as a knowledge economy. In this economy, as evidenced by the massive growth in data storage in recent years, companies are amassing data and information. Risks come from: - inappropriate use of data and algorithmic modeling or analysis by companies may have detrimental results on freedom, privacy, moral reasoning, and autonomy. If a breach of privacy protection, discrimination, unfair advantage in the employment process, for instance, can be proved, companies will face costly lawsuits and damage to their reputations. - The breach of sensitive data (i.e.: personal information, business contracts) gives rise to recourse to the courts by consumers and businesses. Companies which experience data breaches will face consumer class action lawsuits and businesses lawsuits. Global crimes include violations of domestic, international, and humanitarian law. These abuses and harms include the contamination of natural resources, health complications, high rates of poverty, extreme inequalities, predatory activities, toxic waste dumping, violations of sovereignty, forced evictions, thefts of homelands, recolonization, human trafficking, and the violations of civil rights, worker rights, women rights, and children rights. Global crimes always lead to reputation damage, as well as financial losses (lawsuits, boycotts…)
Laurence Duarte - MBA Edhec
- 23
GLO BAL INSTABILITY Over 400 political conflicts continue to destabilize large parts of the world. The Middle East, the Maghreb region, and Sub-Saharan Africa concentrate 21 wars. Worldwide, 65,5 million people fled their homes due to war, or persecution (one person every three seconds) in 2016. The conclusion of these alarming facts is that more and more organizations are currently operating in fragile or conflict-affected areas. Whether by choice to beneficiate of business opportunities post-conflict or by accident because of their former presence in the conflict-affected country, the risks to be involved in illegal or unethical behavior is high. Human rights abuses remain the major risks in these areas. The presence of foreign companies can also extend the conflict, their business activities supporting specific parties in the countries. Finally, their presence may outspread conflict when community grievances are not sufficiently addressed due to ignorance or lack of empathy.
24 -
Laurence Duarte - MBA Edhec
Council on Foreign Relations Criminal Violence in Mexico
Sectarian Conflict in Lebanon
Taliban in Afghanistan
Boko Haram in Nigeria
Refugee Crisis in the European Union
Islamist Militancy in Pakistan
Civil war in libya
Conflict in Ukraine
Conflict Between India and Pakistan
Islamist Militancy in Egypt
Civil War in Syria
Territorial Disputes in the South China Sea
War in Yemen IsraeliPalestinian Conflict
Kurdish Conflict War Against Islamic State in Iraq
Tensions in the East China Sea
North Korea Crisis
Laurence Duarte - MBA Edhec
- 25
CORRU PTION C RI ME S ACTORS Corporate executive, managers
METHODS Political, administration, legal corruption: bribery, extortion, conflict of interest, abuse of discretion, embezzlement, patronage, nepotism, cronism
OBJECTIVE Economic advantage.
RISKS TYPE Intentional Risks. Reputational & financial risks Corruption Corruption can be seen as an internal Criminal Risks if the company is seen as an active actor or as an external criminal risk if the company is a victim of corruption. Engaging in corruption and bribery creates an unfair advantage and an unfavorable business environment. Apart from supporting and strengthening organized crime, corruption is one of the primary obstacles to the economic development of a country and is the main risk that could deter potential investors. Every company experience types of behaviors typically labeled corruption, including bribery, extortion, embezzlement, conflicts of interest, patronage, nepotism and cronyism, whether as an actor or a victim. Corruption adds up to about 10% of the total cost of doing business globally. We may think that corruption is more visible in weak undemocratic states for instance but we will also see that even in mature democratic states the corruption is here to influence markets and can harm the company in many aspects.
26 -
Laurence Duarte - MBA Edhec
Discovered, corruption inevitably leads to a diminished business climate and the defiance of consumers regarding the company accused. Not one single country, anywhere in the world, is corruption-free. Many behaviors that can be seen as corrupted. These occur in many settings and have varying consequences. Very often there is a debate about whether the behavior is acceptable, harmful, simply routine, if the corruption is structural, opportunistic or episodic. Different methods of corruption are used depending on where the company operates: • in weak democratic states with leaders using power for personal use, like Pakistan, Sierra Leone and Zimbabwe, • in weak transitional regimes with oligarchs and clans searching for opportunity, like Kenya, Thailand, Turkey and Bulgaria, • with Elite Cartels who own economic and politic power like Italy, Taiwan, Greece and Argentina, • or in mature democratic states via Influencing markets, trading by influence with questionable Corporate Political Actions like purchase of access to the politicians and bureaucrats, lobbying activities to ‘game the system’ and protect vested interests. Evaluate corruption crime and risks is never easy, it requires moral competence, perfect knowledge of culture difference and accurate evaluation of the equation risks/costs/benefices.
“Knowing your own darkness is the best method to deal with the darkness(es) of other people” Carl Gustav Jung
Laurence Duarte - MBA Edhec
- 27
INSIDE R WHI T E CO L LA R CRIMINA L AT TAC KS ACTORS Corporate executive, managers, employees
METHODS Embezzlement, theft, money laundering, securities fraud, occupational fraud and abuse: kickbacks, procurement fraud, travel and subsistence fraud, personnel management fraud…
OBJECTIVE To exploit company’s economic power for personal gains
RISKS TYPE Intentional Risks Reputational & financial risks Today it is easier to steal money with a computer than it is with a gun. Insider White collar crime refers to those offenses that are designed to produce financial gain using some form of deception by employees inside the company. If these types of crimes have financial repercussion, there is also damage to the business reputation. Specific stakeholders (analysts, bankers, investors, partners) may review their trust and view on company’s reputation. Embezzlement is the most common and costly type of employee crime. Although embezzlement is both a type of theft and a type of fraud, not every theft or fraud is embezzlement. For a crime to be categorized as embezzlement, it has to be a theft committed by an employee who is entitled to be in possession of (have access and manipulate) the property that was stolen. Like any crime, embezzlement needs to have three elements to be committed successfully: motive, opportunity, and means. When looking at the crime triangle, it is obvious why embezzlement is so widespread. An employee entrusted with assets has both the opportunity and the means.
28 -
Laurence Duarte - MBA Edhec
Theft in a company is basically any theft of tangible assets that is not embezzlement, whether it is performed against the company or a client or another employee. It is estimated that approximately 95 percent of all businesses experience some level of employee theft. Internal fraud : occupational fraud and abuse. Internal fraud is dishonest behavior exercised by an employee or employees to secure unfair or unlawful gain. In 2016, the results of the global ACFE fraud study shows that: . A typical organization loses 5% of revenues in a given year as a result of fraud. . Asset misappropriation is the most common form of occupational fraud, financial statement fraud was on the other end of the spectrum and corruption cases in the middle. Like embezzlement and theft, fraud is not exclusively reserved for the bottom of the company hierarchy. Senior executives are not immune to employee dishonesty. Common types of senior executive fraud that do not cause material damage are falsification of achievements and creating false payment and financial information to mask the losses temporarily. Other common types of fraud include: Procurement fraud, when the tender (bidding) process has not been followed, so that fraud can be committed. Procurement fraud is mostly executed by employees, and as such it is one of the most frequent frauds that affect businesses. However, procurement fraud can also be executed by vendors. Common methods of procurement fraud include presenting fake information, delivering lower-quality goods or services than agreed, invoicing services that were not delivered, or exaggerating the delivered service. Travel and subsistence fraud include claims for fake journeys or fake client entertainment claims, claims for amounts higher than those spent, and forged receipts and signatures authorizing payment. Personnel management fraud represents employee working elsewhere while on sick leave, abuse of flexible working time systems, using a company’s computer for private purposes, etc. Finally, exploiting information— e.g., employee supplying information to outsiders for personal gain.
Laurence Duarte - MBA Edhec
- 29
E MPLOYE E I L L EGA L BE HAVIORS - S E XUA L HA RA SSME N T - MO B B I NG ACTORS Company, Corporate executive, managers, employees
METHODS Sexual Harassment, mobbing
RISKS TYPE Intentional Risks Reputational and financial risks Sexual harassment and mobbing are issues mostly dealt with by human resources in companies. However, many times, sexual harassment and mobbing are not reported; as such, they often depend on security to notice and report them. Although both are issues have to be properly addressed in a timely manner to protect the well-being of employees, if not addressed, they can lead to security risks such as sexual assault, physical assault, retaliation, and numerous other issues. In many countries there are anti sexual harassment and anti-mobbing laws aimed at protecting victims and punishing abusers, as well as punishing companies in case they were aware of the crimes and failed to stop it.
30 -
Laurence Duarte - MBA Edhec
WORKPLACE RE VE NGE CRIMINA L ATTAC KS ACTORS Employees, ex employees, trade unions
METHODS Acts of protests: Sabotage, product contamination, rumors, theft, assaults, bossnapping.
RISKS TYPE Intentional Risks Reputational & financial risks A disgruntled employee or union can cause serious problems for any company. Whether because they’re dissatisfied in their work conditions, their current position or have recently been fired, these potentially malicious individuals need to be monitored to prevent common forms of retaliation. Acts of protest are usually initiated by decisions made by the company or its managers and can range from massive protests organized by trade unions such as work stoppage (strike) and demonstrations, to personal protests such as sabotage, self-mutilations, suicide, and assault, caused by the loss of a job, mobbing, sexual harassment, and so forth. What is common to all acts of protest is that they are usually announced, communicated either openly or hinted at, or anticipated leading to reputational damage.
Laurence Duarte - MBA Edhec
- 31
Z O O M
A BRIEF OVERVIEW OF RECENT BUSINESS SCANDALS Toshiba’s accounting scandal. (Company Illegal Actions: fraudulent/forged financial statement) Toshiba decided to fudge its financial results to meet aggressive profit targets set by executives and managers. The company admitted to inflating its earnings over a sevenyear period by close to a whopping $2 billion.
Goldman Sachs employee uses stolen confidential materials. (Insider White Collar
Criminal Attacks: theft) Last year, the investment firm Goldman Sachs was fined $50 million for not supervising an employee who purposely used confidential regulatory information for the benefit of a client. The employee had worked for the Federal Reserve Bank of New York.
Volkswagen cheats emissions tests. (Company Illegal Actions: deception) Volkswagen was exposed to a massive scandal that possibly cost to the company as much as $87 billion. The Environmental Protection Association disclosed that diesel-engine VW models sold in the United States had a software installed allowing the cars to falsely pass emissions tests. Since then, The automotive company has admitted to cheating the tests voluntarily and admitted that 11 million cars worldwide were fitted with the so-called «defeat device.» Toothpaste maker Crest fined 6 million yuan for faking white teeth in advertisement. (Company Illegal Actions: deception)
Consumer goods giant Procter & Gamble producer of the toothpaste Crest received a record fine of 6.03 million yuan ($978,000), for a deceptive advertisement exagerating the whitening effect of one of its products.
32 -
Laurence Duarte - MBA Edhec
Johnson and Johnson has a serious baby powder problem. (Company Illegal Actions:
deception) Johnson & Johnson was ordered by a Missouri jury to pay $72 million in damages to the family of a woman whose death from ovarian cancer was linked to her use of the company’s talc-based Baby Powder and Shower to Shower for several decades. Johnson & Johnson faces 1000 lawsuits claiming that to boost their sales, the company refused constantly to warn consumers that its talc-based products could cause cancer.
Exxon Mobil deliberately misleads the public about climate change. (Company Illegal Actions: deception) For a decade Exxon had teams of scientists studying global warming in the Arctic. The researchers concluded that global warming is real and that it posed probable dangers for the company. Indeed, higher sea levels could accident Exxon’s drilling platforms, plants, pump stations, and pipelines. But company documents reveal that, instead of helping to combat the environmental risk, Exxon decided to launch a multimillion-dollar campaign questioning climate change to bolster company profits.
BNP Paribas sentenced in $8.9 billion accords over sanctions violations (Company
Illegal Actions: fraud to international trade restrictions & embargoes) BNP Paribas paid a record settlement for Illegally Processing Financial Transactions for Countries Subject to U.S. Economic Sanctions.
U.S Government prosecutes Peter Thiel’s secretive big-data startup for discrimination (Company Illegal Actions: Unethical &
Illegal use of big data) The Labor Department declares that Palantir “routinely eliminated” Asian applicants during the hiring process.
Laurence Duarte - MBA Edhec
- 33
EXTER NAL CRIMINAL R I S KS ASSE SSME NT
34 -
Laurence Duarte - MBA Edhec
“If you know the enemy and know yourself you need not fear the results of a hundred battlesÂť Sun Tzu
Laurence Duarte - MBA Edhec
- 35
EXTER NAL C RIMINAL R I S KS ASSE SSME NT Businesses are threatened by a wide variety of external risks. The larger and more complex they are, the more vulnerable they are to a variety of risks. Until recently, threats associated with companies were mostly traditional types of crime such as fraud, theft, and robberies. Technology has not only improved the way companies do business; it increased their vulnerability to new threats. Today It is extremely difficult for businesses to maintain business continuity and recovery after an incident due to the development of new business models and to the attention on cost savings. Furthermore, the complexity and interdependency of business processes show that minor incidents can gain the potential to have disastrous consequences. The design of excellent protection strategies requires from Business Leaders to be proficient in identifying, understanding, evaluating, and anticipating specific risks that threaten their enterprise and important partners. I will explore the most common external risks that can threaten the tangible and intangible assets of an organization, including its reputation, processes, and people.
36 -
Laurence Duarte - MBA Edhec
Terrorism Threats
Terrorism Attacks
Sabotage
Hijacking Crimes
Cyber Crimes
Economic Crimes
Petty Crimes
Competition Attacks
Counterfeiting Attacks
Espionage
Subversive Attacks
Violent Crimes
Laurence Duarte - MBA Edhec
- 37
CY BE RCRIME , T HE NE W NORMAL “Technological progress is like an axe in the hands of a pathological criminal” Albert Einstein The internet related technologies are transforming societies, economies, and ways of doing business. Computer networks manage our world from personal finances to business operations, public and private services and amenities and thus are consequently vulnerable to attack. The Internet of Things is a growing reality, for the best with new efficiencies but also some concerns with new vulnerabilities and interconnected consequences. This technological progress has been beneficial in many aspects but also detrimental with the wave of cyber-attacks such as economic espionage, cyber crime, and even state-sponsored exploits that are increasingly perpetrated against businesses. Firms have been affected by the increased complexity, novelty and persistence of cyber-attacks, with consequences from the reputational to economic and legal. The internet has opened a new frontier: everything is networked, and anything networked can be hacked. IBM Corp.’s Chairman, Ginni Rometty, said that cybercrime might be the greatest threat to every company in the world. In 2015, Lloyd’s estimated that cyber attacks including direct damage and post-attack disruption to the normal course of business cost businesses as much as $400 billion a year.
38 -
Laurence Duarte - MBA Edhec
As cyber-dependence rises, the resulting interconnectivity and interdependence can diminish the ability of any company to fully protect itself. The failure to understand and address these technological risks could have far-reaching consequences for global companies due to the systemic cascading effects of cyber risks, or the breakdown of critical information infrastructure. Anyone can be targeted, unfortunately, the reasons are always aggressive and visible. It sounds simple to learn that the problem can’t be ignored and isn’t going away, but there are still companies that have remained unconvinced and are now paying the price. Because of this, organizations need to make IT security a top priority. Cybercrime (or computer crime) is basically any crime that involves a computer and a network. However, there are various forms of cybercrimes, not all of which threaten companies. Like traditional crimes, cybercrimes can be divided into several categories: • Fraud and financial crimes— theft of funds and vital information, extortion (also in the form of sextortion), embezzlement, blackmail, etc. • Cyber-vandalism— defacement of a Web site, denial of service attacks, altering or deleting stored data, etc. • Crimes against persons— cyber-stalking, identity theft, harassment, threats, hate crimes, bullying, online predators, etc. • Victimless crimes— for example, online gambling • Crimes against the state— espionage, etc. • Obscenity— for instance, distributing, downloading, and viewing illegal pornography The ideas behind cybercrimes that affect businesses are to steal financial and other sensitive information from the business and its customers and partners, steal funds, cause business discontinuity, or cause denial of service to the company’s Web site or modify its content so that it damages the company’s reputation.
Laurence Duarte - MBA Edhec
- 39
Cybercrimes are not driven only by greed. In fact, because the Internet offers a powerful tool for sending a mass message, cyber-activism (hacktivism or cyber-terrorism) has become a constantly growing threat. Like traditional terrorism, but in a much wider manner, cyber-terrorism is a threat to both national security and businesses. More so, activists use attacks against companies to protest against states. For example, hackers are known to have executed countless attacks against the Web sites of Israeli and US companies after their founding countries’ military actions and political moves. This type of terrorism (or activism) is inexpensive and does not require physical gathering but can have many people spread over the world working together from the comfort of their homes. Although cyber-activism may not be greed motivated, its intention is to cause financial loss to the target. Companies are financially affected by cybercrimes in several ways: • Direct financial loss caused by cyber-theft • Loss of sales caused by Web site denial of service • Business (service, production, etc.) discontinuity resulting from unavailability of systems and applications caused by cyber-attack • Damage to reputation such as loss of trust of clients if, for example, their personal information was stolen, or because of mass messages about the company’s alleged business practices. Customers are not likely to do business with a company vulnerable to attacks. • Penalties paid to customers for inconvenience, loss, or contractual compensation such as delays, failure to deliver the service or product, etc. • Fraudulent orders and payments (chargeback) • Cost of protection against cybercrimes— including expensive software and hardware, hired experts, as well as regular testing and monitoring costs • Cost of insurance • Cost of recovery from cyber-attacks
40 -
Laurence Duarte - MBA Edhec
T HE MANY FAC E S O F H AC KE RS Hackers comes in many shapes and sizes and utilize a broad range of attack to steal or destroy valuable data. To prevent security breaches, it is important to understand not only the types of attacks you are likely to face but the motivations of the hackers.
