Posts

Fraud Training (Not Technology) is the Achilles Heel of Cyber Security

Ignoring fraud training as the foundation of your cyber security strategy is like counting on Google to educate your kids. Technology is a critical tool in the fight, but without well educated users, guided by knowledgeable teachers, the tools are a waste of your money.   

Thanks to President Obama’s state-of-the-union plug for increased cyber security, the Chinese hacking of the New York Times and Wall Street Journal, and the hacking of a prominent celebrities, America is waking up to the tangible value of virtual data. Awareness is definitely the first step, but it is only the tip of the privacy iceberg. Just as in the age before the internet, the only thing keeping employees from selling secrets or participating in fraudulent activity are the human controls that discourage the practice. But it’s all the more hair-raising to think of the amount of digital secrets an employee has access to at any given time. The new tale of a Reuters journalist gone cyber-rogue adds a chilling wrinkle to the perils of protecting the data that keeps corporate profits ticking.  

Last Thursday, Matthew Keys, a Reuters social media editor, was indicted on charges of conspiracy, among others. Keys had previously worked for a TV station owned by the Tribune company, and according to the allegations, he leaked server login information of his former employer to a hacker group known as Anonymous. Apparently Keys began exploring Anonymous chatrooms as “just a reporter”, but eventually progressed to exposing sensitive passwords and promoting the idea of targeting the Tribune. Using this information, the hackers were able to enter Reuters’ otherwise secure systems and alter the existing text of a Los Angeles Times story from 2010, inserting out-of place colloquialisms and hacker-speak. Now, Mr. Keys is looking at the potential of over a decade in prison and up to three-quarters of a million dollars in fines. So what does this have to do with fraud training? We’re getting there…

Here’s the rub: the illegal access all happened after Keys had been FIRED by Reuters.  In other words, a former employee who was never very high on the corporate food chain in the first place and was actually fired (not laid off), retained access that, in the right hands, allowed criminals to change the course of the news. Although this particular case doesn’t appear to have involved any financial transactions, don’t think for a second that there aren’t buyers out there willing to pay good money for a chance to break into your supposed “stronghold.”

Cyber Security is Less About Technology, More about Employee Fraud Training

No matter how tight your cyber security, the weakest link is always the human beings responsible for implementation. The lapse here wasn’t in the technology – Reuters used user-level logins and passwords to protect their network. The mistake here was the employee who failed to shut down Keys access the minute he was fired (or in the moments before), or the executive who failed to prepare for this common scenario. The lesson here is this: when employees leave your company under any terms, someone must be responsible and held accountable for disabling their computer access from all devices.  This is a basic principle of successful fraud training that makes all of your investments worthwhile.

A large-scale enterprise can institute all the security barriers it wants, but without trust, responsibility, and knowledge, the corporation is only as strong as its Achilles heel. How are you addressing this type of exposure?

John Sileo is CEO of The Sileo Group and a fraud training expert. His recent clients include the Department of Defense, Visa, and Homeland Security. See his recent media appearances on 60 Minutes, Anderson Cooper and Fox Business.

Without fraud training, companies are guaranteed to go down for the count

Insider fraud struck again yesterday, this time resulting in charges being filed by the U.S. Securities and Exchange Commission (SEC).

According to the SEC, a former executive in the Stamford, Connecticut offices of a New York-based broker-dealer deceived clients when selling them mortgage-backed securities (MBS). He allegedly told them that his firm paid more for the MBS than it actually did, or made up a fictional seller and arranged supposed trades, when in reality he was selling out of his company’s own inventory at higher prices to bank a better profit.

In the SEC filing, the former exec was said to have swindled his clients and brought in nearly $3 million in additional profits. While the duplicitous activity went unnoticed for a time, his star rose within the company and so did his bonuses.

When news like this breaks, how long do you think it takes before other clients start to question the trustworthiness of the entire company? If one person was ripping people off, who is to say there aren’t more? Fraud awareness training is meant to prevent these situations from giving companies black eyes in very public ways.

And once that bell is rung, good luck trying to unring it. Now, rather than focusing on doing their jobs, everyone at that firm has to work double time to assure clients that they aren’t just like the guy who could be eating three squares a day behind bars for the next few decades.

Think of it like a bad food experience. If you got really sick after eating say, shrimp, you may end up feeling queasy every time you see or smell shrimp again. The same works in the business world, and the last thing you want is for people to get queasy when they hear your company’s name because of the actions of a deceptive employee – someone you thought you could trust.

John Sileo is a fraud detection and prevention expert and will be hosting a FREE Fraud Webinar on Thursday, January 31 at 2 p.m. EST.

 

Corporate Espionage at Dyson: Looking Inside an Inside Job

Is there a chance that someone could be stealing your most profitable business secrets? Competitive intelligence isn’t new, but it certainly has gotten easier with the introduction of ubiquitous high resolution cameras (smartphones), miniature storage devices that hold massive amounts of data (USB drives) and advanced tools of human manipulation (social networking).

Dyson, the British engineering firm behind the popular bagless vacuum cleaners and Airblade hand dryers, accused their German counterpart, Bosch, of planting a mole, or corporate spy, inside their headquarters for two years to steal vital research and development information. Bosch has denied any wrongdoing and refuses to return the technology or intellectual property. In an odd twist, Bosch hasn’t publicly denied planting an inside spy to siphon competitive intelligence from their rival.

In a world of highly competitive and rapid technological advancements, this sort of news brings to mind three crucial questions for businesses wanting to protect their intellectual property:

Does corporate espionage happen frequently?

