Protecting Your Business Against All Possible Threats

10 Essential Articles on Criminal Risks: Cybercrime, Fraud, Harassment, Espionage, Counterfeiting, Theft, Corruption, COVID-19 Crimes, Scandal.

Written by Laurence Duarte and adapted from her Harvard Business Review France articles


Table of Contents

About the Author

Introduction

Criminal Risks Essentials, Definitions, Need to Know

I. How to Make Security Profitable for Businesses

II. Take Up the Challenge of Cyber Risk and Protect Your Business

III. How To Protect Against Remote Working Cyber Threats

IV. Reinventing Companies Against Workplace Harassment

V. Dealing With Internal Criminal Threats During COVID-19

VI. Internal Fraud: A Bane for Big (and Small) Business

VII. How to Better Combat Counterfeiting

VIII. Intellectual Property, a Crucial Concern for Businesses

IX. A Short Manual of Counter-Espionage Bound For Businesses

X. Three Non-Negotiable Habits to Limit Risks Business Scandals

References

Copyright 2021 Laurence Duarte - Strat & Shield Co. All rights reserved



ABOUT THE AUTHOR

Laurence Duarte

Laurence is the founder of Strat & Shield Co., a strategy-driven management consulting firm based in Paris, Shanghai and New York that’s dedicated to building unique strategies for businesses that want to achieve secure long-term growth and serve their customers better. Passionate about crafting clear solutions that unite profit and purpose for her clients, she helps businesses scale profitably and safely. With over 25 years of experience in consumer products and high-tech industries, she works with CEOs, founders and top executives from start-ups to Fortune 500 companies. She thrives when supporting companies through innovation, growth, security, and risk strategy and relishes transforming a company’s challenges into profitable solutions. She is also a thought leader who writes frequently about uniting profit and purpose while handling criminal risks to help businesses scale successfully and sustainably — with heart. Her articles appear frequently in the Harvard Business Review and other places around the internet.

CONTACT LAURENCE

Email: laurence@stratandshield.com
Twitter: @LaurenceDuarte
stratandshield.com



INTRODUCTION

We can’t craft a proper strategy if we don’t know the risks.

Growth and Protection are two key words in the executive’s mind but they are also a 21st-century business paradox. Without growth, no company can survive, but with growth companies may jeopardize their safety. As businesses expand globally and operate in new and unfamiliar countries and markets, they face increasing volatility, complexity and ambiguity, putting their company at significant risk. Some risks are well-known — like political and economic competition — while others, unfortunately, remain poorly known and underestimated amongst businesses of all sizes. Criminal risks are an especially troubling example. Today, companies that have not traditionally been exposed to more than the most rudimentary security risks are entangled in all sorts of criminal events leading to disruption, financial losses, and reputation damage.

While most business leaders have a contextual awareness of criminal risk and the threats facing their organizations, this awareness rarely contributes to a clear, consolidated directive that can be applied across their organizations. The reality is that security concerns are often ignored or delayed. They don’t generate profit and, in fact, usually add costs to the balance sheet. Furthermore, traditional business approaches perceive security as an obstacle. This creates operational friction between those responsible for managing criminal risks and those whose goal is to expand market presence, maintain revenue streams and develop new products and services.

What is needed is an approach that aligns a company’s criminal risks and business strategy in a way that communicates how security and growth protection can enable the business to expand its markets, protect revenue streams and securely develop and deploy new products and services.



To do so, businesses must carefully weigh criminal risks against profits and losses. They must consider the consequences of action vs. inaction. Criminal risk must be quantified and managed. Even if it is a difficult and uncomfortable topic. Even if it is scary and reveals weaknesses. Even if it is overwhelming due to the range of potential threats facing any company and the tremendous impact they could have.

“The essence of strategy is choosing what not to do”.

Michael Porter

Fortune favors the brave, but with people’s lives and the success of the business at stake, caution cannot simply be thrown to the wind.

The next 10 articles will help executives and board members broaden their knowledge on criminal risks and integrate it in their leadership strategy — from day-to-day operations to preparation for the future of their business.



Criminal Risks Essentials, Definitions, Need to Know

Crime

Crime can be understood in various ways. Usually, the four major perspectives most useful in defining crime are the legalistic, the political, the sociological and the psychological. I will address crime as it affects the business world. The legal system exists to criminalize forms of behavior that society agrees to punish. However, legislation takes time. Meanwhile, consumers play an important role in denouncing and condemning abuses to shape more ethical behavior. Consumers have created new forms of pressure and punishment, which can damage both reputation and profits. People are consumers, and they are increasingly becoming consumer-citizens, exercising their responsibility and pushing businesses toward more ethical, responsible and sustainable ways of behaving.

That’s why, even if the legal principle «Nulla poena sine lege» guarantees a criminal punishment by law, it is not enough to address all forms of illegal and criminal behavior in the business world. Companies need to understand that even if their behavior is not «illegal», it might be condemnable in the eyes of consumers due to the unacceptable consequences of their actions (such as harm or pain to people or the planet). That’s why I assert that crime from a business perspective is any undesirable behavior or act that’s seen as illegal and/or unethical and/or anti-social.



Criminal Risk

Criminal Risk is the likelihood of an unwanted event that’s man-made and could adversely affect the mission of an organization. It comprises four elements:

1. An asset (facility, structure, proprietary information, brand…)
2. The likelihood of a threat actor with intent
3. The vulnerability within the protective system of the asset
4. The consequence of the threat action



Why Does Crime Occur?

The Crime Triangle

[Figure: The Crime Triangle, with sides labeled Motive, Means and Opportunity]

In order for a crime to occur, all three elements of the crime triangle must exist: Motive (poverty, greed, ideology, harm, sex, etc.), Means (digital, nonviolent, violent) and Opportunity.

If any one of these elements is eliminated, a crime cannot occur. A successful security strategy concentrates on understanding the motive, limiting the opportunity and obstructing the means at the earliest possible stage of an incident.

Types of Threat Actors

Organized perpetrators refer not only to criminal organizations, but to any organized group of career criminals who exercise planned and systematic criminal acts. They have an organizational approach and internal division of responsibilities and tasks, and have sufficient logistics that enable them to target higher volumes and values. Organized criminal groups are mainly motivated by greed.

Individual perpetrators are not career criminals but impulse criminals motivated by immediate needs such as poverty, substance abuse, or gambling debts. Single perpetrators often do not thoroughly plan the action but act based on the impulse to satisfy a relatively immediate need. The focus is mostly on smaller amounts of primary value that can provide immediate profit (such as money, jewelry, electronic gadgets, etc.) and they usually have tunnel vision, which means that they focus on the goal and not the consequences.



5 Types of Threat Actors

1. Terrorists

• Class I terrorist: government-trained professional
• Class II terrorist: religious extremist professional
• Class III terrorist: radical revolutionary or quasi-religious extremist
• Class IV terrorist: guerrillero, mercenary soldier
• Class V terrorist: amateur (civilian, untrained criminal or militia vigilante)

2. Economic Criminals

Economic criminals can be external or internal perpetrators. However, fraud remains the most costly attack against companies.

• Transnational criminal organizations
• Employees, ex-employees
• Sophisticated economic criminals
• Organized crime

Type of crimes: external & occupational fraud, equipment thefts, burglaries, break-ins, robberies, information thefts, vehicle crimes.

3. Non-terrorist Violent Criminals

Persons other than terrorists who use violence as a means of achieving their goals.

• Workplace violent threat actors
• Angry visitors
• Angry employees, ex-employees
• Sexual criminals
• Organized crimes
• Deranged people
• Employee, ex-employee
• Unions

Type of crimes: felonies, assaults, muggings, rapes, murders

4. Subversive Criminals / Subversive Crimes

• Cause-oriented subversives
• Political and industrial spies
• Invasion of privacy threat actors
• Cults and dedicated activist groups
• Hackers
• Saboteurs
• Persistent rules violators

Type of crimes: activist organization activities, civil disorder, riots, protests, intimidation, drugs in the workplace, sabotage, corporate spying

5. Petty Criminals

• Vandals
• Disturbance causers

Type of crimes: purse snatching, desk pilfering, pickpocketing, vandalism, prostitution…



Strategic Growth Protection Planning Process

When we think about security and protection, we may think that it is complicated, but it is not. Security is not an invented process but an evolution of one of the oldest natural processes, dating to the beginning of life and the instinct to protect it. The principles that applied at the time of our distant ancestors have not changed. The caveman guarded his cave with a spear while another was on the lookout at the edge of the settlement with the mission of spotting danger at the earliest possible stage and alerting the others. Everyone in the community knew exactly what to do in case of danger and who was in charge of making the decisions. We have the cave as the physical element of security, the spear as technology, information about the proximate danger, communication among community members, all members of the community as the human element, procedures (both the division of tasks in routine and emergency procedures), and the community chief as the management. If any of the elements were missing, the system would not work properly.



Firstly, know your assets.

Property: real property, fixtures, furnishings and equipment, supplies, cash vaults, bank accounts... Property is a primary target of economic crimes.

People: management, employees, contractors, vendors, visitors and customers. People are the primary target of terrorism and violent crimes.

Business reputation: including brands, business reputation is self-evident. It represents what your stakeholders think about you. Business reputation is a key asset that, if lost, can destroy an entire organization.

Proprietary information: business processes, patents, paper files, computer files...

All organizational assets fall into four main categories: property, people, business reputation and proprietary information.

Assets need to be identified and prioritized to compile a list of the highest value ones. This step is crucial to determine the vulnerability and criticality of each asset and to allocate the appropriate resources to protect them.



Secondly, plan your strategic growth protection process.

The strategic planning process can be divided into two parts. The first, the criminal risk assessment, addresses all the different human-made attacks that an organization could potentially face. It identifies and analyzes the risks, vulnerabilities and threats that an organization encounters. After thoroughly analyzing the external and internal risks that threaten organizations and their impact on the most valuable assets, it is time for the second part of the process.

Criminal risk management provides tools and mindsets to mitigate risks that threaten the tangible and intangible assets of companies in their various parts and during key processes. It sets forth a strategy to protect the value and the growth of a company including the three pillars of value protection: prevention, reaction and recovery.