Professional Mercenary Commercially motivated cybercriminal (part of criminal syndicate), with sophisticated skills and significant resources. Goal : Steal corporate financial information to resell and/or re-direct funds Modus Operandi : APTs, SQL injection, Malware, Trojans, Sniffers
Cyber Warrior Sate actor motivated by nationalist interests, motivated and highly trained. Goal : misinformation & cyber warfare, theft of proprietary IP Modus Operandi : APTs, Malware, SQL injections, Trojans, Sniffers
Malicious insider Commercially or ideologically motivated employee, or ex-employee saboting operations for revenge. Trained and proficient insider knowledge, typically an individual. Goal : Steal intelligence trade secrets and proprietary IP Modus Operandi : Data Theft via email, USB or mobile. Disruption via servers/networks
Principled Idealist Agenda driven hacker, ideologically motivated. Goal : operation disruption Modus Operandi : Bonets, DDOS, Trojans, Malware.
Laurence Duarte - MBA Edhec
- 41
9 TYPE S OF CY BER ATTAC KS* Malware Malware is an all-encompassing term for a variety of cyber threats including Trojans, viruses and worms. Malware is simply defined as code with malicious intent that typically steals data or destroys something on the computer. How does it work? Malware is most often introduced to a system through email attachments, software downloads or operating system vulnerabilities.
Phishing Often posing as a request for data from a trusted third party, phishing attacks are sent via email and ask users to click on a link and enter their personal data. Phishing emails have gotten much more sophisticated in recent years, making it difficult for some people to discern a legitimate request for information from a false one. Phishing emails often fall into the same category as spam, but are more harmful than just a simple ad. How does it work? Phishing emails include a link that directs the user to a dummy site that will steal a user’s information. In some cases, all a user has to do is click on the link.
42 -
Laurence Duarte - MBA Edhec
Password Attacks A password attack is exactly what it sounds like: a third party trying to gain access to your systems by cracking a user’s password. How does it work? This type of attack does not usually require any type of malicious code or software to run on the system. There is software that attackers use to try and crack your password, but this software is typically run on their own system. Programs use many methods to access accounts, including brute force attacks made to guess passwords, as well as comparing various word combinations against a dictionary file.
Denial-of-Service (DDoS) Attacks A DDoS attack focuses on disrupting the service to a network. Attackers send high volumes of data or traffic through the network (i.e. making lots of connection requests), until the network becomes overloaded and can no longer function. How does it work? There are a few different ways attackers can achieve DoS attacks, but the most common is the distributeddenial-of-service (DDoS) attack. This involves the attacker using multiple computers to send the traffic or data that will overload the system. In many instances, a person may not even realize that his or her computer has been hijacked and is contributing to the DDoS attack. Disrupting service can have serious consequences relating to security and online access. Many instances of large scale DoS attacks have been implemented as a sign of protest toward governments or individuals and have led to severe punishment, including jail time.
Laurence Duarte - MBA Edhec
- 43
“Man in the Middle” (MITM) By impersonating the endpoints in an online information exchange (i.e. the connection from your smartphone to a website), the MITM can obtain information from the end user and the entity he or she is communicating with. How does it work? Normally, a MITM gains access through a non-encrypted wireless access point (i.e. one that doesn’t use WAP, WPA, WPA2 or other security measures). They would then have access to all of the information being transferred between both parties.
Drive-By Downloads Through malware on a legitimate website, a program is downloaded to a user’s system just by visiting the site. It doesn’t require any type of action by the user to download. How does it work? Typically, a small snippet of code is downloaded to the user’s system and that code then reaches out to another computer to get the rest and download the program. It often exploits vulnerabilities in the user’s operating system or in different programs, such as Java and Adobe.
Malvertising A way to compromise your computer with malicious code that is downloaded to your system when you click on an affected ad. How does it work? Cyber attackers upload infected display ads to different sites using an ad network. These ads are then distributed to sites that match certain keywords and search criteria. Once a user clicks on one of these ads, some type of malware will be downloaded. Any website or web publisher can be subjected to malvertising, and many don’t even know they’ve been compromised.
44 -
Laurence Duarte - MBA Edhec
Rogue Software Malware that masquerades as legitimate and necessary security software that will keep your system safe. How does it work? Rogue security software designers make popup windows and alerts that look legitimate. These alerts advise the user to download security software, agree to terms or update their current system in an effort to stay protected. By clicking “yes” to any of these scenarios, the rogue software is downloaded to the user’s computer.
Exploit Exploits are malicious programs that take advantage of application software or operating system vulnerabilities. Criminals frequently use exploits to help their threats infect a large number of systems. How does it work? Translating this into a real-life situation, it’s like a padlock (the system or application) has a design flaw that allows people to create keys to open them (the exploit) and gain access to the place it’s supposed to be protecting, allowing access for criminal acts (malware). When these are used, there don’t tend to be any measures that can be used to block the malware that takes advantage of them, and this makes them practically undetectable. For this reason, they are highly valued by criminals, since they enable them to steal important information from companies or governments or, in extreme cases, to attack certain critical infrastructures. *Sources Megan Sullivan
Laurence Duarte - MBA Edhec
- 45
CYBE RC RIME S ACTORS Competitors, hackers, organized crime, stalkers, spies
METHODS Cyberattacks: Identity theft, compromised online banking transactions, theft of personal and company credit card details, blackmailing and ransomware, destabilization, reputation damage or destruction (if the company has something to hide), cyberstalking
OBJECTIVE Invasion of privacy, extortion, blackmail, theft, destruction
RISKS TYPE Intentional Risks Reputational and financial risks Threats to cyber security for businesses and their industrial infrastructures are varied, evolving and have been reaching new levels of complexity and maturity for some time. In recent years, the use of ransomware has emerged as the prevalent threat. This is expected to continue, as the lucrative low-cost and relatively lowrisk nature of ransomware is exploited by cyber criminals for primarily financial gain and data theft. Ransomware is malware that is used by cyber criminals to gain illegal access to networks and associated devices and block access to the network or device and encrypt data, and then demand or extort some form of payment to regain access to the network or device and data. There are several variants, each designed to infiltrate and/or infect systems and manipulate access to networks and data for malicious gain. While the use of malware is not new, today everything has network connectivity, «co-dependent» systems, creating new risk avenues and increasing the cyber security threat.
46 -
Laurence Duarte - MBA Edhec
Cybercrime can also impact employees lives in various ways. One of the fastestgrowing areas of cybercrime is ransomware; it refers to malicious software specifically designed to take control of a computer system or its data and hold it hostage so the attackers can demand payment from their victims. It is important to notice that if ransomware initially targeted PCs, it is now migrating to mobile platforms as well. Finally, if theft of credit cards is still a major theft, hackers want to concentrate on the pattern of your employees’ lives. For criminals, just trying to grab credit card information is not enough, they are now looking for broader sets of data including names, addresses, dates of birth, every identifying material useable to carry out fraud, blackmail, and other crimes. The Consequences of cyber attacks for organizations are double. Firstly, the damage of bottom line, with the disruption of operations, the recovery from an attack can cost an enormous and sometimes unbearable amount of money and the exhaustion of the workforce who must go into disaster recovery mode. Secondly, the damage to reputation. The consumer loss of trust may lead to the reevaluation of their choice of company’s products that is in a critical state because of a serious attack. Consumers may also be concerned about the safety of their information with these companies, leaving them with doubts on why they should buy from them or why they should use their services. This could have grave implications for their bottom lines and their reputations.
Laurence Duarte - MBA Edhec
- 47
TE RRORISM ATTAC KS , D I REC T OR COL LATERA L VI C TI M ACTORS Cyberterrorists, state sponsor terrorists, religious extremists, radical revolutionary terrorists, amator
METHODS Cyberattacks, explosive devices, armed assault, kidnapping, assassination
OBJECTIVE To commit acts of violence including kidnaping and assassination, to damage, to destroy properties. These acts draw the attention of the people, the government, and the world to Terrorist’s cause, and/or to obtain money to finance their actions
Corporations are affected by all forms of terrorism ranging from cyber-terrorism and actual physical attacks to being used to facilitate terrorism through illegal financial transaction and illegal use of the supply chain. Corporations are targeted by religious and separatist terrorist groups because they are symbols of the financial strength of their founding states, have huge media potential, and still do not have adequate protection capabilities. Left-wing terrorism seeks to establish communist regimes, sees corporations as symbols of capitalism, and perceives companies as their worst enemy. Issue-oriented terrorism targets companies because of their effects on the environment or, for example, the use of animals for testing. Right-wing terrorists can target corporations for various reasons such as ownership by members of an ethnic or sexual minority. Every world region is vulnerable to terrorism, and most attacks are directed at businesses and business-related infrastructure. Exporting can help to reduce the risk of terrorist impact. Because it permits a broad and rapid coverage of global markets, it reduces dependence on highly visible physical facilities, and it offers much flexibility for making quick adjustments. Terrorist risks can’t be avoided entirely. Management needs to travel very often and can be impacted by terrorists, brand sellers can also be taken as targets. Every day, we have evidence of our vulnerability to deadly terrorism. High-profile attacks on the main cities in England, Belgium, France and the United States have set the world on edge. Specialists are talking about a new kind of war stretching from the Americas and Europe across Africa, Asia, and the Arab world. This means that terrorism re-emerges as a significant business risk. Twice every day, Businesses are affected globally
48 -
Laurence Duarte - MBA Edhec
TE RRORISM TH RE ATS RISKS TYPE Intentional Risks, People risks & financial risks
OBJECTIVE To threat to commit acts of violence on properties in order to obtain money, equipment or a company’s change of behavior (ideological demand)
RISKS TYPE Intentional Risks, Financial risks
by terrorism incidents. An attack not only on, but near the companies’ premises could cause human casualties, property damage, business disruption, legal liability issues and long-term damage to reputation. Terrorism is the premeditated use or threat of use of violence. Terrorists are individuals or subnational groups who are willing to obtain a political or social objective through the frightening of a large audience, beyond that of the immediate victim. Even though the motivation of terrorists may be not equal, their actions follow standard «actions» including airplane hijackings, assassinations, kidnappings, threats, bombings, and suicide attacks. There has been a constant increase in terrorism over the years, 28 328 people lost their lives to terrorists in 92 different countries in 2015. If Iraq, Nigeria, Afghanistan, Pakistan and Syria cover over the highest percentage of deaths, terrorism is also spreading to more countries, Somalia, Ukraine, Yemen, Central African Republic, South Sudan, Cameron and of course in Europe and the United States. Two main terrorist groups are Boko Haram and ISIL. However, in Western countries, lone wolf attackers are the main perpetrators of terrorist activity driven by right-wing extremism, nationalism, antigovernment sentiment and political extremism and other forms of supremacy. The consequences of terrorism can assume many forms including casualties, destroyed buildings, a heightened anxiety level, and myriad economic costs. According to the new 2015 Global Terrorism Index. The cost of terrorism to the world was $52.9 billion in 2014, the highest since 2001.
Laurence Duarte - MBA Edhec
- 49
In parallel of the “traditional terrorism,” there is a rise of cyber terrorist attacks. Cyberterrorist attacks may not be very sophisticated, but they are efficient and damage painfully the reputation and the financial results of companies (ie: Sony hack). Consequences for organizations: Terrorism can disturb the flows of goods and services, with the interconnectedness of the global economy magnifying the impact. Due to terrorism, companies may experience a broad range of adverse effects like the increase of direct losses associated with a terrorist attack including goods destruction, the value of lives lost, the costs related to injuries, destroyed operations, damaged infrastructure, and the reduction of short-term commerce. And the increase of indirect or secondary costs such as the rise of insurance premiums, the increase in security costs, the greater wages to those at high-risk locations, and the costs tied to attack-induced long-run changes in commerce.
50 -
Laurence Duarte - MBA Edhec
E SPIONAGE ACTORS States, competitors, insider spies (employees, ex-employees).
METHODS Economic espionage/trade secret theft via Hacking, espionage.
OBJECTIVE Loss of know-how, loss of confidential information, company’s destabilization, company’s destabilization
RISKS TYPE Intentional Risks Financial risks
In the United States, the FBI stated that each year about $300 billion of US intellectual property and business intelligence are stolen via espionage by countries including China, Russia, Iran, North Korea, and even France. Espionage is not an American problem, it is experienced all over the word, even if it’s hard to have data, as many public companies never report their losses for fear of shaking investor confidence. If cyber attacks represent a significant trend for espionage, “traditional espionage” exploits the Business Travelers. Thousands of executives, scientists, consultants, and lawyers pass through airports around the world each day, carrying their smartphones, laptops, and tablets, proprietary documents, secret computer files, which may represent an immense value to a competitor, a foreign intelligence service, or a private data collector such as a hacker. Today, with the help of Wi-Fi networks and social networks, operatives can steal intellectual property and business intelligence by disabling encryption, breaching firewalls, and employing the latest networking technologies without their target’s knowledge and with little risk of exposure. The most dangerous locations to be robbed are international airport terminals and hotel rooms. It is notorious that Complimentary Wi-Fi networks permit operatives to intercept activities. In many cases, host governments provide these systems specifically to create data-collection opportunities. The threat is equally real in foreign hotel rooms.
Laurence Duarte - MBA Edhec
- 51
Z O O M
Your attack surface is bigger than you think,
“ YO U ’RE ONLY AS ST R O NG AS YOUR WEAKE ST LINK” During five years (between 2010 & 2015) a group of Ukrainian hackers infiltrated three newswire services— Business Wire, Marketwire and PR Newswire— and shared thousands of embargoed corporate news releases over time with a group of traders. If hacking the press release databases doesn’t sound like a fascinating scheme, it shows a larger problem: criminals extend their activities creatively using banal systems and infrastructure, like a company interacting with a press release service, to steal valuable data. In cybersecurity, an important concept of defense is the idea of reducing a system’s “attack surface.” The more third parties, contractors, consultants, lawyers, advertising companies, etc. companies interface with, the bigger the attack surface for potentially accessing sensitive data. It is important to not only protect your data inside your company but also outside your company regarding how your stakeholders protect your sensitive data.
52 -
Laurence Duarte - MBA Edhec
P E TTY C RIME S ACTORS Street criminals, gangs
METHODS Employee attacks: purse snatching, pickpocketing, mugging and parking lot violence, Prperty attacks: vandalism.
OBJECTIVE Money & Destruction or damage property assets
RISKS TYPE Intentional Risks Financial risks
Petty crimes include any misdemeanor with punishment being less than, one year of jail or no prison time. Even if it is minor, the persistence of these crimes can affect the operations, or reputation of the organization. Vandalism and graffiti affect facilities such as factories and distribution center. Vandalism occurs when perpetrators knowingly damage company property. It is a constant concern of many businesses. The location is a key risk factor when it comes to vandalism. Motives for vandalism can be numerous. Apart from targeting businesses because they have a convenient location, vandals could specifically target certain businesses as revenge. Reasons may include targeting foreign businesses to demonstrate dissatisfaction with foreign politics, and trivial rationales, such as angry minors who were annoyed because they were not allowed to hang around the premises.
Laurence Duarte - MBA Edhec
- 53
ECONOMIC CRI ME S ACTORS organized crime, mafia, drugs & weapons cartels, violent criminals
METHODS Fraud: application fraud, financial identity takeover, check fraud, insurance fraud, short and long firm fraud, procurement fraud, Corruption and bribery
OBJECTIVE Earn money or acquire materials
RISKS TYPE Intentional Risks Financial risks
Fraud is basically any illegal and intentional deception enacted for personal gain. Fraud that targets corporations ranges from general fraud that can target any company to industry-specific fraud. However, although fraud is always committed for gain, victims of fraud do not necessarily experience losses. According to the Price Waterhouse Coopers “2016 Global Economic Crime Survey� conducted on over 6,000 global respondents, fraud continues to be a major concern for organizations of all sizes, across all regions, and in virtually every sector. One in three organizations reports being hit by fraud. According to the same report, industries especially at risk from fraud are financial services, retail, and communications.
54 -
Laurence Duarte - MBA Edhec
PROF ILE OF THE F RAUDSTE R According to the Price Waterhouse Coopers “2016 Global Economic Crime Survey” the gap between internal and external fraud actor is closing. The studies show that “More than half of internal perpetrators still originate from middle and senior management, but junior management also contributed a great deal to the perpetration of internal fraud in some regions. This points to a potential weakness in internal controls, whereby these measures serve as check-box exercises rather than effective processes embedded into an organization’s culture. This is further suggested by the fact that 22% of respondents have never carried out a fraud risk assessment and a further 31% only carry out such an assessment annually. In some regions (for example Asia Pacific), senior management fraud, which is the hardest to detect and tends to have a much greater impact, has jumped significantly. At the regional level, internal actors remain the main perpetrators of fraud in Africa (7% higher than the global average), Asia Pacific (9% higher) and Latin America (9% higher), despite significant falls in respondents stating internal actors were responsible for perpetrating fraud (6% – 15% decline across these regions since 2014). Conversely, external actors were responsible for more fraud incidents in Eastern Europe (44%), Western Europe (49%) and North America (56%) compared to the global average of 41%. The most fundamental change in perpetrator type was in North America where there was a very significant swing from internal to external perpetrators.”