The short answer?  YES!  When you combine competitive pressures to outshine the competition with easy-to-use espionage tools (smartphones, Wi-Fi hacking apps, Facebook), it’s easier than ever for a spy to walk out your door with the proverbial recipe for the secret sauce.

Can the inside job be stopped?

Remember, Bosch could go buy a Dyson, take it apart, and reverse engineer it. When this happens (as with Apple and Samsung), the victim’s recourse is to sue.  But here’s the reality: Once intellectual property starts to leak, regaining it is like trying to collect raindrops with cupped hands; you go to an awful lot of work to quench a tiny portion of your thirst. Occasionally the results of taking it to court justify the fight. If you have a war chest like Apple, it can be profitable to fight for your intellectual property. For most companies, however, the prudent strategy is to prevent or minimize the damage of competitive espionage in the first place. In other words, yes, the inside job can be stopped, or at least marginalized to a point where damage is minimal.

How can companies prevent corporate espionage?

Every form of competitive espionage has one thing in common — a spy. There is always a human element to data theft.  Businesses tend to fixate on gadgets and the software that protects them. In the meantime, a human being walks out the door with the information in his pocket.  The best solutions to prevent competitive espionage then, focus on the human side of the equation:

  • Properly vet new hires utilizing appropriate and legal background checks.The EEOC has essentially made it illegal to NOT hire someone based solely on their criminal record, so be cautious with your process
  • Train staff  on inside theft and warning signs of corporate espionage (particularly those positions key to fraud detection). With the right training and a supportive culture, most spies are caught red handed by loyal employees before the data leaves the building. But your honest employees need to be properly trained to detect possible spying and must operate within an environment that encourages anonymous reporting of suspicious behavior.
  • Create aggressive non-disclosure agreements (NDAs) with tight legalese that covers your intellectual property when it falls into the wrong hands. More importantly, aggressive NDAs send a message to potential spies that you are serious about protecting your intellectual property.
  • Implement technical tools that log and alert you when intellectual property is being copied to an unapproved device
  • Utilize IP Compartmentalization of confidential information. This should address  all three realms of exposure: physical, digital, and human. In the spy world, this known as giving access on a “need-to-know basis”. Examples include implementing user-level permission settings on your network and creating a classification system (public, confidential, top secret) throughout your digital and physical filing structure.

John Sileo is an award-winning author and keynote speaker on data privacy and reputation protection. His clients include the Department of Defense, Pfizer, the FDIC, and Homeland Security. Sample his Keynote Presentation or watch him on Anderson Cooper, 60 Minutes or Fox Business.

Identity Thieves Score Billions from the IRS and Taxpayers

Every dollar counts, now more than ever, as the government searches for ways to wisely spend our money. It’s dismaying to learn that an audit report from the Treasury Inspector General for Tax Administration (TIGTA) has found that the impact of identity theft on tax administration is significantly greater than the amount the IRS detects and prevents. Even worse, the “IRS uses little of the data from identity theft cases…to detect and prevent future tax refund fraud” according to Mike Godfrey, Tax-News.

  • The IRS is detecting far fewer fake tax returns than are actually falsely filed. 938,700 were detected in 2011. On the other hand, TIGTA identified 1.5M additional undetected tax returns in 2011 with potentially fraudulent tax refunds totaling in excess of $5.2B.
  • The study predicted that the IRS stands to lose $21B in revenue over the next 5 years with new fraud controls, or $26B without the new controls.
  • Key victims include the deceased, children, or someone who would not normally file a return such as lower income individuals that are not legally required to file.
  • A Postal Inspector in Florida uncovered a tax refund scheme whereby refunds were going into debit-card accounts via thieves using the social security numbers (SSN) of dead people. Direct deposit is preferred as it doesn’t require a mailing address, photo ID, name or a trip to the bank.
  • The IRS allows multiple direct deposits to the same bank account. A key finding in the report showed hundreds of tax returns were filed from a single address. In one case, 2,137 returns resulted in $3.3M in refunds to a home in Lansing, Michigan, and 518 returns resulted in $1.8M in refunds to a home in Tampa, Florida.
  • The IRS lacks access to 3rd party information to verify returns and root out fraud. It is issuing refunds in January before it can verify data from employers and financial institutions in March. This gap provides a huge window of opportunity for thieves.
  • The IRS is not gathering enough information to prevent fraud; i.e., how the return is filed, income information on the W-2, the amount of the refund and where the refund is sent.
  • New screening filters that can identify false tax returns before they are processed have the potential to diminish the number of fraud cases as well as other ongoing anti-fraud procedures employed by the IRS. It is placing a unique identity theft indicator on the accounts of the deceased. As of March, 2012, 164,000 accounts were locked, possibly preventing $1.8M in fraud.

Charles Boustany, the US House of Representatives Oversight Subcommitte Chairman, who sent a letter to the IRS demanding a full accounting for the agency’s continued inability to stop tax fraud related to identity theft, declared that “this report raises serious questions regarding the IRS’s ability to detect tax fraud…”. The lost federal money is extremely troubling but there’s another loss to consider – the potential to erode taxpayer confidence in our system of tax administration.


John Sileo is an award-winning author and international speaker on the dark art of deception (identity theft, data privacy, social media manipulation) and its polar opposite, the powerful use of trust, to achieve success. He is CEO of The Sileo Group, which advises teams on how to multiply performance by building a culture of deep trust. His clients include the Department of Defense, Pfizer, the FDIC, and Homeland Security. Sample his Keynote Presentation or watch him on Anderson Cooper, 60 Minutes or Fox Business. 1.800.258.8076.