[Figure: the strategic growth protection planning process, in two stages, CRIMINAL RISK ASSESSMENT and CRIMINAL RISK MANAGEMENT. Labels: internal criminal risk assessment; external criminal risk assessment; risks/assets impact; risks prioritization; strategy protection program (prevention, reaction, recovery); performance evaluation.]



Two Types of Criminal Risks

Internal Criminal Risks

When we think of criminal risks to a corporation, we think of the danger that comes from outside. However, regarding any company, experience shows that the major risks come from internal actors. Companies must devote the same amount of time, level of attention and resources to fighting both internal and external threats. Fraud, deception, distortion of the company’s communication and unethical behaviours can all be traced to decisions made by corporate executives, including corporate negligence, a quest for profits at any cost and wilful violations of health, safety and environmental laws. It can lead to the outright destruction of a company. Corporations primarily exist to generate profit. As such, they consistently seek to gain competitive advantages directed toward maximizing profits. Unfortunately, some of their actions fall outside of the law, violate human rights and harm society. Even if a company desires to have the highest standard of ethics and sustainability, competition pressures from various sources (e.g., shareholders, supervisors), globalization and limited legal responses contribute to the occurrence and perpetuation of corporate crime.

External Criminal Risks Assessment

Businesses are threatened by a wide variety of external risks. The larger and more complex they are, the more vulnerable they are to a variety of risks. Until recently, threats associated with companies were mostly traditional types of crime such as fraud, theft and robberies. Technology has not only improved the way companies do business; it has also increased their vulnerability to new threats. Today it is extremely difficult for businesses to maintain business continuity and recover after an incident due to the development of new business models and to the attention on cost savings. Furthermore, the complexity and interdependency of business processes show that minor incidents can lead to disastrous consequences.


I. How to Make Security Profitable for Businesses.



Summary

As businesses expand globally and operate in new and unfamiliar countries and markets, they face increasing volatility, complexity and ambiguity, exposing their company to all sorts of risks. However, criminal risks are not well known. Yet criminal attacks don’t happen by chance. They are the results of a company’s actions (or inactions), which means that the likelihood of suffering the consequences of business crime is determined by the way companies protect their business and by the choices they make on a daily basis. It is imperative to take ownership of the future and to develop awareness around these issues to ensure success. Good leadership reframes potential risks into opportunities. By integrating protection into their business strategy, companies can take on the challenges of operating in an unstable world, ensuring, protecting and enhancing their growth and competitive advantage. Three principles are needed to ensure an effective and profitable growth-protection strategy: awareness of criminal threats, smart investment in people and the establishment of a healthy and safe culture.



The Defense Dividend: When Security Equals Profits for Businesses

How can you protect your competitive advantage and the value and financial interests of your company? How can you scale and maintain your business globally? As businesses expand globally and operate in new and unfamiliar countries and markets, they face increasing volatility, complexity and ambiguity, exposing their company to all sorts of risks. But how many business executives can understand and mitigate criminal risks? How many organizations implement effective criminal risk oversight and management? If you go by the number of damaging attacks on companies, which are offered up every day in the media, the answer is not many. Internal fraud continues to cost businesses 5 percent of their turnover every year. A full 67 percent of companies in the world have been hacked. And intellectual property theft and nation-state espionage cause some $600 billion per year in damage to the U.S. economy. Indeed, recent scandals abound (Volkswagen, Guess, Nike) and resignations are soaring. Record fines (Google and Monsanto) and criminal attacks (Vinci, Maersk, MGM hotels) have caused disruption of operations, attacks on reputation and financial losses.

From industrial espionage to cybercrime, from fraud to kidnapping, from terrorist attacks to toxic corporate cultures, from corruption to counterfeiting, the scale and complexity of criminal threats in today's interconnected world are immense. However, this risk remains poorly understood and underestimated.

Gaining a Decision Advantage by Understanding Criminal Risks

Criminal risk can be seen as a difficult and uncomfortable topic for leaders. Discussing loss and disruption or assessing wrongdoings within one’s company is not the most fun of tasks. Additionally, crime in business is hard to define and even harder to identify. Far from a black-and-white issue, it is defined as any illegal act or form of behavior committed by people inside or outside the company and seen as unethical by consumers and stakeholders. Yet criminal attacks don’t happen by chance. They are the results of a company’s actions (or inactions), which means that the likelihood of suffering the consequences of business crime is determined by the way companies protect themselves and by the choices they make on a daily basis.



It is imperative to take ownership of the future and to be aware of these issues to ensure success. Good leadership reframes potential risks into opportunities. Good leaders can integrate protection into their business strategy. Good leaders can take on the challenges of operating in an unstable world, thus ensuring, protecting and enhancing their growth and competitive advantages. Three principles are needed to ensure an effective and profitable growth-protection strategy: an awareness of criminal threats, smart investment in people and the establishment of a healthy and safe work culture.

1. Protection as a Strategic Choice: Ensure your Growth

Historically, when defining strategy, companies used to treat value creation and value protection as separate entities. Today, that is no longer possible. If companies want to be sustainable without impacting their profits, they have to start thinking about protection in the early stages of what they do. In order to establish a fruitful business strategy, managers and their teams must actively and systematically integrate protection and defense practices at the strategic, tactical and operational levels. First of all, companies need to identify any internal and external criminal threats they face and the steps needed to protect people, their reputation and both physical and intellectual property. Secondly, companies must utilize a strategic analysis to assess and prioritize their risks. Finally, companies must establish protection plans that incorporate both prevention and mitigation procedures.

2. Build on Resources: Prepare and Empower Your Team

People are at the core of both criminal risk and growth protection. It’s people committing the crimes — sometimes even company insiders — but people are also the solution. In order to be successful, a protection strategy that is sustainable, ethical and easy to follow must be put in place for all employees and stakeholders. Historically, protection has been managed by the IT or security departments. However, this is no longer sufficient. Today, protection is achieved through the daily actions of all employees. Every employee, regardless of their position, must be informed, responsive and motivated to participate in the process. To do so, training, communication and governance are key. Training informs us of the risks, encouraging caution and feedback. Communication creates a climate of trust where everyone can express themselves freely and propose improvements. Governance promotes a social and ethical vision of the company.



3. Business Culture Reset: A Good Company Makes You Feel Safe

Although there is no foolproof recipe for creating a perfect protection strategy, some elements of the company itself can lead to criminal attacks. The pursuit of profit at all costs combined with a lack of control and ethics often leads to abusive practices. However, in an age of radical transparency, organizational wrongdoing is no longer tolerated. The founder of Uber had to resign following the exposure of a culture of sexism and intimidation. A smartphone video of a United Airlines staff member forcibly dragging a passenger off an airplane went viral. The #DeleteFacebook movement has been used over 400,000 times on Twitter in protest of the unethical use of personal data of 50 million user accounts. And the list goes on and on. Our connected world has transformed businesses into glass boxes where consumers can easily see inside. Executives, boards, marketing departments and staff managers have to understand that, even if the behavior happening within a company is not “illegal,” it may be condemnable. When the poor social, environmental or ethical practices of a business are exposed, the reaction of consumers and other stakeholders — analysts, journalists, suppliers, activists, ideological hackers — can be vicious and swift, often hurting more than the ensuing legal punishments. Today, every company needs to investigate and eliminate unethical behaviors and any presence of a toxic company culture as a matter of survival. Failing to do so invites serious consequences in terms of reputation and results. If bad corporate behavior increases the risk of bad employee actions, the reverse is also true.



Good corporate behaviors, including awareness, transparency, accountability and egalitarianism, are the core values that reduce workplace violence and conflict and lead to growth. They work like superpowers, increasing productivity, creating greater success, improving the quality of work and making business safer and more effective. An organizational focus on ethical business practices and a system of checks and balances will prevent any single leader from taking advantage of their position. When you create a proactive culture of ethical and equitable treatment, it is much easier to manage and mitigate these types of risks moving forward. This sort of “always do what is right” spirit makes it easier to do the right thing and much harder to do the wrong thing. Plus, employees will feel like they belong and are protected — and are more likely to protect the company in turn. Organizations with a healthy culture not only gain the trust of their employees, consumers and stakeholders but also strengthen their resilience, minimize their risk of attacks and encourage cooperation and innovation. It’s not a matter of wondering if attacks will occur but when. Start proactively protecting against them. A protection strategy will defend your company, as well as lead to impressive growth, admirable performance and an enviable reputation. Criminal threats will never completely disappear, but when a company and its employees work together to strengthen their protection, they reduce their risk and take ownership of their future for the well-being of themselves and of their consumers.


II. Take Up the Challenge of Cyber Risk and Protect your Business



Summary

No matter how small or large your organization is, having a cybersecurity strategy is more crucial than ever. Long entrusted to IT departments, cyber risk has become a strategic issue. To tackle the cyber threat that all organisations face today, decision makers within business must align their cyber risk management initiatives and their organization’s business strategies to ensure a successful integrated cyber security strategy. This requires assessing cyber risks, installing a cyber-hygiene routine and training people within the organization to become cyber protectors.



Take up the Challenge of Cyber Risk and Protect your Business

In early 2019, the World Economic Forum recognized cybercrime as one of the biggest risks facing our world today, alongside things like natural disasters and climate change. It makes sense why they’re taking this threat so seriously. Every day we witness companies of all sizes suffering piracy, digital robberies, and data breaches. A full 25 percent of Fortune 500 Companies were hacked in the last decade. While it is essential for a company of any size to use innovative technologies — such as artificial intelligence, the Internet of Things, and robotics — they also increase exposure to cyber-attacks. Every time this happens, companies suffer financially, whether by direct loss caused by the theft, business interruption caused while solving the issue, damage to reputation, penalties paid to customers, or legal implications following the new GDPR regulations. And these repercussions aren’t short-lived. The credit union Equifax, for instance, has lost $4 billion since the attack on their customer data in September 2017. Cybercrime-related damages are expected to reach $6 trillion annually by 2021.