Laurence Duarte - MBA Edhec
- 55
Z O O M
COMPE TITION C RI MI NA L ATTAC KS ACTORS Competitors, states
METHODS Word of mouth rumors, online rumors (Hoax, internet troll), Cy-ops
OBJECTIVE Manipulate, deceive, and destroy reputation of products. Brands, business reputation.
Competition is always a risk. Competitors may decide to use criminal methods to damage brands. These days, it’s easier than ever for a competitor to spread false or malicious rumors about competitors. Whether in emerging countries, where the word of mouth plays a big role in purchase decision or via the internet which allows even the smallest piece of false information to spread rapidly on blogs or social networking sites. Nota: States can also use criminal attacks in order to push their “national” brands or companies.
56 -
Laurence Duarte - MBA Edhec
CY-OPS: CYBER PSYCHOLOGY OPERATIONS Psychological Operations or PSYOP are planned operations to convey selected information and indicators to audiences, to influence their emotions, motives, objective reasoning, and ultimately the behavior of organizations, groups, and individuals. Initially used by armies to control, infiltrate, manipulate, and warp online discourse, the techniques are starting to be used by pressure groups and competitors to push their cause toward the public. Tactics to discredit online: I) To inject a wide variety of false material onto the internet in order to destroy the reputation of its targets:
THE COMPANY AND COMPANY’S PRODUCTS • “False flag operations” (posting material to the internet and falsely attributing it to someone else), • Fake victim blog posts (pretending to be a victim of the product’s company whose reputation they want to destroy) • posting “negative information” on appropriate forums. • Leak confidential information to the company
THE TOP HIGH VISIBLE MANAGEMENT • Set up a honey trap (luring people into compromising situations using sex) • Change their photos on social networking sites • Write a blog purporting to be one of your top executives • Email/text their neighbors, colleagues, friends, etc. II) to use social sciences and other techniques to manipulate online discourse and activism to generate outcomes it considers desirable
Laurence Duarte - MBA Edhec
- 57
Z O O M
SU BVE RSIV E C RI MI NA L ATTAC KS ACTORS Activists, hacktivists (social, political, religious, environmental, racial), cause oriented organizations, cult and dedicated activists groups, deranged people
METHODS Demos including marches, strikes, sit-ins, sleep-ins, teach-ins, street theater, hunger strikes. Violent actions including vandalism, sabotage and hacking, online signatures, boycotts, livestreaming operation, Cy-ops, bad coverage campaigns
OBJECTIVE To judge companies on societal, environmental, political criteria. To denounce and destruct reputation of (supposed or not) unethical company behavior, to create obstructive marketing.
RISKS TYPE Intentional Risks Reputational risks.
58 -
Laurence Duarte - MBA Edhec
“We are Anonymous. We are legion. We do not forgive. We do not forget. Expect us,” “The corrupt fear us. The honest support us. The heroic join us.” Anonymous Motto Subversive acts can be defined by a war of nerves against the company; most of the time the actions are pacific, but in some cases radical activists may decide to use violence against people and property. (H)activist attacks can be perpetrated by insiders, but can also originate from outside activist groups looking for justice. (H)acktivists of all types are motivated by political, environmental and social issues. The potential harmful effect of activists needs to be taken very seriously. With modern technology, the information spreads all over the world almost instantly, influencing the consumers. As the economist Frank Fetter wrote: “the market is the democracy where every penny gives the right to vote”. In the neo-liberal framework, we observe the emergence and strengthening of consumer rights, the rights citizens have as consumers, when purchasing good and services. The People are consumers and they become more and more consumer-citizens, exercising their responsibility, forcing the market to more ethical, responsible and sustainable ways of behaving.
Laurence Duarte - MBA Edhec
- 59
SA BOTAGE C RI ME S ACTORS Competitors, angry employees or ex-employees
METHODS Sabotage
OBJECTIVE Damage property assets.
RISKS TYPE Intentional Risks Reputational risks & financial risks
The term «sabotage» derives from French factory workers throwing their wooden shoes («sabots») into machinery to jam them and stop production. Sabotage refers to all activities which workers (radical labor unions, angry employees), or exterior people (competitors) can undertake to reduce production or rate of work. The deliberate action taken with the purpose of weakening company operations can have various consequences, from disruption to major destruction of key properties. Social instability, presence of radical labor unions, as well as unethical behavior from the management in suppliers or companies factories will help to evaluate the risk of sabotage.
60 -
Laurence Duarte - MBA Edhec
HIJACKING C RI ME S ACTORS Guerillas, organized crime
METHODS Piracy, assets kidnapping with the use of violence (armed attack).
OBJECTIVE Earn money or acquire materials.
RISKS TYPE Intentional Risks Financial risks
Hijacking crime is more regional crime, but it can have global consequences with possible disruption of buinesses global chain (supply of raw materials, and packaging goods, disruption in logistics).
Laurence Duarte - MBA Edhec
- 61
ď‚ą
Z O O M
P IRACY Civil wars and terrorism can disturb the flow of company goods (raw materials, packaging goods), with the interconnectedness of the global economy magnifying the impact. 90% of traded goods travel by sea, often through stretches of water in Asia and Africa that are increasingly part of the territorial disputes or target of piracy: The Suez Canal, the Strait of Malacca, the Gulf of Guinea and the Strait of Hormuz –thoroughfares for trade and supplies- are all surrounded by violent conflicts.
Piracy & Armed Robbery Map 2016 (ICC)
62 -
Laurence Duarte - MBA Edhec
COU NTE RF EI T I N G, FO RGE RY, AND COPYR I GH T AT TAC KS ACTORS Organized crime
METHODS Illicit counterfeit products sold in official markets and underground markets, forgery, copyrights infringements
OBJECTIVE Using company’s assets to its own interest (financial).
RISKS TYPE Intentional Risks Financial risks Counterfeiting is basically creating illegal imitations of genuine products with the intention of fraudulently passing them off as genuine. Products that are especially vulnerable are established brands with a relatively high retail value, such as alcohol, cigarettes, electronics, popular food brands, watches, and clothes. Moreover, illegal imitations include Web sites that imitate genuine commercial Web sites for the purpose of fraudulent activity, such as social engineering. Counterfeiting is a direct threat to legitimate business. Firstly, counterfeit products cost millions to companies. Secondly, the quality, safety and effectiveness of counterfeit products cannot be assured. The potential danger to the consumer Security and health is like a sword of Damocles hanging over any Business reputation. Forgery is the process of creating, adapting, or imitating objects or documents. The most common forgeries include money, works of art, documents, diplomas, and identification. Forgeries often accompany other fraud such as application, insurance, or check fraud, financial identity takeover, and so forth. Copyright infringement is the unauthorized use of copyright products and patents. Knowing that success in today’s global economy is increasingly dependent upon effective identification as well as innovation, managing risk and protect intellectual property is critical. It is a matter of business survival.
Laurence Duarte - MBA Edhec
- 63
VIOL E NT CRI ME S ACTORS Guerillas, organized crimes, street criminals, mercenaries, subversive’s groups
METHODS Employee attacks : assaults, muggings, rapes, hostage taking (barricade incident or kidnapping) & property attacks including equipment thefts, burglaries, robberies, bank transfer cyber scam, Business Email Compromise (BEC) scam to extort money, cargo theft
OBJECTIVE Money, violence, ideological demand
RISKS TYPE Intentional Risks Reputational risks People attacks are always tragic events in a company. They can create disruption or perturbation in the organization if key people disappear. They can also create demotivation. Indeed, these tragedies can cause unspeakable pain not only for the people directly involved but also for those who see misfortune befall colleagues. Losing property assets can be a major blow to your company. While most theft won’t destroy your business, internal or external theft can lead to important economic damages.
64 -
Laurence Duarte - MBA Edhec
Based on the 2015 Screen global Intelligence Report issued by the Freight Watch International Supply Chain Intelligence Center, globally, cargo thefts are experiencing growth in terms of the number of incidents and their financial impact. Organized, often transnational criminal groups are targeting easily resalable goods that have left the safety of a production facility or warehouse and have not yet reached a safe destination. As with other thefts, the criminals are targeting traditionally hot products with a high black market value, such as alcohol, cigarettes, branded clothing, computers, mobile phones and other electronic devices, entertainment equipment such as televisions, and prescription. For instance, a truckload of expensive cigarettes may be worth up to 2 million Euros. Still, the focus of the thefts depends on the demand and the goods are often ordered or even presold before the theft. Also on the rise are the number of assaults on drivers and the increasingly violent nature of supply chain incidents. As presented in the EUROPOL report from 2017, criminals are showing increasing willingness to employ firearms, explosives, and gas and to use violence with little regard for human life. Incidents involving the use of a weapon have significantly increased in several countries. The impact of supply chain incidents can be devastating for a business whether they affect production through the delay of cargo with necessary raw materials or cause the loss of product during distribution to consumers.
Laurence Duarte - MBA Edhec
- 65
ď‚ą
Z O O M
K R E, KIDNAPPING THR EATS IN 2 017 Traditional kidnap for ransom and extortion (KRE) and increasingly, short-term traditional kidnapping variants, continue to impact the security environments of numerous countries. Traditional and short-term kidnappings for financial gain affect locals and foreign nationals in many higher-risk locations, including Latin America and Africa. Criminal gangs have traditionally targeted high-profile and wealthy executives and industrialists, and their dependents. However, as has been the case in recent years, kidnappers are expected to continue to become increasingly indiscriminate and target a range of middle-income individuals, including businesspeople, landowners and corporate executives, and their dependents. Most kidnappings, especially express kidnappings, will conclude with the release of the victim, usually by the perpetrators following a ransom payment. Kidnapping durations will generally be short, with incidents concluding within several hours or days. However, when it comes to traditional KRE incidents, incident durations may be longer. As criminal perpetrators are usually armed and violence is frequently threatened to expedite a payment, there is high potential for violence during a KRE or express kidnapping incident. Hostages have been subjected to acts of violence and/ or torture in the past. Should a police rescue be initiated, which occurs often, there is also a possibility that the hostage(s) may be affected by violence.
66 -
Laurence Duarte - MBA Edhec
kidnapping risk rating key Low risk Medium risk
Hight risk
Extreme risk
KIDNAPPING THREAT TYPES Tiger kidnapping A kidnapping orchestrated to facilitate another criminal act; a company employee is abducted and forced to facilitate a robbery at the business premises. The victim’s dependants are often held hostage until the robbery is complete.
17% Asia
Virtual kidnapping A ransom demand is made under the pretext of an individual having been kidnapped; however, no abduction is actually committed. A ransom is demanded via telephone from the purported victim’s family; demands are generally fairly low
31% Sub Sahara Africa
Extortion The obtaining of property or priveleges by way of duress, be it actual/threatened force, or under the pretence of official right. Perpetrators often threaten the release of confidential/potentially damaging personal information.
35% Middle East North Africa
Cyber extortion The threat or act of denying access to or the stealing or destroying of data held on an electronic device unless a ransom is paid. Undesirable/illegal information may also be transferred onto the victim’s computer.
13% Americas
4% Europe
% KRE in the world
Laurence Duarte - MBA Edhec
- 67
Z O O M
A BRIEF OVERVIEW OF RECENT BUSINESS SCANDALS Cyber Attack with the use of a malware: 100 terabytes of data stolen and some destroyed + terrorist threats Sony Pictures entertainment experiences the most devastating hack in corporate history. The hackers released publicly highly confidential company information—salary details, private e-mails (some of them harshly critical of top Hollywood talent). For good measure, the hackers wiped out huge amounts of data on the
company’s servers. The hackers also threatened retaliation if The Interview, a Sony Pictures comedy set in North Korea that includes the assassination of Kim Jongun, was released. Fearing reprisals, many theaters declined to screen the film, and Sony had to look for alternative distribution.
« The bigger challenge was that the folks who did this didn’t just steal practically everything from the house; they burned the house down. » Michael Linton (CEO of Sony Pictures Entertainement)
Screenshot of a message sent to Sony Pictures employees
68 -
Laurence Duarte - MBA Edhec
Fake press release sends Vinci shares crashing Shares in the French construction giant Vinci fell by more than 18% after a fake press release said the firm would restate its accounts and sack its chief finance officer, Christian Labeyrie. The hoax claim was first published late on Tuesday afternoon by the Bloomberg website, according to Vinci. The false statement said the company would revise its 2015 and 2016 accounts after supposed accounting errors. «This is false, totally false. We deny it,» said a Vinci spokesman.
Shares in Vinci, which has businesses in more than 100 countries, are traded on the French stock market. After the denial was issued the company’s share price swiftly recovered to end the day down just 4% at €58.8. «Vinci denies formally all the information contained in this fake press release and is investigating all legal actions in furtherance thereof,» said the firm. The hoax said the company had uncovered irregularities which had been hiding losses amounting to 3.5bn euros.
The daily share price graph highlights when the fake news broke.
Laurence Duarte - MBA Edhec
- 69
ď‚ą
Z O O M
THE 21 OC TOBE R 2 016 DDOS ATTAC K
The 21 october 2016 DDoS attack focused on a single point of failure; the DNS provider Dyn resulting of major trouble for websites to function properly like the New York Times, Netflix, Twitter, Pinterest, Reddit, GitHub, Etsy, Tumblr, Spotify, PayPal, Verizon, Comcast, EA, and the Playstation network.
RAN SOMWARE In may 2017, a devasting global cyberattack called WannaCry spread ransomware to countless computers over 150 countries and has alerted millions of people to the dangers of ransomware. Hospitals, utilities, businesses, and more were locked out of their computers, facing payment demands from anonymous hackers.
70 -
Laurence Duarte - MBA Edhec
THE ASH LE Y M A DI SON H ACKING Companies are being urged to identify employees who could be blackmailed into revealing sensitive market information following the Ashley Madison data dump. After hackers leaked 37 million email addresses used by people who had accessed the Toronto-based adultery website, there are fears that blackmailers will start demanding money to keep the details of extra-marital affairs secret. But the major threat came from targeting people who had access to market-sensitive information. Most of the email addresses used are corporate addresses, it is easy to identify and blackmailing people for sensitive corporate information.
Yes, life is short, but don’t have an affair.
Laurence Duarte - MBA Edhec
- 71
« It is impossible to provide a forecast of future contingencies, especially because on our expeditions we are obliged to go across great waters and vast solitudes by dangerous ways… on account of which they frequently depend on God’s will and disposition, and of course the weather. » The Grand Master of the Teutonic Knights, 1394
72 -
Laurence Duarte - MBA Edhec
T HE R EGIONAL PIC TURE O F CRI MINAL RISKS
Laurence Duarte - MBA Edhec
- 73
THE REGI ONAL PICTURE S O F CRI MINAL RISKS Global companies are particularly permeable to the current geopolitical context and the specific risks linked to particular markets. The geopolitical and international security context shows that chronic and resurgent violence, conflicts, and economic and social volatility will remain prominent today and tomorrow. Businesses should be prepared for all sorts of problems associated with recession on top of pure economy effects. Illicit trade, brand integrity issues, hardships associated with redundancies, crime on all levels, partner integrity concerns, and corruption are some of the problems known to affect businesses and security in times of crisis. Corporations are not immune to global politics. The criminal risks for doing business differ significantly from country to country. However, similarities exist. In developed economies, white collar crimes, technological risks such as cyber-attacks and data theft may lead to major damage for companies. In these countries, connectivity plays a central role in production processes, service provision and spread of all sort of communication.
74 -
Laurence Duarte - MBA Edhec
In emerging and developing economies, the worries are political instability and failure of national governance leading to corruption. The inability to efficiently govern a nation increases the risks of the weak rule of law and thus corruption, illicit trade, organized crime, impunity, and political deadlock. Weak or failing national governance help the development of organized criminals and terrorists which can benefit from illegal trading in weapons, counterfeited goods, and worst humans. These illegal activities create damaging economic, social, and environmental business context at regional and global levels. Risks and costs affect organizations in countries with poor governance or conflicts. The difficulties of working in an unpredictable environment and complying with international standards when weak states do not themselves adhere to international regulatory regimes, create unfavorable conditions for business. Finally, to lower the costs of their operations, corporations are often pushed into relocating their operations to cheaper emerging markets, which are often characterized by lower costs and higher security risks. On a more indirect level, corporations are the true ambassadors of their founding countries, for good or bad. Any security threat that a country is facing is immediately spread to its trademark companies worldwide. Although a state has planned and anticipated the risks and has a homeland security mechanism in place to mitigate these risks, companies are left alone on a foreign ground to fight against the threats, with incomparably lower resources and capabilities.
Laurence Duarte - MBA Edhec
- 75
LATI N AME RIC A CR I M INAL RISKS Main Threat Actors Drug cartels, Criminal Gangs, Opportunistic low-level criminals, Governments.
Assets People: Violent crimes, Kidnapping (KRE), Extortion. Business reputation: Corruption. Property: Robbery, Damage. Extreme criminal risks countries: Mexico, Guatemala, El Salvador, Honduras, Venezuela, Colombia. High criminal risks: Brazil, Argentina.
Keys findings Latin America has been named as the world’s highest risk region for violent crime, due to the widespread prevalence of drug trafficking organizations (DTOs), kidnapping, extortion and robbery across 11 countries, including in its four largest economies, Brazil, Mexico, Argentina and Colombia. The continent faces governance challenges, with organized criminal gangs gaining influence over many aspects of society in various countries, as a steady stream of drugs continue to flow from the region into the United States, Europe and Africa. Latin America is at a crossroads. The combination of slower growth prospects, increasing social unrest and political instability combined with high levels of violent crime pose serious security challenges for the region.
