By *Prof. Colin Coulson-Thomas
As well as building and governing companies, directors and boards should also seek to protect them from malevolent intensions. Many companies are under attack 24/7 from hackers and fraudsters. Some criminals aim to steals money or information that can be monetised. Others look for ways of laundering the proceeds of crime. Some use tried and tested methods that often succeed. Other push the boundaries. Old scams reappears in new guises. Criminals can be inventive and innovative.
Directors and boards cannot afford to be naïve in the face of multiple threats. Not all of them may be external. People within a company might attempt to profit by sharing insider information with associates and friends.
Criminal activity can include price fixing and collusion in the setting of interest rates. Directors should not assume that existing anti-fraud and risk management practices are effective. Unauthorised activities can implicate a company in changes of fraudulent conduct.
Exposure to be risk of fraud is a consequence of contemporary operation. It is ever present in many situations, contexts and locations. It is also being perpetrated on an industrial basis, as criminals and others take advantage of technological and other developments. For example, the internet of things and large numbers of connected devices create new opportunities for criminals. Innovation and entrepreneurships can increase risks for the unwary, particularly during transaction and change.
The Counter-Fraud Challenge
Fraud is a form of theft by lying. It is also a crime that is significantly under reported. Many who suffer losses feel ashamed and embarrassed. They hide that they are victims. If they believe the prospect of recovering stolen money is low, they may quietly take a hit. Criminal often feed on large numbers of small strikes. The losses suffered by many people can add up to a large amount. In some countries, the majority of businesses have suffered effective malware attacks of some form.
A higher proportion of small businesses man be victims of malware and other cyber-attacks. The cost of preventive and protective measures can represent a bigger proportionate burden for a smaller enterprise. They may lack the critical mass of qualified staff needed for greater resistance and resilience. In an arms race between criminals and their targets, many companies do not have the resources, discipline or focus to win. Cherished openness and informality can increase vulnerability.
Governance structures and corporate practices tend to follow a patter. They are often rule and logic based, and designed to cope with defined categories and particular situations. To a fraudster or hacker they may be predictable. To reduce cost and variation, corporate processes and systems often rely upon classification, standardisation and automation. People operating them may be given little discretion to respond to the particular requirements of individual callers or customers.
Criminals can be more flexible. While corporate staff are busy, distracted and under pressure to complete all transactions, fraudsters can plot and scheme. They can try different options. They can modify their approaches to exploit loopholes or home onto a perceived vulnerability. If they smell blood the can persist.
They just need to succeed at enough attempted frauds to deliver an acceptable return of their efforts. Like gamblers, they operate in a world of probabilities. To combat them one needs to understand their motivations and how criminal minds operate.
Recognizing Patterns of Fraud
Although new approaches to enticing desired response and overcoming defences are continually being tried, some attempts at fraud follow certain patterns. For example, different phishing attacks may have features in common. Making people aware of these might alert them to suspect emails. Many fraudsters can over their costs if a very small proportion of recipients click upon an attachment, or respond with password information.
Cyber criminals are becoming more focused and determined. They devote more effort to learning about a target business prior to launching a planned attacks to steal larger amounts of money or data.
Once entry is secured via a business email account, sometime may be spent ‘casing the joint’. Criminal possibilities are assessed without alerting a potential victim. Stolen data, code and entry and other tools can all be purchased and exchanged on dark forums. Many criminals have built well quipped operations that are either as sophisticated as those of most of their target, or more so.
As cyber and other threats mutate, obtaining and developing the skills required to operate adequate defences is not easy. There is also a risk that some of those who are trained might themselves decide to become hackers. Defences may need to be continually changed and updated if they are to remain secure. When doing this, many companies play catch up in response to new forms of attack.
Companies should continually scan for threats and monitor trends and developments in the threat landscape, in order to quickly distinguished between problems they feel can be dealt with internally, and those which will require external assistance and/or collaboration if they are to be addressed or guarded against. Criteria may need to be set for determining which risks or instructions would warrant disclosure and collaboration with law enforcement agencies.
(*Prof Colin Coulson-Thomas is IOD India’s Director General, for UK and Europe Operations, also holds a portfolio of board academic and international roles, and has advised directors and boards in over 40 countries.)
(Article first published in Director Today, May 2017)
Copy Right: Director Today.