And yet too many businesses aren’t doing nearly enough to protect themselves. It’s not because they don’t know it’s a threat; it’s because protecting against cybercrime is hard. Cyber threats evolve faster than any defensive barrier, capitalizing on emerging technologies to gain access. There are a number of people interested in getting into your systems, from terrorists to hacktivists, competitors to governments — and they often leave little or no evidence. The scale of malicious activity is enough to make even the most proactive business leader feel discouraged and frightened. However, criminal attacks do not happen by chance. They result from the actions of a company, which means that the probability of suffering an attack is determined by the way a company protects itself and by the choices it makes on a daily basis. Companies do not have to facilitate the work of pirates. Here are a few strategies to face the challenges of cyber-attacks and get serious about protecting your business.



Build Cyber Protection into the Core of Your Strategy

Due to the potential impact on a business, cyber-attacks can no longer be treated as a technical risk only handled by the IT department. Instead, you should start approaching them as a major strategic risk managed by your top management. So take this threat straight to the top. Your company’s leadership should absolutely be bearing the responsibility of protecting your assets — which in today’s world means dealing with cybercrime. If managed proactively and intelligently, cyber-security ceases to be a constraint and instead becomes a competitive advantage. By addressing cyber risk in your strategy, you strengthen the confidence of investors, partners, employees, and customers who care about their safety. (For reference, 92 percent of internet users are concerned about the security of their data and the protection of their privacy.) Whether your motivations are to follow regulations like GDPR or NIS or to respond to financial or societal pressures, companies of all sizes have no choice but to protect the data they hold and set up effective cyber-security operations.



Understand Where You Most Need Protection

Not all businesses are vulnerable in the same way; it is up to every company to know their weak points in order to protect themselves effectively. As business leaders, you must, therefore:

1. First understand how your most vital assets are connected, everything from information systems and networks to strategic data (like IP, M&A, partner contracts, suppliers, business plans) to even personal data that could have an impact if accessed or stolen.

2. Once you’ve listed out all your assets, map out the types of risks possible by classifying them according to two axes: the probability of that asset being hacked and the level of impact. This should help you zero in on where to focus your protection efforts first.

3. Then, you’ll need to identify the type of threats your company faces as well as the motivation of potential perpetrators. The most common ways of attacking are phishing, ransomware, malware and taking advantage of security flaws in the cloud. Common motivations for hacking are greed, notoriety, ideology and espionage. Identifying who poses the largest threats to your company can help you build a smarter plan for protecting yourself.

Now that you know what you need to protect your business, it’s time to integrate it into everything you do as a company.

Set up a Cyber-hygiene Routine

The scope of many high-profile attacks could have been greatly reduced if the companies concerned had implemented fairly simple “cyber-hygiene” reflexes, as Colonel Jean-Dominique Nollet, chief security officer at Total, reminds us. First, there’s the basic layer of “cyber hygiene” — fairly simple steps that, when integrated into operations, greatly reduce the possibility and scope of attacks:

• Systematically back up data and regularly test the backup strategy.
• Only give users access to the rights they need.
• Compartmentalize resources to limit the spread of a threat.
• Encrypt data to guarantee confidentiality.
• Reinforce authentication by using several criteria and not just a password.
• Regularly apply system, network, and application updates to prevent hackers from exploiting known vulnerabilities.
• Deploy security software (anti-virus software and firewalls) and solutions for detecting and responding to threats on endpoints (such as the implementation of a response plan to IT security incidents).
• Test your security systems and those of your partners—you might even want to hire some ethical hackers or threat hunters to stress test your systems.

Create a Culture of Protection

However, beyond the low-hanging fruit of basic hygiene, you need to make sure protection is built into your very company culture, starting with your people. Because ignorance of risk is regularly exploited by criminals, every employee — regardless of their position — must be fully aware that they play a key role in protecting against external and internal threats. This means training your employees on simple yet effective tactics for protection in their professional and private lives — but it also means ensuring you have a culture that is clearly open to feedback or information on incidents, anomalies, mistakes or worries. The entire internal culture of a company plays a major role in securing operations. Don’t let a single cog threaten the whole machine.

Cyber risk is a reality with devastating consequences for any company. Cybercrime-related damage is expected to reach $6 trillion per year by 2021. Today, a leader must bear responsibility for protecting corporate assets. If managed proactively and intelligently, this becomes a way to strengthen the competitive advantage of an organization. Integrating cyber risk into the strategy builds the confidence of investors, partners, employees, and customers concerned about their safety. Safety is a basic human need, and brands that reduce danger will always be appreciated over their competitors.


III. How to Protect Against Remote Working Cyber Threats



Summary

Before the pandemic forced millions of workers into working remotely, cybersecurity risks were already intensifying. Today, some security firms are citing 800 percent increases in calls regarding cyber-attacks. Your employees and your company need to be protected even more from home. In this post, explore how to manage the cyber risks of remote work.

How to Protect Against Remote-Working Cyber Threats

The COVID-19 health crisis has created many organizational and economic concerns for companies. Those who have opted for remote work due to the pandemic are now facing additional pressure on their networks’ security. Remote employees, who are more exposed than corporate networks, have become prime targets for hackers looking for more accessible entry points to corporate networks.



Remote Work and Amplified Cyber Risk

An estimated 16 million U.S. knowledge workers started working remotely due to COVID-19 as of March 27; that number is likely much higher now. The use of personal devices and Internet connections, coupled with anxiety about balancing work with childcare and other home tasks, has created new vulnerabilities. This is because home Wi-Fi networks are generally less secure, shared by different users, and connected devices are more vulnerable to malware. Not to mention that remote working has encouraged the adoption of applications such as teleconferencing tools that have their own security weaknesses such as Zoom bombing (the intrusion of malicious individuals into group videos).

Finally, less vigilant remote employees may be more vulnerable to phishing scams that open access to company networks. According to cybercrime statistics, phishing sites increased 350 percent from January to March 2020. COVID-19 phishing (sending email messages claiming to be from legitimate companies with information about the coronavirus) is on the rise. Cybercriminals take advantage of compromised email systems to obtain sensitive information or commit fraud, capitalizing on the feelings of fear and panic experienced during the pandemic by causing more users than usual to click on infected attachments or links in emails.

Cyber Hygiene Adapted to Remote Work

In response to this change, companies must put protective measures in place to adapt to teleworking. First of all, it is generally necessary to remind employees of the security policies and practices developed to deal with threats and to empower them to become even more vigilant in protecting their data at “home.”



This involves precautions such as:

• Encryption of data to guarantee their confidentiality.
• Securing connection devices such as choosing a strong password on home Wi-Fi, securing data by strengthening authentication using multiple criteria and not just a password, and the use of complex password management platforms.
• Regularly updating the system, network, and applications to prevent hackers from exploiting known vulnerabilities.
• Deployment of security software (antivirus software and firewalls).
• Physically securing your computer equipment to limit theft or loss.
• Creating several user accounts (family, professional, personal, etc.) if it is necessary to work on the family computer.

Another precaution is increased vigilance of phishing and social engineering techniques and the sharing of personal information such as photos of online meetings and telecommuting tools. Recent research on excessive online sharing has shown that people don't realize how much personal and business information they reveal in their photos, such as pictures of their homes and hobbies or pictures of internal correspondence and sensitive web pages for their business on their screens, which provide clues to their usernames, passwords and other information.



Set up a Secure Gateway

In order to limit their exposure to risks and strengthen confidentiality, availability and integrity of their critical data and systems, the implementation of appropriate measures and tools is necessary.

Data becomes more vulnerable during exchanges between the remote workstation and the corporate network.

Security professionals recommend three types of actions to limit exposure to cyber risk:

1. Review availability of and limit access to sensitive information while using automated tools to scan devices and applications in order to detect abnormal spikes in traffic or unusual requests.

2. Favor more secure communication through the use of tools such as VPN or the Cloud. A VPN (Virtual Private Network) makes it possible to open a secure tunnel between the workstation and the company network and therefore keeps data private even when shared on public networks. The data transmitted in this way is encrypted, and therefore unusable even if it is intercepted. This is also the case with the Cloud. These platforms, such as the online versions of the Microsoft 365 suite, host business applications on their own servers, relieving pressure on business systems and giving employees more flexibility to access software from home.



3. Ensure a regular backup strategy for critical data, whether through the company server or using specialized applications. Experts predict a resumption of ransomware attacks as soon as businesses reopen. Having operational safeguards will limit the consequences of the incident and ensure business recovery as quickly as possible.

4. Secure individual employees and their devices — whether it’s by providing secure, fully-identifiable hardware on the corporate network or by prioritizing the verification of user identities and devices at various checkpoints with passwords and other authenticators. For Jean-Dominique Nollet, head of information systems security, the use of strong identification or MFA (multi-factor authentication) is the most effective way to ensure the security of a company's infrastructures when employees work off-site. Multi-factor authentication typically combines passwords with other security measures, such as fingerprints or other biometric identifications.

To face the COVID-19 crisis, companies must use the logic of limitation: limiting the risks means limiting the repercussions of the crisis. While an increase in cybercrime has been reported worldwide during the pandemic, preventing the evolution of cyber risk and its consequences remains one of the essential prerequisites for business continuity. Cybercriminals are on the prowl.

Taking remote work into account, as well as increased online protection of employees, will help companies stay secure during the pandemic and beyond. In fact, working from home seems to have won over many employees. A study from the State of Remote Report shows that a whopping 98 percent of people would like to have the option to work remotely for the rest of their careers.


IV. Reinventing Companies Against Workplace Harassment



Summary

Here is the reality: Wherever there is power, there is potential for abuse. But #metoo changed everything. It reminded us how powerfully internal misconduct crises can derail an organization or destroy a brand. While companies so often focus their criminal risk mitigation on things like cyber-attacks, fraud, espionage and counterfeiting, unethical behavior by employees is a strategic issue that needs to be addressed. From #metoo to #weall, solutions exist that can ensure a cooperative and safer business world.



Reinventing Companies Against Workplace Harassment

In the face of the worldwide outrage that has been expressed through the #MeToo movement, companies have no choice but to become proactive in the fight against workplace harassment. In October 2017, the fall of Harvey Weinstein resulted in the fall of his powerful Hollywood studio The Weinstein Company (valued in 2016 at $700 million). Since then, the #MeToo movement denouncing sexual assault and harassment in the workplace has continued to gain momentum. The list of those accused of "inappropriate sexual behavior" grew longer by the day.