76 -
Laurence Duarte - MBA Edhec
N O RTH AME RICA CR I M INAL RISKS Main Threat Actors Terrorists (Islamists, far right), Activists, Hacktivists, Employees, Management.
Assets People: Kidnapping, Assassination (terrorists). Business reputation: Scandals, Subversive attacks. Property: Terrorism attack, Vandalism, Sabotage. Proprietary information: Theft, Cyber-attack.
Keys findings In North America, which includes the United States and Canada, majors risks are cyberattacks and business reputation attacks, followed by data fraud or theft. North America is extremely well connected, and ICT usage is high. The risk of terrorist attacks is also very high, according to the House Committee on Homeland Security, ÂŤthe home-grown Islamist extremist threat in the United States has escalated dramatically in 2015, with more terror cases than in any full year since September 11, 2011.Âť
Laurence Duarte - MBA Edhec
- 77
AS I A PAC IF IC CRI M INAL RISKS Main Threat Actors Governments, Organized crime, Conflicts.
Assets Business reputation: Scandals, Economic damage. Property: Damage and Destruction. Proprietary information: Theft, Cyber-attack, Cyber espionage.
Key findings The end of the commodity boom, the economic slowdown in Russia, the weaker-than-expected growth in China and the slow recovery in the Eurozone are among the factors putting pressures on Central Asia’s economies. The interstate conflicts and corruption remain the major criminal risks. Business in this region remains uncertain, the conflict between Russia and Ukraine, the complicated process of the annexation of Crimea, and the involvement of Russian military in Syria fulfill instability that may be affecting the business in this area. Finally, Russia, China are well known to have the best cyber warriors. Companies need to be aware of major risks regarding the Nation state cyber espionage as well as cyber theft.
78 -
Laurence Duarte - MBA Edhec
EUROPE CRI M INAL RISKS Main Threat Actors Terrorists, Employee theft, Management (unethical behavior), Cyber criminals, Organized crime.
Assets Property: Terrorist attack (target or collateral), Employee theft, Cyber-attacks, Extortion, Vandalism. Business reputation: Scandals (Deception, Unethical behaviour, Corruption, Employee fraud). Proprietary information: Theft, Cyber-attack.
Key findings In Europe, like in the US, majors’ risks are cyber-attacks, business reputation attacks, followed by data fraud and internal corporate crime. The refugee’s crisis can lead to a certain level of instability, and a potential development of illegal work. Companies which have plants, operate directly or important partners in Italy, Sweden, UK and middle east countries (Slovenia, Albania), may faced a risk of infiltration of organized crime groups (OCGs) in these legal businesses. OCGs infiltrate legitimate businesses to maximize economic and non-economic benefits. They aim to launder the profits from criminal activities, to obtain considerable earnings and benefit from their profitability, to perpetrate frauds (e.g. insurance fraud, VAT and tax fraud, benefit fraud) to achieve other goals such as maximizing social consensus and achieving control over a sector or territory.
Laurence Duarte - MBA Edhec
- 79
A FR I CA / E URASIA CR I M INAL RISKS Main Threat Actors Terrorists (Islamists), Organized crime, Tribal Gangs, Conflicts, Governements.
Assets Property: Terrorist attack, Damage and Destruction, Extortion, Hijacking, Corruption, Theft. People: Kidnapping, Assassination (guerrillas).
Key findings Unsurprisingly, in Middle East and North Africa, the risks of terrorist attacks and interstate conflict are important, as a proliferation of conflicts is putting the region’s geopolitical stability at stake. Violent and extremist groups are also at work in parts of the Sahel, northern Nigeria, the Horn of Africa, the African Great Lakes area and the Central African Republic. Others countries as well, are facing political tensions leading to violence. Burundi faces worrisome political tensions, which raises the risk of further severe civil unrest and interethnic violence. However, elsewhere in Africa, economic growth continues despite serious security, social and corruption problems.
80 -
Laurence Duarte - MBA Edhec
The regional picture of criminal risks
THE REGIONAL PICTURE O F BRI B E RY INC IDE NC E In some countries, businesses may require making unofficial payments or gifts to «get things done.» Bribery incidence
percent of firms experiencing at least one bribe payment request source World Bank Group. • East Asia & Pacific: 30.4
• Sub-Sahara Africa: 23,7
• South Asia: 24,8
• Europe & Central Asia: 18
• Middle East & North Africa: 24
• Latin America & Caribbean: 10,4
Irak Corruption Score: 16 Libya Corruption Score: 16
Afghanistan Corruption Score: 11
Sudan Corruption Score: 12
Yemen Corruption Score: 19
South Sudan Corruption Score: 15 Venezuela Corruption Score: 17
North Korea Corruption Score: 8
Somalia Corruption Score: 8 Angola Corruption Score: 15
The 10 countries most corrupted in the world, as ranked by Transparency International’s 2015 report.
Laurence Duarte - MBA Edhec
- 81
Z O O M
« War is the realm of uncertainty; three quarters of the factors on which action in war is based are wrapped in a fog of greater or lesser uncertainty. A sensitive and discriminating judgment is called for; a skilled intelligence to scent out the truth. » Von Clausewitz, On War
82 -
Laurence Duarte - MBA Edhec
RISKS ASSE TS IMPACT
Laurence Duarte - MBA Edhec
- 83
U N DE RSTAND ASSE TS IMPACT “Proactively identifying risks is one of the main benefits of threat modeling. Rather than waiting for something bad to happen and waiting for the risk to be realized it means taking control of risks and making risk informed decisions in advance and initiate design changes ahead of a future deployment of the application. But a lot of businesses out there don’t see the return on investment, they look at it as a liability, and until they can understand that proactive security actually returns, gives them a return on investment, it’s still a hard sell for people.” Kevin Mitnick
The 3 steps of Assets Impact assessment
84 -
Laurence Duarte - MBA Edhec
ASSETS IDENTIFICATION
Usually the first step of a risk assessment is to understand the asset at risks. However, I have decided to start from a macro point of view of the criminal risks to sensitize my readers on the complexity and the wide variety of criminal risks companies have to face. My point is to encourage the business leaders to think like a perpetrator, before starting an asset characterization and Identification. My objective is to invite business leaders minds to understand the quickest as possible the assets at risk. Being able to know the danger they need to address will help to develop a lucid vulnerability analysis and to determine the possible consequences if the most important assets are compromised. Criminal actions toward company can critically harm these assets and the value of the company, whether by the loss of life, the loss of property (and the difficulty to replace them), the loss of proprietary information, the loss of business productivity, or the loss of business reputation. Each asset has two critically factors. The first is the asset’s criticality to the mission of company, the second is the lost time and productivity and the cost of recovering the asset if it is damaged or lost. To achieve a successful strategy of assets protection, it is important to understand the type of threat companies are facing as well as the type of perpetrators the company can expect to be able to limit the opportunity and to obstruct the means in the earliest possible stage of an incident.
ASSETS CRITICALITY
CONSEQUENCE ANALYSIS
Laurence Duarte - MBA Edhec
- 85
ASSE TS I DEN TIF ICATION Asset characterization is the identification of critical assets while performing a preliminary evaluation of any criminal attacks. Assets can take many forms like business reputation, contracts, facilities, property, etc. Assets need to be identified and prioritized to compile a list of the highest value ones. This step is crucial to determine the vulnerability and criticality of each asset and to allocate the appropriate resources to protect them.
86 -
Laurence Duarte - MBA Edhec
All organizational assets fall into four main categories: Property real property, fixtures, furnishings and equipment, supplies, cash vaults, bank accounts‌ Property is a primary target of economic crimes.
People management, employees, contractors, vendors, visitors and customers. People are the primarily target of terrorism and violent crimes.
Business reputation including brands, business reputation is self-evident. It represents what your stakeholders think about you. Business reputation is a key asset, that if lost can destroy an entire organization.
Proprietary Information business processes, patents, paper files, computers files‌
Laurence Duarte - MBA Edhec
- 87
ASSE TS CR I TIC ALITY There are two measures of criticality. The first is the impact that an asset has on carrying out the mission of the organization, and the second is the impact that cost or time to replace the asset would have on the organization. Basic criticality is the measure or estimate of a business unit or asset’s importance to the mission of the organization. Certain of the organization’s assets are more important than others to its mission. Criticality may be intrinsic or derivative. Intrinsic criticality is the extent to which a specific asset is directly important to the mission of the organization, while derivative criticality is estimated by the impact that the loss of the asset would have consequentially. The two measures of criticality: I - Criticality to operations: the first is the impact that an asset has on the carrying out of the mission of the organization. If an asset (person, property, information, or business reputation) is essential to the mission of the organization, it can be said to be critical. II - Criticality to sustainability: the second is the impact the asset has on the sustainability of the organization.
Criticality scale To Operation •Absolutely critical to daily operations: loss would cause immediate shut down of operations •Very Critical, but operations could continue up to several days •Critical, but operations could continue at diminished capacity. •Somewhat critical, but operations would be seriously impacted. •Not critical, but helpful to operations. •Absolutely not critical to the mission.
88 -
Laurence Duarte - MBA Edhec
To Sustainability • Absolutely critical to sustainability and no suitable and affordable work around could be arranged. Loss of asset would cause the loss of the organization. • A work-around could be arranged but would seriously affect operations or profitability. • An affordable work-around could be arranged. • Absolutely not critical to the mission.
From not critical to absolutly critical to Sustainability
Heat map
From not critical to absolutly critical to Operations
Laurence Duarte - MBA Edhec
- 89
CO NSEQUE NC E A NALYSIS Consequence identifies the effect that the loss of an asset would have on the organization. For every unwanted event, a range of consequences are possible, and within most of these, there is a range of severity.
Possible consequences include • Mass casualties • Loss of property • Loss of production • Loss of proprietary information • Environmental impact • Loss of business reputation
90 -
Laurence Duarte - MBA Edhec
As for criticality analysis, we can map the consequences by scoring between 1 and 10 (10 being the worst) those assets with the greatest consequences. Consequences need to calculate in term of costs as well, cost to the organization to replace the asset if lost: • Absolutely critical as the cost to replace would be impossible to bear • Very critical, replaceable at very great cost in dollars or lost production • Critical, replaceable at significant cost in dollars or lost production • Somewhat critical, cost would impact other operations or development plans • Not critical, easily replaceable We can use a risks measurement matrix to count the level of risks:
Laurence Duarte - MBA Edhec
- 91
“Capture their minds and their hearts and souls will follow�
92 -
Laurence Duarte - MBA Edhec
A SSE TS / RISKS VI SUALIZATION Assets / Risks Visualization summarizes the biggest potential risks which can generally hit company’s assets.
Laurence Duarte - MBA Edhec
- 93
B US I N ESS RE PUTATION BRA N D CRIMINAL RISKS Business Reputation is a key asset that if lost can destroy an entire organization. Brand damage and destruction represent a major risk for the loss of value. Most of companies rely directly on the business reputation of its brands to distribute and sell its products to the customers all over the world.
94 -
Laurence Duarte - MBA Edhec
INSIDER WHITE COLLAR CRIMINAL ATTACKS
COMPANY ILLEGAL ACTIONS CORPORATE VIOLENCE CRIME OF GLOBALIZATION
Actors Employees, ex employees
Actors Corporate executive, managers
Methods Insider Fraud, Embezzlement, Stock manipulation, fraudulent/forged financial statement, conflicts of interest, illicit financial flow.
Methods Insider Fraud, Embezzlement, Bribery, Stock manipulation, fraudulent/forged financial statement, conflicts of interest, cartels, Illicit financial flow, tax evasion.
COUNTERFEITING ATTACKS Actors Organized crime Methods Illicit counterfeit products sold in official markets and underground markets.
WORKPLACE REVENGE CRIMINAL ATTACKS
BUSINESS REPUTATION
Actors Employees, ex employees
BRAND REPUTATION
Methods Sabotage, product contamination, rumors, theft
CORRUPTION CRIME
SUBVERSIVE CRIMINAL ATTACKS
Actors Corporate executive, managers
Actors Activists, Hacktivists (Social, Political, Religious, Environmental, Racial) Methods Demos including marches, strikes, sit-ins, sleep-ins, teach-ins, street theater, hunger strikes. Violent actions including vandalism, sabotage and hacking, online signatures, boycotts, Cy-ops, bad coverage campaigns.
Methods Political, administration, legal corruption: bribery, extortion, conflict of interest, abuse of discretion, embezzlement, patronage, nepotism, cronism.
COMPETITION CRIMINAL ATTACKS Actors Competitors, States Methods Word of mouth Rumors / Online Rumors (Hoax, internet troll) / Cy-ops
Laurence Duarte - MBA Edhec
- 95
PROPE RTY CR I M INAL RISKS The property risk deals with the fixed assets of companies and the risks of the value of these assets being diminished. Property Classify company’s property in the following ways: • Real property (land and buildings) • Equipment and supply • Bank Accounts • Business processes Criminal property attacks damage or destroy these assets, disrupt the supply chain and lead to some sort of economic damage. The severity usually depends on the affected company asset resiliency and ability to recover, from a total unrecoverable loss of operations resulting in the permanent collapse of the organization, to a very minor disruption for a short period such as a few days.
96 -
Laurence Duarte - MBA Edhec
TERRORISM ATTACKS
TERRORISM THREATS Actors Cyberterrorists, State sponsor terrorist, religious extremist, radical revolutionary, amator.
Actors Cyberterrorists, State sponsor terrorist, religious extremist, radical revolutionary, amator
Methods cyberattacks, explosive devices and weapons
Methods cyberattacks, explosive devices and weapons
ECONOMIC CRIMES
HIJACKING CRIMES Actors guerillas, organized crime Methods piracy, assets kidnapping with the use of violence (armed attack)
COLGATE PROPERTY
Methods Sabotage, product contamination, rumors, theft
PETTY CRIMES
SUBVERSIVE ACTS
Actors street criminals, gangs
Actors Activists, cause oriented organizations, cult and dedicated activists groups, deranged people Methods unarmed or armed attacks, civil disorder, intimidation, riots, protests, sabotage.
Actors Hackers, street criminals, guerillas, organized crime, Mafia, drugs & weapons cartels, violent criminals
Methods vandalism.
SABOTAGE CRIMES Actors competitors, angry employees or ex-employees Methods sabotage
Laurence Duarte - MBA Edhec
- 97
P EO PLE CRIMINAL RISKS People are the primary target of Terrorism and Violent Crime. People include management, employees, contractors, vendors, visitors and customers. People are the most important asset of every organization, and the most important value we are protecting is certainly human life. Security risks differ among locations, exposure of position to risks, organizational hierarchy, gender, and many other influencing factors. Risks are various and can range from theft to threats, assault, kidnapping, and murder. A company’s main mission is to create a safe working environment and protect employees at work and from work-related security risks, but company cannot be responsible for all off-work security risks to employees. However, businesses should do their best to protect employees even from off-work risks that follow them to work and also encourage them to come forward with serious private security concerns and advise them on how to handle them or where to seek professional assistance. Some groups deserve special attention, such as expatriates in and business travelers to risky areas. The transnational nature of corporations and their focus on emerging markets create new opportunities for reward, but in many cases they are accompanied not only by investment risks but also by specific security risks to both the business and its people. Opening a business in a less traveled location is an exciting opportunity to conquer the market before the arrival of competition. However, locations that are new to business usually lack highly skilled professionals and practically require companies to import more skilled professionals and experienced managers (expatriate positions); they also require tighter management, including frequent visits to the new part of the business (business travelers). Traditional expatriate and business travel assignments recently started expanding to give companies more efficient models of increasing employees’ mobility and creating alternative options for sending employees where they are required. Such assignments include short-term assignments and peer-to-peer assignments.
98 -
Laurence Duarte - MBA Edhec
Although kidnapping for ransom, hostage taking, terrorism, and political violence are not exclusively reserved for emerging markets but can happen anywhere, such risks are higher in some places than others. The risks could be also heightened by corrupt and ineffective local security forces as well as risk factors such as the nationality, position, and behavior of the employee, the effectiveness of security measures, and the image of the company and its founding country. According to the number of incidents against foreigners, especially kidnappings for ransom, based on numerous sources and news reports, the following countries are marked as kidnapping hot spots: Mexico, Venezuela, India, Nigeria, Afghanistan, Pakistan, Iraq, Syria, Philippines, Guatemala, Colombia, Libya, Egypt, Algeria, Brazil, Yemen, Kenya, Malaysia, Bangladesh, Burkina Faso, Cameroon, Chad, the Democratic Republic of Congo, Eritrea, Ethiopia, Mali, Mauritania, Morocco, Niger, Peru, Sudan, South Sudan, Senegal, Somalia, and the area of the Indian Ocean off the coast of Somalia.
VIOLENT CRIMES TERRORISM ATTACKS
Actors Guerillas, organized crimes, street criminals, mercenaries, subversive’s groups
Actors State sponsor terrorist, religious extremist, radical revolutionary
Methods Assaults, muggings, rapes, hodtage taking (barricade incident or kinapping)
Methods Armed assault, Kidnapping, assassination
PEOPLE
PETTY CRIMES Actors Street criminals, organized crime Methods Purse snatching, pickpocketing, mugging and parking lot violence.