In the fashion world, revelations of sexual abuse have tarnished photographers Mario Testino, Bruce Weber and Patrick Demarchelier. At Lululemon, Stuart Weitzman, Nike, Guess, CBS, Uber and Google, several senior officials have been forced to resign due to inappropriate behavior. This is only the beginning. Around the world, it is estimated that one in three women will be a victim of sexual violence in her life, regardless of her socio-professional category.

Companies Look Away

Yet despite the significant risk associated with this type of behavior, whether in terms of reputation or financial loss, most companies remain defensive against harassment, as if it only happens to others. Some of them hide behind their responsibility to their shareholders and their board of directors. In times of economic crisis or stress, companies often feel they have to do “whatever it takes” to remain productive and profitable, including placing a low priority on the well-being of their employees. These companies are characterized by high tension at work, high turnover, low motivation and frequent work stoppages. In this type of business environment, abusive behavior is considered acceptable and excusable. Since the transgressor does not “see the harm,” the victim is instead advised to “toughen up.” Other companies prefer to hide behind their policies and codes of conduct against harassment and other types of abuse in the workplace. Unfortunately, these policies are often misunderstood and inconsistently applied.



The last type of company sees harassment as a “personality conflict” between two or more employees. Both parties are believed to be responsible for the conflict. By denying any “organizational problem,” leaders fail to implement the changes necessary to safeguard the values they claim.

It Is Probably Happening in Your Organization

Just because you haven’t heard about it, doesn’t mean that it hasn’t happened. CEOs, boards of directors, executives, entrepreneurs and other business leaders need to come to terms with the fact that sexual harassment is likely happening in their organization. Consider the data: While it is hard to nail down exact numbers, it’s estimated that at least one in four people experience sexual harassment at work and that 75 percent of those who experience harassment don’t report it. In fact, the Equal Employment Opportunity Commission (EEOC) found that most victims deny or downplay the gravity of their experience and try to ignore, forget or endure their colleague’s inappropriate behavior — likely for fear of retaliation if they do bring these allegations to the table. If you stick your head in the sand and pretend these things aren’t happening, it won’t make them go away — it will just make the consequences worse when they do come to light. Come to terms with the fact that sexual harassment is probably happening or will happen in your organization — and start being proactive about preventing it.

Harassment Undermines Results

It is obvious that violence at work — characterized by situations of harassment, but also situations of exacerbated conflict between employees or even acts of aggressive management — demotivates employees and harms the bottom lines of companies. When victimized employees conclude that their organization is unlikely to actively support them, they open up on social media, talk to the press, band together and take legal action.

When it becomes public, this violence and abuse can derail an organization, destroy a brand and lead to legal proceedings against a company or its managers. Moral or sexual harassment is not only condemned by law with possible prison time, but also by consumers who need their values to be aligned with their purchasing decisions. They can’t tolerate unethical, insensitive or harmful companies or brands.



Don’t Ask How Much it Will Cost — Ask How Much You Have to Lose

Brands spend millions to get consumers to love them but, more often than not, they misunderstand that consumers care about ethics, too. Even if the behavior happening within a company is not “illegal,” it may be condemnable. When the poor social, environmental or ethical practices of a brand are exposed, the reaction of consumers can be vicious and the downfall rapid, often hurting more than legal punishments.

Every company needs to investigate and fight unethical behaviors and toxic culture as a matter of survival because of the serious consequences for their business in terms of reputation and results. Of course, executives don’t have control over all the events that impact their company, but it is their responsibility to prevent, mitigate and prepare for these risks.

Taking Responsibility Alleviates the Crisis

It is wrong to think that “blind” businesses are more secure as they become vulnerable and powerless in times of crisis. On the contrary, companies that have the courage to face the facts take power over their future and unleash their capacity for transformation and innovation. Studies show, for example, that doctors who assume their responsibilities and express their regret for having caused harm, manage to reduce the sanction, the anger of victims and restore confidence. The same is true for leaders who, by apologizing, promote the well-being of their employees and are more respected. The two founders of Vice Media (valued at $5.7 billion) have thus publicly apologized following revelations of harassment within their group. While they fired the offenders, they also launched a training campaign for all their employees and pledged to achieve equal pay by the end of 2018.

An organization that recognizes and repairs the damage caused to a victim as a result of workplace harassment may not avoid the courts, but it will be recognized as an ally of its employees and appreciated for its respect and responsibility. Because, far from seeking excuses, blaming, or threatening its employees, it will protect them by putting into practice what it preaches, in line with its stated values.



Cut to the Core for Long-Lasting Solutions

While there is no magical formula to creating a perfect strategy to protect employees against internal workplace violence, a company with a culture of deviant behavior is more likely to have these sorts of attacks. Bad corporate behavior increases the risk of bad employee actions. But this can be controlled with the help of an organizational focus on ethical business practices and a system of checks and balances to prevent any single leader from taking advantage of his position.

Additionally, instead of having a reactive response to sexual harassment risks with “quick patch” solutions, leaders need to get to the core and engage in a cultural reset. By creating a proactive culture of ethical and equitable treatment, it is much easier to manage and mitigate these sorts of risks moving forward. This sort of “always do what is right” spirit makes it easier to do the right thing and much harder to do the wrong thing.


To do so companies must make the necessary changes to their mission, vision and values, as well as to the structure and leadership of their organization. Everything in the company should reflect the support given to employees. The first step in building a culture against harassment is a clear recognition that it is inappropriate and harmful, regardless of the hierarchical level. Clearly, no abusive and disrespectful behavior should be tolerated in the company.

Companies must also demonstrate by their actions that their scope of responsibility extends far beyond their shareholders and their board of directors to their customers, their employees and the community at large. Their commitment to a harassment-free workplace will be reflected in a strategy to keep it respectful and safe for all. This includes concrete and effective anti-harassment actions such as awareness-raising and training initiatives for managers, executives and employees. It also includes qualitative management, global performance management and objective monitoring.



Help Everyone Feel Safer Together

Transparency, responsibility and egalitarianism are core values that reduce workplace violence and conflicts. By creating a culture where everyone feels safe together, companies will not only win trust (from their employees, consumers and stakeholders) but also build resilience, minimize the risk of disruption and encourage cooperation and innovation. And companies capable of being productive and profitable while maintaining high ethical standards are real talent magnets. New generations want to work in work environments that are respectful, fair and engaged in the prevention of harassment and other forms of abuse in the workplace. More leaders are recognizing that, in order to sustain and grow their business, the only path is via human progress and meaning, which brings more economic rewards than quantitative growth.

Today, bosses like François-Henri Pinault, CEO of the luxury group Kering, assume their social responsibility towards their employees and towards the environment. Pinault pleads for a “generous capitalism” that combines performance and ethics, promoting a culture of accountability and doing what is right for the good of the company, each employee and society at large. In a hyper-connected world where each consumer wants their values to coincide with the products and services they consume, the success of companies relies on their ability to set up strong and ethical core values that protect human beings as a whole and in all circumstances. There is no room for error. Don’t wait for wake-up calls — be willing to change now. Even if it's hard, it's worthwhile.


V. Dealing With Internal Criminal Threats During COVID-19


Summary

The COVID-19 crisis has outpaced the resiliency mechanisms of most global businesses. In a context of stress and ambiguity, with limited information and little history, how can business leaders protect their company from internal risks and scandals?



Dealing With Internal Criminal Threats During COVID-19

The COVID-19 crisis has outpaced the resiliency mechanisms of most global businesses. It is in this context of stress and ambiguity, with limited information and little history, that business leaders must rethink their strategy and make decisions. In situations of extreme stress, research has shown that managers tend to make bad decisions for their businesses, using binary choices, limiting options and focusing on short-term solutions. Situations of great fear often lead to a decrease in confidence in others, an increased dependence on habits and an increase in negative interpretations of events. From an ethical perspective, prolonged anxiety can be problematic. It can interfere with judgment, cause business leaders to focus on the wrong things, distort the facts or justify wrongdoing. This condition can worsen, especially when it is reinforced by:

• An economic slowdown due to the COVID-19 pandemic
• Stress linked to the isolation of working remotely
• Massive layoffs
• The pressure of results

These can all lead to an increase in wrongdoing and unethical behavior as employees become more isolated and less encouraged to think of others.



Internal Risks on the Rise

The ethics and compliance departments, which monitor and report on compliance with laws, national and international regulations, professional and ethical standards, as well as internal procedures, are on high alert. As Ann Tenbrunsel, a professor of business ethics at the University of Notre Dame’s Mendoza College of Business, explains: “Because of the stress, we’re in a frame of loss, we’re going to engage in more risk-taking behaviors which could be unethical.” Not to mention that remote work does not prevent the continuity of a toxic culture and harassment. In a decentralized online environment with fewer witnesses, harassers and toxic managers can more easily pursue threats or sexist comments.

Anti-corruption organizations like the ACFE (Association of Certified Fraud Examiners) have warned that the economic upheavals caused by the pandemic will create an environment conducive to corruption and fraud (increased risk of misappropriated assets or fraudulent financial data) as well as the denunciation of existing fraud. In two months (from mid-March to mid-May), the American federal body regulating and controlling the financial markets (SEC) registered an increase in the number of denunciations and complaints concerning possible wrongdoings in the workplace of 35 percent compared to the previous year.

Protecting Your Reputation

In addition to the legal risks, we must consider possible damage to reputation. In times of intense pressure, it can be tempting to justify illegal behavior and to circumvent social rules or ethical principles. However, if a decision made from a rational and logical point of view was previously sufficient, that may no longer be true. In today’s age of social networks and whistleblowers, decisions must also be made from a moral point of view with consideration for risk of scandal and damage to reputation. If some companies think they can “cover” their bad actions because of a pandemic, the current demonstration of support for the anti-racist movement #blacklivesmatter has forced many companies like Adidas, Mars Food and PepsiCo to reconsider their communication and their strategy. We can all expect scrutiny of corporate behavior by stakeholders (media, investors, consumers) when the virus disappears. Whether or not we are facing another wave of pandemics, the increase in criminal threats linked to internal behavior requires special attention from the boards of directors and the management committees of companies in order to avoid a greater crisis.



Maintaining Effective Surveillance

If in the current context, operational decisions are privileged, executives must be careful not to affect the anti-fraud and ethical measures of a company as a whole. Supervisory, investigative and disclosure responsibilities must be in place to continue to detect errors and misconduct. Organizations must also guarantee safe and healthy telework for everyone. Respecting and enforcing fair and ethical standards in all aspects of business life will allow employees to reflect on these values before deciding whether or not to resist wrongdoing. If they feel that fair and respectful treatment continues to be valued and supported by the company, despite working remotely, employees can be more confident, motivated and attentive to possible abuses. Fair values and standards allow employees to express themselves and limit internal attacks.

Balancing Leadership

A company’s ability to recover from a crisis is determined by the response of its leaders. Each employee, customer and consumer will scrutinize the decisions and behavior of companies. The pandemic has shown the success of a pragmatic, honest, empathetic and humble leadership based on increasing the group's well-being and common good.

If the current crisis can tip business leaders and managers toward a problem/solution analytical model, they must remain in empathetic contact with their teams. Being open, dialoguing and communicating in a transparent and authentic way are major assets for companies, as they reduce anxieties and increase confidence.



Strengthening Your Company's Mission

Most companies have had to make extremely hard decisions to guarantee their survival, including cutting wages, laying off workers, canceling future orders and borrowing in order to strengthen their balance sheets. However, for many of them, such as the multinational computer company Microsoft, the jeans manufacturer Levi Strauss, or the software editor Salesforce, the approach is more global and focused on the mission. In other words, they have weathered the pandemic without losing their deeper identity. By reconnecting to the mission of the company, it becomes easier to make decisions and maintain corporate social responsibility objectives at the heart of their strategy and business model. The COVID-19 crisis puts everyone in unexpected and unfamiliar situations. Our instincts might force us to panic and make decisions that are dangerous for the business, but there is another option: Keep calm and carry on doing what is right for the business in the long term.


VI. Internal Fraud: A Bane for Big (and Small) Business



Summary

It’s proven that corruption and bribery are bad for business. They cost at least 5 percent of a company’s revenues each year, hurt reputation, decrease employee morale — and can even be the single biggest detriment to investment growth. Solutions exist to deal with fraudulent behavior. Developing both preventive and corrective anti-corruption systems can help stop corruption and boost business.

Internal Fraud: A Bane for Big (and Small) Business

To deal with fraudulent behavior, companies must set forth both preventive and corrective measures. Internal fraud costs companies at least 5 percent of their revenues each year, regardless of their sector or size. Present at all levels, it’s an act that is committed by one or more employees and is defined as illegal and intentional deception or concealment with the intent of obtaining financial gain. Fraud includes misappropriation of goods and services, corruption, unethical behavior, and the communication of fraudulent financial or non-financial information. This includes inaccurate information with the aim of deceiving the shareholder, banker, or buyer.


Not a month goes by without the press reporting fraud involving companies — whether they’re victims or perpetrators. Here are but a few examples:

• The collapse of the German company Wirecard, after disclosing a gaping hole ($1.9 billion) in its books, due to a sophisticated global fraud
• Amazon stealing $61 million in tips from its Amazon Flex delivery drivers
• The scandal of the ghost accounts of Wells Fargo, which opened millions of fictitious accounts to artificially increase agency revenues
• Embezzlement charges and money laundering at Goldman Sachs
• Volkswagen’s “Dieselgate” — the cost of which has been estimated at 35 billion euros
• Accusations of price deception against the e-commerce site vente-privée.com
• Conviction in France of Swiss bank UBS to a record fine of 3.7 billion euros for “illegal bank canvassing” and “money laundering aggravated by tax fraud”
• The conviction for “bribery of foreign public officials” of French petroleum giant Total



Small and Medium Organizations on the Front Line

These are all scandals that cost large companies a lot of money. However, the media coverage should not make us forget that, in fact, it’s small- and medium-sized companies that suffer the most. Their losses, in case of fraud, are twice as high ($200,000) as those suffered by large companies ($104,000). The lack of dedicated internal control structures, the lack of segregation of duties (critical transactions are performed by a single person), and less formalization of transactions increase the likelihood of fraud and the risk of error.

Beyond the shock generated by its discovery, fraud inevitably has a negative impact on companies’ financial health — be it the victim or the perpetrator. The Association of Certified Fraud Examiners (ACFE) estimates that in Europe, the median loss following a fraud attack is €178,000 ($217,000). Beyond the financial aspect, companies’ reputations are also damaged. They must deal with mistrust both from their partners and the public, negative comments on social media and, sometimes, even opportunistic reactions from competitors. Finally, fraud creates a feeling of insecurity internally, which can then decrease employee motivation and cause a drop in productivity.

Professional fraud is one of the most widespread types of economic crime. What often happens is that our competitive economy puts pressure on managers (shareholder lobbying, short-term dictatorship, investments in risky emerging markets) and employees (high-performance objectives, competitive culture, toxic management, and feelings of unfairness in compensation policy). These socio-economic tensions encourage deviant behavior, including intentional manipulation of company accounts, circumvention of legal rules and procedures, failure to respect ethical principles and theft of goods, money, services and information. The digitalization of all activities also makes IT systems more sensitive to “techno-fraudsters.”



[Explanation] The “Fraud Triangle”

Invented by the American criminologist Donald Cressey, the “Fraud Triangle” highlights three conditions that lead an individual to commit fraud.

• Pressure (financial problems that the fraudster is trying to solve, a lifestyle too high for his income, the need to pay off debts, addictions...)
• Opportunity (flaws in the company’s organization)
• Rationalization (why the criminal thinks it is acceptable to commit the crime)

By analyzing the studies of the ACFE and the auditing firm PwC, we can sketch a portrait of the typical fraudster: most often male, a college graduate and between the ages of 35 and 45 years old. He’s friendly and generally appreciated within the company. Because of his seniority and hierarchical position, he enjoys the confidence of his management and works in areas such as accounting, operations, sales, general management, customer service or purchasing. However, certain signs and behaviors clearly indicate that something is wrong: a lifestyle that exceeds his or her income capacity, financial difficulties, addictions (gambling, drugs) or a change in behavior (refusal of a promotion, a vacation, a checkup or a sharing of responsibilities). The higher the hierarchical status, the greater the damage: Fraud that directors commit is typically three times more costly than fraud committed by low-level managers, and nine times more costly than those committed by typical salaried employees.




An Anti-Fraud Policy Focused on Prevention

The first of the preventive measures is to understand and assess the threats related to internal fraud, prioritize actions based on financial and ethical issues, and disseminate the protection policy to employees. For an anti-fraud policy to be successful, it must be based on a positive, cooperative management style and a healthy corporate culture, with management setting a real example.

As Léon Jankowski, vice president of security and operational resilience for the MEA/Turkey Region of DHL’s Transportation and Logistics Group, points out, the anti-fraud program must be supported by a multi-disciplinary committee consisting of representatives from finance, operations, legal and human resources, as well as internal auditors and fraud consultants. The program should be organized around two objectives: stopping fraud through prevention and limiting the impact of fraud through effective protection.

Prevention makes it possible to act on the frequency of fraud. It requires the following elements:

1. Establishing a culture that does not facilitate or tolerate internal fraud in any form

2. The creation of a code of ethics and professional conduct, with clear sanctions (including criminal sanctions), to reduce the likelihood of a bad decision

3. Raising awareness and training managers and employees on the risks of fraud



Protection acts on the seriousness of each case of fraud. It includes:

• Alert systems that allow incidents to be easily and quickly escalated (incentive to communicate, establishment of channels guaranteeing confidentiality, effective follow-up when there has been a report, protection of the informant)
• Implementation of appropriate segregation of duties based on the model “the authorizing officer is not the payer” and a rotation of individuals serving in the same position
• Resource and system controls: internal and external audits, multiple controls that include security controls (approvals, authorizations, audits, and performance reviews)
• When an incident is discovered, the implementation of a crisis management plan that makes it possible to thoroughly analyze the suspected or proven fraud (tracing the source of the fraud, identifying fraudulent transactions, weaknesses, controls to be created or strengthened) and to remedy the situation from an operational, legal, financial, organizational, social and regulatory point of view, with the support of a team of anti-fraud investigators, internal consultants (communication, legal, human resources), and consultants specialized in fraud and crisis management

Long a taboo subject, fraud today has both direct and indirect consequences far too important not to be taken seriously and anticipated. Every employee — from manager to CEO — will potentially encounter difficult situations in his or her career where the right course of action will not be clear.

Putting in place a risk reduction policy — as well as sound governance that promotes social responsibility, ethics, and honesty — will not only effectively prevent fraudulent behavior but also support sustainable creation of value, a necessary condition for companies’ long-term survival.


VII. How to Better Combat Counterfeiting



Summary

Counterfeiting hurts society. Counterfeiting has a damaging effect on business, the economy and the general population. But solutions exist. Companies can protect themselves and their customers.



How to Better Combat Counterfeiting

To cope with this massive phenomenon, companies have to compete on both sides — supply and demand.

Medicine, electronics, shoes, clothing, car parts ... consumer goods in almost every sector are counterfeited these days in all types of businesses, including SMEs. Trade in counterfeit and pirated goods has risen steadily in the last few years — even as overall trade volumes stagnated — and now stands at 3.3 percent of global trade, according to the OECD and the EU's Intellectual Property Office. The emergence of e-commerce and major retailers such as Amazon and Alibaba has only made it easier to buy and sell counterfeit goods: 70 percent of all counterfeit products are now sold online. Encouraged by new technologies that speed up the process of manufacturing fake products at lower costs, many organized crime players have reoriented themselves into these highly profitable markets. This is even more alluring when the imposed penalties are often weak and do not serve to deter. As an example, for every $1,000 invested, a criminal can generate between $200,000 and $500,000 from trafficking in fake drugs, whereas for the same investment, heroin trafficking brings in just $20,000.