CYBERCRIMES Actors Competitors, hackers, stalkers, spies Methods Cyberattacks: Identity theft, compromised online banking transactions, theft of personal and company credit card details, blackmailing and ransomware
Laurence Duarte - MBA Edhec
- 99
PR OPRIE TARY CR I M INAL RISKS Proprietary information includes Business processes, vital records, strategic plans, customer lists, information technology system, electronic security system, voice communication system. Any company in the modern world is vulnerable to cyber-attack. Malicious individuals and groups thrive on bringing together information that can be used to improve their attack strategies. For instance, hackers are becoming more focused on spear-phishing attacks targeting individual people to gather any bit of employee’s information. The interconnections between people and machines, the relative centralization of the services will increase the odds of cyber-attacks with potential cascading effects across the Cyber ecosystem of companies. As the cyber dependence rises, the resulting interconnectivity and interdependence can diminish the ability of companies to fully protect their entire enterprise which may lead to theft or destruction vital proprietary.
100 -
Laurence Duarte - MBA Edhec
ESPIONAGE CYBERCRIME
Actors States, competitors, insider spies (employees, ex-employees)
Actors Hackers, Hactivists
Methods hacking, espionage
Methods hacking (malware, Ddos)
PROPRIETARY INFORMATION
TERRORISTS CRIMES Actors State sponsored terrorists, religious extremists, radical revolutionary terrorists Methods Hacking (malware, Ddos)
Laurence Duarte - MBA Edhec
- 101
ÂŤ A danger foreseen is half avoided Âť Cheyenne Proverb
102 -
Laurence Duarte - MBA Edhec
RISKS PRI O RITIZATION We can’t protect everything. But we can anticipate even if no one can predict with certainty when and how a severe disruption of business will occur. With anticipation, every organization can determine what is vital to protect at which cost. Firstly, the organization needs to develop awareness of criminal risks. And how these risks can impact their organization. Companies adapt their strategy whether on dealing with threats of terrorism or with criminal activity, depending on multi-factors like their activities or location for instance. Certain industries have unique risks, such as for transport hijackings or depot firms smuggling. And some areas or properties may have local problems that are unique like vandalism, gang activity, kidnapping, etc. Secondly, prioritization is needed to develop a strategy to prevent, to mitigate the most important risks and of course to develop a budget. The reason to have a protection program is to prevent the undesired consequences to happen. By identifying all risks and consequences, organizations can develop the priorities in their budget thinking about consequences and acceptable losses. The risks prioritization variables are acceptance of the loss / duplication the asset / insure the asset /protect the asset.
Laurence Duarte - MBA Edhec
- 103
104 -
Laurence Duarte - MBA Edhec
STRATEGY PR OTECTION PROG RAM Building from Resilience Criminal risks recognize no boundaries. The cascading effects of human-made criminals attacks can be felt oceans away imposing economic and human costs. How can companies prevent or mitigate the adverse effects of these attacks in our complex and evolving environment? Rather than reactions and compliance, they now need to focus on prevention, preparedness, adaptation and to strengthen resilience. UN Office for Disaster Risk Reduction defines “Resilience” as “the ability of a system, community or society exposed to hazards to resist, absorb, accommodate to and recover from the effects of a hazard in a timely and efficient manner, including through the preservation and restoration of its essential basic structures and functions.” The three main objectives of resilience are to prepare for disruptions, to recover from shocks and stresses, and to adapt and grow from a disruptive experience. Companies which have built resilience become more able to prevent or mitigate stresses and shocks and they identify and better respond to those they can’t predict or avoid. They have also developed greater capacity to bounce back from a crisis, learn from it, and achieve revitalization. When companies are more adept at managing disruption and skilled at resilience building, they create and take advantage of new opportunities in good times and bad. Judith Rodin qualifies these possibilities gained as the resilience dividend. For her, “It means more than effectively returning to normal functioning after a disruption, although that is critical. It is about achieving significant transformation that yields benefits even when disruptions are not occurring.”
Laurence Duarte - MBA Edhec
- 105
T HE 5 M AI N C H ARACTE RISTIC S OF R SITUATIONAL AWARENESS ABILITY AND WILLINGNESS TO CONSTANTLY ASSESS Aware of strengths, assets, liabilities, threats, risks you face, to be able to effectively prepare for disruptions, respond to them, and bounce back from them.
Q u al i t i e s Agility, real time adjustment, complexity
H ow Sensing and information gathering, robust feedback loops, going out into the field.
106 -
Laurence Duarte - MBA Edhec
DIVERSITY MULTIPLE SOURCES OF CAPACITY Ability to withstand some amount of unaccustomed stress or even continue functioning during a shock or crisis.
INTEGRATION COORDINATION Individuals, groups, organizations, and other entities have the ability to bring together disparate ideas and elements into cohesive solutions and actions.
Q u a l i ti e s Agility, diverse people and perspectives to bring a wide range of ideas and opinions, alternatives and options
How Emergency back up: replacement of Critical, core components/activities (hard&soft elements).
Qu a l i ti e s Analyze the data, collaboration, cohesive solutions, coordinate actions
How Coordination on actions and functions across systems, shared information, transparency communication
RES I L I EN CE SELF REGULATION WITHSTAND Own regulation enables to deal with anomalous situations and disruptions without extreme malfunction or catastrophic collapse.
Qu al i t i es Capacity to “island� or de-network in order to contain
ADAPTATION ADJUST Capacity to adjust to changing circumstances.
Q ua lit ie s Flexible: ability to apply existing resources to new purposes or for one element to take on multiple roles
H ow How Creating processes to failing safely (no cascading disruptions).
Developing new plans, taking new actions, modify behaviors
Laurence Duarte - MBA Edhec
- 107
“Observe your enemies, for they first find out your faults� Antisthenes
108 -
Laurence Duarte - MBA Edhec
T HE I MPORTANC E O F I NFORMATION When companies set up a security system, they have to put together the physical security, the security technology, the human factor of security, the communication, the management, the procedures and the information. Having information is essential to implement and to feed an efficient security system. Organizations need multiple sources of information from macro-information about the international political climate down to the immediate microenvironment concerning the business and activities of companies. Collecting the information, it is important to have ethical boundaries like not crossing the line of privacy intrusion or exaggerated control. To create information to be useable, companies must answer to the following questions: What? (is happening, will happen?) Who? (are the actors) Where? (did/will it happen or is it happening?) Where from? (reliable source?) When? Why? (reasons? Background?) How could it affect us?
Laurence Duarte - MBA Edhec
- 109
110 -
Laurence Duarte - MBA Edhec
RESPONDING TO RISKS “Business, more than any other occupation, is a continual dealing with the future; it is a continual calculation, an instinctive exercise in foresight” Henry R Luce
All organizations face risks by operating in an uncertain world. “For a business to survive, growth is an imperative, not an option.” Growth, especially, brings added risk because of the increased uncertainties that come with new products, customers, geographies, or strategies. If risks are an inevitable part of business growth, criminal risk management and resilience which are detection, prevention, and response/ consequence management will help to mitigate these risks and to protect the growth. Growth protection building integrates “hard” and “soft” solutions; With technologies, systems, mechanisms, and products to protect; with governance, leadership, knowledge creation, communication, community development, and social cohesion to prevent companies from the threats they can identify.
Laurence Duarte - MBA Edhec
- 111
In the following part, I will propose a broad range of countermeasures to reduce the duration, likelihood, and magnitude of disruptions and to strengthen resilience. The main objective of a value and growth protection strategy is to understand risks that could be exploited by potential threat actors and to create measures to counter the potential threats. There are three broad types of countermeasures, high-tech, low-tech, and notch. High-tech (electronic) countermeasures employ electronic systems to deter, detect, and assess threats; to assist in the response, and to collect evidence. Low-tech solutions include locks, barriers, lighting, and architectural and crime prevention through environmental design solutions. Notech solutions include policies and procedures, security staffing, training, awareness programs, investigations, and so on. Employees are obvious people to implicate but external security stakeholders have a role to play due to their significant know-how and resources that can improve preparedness and mission-critical planning processes in a global security context.
112 -
Laurence Duarte - MBA Edhec
Mitigation / Prevention “Facing down reality. Facing reality, really facing it, is grueling work. Indeed, it can be unpleasant and often emotionally wrenching” Diane Coutu Awareness starts with a “big ears” policy which includes a detailed radar screen of your criminal risks potential and a robust feedback loop. Employees may have experienced threats and have some knowledge of the risk to which they are exposed. Mitigation means, mixing that “common-sense” awareness of risk based on historical experience with knowledge of the criminal trends and moving to a systematic assessment of the risks to which company is exposed, engaging in analyzing the conditions that generate risk. It includes mapping the strengths and weaknesses of the company regarding criminal risks, and the interdependencies among the ecosystem of the company business including suppliers and purchasers. Prevention is the action of stopping something from happening or arising. The aim of prevention is to take sufficient measures to shield the organization against threats and vulnerabilities. The anticipation phase will help to identify the matters of concern, and preventive measures will help to avoid the detrimental consequences of these concerns. It includes deterrence measures, protection measures and resilience measures. For a growth protection point of view, the old maxim that one ounce of prevention is worth a ton of cure always applies.
Laurence Duarte - MBA Edhec
- 113
Response / consequence management Once a crisis or disaster occurs, executives are expected to avert or contain the threat, minimize the damage, and prevent critical systems from breaking down. Rapid response operations depend on the investment on preparation taken previously in the mitigation / prevention and preparedness/ preparation phases including resources, training, and inter-organizational skills.
Recovery / aftermath politics The aftermath of energy- and emotion-consuming event is marked by the desire for a quick return to normalcy. As it is impossible to prevent or foresee each catastrophe, it is assumed that all companies will have to face one sooner or later. Their capacity to absorb these events and to emerge from them with their core business intact is at the core of resilience.
114 -
Laurence Duarte - MBA Edhec
Laurence Duarte - MBA Edhec
- 115
116 -
Laurence Duarte - MBA Edhec
I T IS ALL ABO UT PEOPLE “Tell me and I forget. Teach me and I remember. Involve me and I learn� Benjamin Franklin In criminal risks, the human factor has an immense importance. Criminal attacks and following disruptions come firstly from vulnerabilities, lack of awareness of the threats employees face. People need to be ready and responsive. They need to understand that Yes, It Can Happen Here. And yes, they can be responsible for these disruptions indirectly or directly. People are security. For security and protection to be successful, every employee should be part of the process, motivated to protect his/her company. To do so, training, communication, and governance are essentials. There is an absolute necessity to train and to persuade employees that cautiousness and feedback are vital to protecting the success of their company and thus theirs. For instance, studies show that training employees on how to recognize and avoid cybercrime can reduce business risk of a security breach by anywhere from 45 to 70 percent.
Laurence Duarte - MBA Edhec
- 117
118 -
Laurence Duarte - MBA Edhec
I NTE RNAL CRI M INAL RISKS CO U N T ERME ASURE S
Laurence Duarte - MBA Edhec
- 119
COMPA NY ILL EGA L AC T I O N S ACTORS Executives, board, ethicists, members of civil society
METHODS Mitigation / prevention: Governance, corporate culture, Code of conduct, code of ethics, business practice guidelines Responses / Consequences Management: transparency, crisis communication Recovery / Aftermath politics: Reinforcement of governance, communication
“Virtue lies in our power, and similarly so does vice, because when it is in our power to act, it is also in our power not to act. … So, if it is in our power to do a thing when it is right, it will also be in our power not to do it when it is wrong “Aristotle Company illegal actions are highly dangerous. If companies are accountable to its shareholders and need to maximize their profits; they are also more than ever accountable to civil society for their impact. They need to regulate themselves to stay sustainable in the long run and redefine their cost-benefit approach. Corporate ethics is a recurring topic in today’s news. Some people may think it is cynical because companies are motivated by noble and not so noble desires. I believe there is a way to reconcile the company objective to protect its competitive advantage, its financial interests, its level of business throughout the world, and a vision of services to the greater good. Business is not governed by a morality that is disinterested, but rather by economics that is never disinterested. In many cases, the pursuit of competitive advantage is ethically problematic encouraging unethical or sociopathic firm behavior. Even if there are no such things that a corporate morality or ethic, only objectives and balance sheets, following the idea of André Comte Sponville, this morality
120 -
Laurence Duarte - MBA Edhec
must be embodied in the only components of the company that can be moral, its employees and more importantly its executives, as they have more power and responsibility and thus are more apt to instill such morality. In short, don’t count on the market or on your company to be moral in your stead. As Peter Drucker suggested chief executives must face the fact that they represent power and their power must be accountable. Governance and ethics are key words to avoid illegal company actions. Companies with strong value systems are the most successful in resilience. With strong values employees have a meaning to refer on and ways to conduct, to interpret and to shape their actions. Corporate firms are a collection of individuals who want their firm to go ahead of the competition but are also alert to opportunities for personal gain. Executives can be tempted to have unethical and immoral behavior. But with this reality in mind, the way firms are governed is the responsibility of their directors; their governance should there be proactive and ethical. Companies can instill “the always do what is right spirit” and create a pro-active organization across its entire operation that makes it easier to do the right thing and much harder to do the wrong thing. Firms need to consider every aspect of their operation from sourcing ingredients to marketing policies and lobbying to be judged ethically by their consumers. To do so, companies need to create an organizational control influenced by ethics, to set up of a governance system which works well, with boards members well-informed, fully independent, and who work together in the long-term interests of the business, its owners and so the society in general. They can promote ethical aims, which are often termed the firm’s “charter” or “code of conduct”.
Laurence Duarte - MBA Edhec
- 121
CORRU PTION C RI ME S ACTORS Executives, stakeholders
METHODS Mitigation / Prevention: zero-tolerance policy, code of professional practice, conflict of interest code, code of ethics, code of conduct, integrity training and advice, whistleblowing arrangements, reporting systems Top management oversight, allocation of responsibility, education and training, Regular communications designed to secure compliance, monitoring systems, Responses / Consequences Management: investigations, sanctions, transparent communication Recovery / Aftermath politics: training, communication
“The mistake you make, don’t you see, is in thinking one can live in a corrupt society without being corrupt oneself. After all, what do you achieve by refusing to make money? You’re trying to behave as though one could stand right outside our economic system. But one can’t. One’s got to change the system, or one changes nothing. One can’t put things right in a hole-and-corner way, if you take my meaning” George Orwell
122 -
Laurence Duarte - MBA Edhec
The Oxford English Dictionary defines corruption as “dishonest or fraudulent conduct by those in power, typically involving bribery” and “the action or effect of making someone or something morally depraved.” It is costly and ubiquitous economic crime. The most effective method of combating corruption within an organization involves the intentional design and implementation of a culture that neither facilitates nor tolerates corruption in any form. Thus, to mitigate the risk to be corrupted or to corrupt, a strong integrity culture needs to be built. An anti-corruption culture which includes values of integrity in process and communication, and an intolerance of corrupt behavior in any form. The operating strategy is going to support this, encouraging honest and transparent behavior and communicating clearly about sanctions to misconduct or corruption. A code of ethics with the values of the organization assistemployees to understand what is acceptable and unacceptable. A code of conduct sets out rules of practice and restrictions on behavior. The codes need to be supported by a management environment and leadership that demonstrates morality and strong organizational integrity. Staff needs to understand the real meaning of these values and see them applied in their workplace and their leaders’ behavior. They also need to beneficiate of a feedback mechanism any wrongdoing in the company (preferably anonymously). Finally, a deep corruption risk assessment is required to identify any weak areas where corruption could lie unnoticed. This evaluation should be done at the operational management level to promote the awareness of managers’ responsibility to detect and eliminate corruption if any form within their area of authority.
Laurence Duarte - MBA Edhec
- 123
ďƒź INSIDE R WHI T E CO L LA R CRIMINA L AT TAC KS ACTORS Executives, internal, external and forensics auditors including certified fraud examiners
METHODS Mitigation / Prevention: background check, segregation of duties, adequate supervision, limitations of authority, access control to assets including proprietary information as a corporate asset, fraud risk assessment, use of advanced data analysis techniques, code of business and ethics, compliance program, preventive and detective controls, due diligence, contracts, incident reporting mechanisms, training and promotion policies and procedures. Responses / Consequences Management: investigation, closure of gaps, preparation for potential disciplinary and legal measures, remediation protocol, insurance. Recovery / Aftermath politics: tracing and recovering assets, reviewing and refining the overall process (change the model of control, procedures, improvement of the IT system setup).
Opportunity Often in the form of trust Weak internal controls
Rat iona lis at ion Justification of the act to himself
124 -
Laurence Duarte - MBA Edhec
T HE FRAUD T RI ANGLE
Pressure Non sharable financial Personnal Pressure
“Fraud is like cancer. Most of us know someone who has it. We know people who will eventually have it. It has become common but we can take steps to protect ourselves through healthy choices and regular checkups using the latest tools and technology. But if people ignore the problem and live dangerously, then there’s a much greater chance of becoming a victim” Toby Bishop, CEO, Association of Certified Fraud Examiners
Laurence Duarte - MBA Edhec
- 125
Occupational fraud is one of most common type of economic crime. Why do employees commit an economic crime? The motivating factors are opportunity, rationalization, or need. The removal of any of these factors particularly opportunity will reduce losses. As the risk of being caught increases, the probability of economic crime decreases. Criminal psychologists indicated that 10% of employees would not steal from their company regardless of the circumstances, 10% will steal at any opportunity and 80% can go either way, waiting to see how serious their company is about crime and weighing the risks. Thus, a good defense starts with a comprehensive pre-employment screening (criminal record, credit history). Then, when assessing and reviewing a company’s anti-fraud regime, the company needs to set a strong prevention policy as it plays a key role to avoid occupational fraud. Improving internal control helps to avoid, to detect flaws and incidents in the system, and to implement of appropriate segregation of duties. Multiple controls and security check discourage potential penetrators. A control system includes approvals, authorizations, verifications, reconciliations, and reviews of performance. It will also help to reduce the risk of erroneous and inappropriate actions. When control system mitigates the risks, Red flags help companies to detect fraud at an early stage. Red flags are early warning indicators that something is not right; they can be categorized as pressures sources (i.e., lifestyle exceeding income capacity), change in behavior (i.e., refusing promotion) and general personality traits (i.e., exhibiting a strong desire to display material wealth). Red flags exist as well at the corporate level. They could indicate the presence of a fraud in financial statements. Auditors will have a closer look when they see, reduced cash flow, overstated assets, decreases in corporate earnings or strange entries in the accounts. Fraud is also detected through feedback and tips. Making feedback mechanisms available and known can considerably improve the probability of receiving information early in the fraud process while losses are still controllable. Feedback mechanisms include hotlines, exit interviews, and customer and supplier surveys. The investigation would preferably be done by external auditors, able to obtain evidence, experienced in investigating fraud, taking statements and writing reports. They also can improve the detection and the prevention of fraud system by reviewing and refining the overall process.