According to the INPI, the French National Institute of Industrial Property, counterfeiting is defined as “the reproduction, imitation, or total or partial use of an intellectual property right without the authorization of its owner.” Counterfeit products range from quality counterfeits (which resemble the original and illegally use the legitimate brand name) to look-alikes (imitations that duplicate the original product with a different brand name) to poor-quality, unconvincing imitations. Therefore, depending on the quality of the copy, the counterfeit may or may not be misleading.



Dangers to the Consumer

With deceptive counterfeiting, buyers often do not even know they are buying counterfeit products, resulting in health risks that could even be life-threatening. In the case of non-deceptive consumption, the consumer voluntarily and knowingly purchases the counterfeit product, thereby becoming an accomplice to the counterfeiting. This behavior is far from fringe; in France, 37 percent of the population (15 years old and over) declare having voluntarily purchased counterfeit goods, in particular clothing, leather goods and perfumes. In the United States, 71 percent of Gen-Zers are buying counterfeits. Despite the risk, many consumers do not hesitate to buy fakes. Most often, they justify their purchase by reasoning that the original's price is unjustly excessive and an imitation offers better value. This justification becomes even easier if the original product is not available in their market.

Whether for luxury brands or companies in general, counterfeiting is a major threat. It weakens their reputation, reduces the demand for legitimate products, and leads to additional protection costs and to lower revenues and profitability. Counterfeiting is a complex problem that requires a mixed approach. However, in order to define an effective anti-counterfeiting strategy, it is essential that all areas of the company (from upper management to manufacturing lines and sales teams) are aware of the risks and consequences of counterfeiting. This will enable the company to mobilize the right skills and put an organizational structure in place that is dedicated to the protection of its brands and products. By investing in the necessary human, financial and technological resources, the company can keep a step ahead of the criminals. An anti-counterfeiting policy is only effective if it consists of strategies and actions aimed at defending both legitimate businesses and end consumers.



Acting on the Offer

The objective is to implement anti-counterfeiting measures with better protection of the product, making it more difficult to copy.

Protect

First, it’s essential to protect all tangible and intangible assets through registered trademarks, patents, models, and internet domain names. This sends a strong signal to counterfeiters that companies will not stand idly by in the event of an attack. Secondly, companies must adopt new technologies that allow them to secure, guarantee and protect, including:

- The blockchain: this technology allows owners and brands to link to their physical goods through a unique digital certificate.
- The Internet of Things (IoT) and connected objects: For example, Pernod Ricard puts a QR code on its bottles in China, enabling consumers with smartphones to quickly check the authenticity of the product.
- Chemical tracers: the integration of a chemical substance in the product or its packaging also makes it possible to verify the authenticity.
- Holograms: The Canada Goose brand parka uses holographic labels that are difficult for counterfeiters to reproduce.

Increasingly complex supply chains and the multiplication of players in a globalized market have made consumer goods even more vulnerable to counterfeiting. Suppliers and distributors should, therefore, be carefully selected and promoted as partners, as they are in direct contact with products and can better monitor sourcing, distribution and delivery to prevent counterfeits from entering legitimate channels.

Some large companies have a department dedicated to the fight against counterfeiting. However, it is possible to implement an active defense to identify the type and source of threats and assess them, regardless of the company’s size. A vigilant internet watch must be maintained to monitor search engines, social networks, auctions and classified ad sites. It is also necessary to be vigilant in the field and analyze customer feedback or a suspicious drop in sales.



Collaborate

Individual companies cannot win the battle against counterfeiters alone. Inspections are too costly and too slow in relation to their production and distribution systems, so cooperation between all legitimate players is essential. Companies must work together at the national and international level with appropriate organizations — government agencies, judicial and political institutions, police forces, and customs services — in order to strengthen the protection of their rights, to implement means of surveillance of real and virtual markets and to strengthen law enforcement.

They must also unite and participate in the functioning of associations set up to protect intellectual property rights and fight against counterfeiting on a global scale to achieve greater lobbying power. Additionally, partnerships with other brands, payment service companies, social networks, auction sites, and consumers are necessary to achieve stronger authentication and protection.

Defend

In order to defend themselves against counterfeiters, some companies have set up monitoring systems and investigative means, both internally and through external legal agencies. This is the case, for example, of the pharmaceutical company Sanofi, which created the Central Laboratory for Counterfeit Analysis (LCAC) in 2008 to analyze counterfeit medicines and disseminate its detection techniques in developing countries. In the event of proven counterfeiting, companies must react and have their rights recognized by prosecuting the perpetrators, whether they are counterfeiters, internet service providers (blocking websites) or auction platforms. In 2007, for example, L'Oréal took eBay to court for allowing the sale of counterfeit perfumes and obtained a financial settlement in its favor.



Acting on Demand

Demand is one of the main causes of the scale of counterfeiting. Businesses, therefore, need to raise consumer awareness of the negative effects of buying these products, help them identify counterfeiters and counterfeit products, and emphasize the benefits of genuine products (including guarantees). Information on the dangers of counterfeiting is crucial to the success of any anti-counterfeiting strategy. Only then can the demand be curbed and consumers transformed into “ambassadors of authenticity.”

Inform the General Public

The perception of counterfeiting varies by country and type of product. In the case of non-misleading counterfeiting, consumers tend to underestimate the differences between originals and copies. It behooves companies to reveal the hidden face of fakes (sweatshops and child labor, criminal organizations, trafficking in human beings) and to warn consumers of the risks involved, whether legal or safety-related. Studies show that awareness of these negative externalities can delay the purchase of a counterfeit product by the consumer. The documentary "The Fake Trade," the Lebanese integrated campaign "Fake It All" and poster campaigns such as "Don't go on a fake holiday" are all initiatives that have proven effective.

The same goes for event marketing: the Diesel jeans brand opened a DEISEL pop-up store in 2018 in New York to protest against copies. In the case of deceptive counterfeiting, studies by the pharmaceutical company Sanofi have shown that consumers on all continents feel inadequately informed. It is, therefore, necessary to focus on risk awareness, vigilance training, and recognition of fakes at the same time. For example, the #fakemed awareness campaign in the United Kingdom was a great success despite its limited budget, and, in France, the Institute for Research into Anti-Counterfeit Medicines (IRACM) launched an educational and training game aimed at young consumers in 2017.



Educating Stakeholders

Finally, companies need to raise awareness among their employees, sales staff and distributors. The fight against counterfeiting is an ongoing effort. Brands need to be more inventive and innovative. In the past, these products entered Europe via containers in the main ports and were, thus, easily identifiable. Nowadays, e-commerce is leading to fragmentation of shipments, and this has caused confusion. Faced with this new situation, companies will need to reorganize internally to protect and defend themselves and collaborate externally with the relevant bodies and consumers.

Counterfeiting is a problem that is not going to go away overnight. This is because — as in all competitive markets — supply will always become available as long as demand is strong. This does not mean that companies cannot act to defend their rights and protect their products. On the contrary, it calls for an even greater joint effort by all to protect legitimate products from fake ones.



VIII. Intellectual Property, A Crucial Concern For Businesses



Summary

Today, intangible assets are becoming more critical to the lifeblood of any company. They represent innovation and creativity, which in turn generates jobs and improves competitiveness. Vital assets should be recognized as such and strongly protected.

Small businesses must set up a real culture of intellectual property just like large companies.

Today, intellectual property is one of the most discussed topics in the business world, but it remains one of the least understood. Intangible assets have become the main assets of many businesses and one of the prerequisites for any valuation. These represented 84 percent of the total value of the S&P 500 stock market index in 2018 (the S&P 500 representing 80 percent of the U.S. stock market in capitalization). However, even though their economic value is recognized, intangible assets are still too often neglected, underestimated and underreported. Only 9 percent of European SMEs register intellectual property rights, compared to 40 percent of large companies. Unfortunately, it is when companies face attacks such as piracy, counterfeiting and “theft” of intellectual property and trade secrets (cost estimated at 500 billion per year), or when looking for investors, that they become aware of the vital nature and the extent of their intangible heritage. Today, all businesses, from VSEs / SMEs to large groups, have intangible assets which, if they are protected, allow them to gain credibility, perpetuate activity, acquire market power or even create collaboration opportunities.



Assessing Intangible Assets

Intellectual property includes industrial, literary and artistic properties. Industrial property more specifically aims at the protection of inventions and industrial or commercial creations. As for literary and artistic property, it concerns the creation of original works such as advertising videos, websites, commercial documents or software. It is in the interest of companies to identify the intellectual assets to be protected and convert them into intellectual property in order to make them an effective strategic tool. The way to remedy this lack of knowledge is an intellectual property audit in order to:

- Identify and document all the valuable intangible assets that a business may possess, in four categories (brand; inventions; literary, artistic or computer creations; trade secrets), and then use the appropriate protection tools.
- Choose the appropriate protection: copyright covers intellectual works as soon as they present an original character, without formalities being imposed. The same is true for trade secrets if the company guarantees their confidentiality. Other intellectual property rights require the implementation of procedures in order to benefit from them. This is the case for trademark registration, patents and aesthetic innovations.
- Examine the intellectual property of competitors with the aim of obtaining a great deal of information on their developments, projects, products — and to be alerted in the event of infringement of patents or other rights.



Protect Your Brand Using Legal Tools

The brand represents the company, its products or its services to its customers and makes it possible to distinguish itself from its competitors. It can be a name, logo, distinctive packaging or specific advertising slogans. A major asset, the brand is most often the first asset to protect as it increases the value of a business and contributes to building a solid reputation with its customers. It also makes it possible to create and reinforce a "corporate identity" among employees and job applicants. By way of illustration, Apple has built its sales and marketing strategy around its brand, which today is worth $205 billion (value based on the financial performance of products, the role of the brand in purchasing decisions and its ability to build loyalty). By protecting its brand, a company will be able to grow in the countries where it is registered, while protecting itself from third parties and defending itself in the event of counterfeiting.

Developing Trust Through Patents

Given the volume of new products, new technologies and new forms of competition, innovation is at the heart of business economic growth today. If a business creates original inventions that can be manufactured or used — such as machines, tools, instruments, methods, systems, processes, compounds, formulations or medicines — they must be protected. In order to recoup the cost of research and development and succeed in a globalized competitive environment, it is vital for companies to protect their inventions. In addition, patents add credibility and give investors confidence.

Finally, patents are growth accelerators. They give a competitive advantage and can also be the subject of license contracts, be sold or be put on standby for possible future uses while preventing competitors from using them — even if this tactic is time-limited. In France, a patent confers on its holder a right of exclusivity valid for a maximum duration of 20 years. Before filing, the company must be vigilant in the drafting of employment or service contracts to ensure that the inventions belong to it.



Using Trade Secrets

Even if a company does not have a formula like Coca-Cola (kept in a safe and known only to a few people), it needs to keep certain critical information from its competitors. This can include early-stage innovation, customer and/or supplier lists, financial data, product formulas, manufacturing processes, marketing strategies, computer source codes and information on prices. For a business secret to exist, the information must be confidential, have commercial value and be subject to reasonable provisions designed to keep it secret (for example, through non-disclosure agreements). In these circumstances, the unlawful appropriation of this information by a competitor or by a third party will be considered a violation of the business secrets of a company and may be penalized through injunctions and the payment of damages, even if this can be complicated in practice.



Exploiting Copyright

Copyright protects everything that is formatted in literary or artistic terms. It can be a source of income for a company as it can be sold or granted through a license agreement. It covers the creative expression of literary, musical, dramatic, pictorial, graphic, sculptural, cinematographic and architectural works written or otherwise fixed on a medium. In a business setting, copyright includes elements as diverse as emails, letters, legal documents, articles, computer programs, spreadsheets, scientific models, drawings, plans of architects, photographs and software. The Berne Convention for the Protection of Literary and Artistic Works (176 signatory countries) lays down the principle that an intellectual creation is protected by the mere fact of its existence. The right is granted to the author of an original work automatically and free of charge. On the other hand, this protection is limited in the event of a dispute because the author will then have to prove that his creation came first. In the case of unpublished works, for example, it will be necessary during a dispute to establish proof of creation using a Soleau envelope, by depositing them with a ministerial officer (notary or bailiff) or using a society of authors. Easy to use and almost free, copyrights should be part of any intellectual property strategy. Again, the company must ensure through adequate contracts that copyright is transmitted to it by its employees or any external service provider behind the creation.

Intellectual property is now the main engine of wealth creation and economic growth worldwide. And intellectual property assets increase the value and the competitive advantage of companies. However, as pointed out by Christophe Roquilly, professor of law at the Edhec Business School, director of the legalEdhec center, and dean of the faculty and research:

“In order to make the preservation of the intangible heritage of the company an economic and strategic first-rate, each company will have to establish a true culture of intellectual property. This involves raising awareness and training its leaders and proactive management of its intellectual property, which will no longer be seen as an expense but as an investment.”

Today, no company can take the risk of not protecting its intangible assets. Combining creation, innovation and protection is the sine qua non for guaranteeing sustainable growth for any company.


IX. A Short Manual of Counter-Espionage Bound for Businesses



Summary

The Spy Business is booming, becoming a lethal risk for companies. For many competitors, industrial espionage is more effective than R&D. Companies should start worrying and protecting their business.

A Short Manual of Counter-Espionage Bound for Businesses

How to protect and defend your organization’s sensitive information

Espionage has always been around. During the 6th century BC, the philosopher Sun Tzu found it very useful for gaining an advantage over his adversaries. Traditionally, spying (as well as other intelligence assessments) has been of service to countries, their secret services, and their armies. Its first objective was to protect and improve the security of the country by discovering information that its strategic competitors and allies wanted to keep hidden. Many countries, including the United States, Russia and China, also have secret espionage programs for the benefit of their businesses.



Espionage in the Headlines

Today, more and more businesses adopt private information practices, which were previously the privilege of sovereign countries. In the United States, cybercrime targeting intellectual property costs between $10 and $12 billion annually, and the theft of trade secrets costs between 1 percent and 3 percent of GDP.

That being said, spy affairs regularly make the headlines. The Chinese telecommunication business, Huawei, was banned in the American market following accusations of espionage. The rideshare company, Uber, was also accused by Google via its affiliate Waymo of theft of industrial secrets. The CEO of Credit Suisse bank also had to resign following accusations of spying on one of his leaders.

Information is Power

In business, the more a company has access to quality information with high added value, the greater its chances of success. This collection of information, acquired legally or not, has become the vital essence of small and large businesses. In the context of espionage, information has become the knowledge held and valued by one, but not available to another. Whether the reasons are offensive (a race for innovation, strong competition for resources or intrinsically-limited market share) or defensive, it’s now mandatory to have advanced capabilities of secret intelligence gathering. Stealing data and taking direct action against a competitor is illegal almost everywhere in the world and exposes the attacker to convictions for theft, fraud, corruption or breach of contract. But the sanctions are rather nominal in the short-term and, therefore, not a real deterrent. The benefit-risk calculation of industrial espionage (by companies) and economic espionage (by states) remains in favor of those who practice it. Some of the biggest spenders are in the pharmaceutical business: More than a quarter of pharmaceutical companies spy on the competition, spending no less than two million dollars a year. Companies must immediately adopt a more proactive approach against corporate espionage, as the costs for being unprepared are enormous.



The Information Cycle

The first step in secret intelligence gathering is to clearly identify the type of information being sought. Once the intelligence is targeted, the next step is to determine where and by whom that information is kept and then decide on the most efficient and secure way to extract it. Obtaining information within the targeted organization is done through open-source research (trade fairs, congresses, media, internet), technical means (cyber-attack, listening devices, intrusion) and human sources (blackmail, corruption, extortion) — or a combination of all of them. Access to information has become simpler and more discreet with the advent of the internet. While cybersecurity is one of the areas in which companies have invested heavily, the weakest link in any security system is still the human element. Using a human source within an organization to bypass countermeasures is one of the spies' favorite tactics. Everyone from the maintenance worker to the manager has weaknesses and needs. Identifying them allows spies to easily manipulate the target with direct access to the information needed.

To run an effective and efficient business, information needs to be exchanged within companies and with partners, customers, and suppliers. However, this does not mean that all of the company’s data should be shared equally. Every business has its secrets. Proprietary information or exclusive technology can be of great value to competitors if discovered. All business sectors could be negatively impacted. Stolen information is primarily R&D data, customer information, and financial information. In order to determine the level of protection of any business’ information, as well as its cost, the company must assess its value and classify it according to four categories related to the degree of danger of its activities:

1. Non-confidential information: Publicly-available information. No impact in the event of theft.

2. Confidential information: Low-business impact in the event of theft. This type of information requires only minimal checks.

3. Secret Information: Theft of vital information that would be harmful, even if the business survives. This type of information requires a higher level of protection.

4. Top-Secret Information: Critical information. The success and future of the business is directly linked to it. This type of information requires the highest levels of protection.



From Counter-Espionage to the Culture of Protection

For the program to be effective, employees should understand that the senior leadership of the company strongly supports counterintelligence programs and expects them to do the same. The countermeasures break down into two main components: protection and defense. Protection consists of monitoring the company's operations and stakeholders, searching for possible leaks and vulnerabilities, and filling the gaps in internal security. Defense focuses on establishing active measures to trap, deter or at least increase the costs of espionage for those who seek to harm the business.

Training

Training involves educating and raising awareness of espionage among employees with access to sensitive information. The program explains the different types of threats, the variety of methods used in spying on businesses, the value of sensitive information and the damage that could be caused. The objective is also to train employees to identify suspicious people or abnormal behavior, detect potential threats and react appropriately by reporting attempts or suspicions of spying. It is extremely common for executives to carry large amounts of sensitive data while traveling. It is, therefore, necessary to train them to be protected against any illicit appropriation by adopting the appropriate behavior.

Internal and External Monitoring

The weakest component of any security program, especially in the technology-intensive business era, is the human element. It’s essential to conduct background checks of employees in charge of sensitive information, set up a monitoring process and have precautionary measures. Confidentiality agreements, non-competition agreements, in-depth interviews and removal of access in the event of resignation, for example, will limit the loss of information. The company must also exercise due diligence with its partners, suppliers and customers. Finally, it should review financial and performance data, legal status, reputation and potential links with competing companies or companies under foreign control, as well as their compliance.



Technical Measures

The security of sensitive information and assets includes technical, electronic and IT measures. It is important to reinforce access controls in zones where sensitive information is stored, processed, and discussed. This includes barriers between sensitive information and those who are not authorized to access it, secure storage of sensitive data and secure destruction protocol for secret documents. It is also necessary to detect spying devices through electronic scanning to remove microphones and cameras and to protect cell phones, computer systems, etc.

Offensive Counterintelligence

When an attack is discovered, companies whose jobs and reputation are at stake must use internal and external investigative resources to detect the leak and establish an active defense. The company may also consider criminal prosecution or use an "offensive" counterintelligence program. The latter consists of identifying the attackers and transmitting incorrect information via their spy source with the help of security experts and the authorities.

Experts agree that espionage is the second-oldest profession in the world. Although the threat is widespread and growing, businesses should not wait to be the victims. By combining a proactive attitude with a healthy and safe culture, it is possible to protect vital business information. Knowing the value of trade secrets, having a detailed knowledge of espionage threats, protecting sensitive information and implementing effective procedures will limit the scope of attacks. Finally, by making its employees feel appreciated, valued and happy, the company will encourage them to protect their work environment instead of acting in a way that threatens it.


X. Three Non Negotiable Habits To Limit Risks Business Scandals



Summary

Today, scandals have a very negative impact on companies’ performance. Two elements explain the atomic effect on companies. First, consider that in the 21st century, if secrets can be protected, they can’t be hidden for long. Especially the unethical ones. There is a joke in the cybersecurity community that there are two kinds of companies: those that know they’ve been hacked, and those that haven’t found out yet. But if hackers are seen as the most likely threat to steal a company’s information, they are not the most frequent one; employees denounce unethical behavior much more readily. Secondly, brands are a part of consumers’ lives. Consumers are waiting for products that fill their needs. Obviously, they want products that don’t harm them or their loved ones but also products which reflect their choices and their way of thinking; their concerns include ethics, compassion for people and respect for the planet. That’s why when the poor social, environmental or ethical practices of a brand are exposed, the reaction of consumers is more vicious and the downfall rapid. While any company can suffer an attack on its reputation these days, critical habits limit the spread and repercussions of a scandal. They allow some of them to survive and prosper, whereas others can't.