126 -
Laurence Duarte - MBA Edhec
“ It is better to drain the swamp that to fight the alligators�
Laurence Duarte - MBA Edhec
- 127
ďƒź
EM PLOY EES ILLEG AL B EHAVI O RS SE XUAL HA RASSM E NT MOBBING ACTORS Management and staff
METHODS Mitigation / Prevention: zero tolerance for any form of harassment, healthy and respectful workplace, company core values include wellness of employees. Responses / Consequences Management: accountability and responsibility for wrongdoing actions without excuses, blames or threats; acknowledgement, apology, reparation, compensation. Recovery / Aftermath politics: training, internal communication improvement, strengthen the code of conduct Workplace violence is a destructive process. Being harassed or mobbed can take away a victim’s sense of safety and security in the world; it frequently leads to depression. Suicide and violence have occurred following this type of aggressions.
128 -
Laurence Duarte - MBA Edhec
Most of the time harassment happens during competitive and economically stressed times where successful organizations do “whatever it takes� to remain productive and profitable, including assigning the well-being of their employees a low priority. Companies that are accountable to their shareholders and boards of directors rather than their employees emphasizing both productivity and profits, experience much more violence and bad reputation. Conversely, companies that demonstrate by their actions that they are accountable to a range of stakeholders, including customers, employees, the wider community, will be seen as safe and great places to work. To avoid these criminal risks, companies should implement healthy workplaces that do not tolerate mobbing or any other form of interpersonal abuse or harassment. Nowadays, employees (including the most talented ones) research workplaces that are respectful, fair, and proactive in preventing mobbing and other forms of workplace abuse.
Laurence Duarte - MBA Edhec
- 129
WO R K PLACE RE VE NG E C RI M I N AL ATTAC KS ACTORS Executives, managers and employees
METHODS Mitigation / Prevention: just workplace, leadership, equitable management, accurate and transparent information policy Responses / Consequences Management: prompt investigation, mediation Recovery / Aftermath politics: restore justice, redesign a good environment, training.
“Revenge is an act of passion; vengeance of justice. Injuries are revenged; crimes are avenged” Samuel Johnson “It is folly to punish your neighbor by fire when you live next door” Publilius Syrus
130 -
Laurence Duarte - MBA Edhec
Workplace revenge is a taboo subject. Management doesn’t talk easily about the human and social reality of revenge in a workplace. However, workplace revenge can be damaging for the company whether because of the little nasty things (harmless or not) staff does to customers or because of sabotage operations or products when they feel offended or mistreated. That’s why revenge can be a valuable warning bell to companies. Paying attention of revenge signals indicates if there is something which might have been a bit off-kilter in the organization or worst that things have gone deeply wrong, system wide. Thomas M Tripp and Robert J Bies have studied during fifteen years of workplace revenge. They discovered that “revenge does not happen in a vacuum. Revenge happens when formal systems break down when an organization’s mechanisms for preventing or correcting injustice don’t work.” Most employees who seek revenge via goal obstruction, breaking the rules and social norms, and damage to reputation, are motivated out of a sense of injustice. Avengers (and often observers) view revenge as a moral and rational act. In short, managers wishing to prevent revenge should not worry so much about what kind of employees they have; they should worry about how those employees are treated. Fairness, sense of justice, transparency of communication, respect are key points to avoid revenge attacks. Preventing workplace revenge means seeing the conflict from the employees’ perspective, and not a managerial perspective. It is a matter of wisdom in leadership, as David Starr Jordan, the first president of Stanford University said:
“Wisdom knows what to do next. Skill is knowing how to do it. Virtue is doing it.”
Laurence Duarte - MBA Edhec
- 131
“It is impossible that the improbable will never happen� Emil Gumbel
132 -
Laurence Duarte - MBA Edhec
EXTE RNAL CR I M INAL RISKS CO U N T ERME ASURE S
Laurence Duarte - MBA Edhec
- 133
C Y B ER CRIME S ACTORS Chief information security officer, board, employees, external cybersecurity experts
METHODS Mitigation / Prevention: Company network security plan: security framework (ISO 27001, NIST800-53, COBIT, PCI-DSS (for credit card acceptance), cybersecurity program, cyber hygiene education & simulation, encryption, IT outsourcing check (cloud), log review Protection and sweeps of technical Penetration Areas like communication infrastructure, faxes, cell phones, VOIP programs, wifi… Encryption, secure VOIP program. Implementation of Internal access limitations and usage monitoring. Dark Web scans. Access control program. Home Network Security for high value employees Responses / Consequences Management: incident response program, response team, crisis management, law enforcement, forensic group. Recovery / Aftermath politics: evidence gathering, apply lessons learned to further strengthen defenses and prevent repeat incidents.
“We are losing data, we are losing money, we are losing ideas and we are losing innovation. Together we must find a way to stop the bleeding.” FBI Director Mueller
“Civilization is a race between education and catastrophe” H.G Wells
134 -
Laurence Duarte - MBA Edhec
the Annual Threat Report from Symantec (2017) shows that - One in 131 Emails Contained a Malicious Link or Attachment – Highest Rate in Five Years - Size of Ransoms Spiked 266 Percent; U.S. Top Targeted Country as 64 Percent of Americans Pay Their Ransom - CIOs have lost track of how many cloud apps are used inside their companies when asked most will say up to 40 when in reality the number nears 1,000. Cybercrime is a stressful and depressive issue. Stressful, because cyber threats are evolving faster than any defensive barriers can keep them out because there are often few or no signs of hacker intrusions into networks and devices. Depressive, because observing the full scale and scope of malicious activities perpetrated by organized criminals, terrorists, hackers, hacktivists, competitors and rogue governments is enough to make anybody feel dispirited, frightened, and depressed. However, if cyber-attacks are inevitable, it is companies’ responsibility not to facilitate the task of hackers. Cyber-attack and Data Breach prevention strategies must be considered as a part of daily business operations with implementation of effective alert, containment and mitigation process.
Laurence Duarte - MBA Edhec
- 135
Seven protection and defensive strategy recommendations MANAGEMENT Management including top executives, CEO, and board play a vital part on the security system. It is imperative to continuously acquire, assess, and act on new information to identify vulnerabilities, remediate and apply effective defensive actions.
EDUCATION Cyber security is a people problem, not just a technical one. No matter how strong computer passwords are if your employees write it down on a yellow sticky and attach it to the front of their computer screen so that they can remember it, all walking by will have access to their and the company digital life. If employees visit suspect websites via their business network, if they click on scam coupons, the problem is not a technical one but the ever-present human characteristics of hope, avarice, and curiosity. It makes no difference how many firewalls, encryption technologies, and antivirus scanners a company uses, if the human being behind the computer falls for a con, the company is toast. According to a 2014 in-depth study by IBM Security Services, up to 95 percent of security incidents involved human error. The human factor can surpass all other technological security measures, and thus the need for both workforce and personal education is essential. Companies need to provide employees with proven methods of cyber hygiene and vigilance to protect themselves and the company network. They also need to test their abilities to recognize cyber risks by cyber-attack simulations.
136 -
Laurence Duarte - MBA Edhec
NETWORK SEGMENTATION Segmentation and isolation are critical to limit points of entry and proliferation to others systems. Segmenting the network into distinct security zones, implementing layers of protection to isolate critical parts of the network and monitoring system activity (intrusion detection) minimize the window of entrance for attackers and consequences of attacks.
ACCESS CONTROL It is important to implement effective control access to networks, critical assets, devices and to limit the employees access based on an approval classification.
ENCRYPTION Without encryption, anybody who gains access to a computer system can steal, read, use any of the data contained in that system. It is high time to encrypt all the data (at least the most sensitive ones) in company.
BACKUP Database backups should be performed on a regular basis. It will limit the effects of attacks shutdowns and ransomware.
INCIDENT PLANNING AND RESPONSE Because it happens, being prepared is essential. Pro actives measures prevent incidents and help organizations to respond better when an incident occurs, whereas, reactive measures detect and manage incidents once they occur.
Laurence Duarte - MBA Edhec
- 137
T ERRO RI SM ATTACKS
DI RECT O R COLLATE RAL V I CTI M ACTORS Chef officer of security, security firm, intelligence firms
METHODS Mitigation / prevention: Intelligence program, counter surveillance program, Physical protection of assets (facility, employees…) electronic security measures, employee training Responses / Consequences Management: Emergency Planning, back up facilities, crisis management plan. Recovery / Aftermath politics: insurance.
“Most leaders viscerally know that the terrorism age has altered the way things now get done. Surprisingly few know how to effectively manage the newly acquired friction”. Andrew R. Thomas
138 -
Laurence Duarte - MBA Edhec
ďƒź T ERRO RI SM
T HREATS Terrorism was once an issue associated solely with national security, but the development of different types of terrorism and the development of global companies led to companies becoming exposed and extremely vulnerable to a various type of terrorism. Organizations are affected by all forms of terrorism like cyber-terrorism, physical attacks, illegal use of financial transactions and illegal use of supply chain. Managing threats of terrorism is a daunting task. However, an appropriate threat Identification and asset Assessment will help to understand the type, source, and probability associated with different threats. Many organizations have some understanding of the diverse threats facing their operations, buildings and employees, but they have some difficulties to recognize the vulnerability of their assets. Assessing the risks will allow implementing tailored solutions to mitigate the risks and manage the attacks.
Laurence Duarte - MBA Edhec
- 139
The Ackerman principles (from the book counterterrorism strategies for corporations) 1. Expect Global Jihad to confront us for decades and to target Western economic interests, especially those related to oil. Other terrorist groups will also attack commercial interests. Terrorists will be the skunk at the globalization lawn party. 2. Do your best to acquire a solid grasp of the risks that pertain in areas in which you are doing business or intend to do business-ideally from several sources. Corporations in general undervalue risk analysis. The informed manager has a distinct advantage over competitors. 3. Don’t be intimidated by those risks. In most cases, you can bolster your defenses and go about your business. Remember the Jim Flannery dictum: «Perfect security means doing nothing in a vacuum.» 4. On the other hand, always weigh the risks against the potential rewards of a given project. Devise strategies for curtailing risks. Certainly, avoid unnecessary risks. 5. Investigate thoroughly key employees, distributors, vendors, joint-venture venture partners, and domestics. You will have your hands full with external forces and you don’t need problems inside your tent. 6. Train personnel bound for high-risk areas in protective tactics. Training is the most cost-effective means of enhancing their safety. Even senior managers should develop a thorough understanding of their security arrangements.
140 -
Laurence Duarte - MBA Edhec
7. Don’t fall in love with security technology. It is an aide, not an answer. Armored cars, for example, though a useful part of a security program, should not be considered impenetrable cocoons. 8. Well-trained bodyguards also have a role to play in protecting senior personnel, but their value lies more in deterring attacks and forestalling them by spotting early-warning signs than in responding with lethal force. 9. If confronted by assailants, choose reason over heroism. If unarmed, follow the assailants’ instructions. If armed, consider that you might be outgunned. 10. Prepare diligently for crises. Expect the unexpected, and when emergencies arise, respond thoughtfully, and not by rote or reflex. For example, it is often best to stay put instead of heading for the exits in the immediate aftermath of a coup or an uprising.
Laurence Duarte - MBA Edhec
- 141
Z O O M
ES PI O N AG E ACTORS Computer security firms, counter intelligence firms
METHODS Mitigation / prevention: Company network security plan: pre-employment screening, executives training and screening, technical and physical security including strong corporate Network Security. Protection and sweeps of technical Penetration Areas like communication infrastructure, faxes, cell phones, VOIP programs, wifi… Encryption, secure VOIP program, open source checkup. Implementation of Internal access limitations and usage monitoring Home Network Security for high value employees Responses / Consequences Management: pro-active defense, retaliation. Recovery / Aftermath politics: police and legal actions, defense after the fact, mole hunts (by external intelligent services)
“The aspect of counterintelligence designed to detect, destroy, neutralize, exploit, or prevent espionage activities through identification, penetration, manipulation, deception, and repression of individuals, groups, or organizations conducting or suspected of conducting espionage activities.” U.S. Department of Defense Dictionary of Military and Associated Terms
142 -
Laurence Duarte - MBA Edhec
“Once is happenstance, twice is coincidence, three times is enemy action.” Ian Fleming Most companies don’t see espionage as a significant threat. It’s a mistake. Every company has secrets. These secrets, proprietary information, and technology can be worth a great deal to a company’s rivals if they can be uncovered. Be sure that if a company holds any information or secrets that would be of use to its competitors, it is a target, period. Targeted by competitors (via intelligent group or freelancers) and nations at home and abroad, companies must protect their secrets proactively and defensively. Prevention is the first task to avoid espionage. It starts by monitoring employees and corporate operations looking for leaks, vulnerabilities, and pattern of loss. The second task is to implement an active defensive strategy focusing on setting out traps for corporate spies and skilled hackers. Experts in counter-espionage whether as internal or external resources are the appropriate people to set up an efficient protection against espionage. Finally, it is interesting to see that numerous international companies create discret in-house intelligence capabilities. Specifically tailored to the requirements and targets of their parent company, they can in the long term provide extra value through experience targeting a select group of rival firms. They guarantee also security, minimizing the number of persons in the loop, loyalty among company operatives and can more easily keep them in line, which is always a good thing when it comes to keeping secrets.
Laurence Duarte - MBA Edhec
- 143
Top Ten Steps to Secure Corporate and Home Systems from Andrew Brown (Corporate Intelligent Business Specialist) 1. Mandate regular password changes and use random long string passwords 2. Use biometrics for access to secure information 3. Limit access to secure information internally (compartmentalize internal systems) 4. Install and use corporate grade antivirus programs on all systems 5. Passively monitor access to secure information and run pattern recognition to detect suspicious usage 6. Use Digital Rights Management, copy restriction programs and encryption to limit data vulnerabilities
144 -
Laurence Duarte - MBA Edhec
7. Conduct periodic security checks and mock penetrations on the systems to test for weaknesses and address problems as they are found 8. Never forget the human element in information security and focus on hardening the employee base 9. Educate all employees about confidentiality, data security and basic precautions 10. Make sure that systems security is always up to date and geared to protecting against the latest threat vectors
Laurence Duarte - MBA Edhec
- 145
ďƒź ECO N O M I C C RIME S ACTORS Executives, internal, external and forensics auditors including certified fraud examiners, professional assistance
METHODS Mitigation / prevention: threat assessment, segregation of duties, adequate supervision, limitations of authority, fraud risk assessment, preventive and detective controls, due diligence, incident reporting mechanisms, training and promotion policies and procedures. Responses / Consequences Management: investigation, remediation protocol, police Recovery / Aftermath politics: tracing and recovering assets, reviewing and refining the overall process. Corporations are often confronted with external fraud including the famous CEO fraud and extortions. This crime can have bad effects on a company’s finance results as well as the company’s reputation.
146 -
Laurence Duarte - MBA Edhec
Fraud and Extortions appear everywhere, and they take many forms: • Terrorist / Guerrilla groups or terrorist groups («war taxes,» protection money) Note that a company can be accused to finance terrorism because of this type of extortion. • Organized crime gangs also demand payments to «protect» personnel and property. • Singletons and smaller gangs (war taxes or protection payments, contamination extortions, cyber extortion)
If the nature of the extortion dictates the specific nature of the response, the consensus is more to take a harder line which no negotiation. The emphasis is on: • Strengthening controls and training (centralization of the Financial assets, security procedures double signature, …) • Keeping a low profile (“flying under the radar”) • Protection of the assets being threatened. • The pursuit of the extortionists with law-enforcement agencies. • Bolstering defenses.
Laurence Duarte - MBA Edhec
- 147
ďƒź
PETTY CR IME S ACTORS Security staff
METHODS Mitigation / prevention: hi-tech and no-tech elements, prevention education. Responses / Consequences Management: Law enforcement Recovery / Aftermath politics: insurance, law enforcement liaison program Physical security limits petty crimes against property. A visible security system including digital video system, security alarm system, patrols and guard discourage these crimes. Considering nonviolent crime, such as pocket picking and snatch-and-grab theft, caution is necessary especially amid heavy crowds, and danger areas include tourist attractions and train stations. Furthermore, it should be understood to adopt in dangerous countries or areas a low profile, avoiding fanny pack, purse, attachĂŠ or laptop case, which are magnets for thieves.
148 -
Laurence Duarte - MBA Edhec
ďƒź
SUBVER SIVE C RIMINAL ATTACKS ACTORS Board, top executives, communication management, reputation management companies, private intelligence companies
METHODS Mitigation / prevention: reputation scanning, effectiveness communication Responses / Consequences Management: crisis management, law enforcement. Recovery / Aftermath politics: communication, counter reputation attack program Activists strategies and tactics can be aggressive and potentially dangerous for many assets including business reputation; companies need to have a knowledge of their vulnerabilities and of how various activists tend to operate. To mitigate the risks of civil disorder, riots, protests, it is important to recognize and monitor company’s reputation (online and offline) as well as activists’ activities. Reputation management businesses and private intelligence companies will help to keep a close watch on online forums, websites, social media, newspapers. Ethics, governance, collaboration with activists, will contribute to reduce the risks of attacks.
Laurence Duarte - MBA Edhec
- 149
CO M PET I TION CRIMINAL ATTACKS INCLUDING SABOTAGE ACTORS Management, communication team, counter intelligence companies
METHODS Mitigation / prevention: Reputation monitoring, physical security Responses / Consequences Management: crisis management, law enforcement
“We have no future because our present is too volatile. We have only risk management. The spinning of a given moment’s scenarios. Pattern recognition.” William Gibson
150 -
Laurence Duarte - MBA Edhec
Companies can be targeted by competitors because they possess information, knowledge and products they want to acquire. To do so, they will use corporate spying, risk I already presented. Unfortunately, Competition can be much more aggressive, trying to destroy the reputation of their competitors via, sabotage, bad mouth, fakes news‌
Sabotage from competitors needs to be prevented in various ways: • Using tools to monitor reputation and to remediate in case of attacks in case of fake news, hoaxes, badmouthing the company online: • In case of products contamination, operations sabotage, to avoid these attacks, the attention is required during the entire production and supply chains processes. Having this service in place will allow to alert the management if any abnormal activity is detected.
Laurence Duarte - MBA Edhec
- 151
ďƒź
CO UN T ERF E ITING, FO R GERY, AND CO PY RI GH T ATTACKS ACTORS Companies, anti-counterfeiting agency, industries coalition, laws firms, police/customs, IP agencies, supranational organizations, policy makers
METHODS Mitigation / prevention: protection policy, IP Protection, tractability, advertising campaign Responses / Consequences Management: anti-counterfeiting team, law, communication Recovery / Aftermath politics: destruction of fake products, prosecution Counterfeiting and forgery and copyright attacks are persistent, widespread, global phenomena that have challenged managers for a long time. No company is immune. Infringers focus not only on the most lucrative markets (consumer electronics, luxury products, apparel and accessories, optical media and pharmaceuticals) but in virtually every industry (fake foods, beverages, books, mobile phone batteries, toys, etc.). We often think that counterfeiting is a concern for luxury brands or the pharmaceutical industry. However Industrial companies can suffer using without noticing counterfeiting pieces for their operations. In this case a careful quality review with a tracking system, identification number and control is needed.
152 -
Laurence Duarte - MBA Edhec
To mitigate these type of risks, companies should 1) protect all their tangible and intangible assets, meaning products, brands and intellectual property rights (IPRs); - To protect their tangible assets, three kinds of solutions are possible: track-andtrace technologies, covert technologies, third parties or surveillance agencies and overt solutions (perceptible by customers). - To protect their intangible assets, companies must register all intellectual property widely as possible to gain maximum coverage. Trademarks should be deposited at customs to make border agents aware of the original’s characteristics and peculiarities and thus able to detect counterfeits.
Laurence Duarte - MBA Edhec
- 153
2) collaborate with political and market authorities; - Join efforts with governments, judicial and political institutions, police forces and customs agencies to have a higher safeguard of their rights, greater law enforcement and notification of the blocking of incoming and outgoing goods. Companies should also participate in those associations and organizations set up to safeguard IPRs or to fight counterfeiting on a global scale, to have greater lobbying power. - From a market perspective, collaboration with both supply and demand actors. - Careful choice of supply and distribution chain members. 3) prosecute off- and online infringers of IPRs; - Defense both legally and administratively of IPRs against anyone who violates them, whether they are counterfeiters, ISPs, auction websites, discount department stores or any other type of infringer.
4) inform employees, enforcement officials, supply, and distribution chain members and final consumers, through awareness-building campaigns and education programs. - Increase of awareness about counterfeiting and its damaging effects on countries, economies, firms, and consumers. - Education of employees, suppliers, distributors and customs’ agents on how to act against counterfeiting. - Inform customs officials and police forces about the specific details and characteristics of legitimate products.
154 -
Laurence Duarte - MBA Edhec
ďƒźV I O L ENT CRIME S ACTORS Internal security and security experts, Intelligence firms, Insurance companies
METHODS Mitigation / prevention: safe and secure environment creation (security equipment, guards), employee education, risk analysis services, emergency plan. Responses / Consequences Management: insurance, law enforcement, crisis management Violent crimes are any violent crime that occurs to employees in a workplace or during business travel. It can range from threats, verbal abuse to physical assaults and homicide. Workplace violence is a leading cause of job-related deaths globally. It is not reserved for robberies and can occur anywhere. The key to defending employees from workplace violence is first to acknowledge that it happens. The strategy includes risk assessments and should provide workplace violence prevention programs including training for employees such as awareness, reaction to threats, keeping a low profile, breaking routine whenever possible, and so forth. However, in certain cases, global positioning system, panic buttons, and other electronic safety devices can be considered as well as, for instance, procedures that obligate endangered employees to work in pairs, and special measures for working at night or in high-crime areas. In any case, wisdom starts with knowledge of the local scene. Knowing which districts are safe and which are unsafe and staying strictly within the safe ones will help employees to avoid physical danger. Kidnapping is an issue in countries where law enforcement is weak. It is becoming prevalent in many parts of the world. To mitigate the risks of kidnapping knowing that most kidnap gangs carefully study prospective targets, allows the adaptation of an effective protection plan. Employees can reduce their risks by lowering their profiles, by being as unpredictable as possible, and by learning to read surveillances and other indicators of an attack. Furthermore, higher-profile managers (and their families) and those who must be predictable may be obliged to hire security guards. Every global company needs to have a kidnapping emergency plan (for head office+local management) to be ready to act wisely in case of kidnapping, whether to deal with the insurance company, families, law enforcement, journalists, abductors or after the hostage release. Laurence Duarte - MBA Edhec
- 155
156 -
Laurence Duarte - MBA Edhec
R EA DY FOR TH E WORST “In preparing for battle I have always found that plans are useless, but planning is indispensable” General Dwight Eisenhower Shocks and disruptions happen, the ability to endure them and to be able to continue to operate has become imperative. A strategy value and growth protection plan include a business continuity program that will help to gain the resiliency to experience potential interruptions to company’s normal flow of business and to recover quickly after a crisis strikes. Every business should work to address business recovery and emergency response management. As we have seen in the process, after knowing the company’s potential risks and assets, after carefully deciding the assets to protect and actions to reduce the likelihood and impact of threats, it is time to work on the worst-case scenario providing a framework for building organizational resilience and capability for an effective response to adverse or abnormal conditions that cannot be controlled or mitigated. While it is not possible to prepare for every conceivable criminal risk, efforts should be made to think about: the critical operations including the IT system (supply side), the key management, the reputational side (the demand side).
Laurence Duarte - MBA Edhec
- 157
158 -
Laurence Duarte - MBA Edhec
CR I S I S MANAG E ME NT A crisis is a change—sudden or evolving—that results in an urgent problem that must be addressed immediately. The impact of a crisis depends on many things: the depth of the problem, the length of media coverage, management (or lack of management) of the media, the damage incurred, and the communities or populations affected.
A crisis can occur in many forms: • Malicious contamination products. • Listed company major Financial fraud. • Company’s system shut down by hackers. • Lives and property destruction by terrorist attack. • Kidnapping of a key manager with no immediate replacement. The larger the crisis, the longer the public remembers. That’s why crisis communication should be viewed as a proactive function rather than as primarily reactive. In doing so, crisis communication can be anticipated, its likelihood reduces. It will help companies to be more able to manage and resolve a crisis when it happens, prepare key stakeholders, and build company credibility before the crisis occurs. Open, timely, and trustworthy reporting as well as regular dialogue and communication with all stakeholders should be ensured before, during, and after the crisis. The company should be transparent about what it knows and does not know, which gives it more credibility.
Laurence Duarte - MBA Edhec
- 159
Crisis management consists, to a large degree, of managing the communication process effectively with a strong direct human engagement Basic steps in crisis communications: • Readiness - Anticipate crises: They will happen, so be prepared - Identify your crisis communications team: specialist on staff or efficient third party - Identify and train spokespersons - Establish notification and monitoring systems: a key point to be effective - Know your stakeholders: choose the key players you want to communicate with and identify in advance the best means of doing so • Responsiveness - Assess the crisis: the quickest you understand the scope of the crisis the more efficient you will - Have key messages ready (Keep messages simples) • Revitalization - Post-crisis analysis: Take a hard look at what could have been done differently and better, next time - Continuation of the communication
160 -
Laurence Duarte - MBA Edhec
“A crisis is an event that can affect or destroy an entire organization.� Ian Mitroff
Laurence Duarte - MBA Edhec
- 161
162 -
Laurence Duarte - MBA Edhec
T HE I M PORTANCE OF BUS I NE SS E TH ICS “Common sense is not so common” Voltaire While there is no magical formula or engraved recipe to create a perfect strategy protection program, there are some factors that attract criminal attacks. These come from the company itself. Illegal corporate acts and deviant (i.e., harmful or distasteful, yet not illegal) corporate behavior will increase the risks of illegal company actions, insider white collar criminal attacks, employee’s Illegal behaviors, workplace revenge criminal attacks, petty crimes, subversive crimes, sabotage and so on. There is no mystery that the roots of illicit corporate crime are organizational behaviors focusing on the maximization of profitability with a corresponding lack of attention to ethical business practices that could prevent abusive practices. As I have already discussed in the countermeasures, abusive corporate behavior can be controlled by business ethics with a strong individual, organizational focus upon ethical business practices. Businesses have a responsibility to a wide range of stakeholders (e.g., consumers, employees, citizens in communities where their products are manufactured or sold, etc.) Reading this report, managers and executives need to understand that their financial performance is linked to their ethical acumen. Creating and encouraging ethical decision-making and socially responsible behavior in companies will prevent company’s criminalization and stigmatization. Transparency, responsibility and higher standards along supply chains in areas such as worker rights and environmental sustainability, collaboration with citizens including activists and creation of a more inclusive and stable environment, will help businesses to win trust, build resilience and minimize the risk of disruption.
Laurence Duarte - MBA Edhec
- 163
164 -
Laurence Duarte - MBA Edhec
A N O NGOING LE ARNING AN D I MPROVE ME NT PROCE SS “More people are killed every year by pigs than by sharks, which shows you how good we are at evaluating risk� Bruce Scheir
Finally, regarding the strategic growth protection planning process, performance evaluation is needed. With training and exercises. It is essential to conduct training, drills, tests, and exercises (simulation, scenario) on a regular basis to make sure that every employee in the organization is doing his part to prevent an incident, to react to it and mitigate its impact. With performance analysis. The criminal risks faced by companies is a complicated topic. The strategy to counter these risks is complex, with a multidisciplinary combination of technical and non-technical processes. Establishing security metrics will help to evaluate trends and patterns, identify performance gaps, and above all, identify opportunities to increase the quality of the strategy
Laurence Duarte - MBA Edhec
- 165
“Shallow men believe in luck. Strong men believe in cause and effect” R.W Emerson
166 -
Laurence Duarte - MBA Edhec
A WO RLD OF CAUTION Criminal risks faced by businesses is a complicated subject. Risks are constantly evolving; To achieve a successful strategy, organizations need to concentrate on understanding the motive, limiting the opportunity and obstructing the means in the earliest stage of an incident by incorporating all the security and protection elements that were previously discussed. They need to understand the nature of what they are protecting and its value; they also need to know the type of threat faced as well as the type of perpetrators they can expect. If it is impossible to list all the criminal risks and their countermeasures, acquiring the mindset to fight on these risks and attacks is the duty of any manager and business executive.
To do so, security experts have valuable advice: THINK LIKE A CRIMINAL With global instability, the rise of technology and the pressure of terrorists, we may believe that we live in an unpredictable world. But as the idiom says, we need to put ourselves in criminals’ place: even if it is uncomfortable, it is the only way to assess risk and to create the best solutions to fight back the criminal.
BE LUCID Reading this report, you have noticed that criminal risk always has a human origin, involving many interactions with people, and most of the time with employees. If any employee of an organization can be a target, he/she (they) can also be an insider threat.
Laurence Duarte - MBA Edhec
- 167
“Risks comes from not knowing what you are doing” Warren Buffett
168 -
Laurence Duarte - MBA Edhec
BECOME A PRUDENT PARANOID COMPANY Prudent paranoia is a form of active doubt regarding the intentions and actions of people and businesses. Served as an early warning system, it pushes people to search out and appraise more information about their situations. The objective is to create a healthy defense against a genuine outside threat.
PROTECTION IS A HOLISTIC PROCESS Management needs to ensure the holistic treatment of criminal risks issues. Physical, personnel, and electronic security are all linked today. The question is less how to teach people to act ethically but how the organization should lead with the strong point of view that doing the right things is the path of least resistance to growth, admirable performance, and enviable reputation.
UNDERSTAND THE COMPLEXITY OF THE GLOBAL CRIMINAL RISKS Criminal risks are not only about cyber risks; it is about knowledge of the political world and knowledge of the major trends in crime as well as in legal, economic, social, technological and in consumer’s behavior. It is about education to help employees and managers to avoid any criminal risks as a participant or as a victim. Finally, it is about integrating resilience into the core of their strategic plan. Because unfortunately, in a world when disruption is a fact of life and uncertainty is guaranteed, every company needs to be prepared for the unexpected and by doing so make their company stronger. Bill Watterson said “the problem with the future is that it keeps turning into the present” it is time to be prepared.
Laurence Duarte - MBA Edhec
- 169
170 -
Laurence Duarte - MBA Edhec
ACK NOWLE DG E ME NTS During my MBA, I was very lucky to meet passionate professors at EDHEC Business School. Without them, this document would not have been possible. For this project, I especially want to thank Bertrand Monnet for his introduction on Economic Criminal Risks, Professor Christophe Roquilly for his expertise on IP rights, Professor Björn Fasterling for his expertise on Data Breach issues and his insights on a «business crime definition,» Professor Geert Demuijnck for his in-depth knowledge on Ethics and finally Professor Philippe Very for his constant care and advice. I also want to thank the many security experts and business executives who generously gave me their time to provide data and point me in new directions. To Jame Bourie (Nisos), Colonel Benoit Kandel, Nicolas Krmic (Subsea7), Clément Tetu (Iremos), Jerôme Schang (NXP), Cedric Moriggi (Rio Tinto), David Gagaille (CACEIS Bank), Damien Martinez (Thomson Reuters), Arnaud Daubigney (Erst & young), Pierre Gobinet (Sanofi) Jason Gonzalez (Nixon Peabody LLP). Nikesh Kalra, Keith Taylor, Brian Lillie, Mary Anne Wellman from Equinix; thank you for the organization of this very insightful seminar. Finally, I want to give thanks to Franck Moison Vice Chairman at Colgate Palmolive who devoted a part of his precious time to review my first assignment on Criminal Risks and his encouragement. And un grand MERCI to my dearest friend Nathan Neblett who spent hours to correct my document.
Laurence Duarte - MBA Edhec
- 171
GLOSSARY OF CORPORATE SECURITY TERMS AND ABBREVIATIONS A ABCP: Associate Business Continuity Planner. Account takeover: a fraudster changes the personal identification number or address so that the account owner can no longer access the account. Advance fee fraud: a victim is promised a large sum of money as reward for a small investment. Affinity fraud: targeting victims who share the same race/ religion/ culture/ politics as the fraudster. Akwukwo: a fake check used by Nigerian letter scammers. ALF: Animal Liberation Front. Altered card: a payment card whose genuine magnetic stripe is removed and replaced with fraudulently obtained information. Anti–money laundering: The legal controls requiring regulated or financial institutions to prevent, detect, or report transactions or activities suspected of being used to launder money. Arbitrator: an independent person or body officially appointed to settle a dispute. Arson: malicious burning to destroy property. ASP: Accredited Security Professional. ATM attachments: numerous attachments that are mounted on automatic teller machines for fraudulent purposes. Audit trail: the path or series of procedures and records by which any single transaction or inquiry can be traced through a system, computer, or other facility.
172 -
Laurence Duarte - MBA Edhec
AV: Antivirus, a common abbreviation referring to virus protection software or services for computer and Internet use. AVS: address Verification System. The system used to determine whether the billing address on an account matches the mailing address on a credit card.
B Back door: An unauthorized entry point to a computer system. Background screening: an inquiry into the history and behaviors of an individual who is considered for employment, credit, or access to sensitive assets or for other reasons. Bait and switch: advertising a low-cost item and then steering the customer to a higher-priced item, claiming the low-priced item was sold out. BCCE: Business Continuity Certified Expert. BCCP: Business Continuity Certified Planner. BCCS: Business Continuity Certified Specialist. Bid rigging: a scheme that gives the appearance of competitive bids but is actually not competitive, because the participants decide on the winner before the bids are submitted and other bids are placed with higher rates or unacceptable conditions to give the “winner” the best opportunity. Big store: a fake shop, betting house, office, or similar environment set up by the con artist. Bribery: corrupt payment, receipt, or solicitation of a private favor for official action.