Three Non Negotiable Habits To Limit Risks Business Scandals

Today, in a polarized world centered around social media, where consumers want to buy from companies that seem to share their values, it's easier to identify and publicly denounce bad behavior or practices. No company is immune. Individuals and organizations once considered indestructible are now uniquely fragile in the face of reputational attacks from conventionally weaker adversaries like whistleblowers, watchdog groups, consumer organizations, and the media.

Whether self-inflicted through shameful or blameworthy acts (fraud, corruption, abuse of power, sale of dangerous products, racism, harassment) or arising from external elements (partners with reprehensible practices, criticized collaborations, rumors), scandals seriously impact organizations. A recent study by Deloitte and Forbes Insights found that 300 executives consider the brand's reputation to be the highest area of strategic risk for a company.

No company is immune. Yet too many companies still inaccurately estimate the level of control they have over public opinion. Following scandals in 2018, 17.5% of CEOs of the world's 2,500 largest companies had to leave their positions, largely because they refused to understand how their businesses were perceived and how much power they had lost. Most recently, Dennis Muilenburg, CEO of Boeing, and Les Wexner, iconic boss of L Brands, owner of the Victoria's Secret lingerie brand, had to resign. Gone are the days when company management or their public relations agencies were the only viable sources of information. In a context of distrust toward companies, a poorly managed crisis can quickly spiral into a scandal beyond control.

And for good reasons: in addition to derailing management through cascading resignations, reputational damage hurts customer and investor confidence, erodes the customer base, and prevents sales. A poor reputation also correlates with increased costs for hiring and retention, degrades operating margins and prevents high returns. Besides, business reputation damage increases liquidity risk, which impacts stock price and ultimately slashes market capitalization. While any company can suffer an attack on its reputation these days, crucial habits limit the spread and repercussions of a scandal. They allow some companies to survive and prosper, whereas others can't.



Practice Awareness

The difference between average performers and the true greats isn’t talent or skill, but rather their ability to question whether the status quo is working. The ability of companies to cope with reputational attacks depends largely on relevant knowledge of their internal and external environments. Internally, it means examining how they work as organizations as well as the methods used to create and sell their products, in order to identify where a business is vulnerable. Detecting deficiency, weakness, drift and transgression all require a lucid self-examination of the company and thorough monitoring of the signals of any controversy. Don't hesitate to have uncomfortable internal conversations when necessary. Which messages from the company might be misinterpreted? What do people think of your brand's reputation—especially in a negative way? What unpleasant realities is the company harboring? And what crises would be particularly bad for the company? Meanwhile, companies must carefully monitor incidents such as accidents, attacks, internal complaints or product and brand reviews (criticism, customer complaints, fake or inaccurate news, rumors). These practices allow companies to identify hazards quickly—well before they escalate into a problem—and take the necessary steps to protect their reputation.

Externally, companies need to detect trends and capture changes in the values and ideologies of their consumers. They should also understand their impact on operations and market dynamics. No company can succeed if it doesn't develop its ability to connect deeply with its customers. Today, buyers' expectations go well beyond the price alone. To align with their consumers, companies should grasp those consumers' cultural sensitivities. Social movements such as #MeToo, Black Lives Matter, Cultural Appropriation, Boycott Burberry, #dolcegabbanaracist, Radical Transparency, and Nutella Gate show a profound change in people and long-term consequences for society. Each has denounced the practices of large companies and their leaders. Companies must create internal safeguards (compliance, ethics, inclusion and diversity management) and external alarm systems (independent audit, nonfinancial reporting) that will make it easier for companies to skirt unpleasant communications, correct CEO weaknesses, redress reprehensible employee attitudes, and combat a toxic culture. The human factor plays a major role in preventing reputational risk. All employees and stakeholders have to know and stick to the company's core values. No exceptions should be allowed.



Be Likeable

While no silver bullet exists for developing the perfect strategy to protect against scandals, some companies carry characteristics that themselves attract criticism. The pursuit of profit at all costs, combined with a lack of ethics, transparency, and auditing, leads to all kinds of abusive practices. Embracing business ethics, making quality products, and avoiding bad behavior remain the best protection to combat scandals and reduce the chances of getting mired in controversy. In addition to sustaining and moving the company towards the best it can be, companies that choose the path of quality and purpose benefit from consumer protection. Studies have shown that those who survive controversies tend to have a loyal consumer and fan base. They want the companies to survive and are ready to fight alongside them and/or forgive. Consumer affection and trust in brands such as Apple and Samsung have helped those companies weather the storm of controversies. However, not all companies have bosses as charismatic as Steve Jobs or Warren Buffett. Nor have their products attracted billions of fans. For some companies, avoiding problems may require a change in strategy, such as divestment in risky areas, putting an end to controversial practices, or setting up discreet negotiations, public relations and/or lobbying. The soft-drink industry, for example, continues to limit controversy by acquiring water and juice brands, offering caffeine/sugar-free alternatives, funding health programs and communicating effectively on cross-cultural values. Total, the oil and gas company, invests between $1.5 billion and $2 billion a year in the development of low-carbon energy to prepare for its future and avoid a massive boycott from its investors. However, when it comes to communication, beware of displaying false values and a lack of coherence between actions and words. In the age of social networks, every aspect of companies is visible: every person, every process, every value. Potentially anyone can see anything that happens inside. Companies that lie about the nature of who they are or what they do will have the most difficulty avoiding controversies. Hypocrisy is one of the great catalysts of outrage. If a brand communicates a focus on ecology, a scandal in this area would be even more damaging.



To remain genuine and stay strong, the company must focus on what makes it valuable, its ability to do what it knows best: create well, produce well, sell well, and serve well. By infusing the effort to behave well at all levels—with every employee, consumer, and partner—organizations can gain the esteem and affection they seek.

Today, more and more leaders such as François-Henri Pinault, CEO of the luxury group Kering, and Yancey Strickler, founder of the Kickstarter platform, assume their social responsibility and promote a culture of accountability to do what is right, for everyone’s benefit.

Practice Awareness

Even if all risks of scandal cannot be eliminated, being prepared to lead an agile and effective crisis management team remains crucial. During a scandal, time and response quality become vital elements that will limit the impact on the company's future. Before a crisis strikes, establishing a clear organization and strong leadership is mandatory. Who within the organization will lead the response strategy and what will be its main resources (executive committee, public relations, spokesperson, information technology, legal resources, human resources, and finance)? Since no scandal management plan can or should give a false sense of security, it's necessary to be continually vigilant, invested and engaged. It's better to plan certain contingencies (such as public health) and resources (such as easy access to the contact information of all retail and store networks) than to not plan them. That said, modern controversies are difficult to predict and require acute judgment in rapidly changing circumstances. Because there are no two identical crises, the answers must be adapted to the reality of each moment. Addressing the scandals suffered by other companies (such as Uber and Volkswagen) will help to act with more lucidity. Whether good or bad, it's impossible to predict what the future holds. However, no company can take the risk of being caught off guard when it suffers an attack on its reputation. Even if uncertainties and crises are uncomfortable, they promote questions, stimulate awareness and initiate a search for new solutions. By choosing a growth mindset rather than one of fear, organizations can adapt to the inevitable changes and make the best of them. Staying open-minded, listening, understanding, adapting, evolving, strengthening one's capacity for reaction—these are all attitudes and actions that will help managers confront reputational risks and prepare to succeed in a world full of unknowns.


Internal Criminal Risks Assessment

Insider White Collar Criminal Attacks

Employee Illegal Behaviors

Workplace Revenge Criminal Attacks

Corruption Crimes

Company Illegal actions


External Criminal Risks Assessment

Terrorism Threats

Terrorism Attacks

Violent Crimes

Sabotage

Hijacking Crimes

Cyber Crimes

Economic Crimes

Petty Crimes

Competition Attacks

Counterfeiting Attacks

Espionage

Subversive Attacks


References

Laurence Duarte’s Harvard Business Review France articles links

I. The Defense Dividend: When Security equals Profits for businesses
https://www.hbrfrance.fr/chroniques-experts/2018/10/22678-transformez-le-risque-criminel-en-avantage-competitif/

II. Take up the challenge of cyber risk and protect your business
https://www.hbrfrance.fr/chroniques-experts/2019/02/24453-integrer-le-cyber-risque-au-coeur-de-la-strategie-dentreprise/

III. How To Protect Against Remote Working Cyber Threat
https://www.hbrfrance.fr/chroniques-experts/2020/09/31440-travail-a-distance-comment-se-proteger-du-risque-cyber/

IV. Reinventing Companies Against Workplace Harassment
https://www.hbrfrance.fr/chroniques-experts/2018/11/23263-reinventer-lentreprise-contre-le-harcelement/

V. Dealing With Internal Criminal Threats During COVID-19
https://www.hbrfrance.fr/chroniques-experts/2020/10/31815-face-au-covid-19-la-menace-peut-venir-de-linterieur/

VI. How to Better Combat Counterfeiting
https://www.hbrfrance.fr/chroniques-experts/2019/05/26022-comment-mieux-combattre-la-contrefacon/

VII. Internal Fraud: A Bane for Big (and Small) Business
https://www.hbrfrance.fr/chroniques-experts/2019/04/25111-la-fraude-interne-un-fleau-pour-les-entreprises/

VIII. Intellectual Property, A Crucial Concern For Businesses
https://www.hbrfrance.fr/chroniques-experts/2019/08/27284-la-propriete-intellectuelle-un-enjeu-crucialpour-les-entreprises/

IX. A short Manual of Counter-Espionage Bound For Businesses
https://www.hbrfrance.fr/chroniques-experts/2019/11/28354-petit-manuel-de-contre-espionnage-a-destination-des-entreprises/

X. Three Non Negotiable Habits To Limit Risks Business Scandals
https://www.hbrfrance.fr/chroniques-experts/2020/03/29495-comment-limiter-les-risques-de-scandale/


Unmistakable Strategies for Sustainable Victories