Business continuity: organizational effort to plan and execute mitigation strategies to ensure effective and efficient organizational response to the challenges that threaten its processes during and after a crisis. Business continuity plan:Â an ongoing process aimed at ensuring that the necessary steps are taken to identify the impact of potential losses and ensure recovery. Business impact analysis: process of analyzing all operational functions and the effect that an operational interruption might have on them. Bust-out fraud: amount of available credit fraudulently raised on otherwise legitimate credit cards.
C Cackle bladder: death faked for the purposes of a scam. Card-not-present (CNP): a transaction in which the credit card is not physically present at the time of purchase, such as for Internet, mail, or telephone orders. CBCP: Certified Business Continuity Professional. CCFP: Certified Cyber Forensics Professional. CCSK: Certificate of Cloud Security Knowledge. CEH: Certified Ethical Hacker. CFE: Certified Fraud Examiner. CFID: Certified Forensic Interviewer Designation. Chain letter: a pyramid scheme in which new recipients of a letter pay old recipients. Chain of custody: the record of possession of evidence from original discovery until its production at trial. Chargeback: the reversal of the currency value, in whole or in part, of a particular transaction by the card issuer to the acquirer. Check fraud: a term used to describe fraud related to checks, including counterfeiting, forgery, kiting, and paperhanging. CIA: Certified Internal Auditor. CISM: Certified Information Security Manager. CISO: Chief Information Security Officer. CISSP: Certified Information Systems Professional.
Civil law: a system under which legislation is seen as the primary source of law with the laws laid out in codifications and with judgments made both on fact and on interpretation of the law. Clean desk policy: a standard corporate directive that arranges how employees should leave their working space, especially valuable office equipment, items, and documents, before they leave the office. CLSD: Certified Lodging Security Director. CM:Crisis management. Common law: the system under which courts rule based on precedents and customs interpreted by courts and other judicial tribunals. Conflict of interest: a factor in which an organization, group, or individual is subject to incompatible demands, opportunities, incentives, or responsibilities. Contraband: goods prohibited by law from being exported or imported. Smuggling. Copyright: exclusive legal rights to make copies, publish, broadcast, or sell a piece of work such as a book, a film, music, or a picture. Corporate fraud: the dishonest abuse of position, usually by senior members of staff. Corporate identity theft: misappropriation of the identity of a company or business without that entity’s knowledge or consent. Corruption: illegal behavior, such as bribery, by people in positions of authority, e.g., politicians. Counterfeiting: the forging, copying, or imitating of something (usually money) without the right to do so and with the purpose of deceiving or defrauding. CPISM: Certified Professional in Information Security Management. CPO: Certified Protection Officer. CPP: Certified Protection Professional. Credit card fraud: fraud committed using or involving a payment credit or debit card. Crisis management: management process that identifies potential impacts that threaten an organization and provides a framework for building resilience.
Laurence Duarte - MBA Edhec
- 173
Crisis management team: a management-level group responsible for managing the development and execution of the response to a crisis and leading the organization during the recovery phase. CSO: Chief Security Officer. CSP: Certified Surveillance Professional. CSPM: Certified Security Project Manager. CSSLP: Certified Secure Software Lifecycle Professional. CST: Certified Security Trainer. C-TPAT: Customs Trade Partnership Against Terrorism. Cybercrime: criminal activities carried out by means of computers or the Internet. Cyber squatting: the illegal activity of buying and registering a domain name that is a well-known brand or someone’s name, with the intent of selling it. Cyber stalking: the act of threatening, harassing, or annoying someone through multiple e-mail messages. Cyber theft: the act of using an online computer service, such as one on the Internet, to steal someone else’s property.
Due diligence: the attention and care exercised to avoid foreseeable harm to other persons or their property. Lack of due diligence may be considered negligence. Dumpster diving: the act of rummaging through someone’s trash to obtain personal information used to commit identity theft.
D
F
Damage limitation: the process of trying to limit the amount of damage, bad results, or loss caused by a particular situation or event. Deadbeat: a person or company that tries to avoid paying debts. Disaster recovery: action taken by an organization to minimize further damage after a disaster and to begin the process of recovery. Disaster recovery site: secondary location that contains backup systems and applications that are critical for the business. Double-dipping: the practice, usually regarded as unethical, of receiving two incomes or benefits from the same source: for example, receiving a pension and consultancy income from the same employer. DRCE: Disaster Recovery Certificate Expert. DRCS: Disaster Recovery Certified Specialist.
Financial fraud: fraud that involves a financial account or transaction such as a bank account including a consumer loan or a credit card account. Firewall: a system in a computer that prevents unwanted or unauthorized access but allows the authorized user to receive information. Flash mob: a secretly planned, quickly formed, organized group of people. Forensic accounting: the use of accounting, corporate, and criminal investigation techniques in legal proceedings. Fourrée: fake currency. Front: a legitimate business or person used to cover illegal dealings. Fraud ring: a group of individuals who scheme together to commit fraud.
174 -
Laurence Duarte - MBA Edhec
E ECSA: Certified Security Analyst. ELF: Earth Liberation Front. E-mail interception: the act of reading, storing, or intercepting e-mail intended for another person without that person’s permission. Embezzlement: dishonestly appropriating goods or money from one’s employer, thus abusing a position. Encryption: method of making information secret by transforming plain text into ciphered text. Estoppel: an impediment preventing one party from asserting a fact inconsistent with facts previously presented by that party, particularly if the original assertion has been acted on by others.
G Ghost terminal: a skimming device involving a fake automated teller machine (ATM) touchpad and reader, placed over a legitimate ATM, in order to obtain card information and personal identification number GIAC: Global Information Assurance Certification. Gray market: supply of official goods through unofficial channels.
H High-tech crime: generally understood to mean the use of high technology to facilitate criminal activity.
I Identity theft: a crime in which someone obtains another person’s personal information. Insider trading: use of business information not released to the public in order to reap profits by trading in financial markets. Insurance claims fraud: the making of a claim( s) under one or more insurance policies with one or more material falsehoods or by presenting a false or forged document. Intangible assets: includes such assets as reputation, customer confidence, client confidence, trade secrets, intellectual property, and goodwill. Internal audit: systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the management system audit criteria set by the organization are fulfilled. ISO 28000: a supply chain security management system.
K Kickback: a payment by a vendor to an employee in order for the vendor to receive favorable treatment.
Kiting: using multiple bank accounts in multiple banks, by making deposits and writing checks against the accounts before the deposit checks clear the banking system, thus using the lag in time while checks clear to create a “float” of money.
L Lapping: a fraud technique that involves theft of a customer’s payment and then using a subsequent customer payment to cover the previous customer’s account. Lebanese loop: the piece of equipment inserted into automatic teller machines to steal cards or cash. Loss event: an occurrence that produces a financial loss or negative impact on assets. Lowballing: placing an abnormally low bid in order to win the contract, with the intent to inflate the price later by means of extras or change orders. LPC: Loss Prevention Certified. LPQ: Loss Prevention Qualified. LPT: Licensed Penetration Tester.
M Mail redirect: post can be fraudulently redirected to another address. The fraudster then receives any important documents intended for the victim, possibly to facilitate identity fraud. Malware: any software or computer program that is designed to intentionally damage or disable computers or computer systems. Malware examples are computer viruses, Trojan horses, and spyware. Man in the middle attack: an attack in which a third party is able to read and change computer messages between two parties without either party knowing that the link between them has been compromised. MBCP: Master Business Continuity Professional. Medical fraud: a fraudster steals someone’s personal information to obtain medical care, buy prescription drugs, or submit fake billings.
Laurence Duarte - MBA Edhec
- 175
Mobbing: workplace emotional assaults or bullying. Money laundering: the process by which criminals attempt to conceal the true origin of the financial proceeds of crime. Money mule: a fraud in which individuals are offered payment in exchange for allowing their accounts to be used to “launder” the proceeds of crime. Mortgage fraud: any attempt by an applicant to obtain a mortgage by deliberately providing false details.
N Negative invoicing: exploiting weaknesses in a computer system that may allow an invoice to be processed for a negative amount in order to cover a theft of a customer payment, since negative invoices normally are subject to less stringent controls than credit memoranda. Negligent hiring: the failure to use reasonable care in the employee selection process. Noncompliance: failure or refusal to obey or comply with a rule, regulation, or standard, which can commonly result in serious action by an inspector or ombudsman. Nonconformity: nonfulfillment of a requirement. Nondisclosure agreement (NDA): a legal contract between at least two parties that outlines confidential materials or knowledge.
O Occupational hazard: aspects of a job that can be dangerous or pose a high risk of injury. Organizational resilience: an ongoing management and governance process supported by top management; resourced to ensure that necessary steps are taken to identify and mitigate the impact of potential losses. OSSTMM: Professional Security Analyst certification.
176 -
Laurence Duarte - MBA Edhec
P Paper hanging: Presenting fake or bad checks. PCI: Professional Certified Investigator. PCIP : Professional in Critical Infrastructure Protection. PCISAG: Professional Certificate in Information Systems Security, Auditing, and Governance. Penetration testing: a method of evaluating computer and network security by simulating an attack on a computer system or network from external and internal threats. PFSO: Port Facility Security Officer. Pharming: stealing a victim’s personal information via spyware. Phishing: a fraudulent attempt to acquire sensitive information through e-mail in which the fraudster sends out a legitimate-looking e-mail in an attempt to gather personal and financial information from recipients. Phreaking: hacking into or exploiting telephone systems to obtain communications services at no cost. PIN: Personal Identification Number. A number given by a bank to a customer so the customer can access a bank account using an automatic teller machine or point of sale terminal in retail outlets. PIP: Partners in Protection. Ponzi scheme: named after Charles Ponzi; a fraudulent investment scheme similar to a pyramid scheme. Professional liability: the legal liability of a professional such as a doctor, accountant, or lawyer, who causes loss, harm, or injury to clients while performing professional duties. PSP: Physical Security Professional. Q/ ISP: Qualified Information Security Professional.
R Rag: a stock market scam. Risk: the potential for loss, damage, or destruction of an asset as a result of a threat exploiting vulnerability Risk is the intersection of assets, threats, and vulnerabilities. Risk acceptance: informed decision to take a particular risk. Risk management: identifying, assessing, managing, and controlling potential events or situations, and then taking measures to control or reduce them.
S Salami technique: a fraud typically found in high-volume transaction systems involving the theft of low-value items, such as fractions of cents in calculations, and moving them to a single account. Sexting: sending sexually explicit messages and/ or pictures by mobile phone. Sextortion: a form of sexual exploitation that employs nonphysical forms of coercion to extort sexual favors from the victim. Shark: a dishonest businessperson who cheats and swindles others. Shoulder surfing: the act of sneakily looking over the shoulder of someone using a PIN or password to use it to commit a fraud. Skimming: a method that fraudsters use to obtain credit card information illegally. This is done using a small electronic device called a skimmer, to swipe and store hundreds of victims’ credit card numbers. Smishing: a variation on phishing in which the criminal fishes for personal data over a cell phone. Instead of receiving an e-mail, the person receives a text message that tells him or her to call a toll-free number, which is answered by a bogus interactive voice-response system that tries to fool the person into providing his or her account number and password. Social engineering: nontechnical intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures.
Spam: Unsolicited e-mail sent to numerous recipients. Spear phishing: Phishing e-mail that looks as if it came from someone you know. Spoofs: an attempt to harvest personal information direct from potential victims, to facilitate identity fraud. SSCP: Systems Security Certification Practitioner. Strike: Work stoppage caused by a disagreement between employees and management. Spyware: concealed software transmitted, perhaps concealed in an email attachment, to a recipient in order to secretly gather confidential, personal information and pass it on to a third party. Synthetic fraud: a type of identification fraud in which fraudsters combine real and fake identifying information to create new identities.
T TAPA: Transported Assets Protection Agency. Threat: Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset A threat is what we’re trying to protect against. Trojan virus: a destructive program that masquerades as a benign application.
V Vulnerability: Weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset A vulnerability is a weakness or gap in our protection efforts. Virus: a computer program that replicates itself to infect computers. Viruses are typically spread from one computer to another through executable code in an infected file. Vishing: a variation of phishing in which the criminal fishes for personal information or attempts to install malicious software on a computer through a video file.
Laurence Duarte - MBA Edhec
- 177
W Whistle-blower: a person who informs the public and/ or relevant authorities about wrongdoings, failings, corruption, or other illegal activities within an organization. White collar crime: an illegal act such as fraud, embezzlement, or bribery committed by a worker in business or an administrative function. Worm: a worm is similar to a virus but is selfcontained; as such, it does not require a host to spread. A worm may destroy, modify, or copy data for a third party.
178 -
Laurence Duarte - MBA Edhec
REFERENCES BOOKS Ackerman, Mike. Counterterrorism Strategies for Corporations: The Ackerman Principles. Amherst, NY: Prometheus, 2008. Print. Allen, Gregory, and Rachel Derr. Threat Assessment and Risk Analysis: An Applied Approach. Oxford: Butterworth-Heinemann, 2016. Print. Barak, Gregg. Routledge International Handbook of the Crimes of the Powerful. London: Routledge, Taylor & Francis Group, 2015. Print. Bencie, Luke. Among Enemies: Counter-espionage for the Business Traveler. Mountain Lake Park, MD: Mountain Lake, 2013. Print. Berghaus, Benjamin, Sven Reinecke, and Gunter Muller-Stewens. The Management of Luxury: A Practitioner’s Handbook. London: Kogan Page, 2015. Print. Boin, Arjen, Louise K. Comfort, and Chris C. Demchak. Designing Resilience: Preparing for Extreme Events. Pittsburgh (PA): U of Pittsburgh, 2010. Print. Brown, Andrew. The Grey Line: Modern Corporate Espionage & Counter Intelligence. Place of Publication Not Identified: Amur Strategic Research Group, 2011. Print. Burrill, David, and Kevin Green. Value from Security. N.p.: AuthorHouse, 2011. Print.
Laurence Duarte - MBA Edhec
- 179
Cabric, Marko. Corporate Security Management: Challenges, Risks, and Strategies. Oxford: Butterworth-Heinemann, 2015. Print. Cascarino, Richard. Corporate Fraud and Internal Control: A Framework for Prevention. Hoboken, NJ: John Wiley & Sons, 2013. Print. Duffy, Maureen P., and Len Sperry. Overcoming Mobbing: A Recovery Guide for Workplace Aggression and Bullying. New York: Oxford UP, 2014. Print. Goodman, Marc. Future Crimes: Everything Is Connected, Everyone Is Vulnerable and What We Can Do about It. London: Gorgi, 2016. Print. Graycar, Adam, and Tim Prenzler. Understanding and Preventing Corruption. Basingstoke: Palgrave Macmillan, 2013. Print. HYSLOP, MAITLAND. OBSTRUCTIVE MARKETING: Restricting Distribution of Products and Services in the Age of Asymmetric... Warfare. S.l.: ROUTLEDGE, 2016. Print. JURGEN, SCHREIBER. CORPORATE SECURITY MANAGEMENT. S.l.: AV AKADEMIKERVERLAG, 2014. Print. Kaplan, Fred. Dark Territory. Place of Publication Not Identified: Simon & Schuster, 2017. Print. Morana, Marco M., and Tony Uceda VeÃŒlez. Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis. Hoboken, NJ: John Wiley & Sons, 2015. Print. Norman, Thomas L. Risk Analysis and Security Countermeasure Selection. Boca Raton, FL: CRC, 2016. Print.
180 -
Laurence Duarte - MBA Edhec
Rodin, Judith. The Resilience Dividend: Being Strong in a World Where Things Go Wrong. New York: PublicAffairs, 2014. Print. Ross, Ian. Exposing Fraud: Skills, Process and Practicalities. Chichester, West Sussex, United Kingdom: John Wiley & Sons, 2016. Print. Sheffi Yossi. POWER OF RESILIENCE. Place of Publication Not Identified: MIT, 2017. Print. Schmalleger, Frank. Criminology Today. N.p.: Pearson, 2014. Print. Tripp, Thomas M., and Robert J. Bies. Getting Even: The Truth About Workplace Revenge--And How to Stop It. N.p.: John Wiley & Sons, 2009. Print. Wagner, Daniel, and Dante Disparte. Global Risk Agility and Decision Making: Organizational Resilience in the Era of Man-made Risk. London: Palgrave Macmillan, 2016. Print. The glossary: Definitions from Corporate Security Management and Corporate Fraud and internal control books
Laurence Duarte - MBA Edhec
- 181
WEBSITES IT, Corporate Center - Research. «www.dbresearch.com.» www.dbresearch.com «The Global Risks Report 2016.» World Economic Forum. «Global Fraud Survey 2016.» Ipsos MORI. «Risk | Reinsurance | Human Resources | Aon.» Risk | Reinsurance | Human Resources | Aon. «Institute for Economics and Peace | Analysing Peace and Quantifying Its Economic Value.» Institute for Economics and Peace Home Comments. «Everyday Business Travelers Are Easy Targets for Espionage.» Harvard Business Review. «Risk Management | Red24 - Advice - Support - Response.» Risk Management
182 -
Laurence Duarte - MBA Edhec
LAURENCE DUARTE MBA EDHEC
PHONE +33 (0) 614 945 788 E-MAIL laurenceduarte@me.com WEBSITE www.workwithlaurence.com LINKEDIN laurenceduarteusa
Laurence Duarte - MBA Edhec
- 183