3 Security Threats That Could Damage Your Business (And How to Guard Against Them)
published on December 22, 2016 by Jon Ecker
How to deal with fraud, extortion, and corporate espionage in an ever-changing world
When creating a security plan for a business or educational institution, many individuals think of stopping obvious risks like break-ins, theft, and vandalism. However, some of the most dangerous threats are those that imperil the integrity of the organization – and they often come from within. Issues like fraud, extortion, and corporate espionage have always existed in some form or another, but new technologies make it easier than ever for individuals to threaten, blackmail, harass, or steal intellectual property – sometimes without anyone even fully knowing what or how it happened.
Since these types of threats can be complex and difficult to detect, many companies ignore them and hope for the best. However, they can cause significant long-term harm to an organization, making it all the more important to detect and deflect them as soon as they occur.
According to some estimates, employee and executive fraud costs companies $3.7 trillion a year worldwide, with a median cost of $145,000 per company. Research suggests that 80% of employee fraud is committed by individuals who have worked at a company for years, and most fraud is committed by employees in the accounting, executive/upper management, operations, sales, purchasing, customer service, and finance departments.
In one notable case, the IT director of a Kansas City construction company purchased more than $300,000 of expensive computer equipment and cell phones on company accounts and resold them for personal profit. The perpetrator had worked at the company for over 20 years – and had been its IT director for half that time – and management did not suspect anything until an executive received an anonymous tip.
To catch fraud before it becomes a serious issue, there are several policies your company can implement. First, make sure you are using effective accounting software, and keep in mind that companies of different sizes often have different software needs. Next, set up a fraud hotline, as almost 50% of fraud investigations originate from anonymous employee tips. Finally, conduct independent audits on a random basis – if an employee committing fraud knows to expect an audit, he or she can take steps to cover his or her tracks, making the audit useless.
Additionally, make sure to look for any suspicious employee behavior. You can easily research psychological signs of employee fraud, including suspicious statements, actions, and body language, which may help you identify a perpetrator if money goes missing or company financial records appear oddly incomplete. Security technology can also play a role; video surveillance of the premises – especially when workers are notified of its presence – can help deter suspicious activity of many varieties. And combining surveillance with access control will help guard against fraud involving theft or misappropriation of physical assets.
In the old days, kidnapping, traditional blackmail, or various types of physical threats were the preferred extortion methods for criminals. But today, it’s often easier and faster for perpetrators to commit digital extortion by taking your data hostage, threatening to release personal information or private corporate information, or engaging in various other forms of cyberattacks against a company.
In many cases, criminals threaten to publicly air private corporate data or to contact customers using a company account or an executive's name, or even to create a smear campaign unless given a certain amount of money by a certain date. In 2010, a disgruntled New York Life customer threatened to spam millions of New York Life’s customers, claiming to be the insurance company, unless he was given $200,000. Fortunately, in this case, the perpetrator (a US citizen) was arrested before he could carry out the attack; but in many cases, criminals are located in countries without serious cybercrime laws. This makes them nearly impossible to catch, meaning that it’s often easiest for a threatened company to simply pay a ransom and hope for the best.
In other situations, criminals will hack into company networks, changing passwords and access codes and effectively locking employees and customers out of websites and other information systems. As in the cases above, they will usually hold the passwords for ransom, withholding them until the victim pays.
Another potentially damaging method that criminals use to extort businesses is a distributed denial of service (DDoS) attack. During a DDoS attack, a large number of compromised computers all attempt to access or communicate with a company’s website at once, usually resulting in a massive crash of the website. Even huge organizations are at risk; the CIA was recently a victim of a DDoS attack, allegedly perpetrated by a hacking group that infiltrated an FBI affiliate and released hacked information regarding the US Senate’s web servers.
To avoid digital extortion, it’s essential to have an effective IT security plan and stringent security policies. Make sure employees know not to conduct company business or check corporate email accounts on unknown devices or on public or otherwise unsecured wireless networks, and never to use unknown USB/flash drives or SD cards. Also conduct regular security scans to check for viruses or other network intrusions.
Access control policies and technologies also play a vital role: restricting sensitive data or hardware – such as servers – to only the personnel who must access them can deter a range of malicious insider attacks and inadvertent security risks caused by employees.
Instead of simply threatening a company when they gain access to private company information, many criminals find it far more profitable to sell corporate secrets to the highest bidder, which can often be one of the victim’s major competitors. However, attempts at corporate espionage can also come from more traditional sources such as interns, consultants, vendors, or even your own full-time employees. And if a company is in some type of retail or other customer-focused business, corporate espionage efforts could even originate from a customer.
This is why it’s smart to have a comprehensive plan to thwart corporate espionage at different levels of your business. First, you’ll need to work to identify your company’s most important secrets; you can’t effectively protect yourself if you don’t know what you’re protecting. Then, you’ll need to examine potential threats (digital and otherwise) and identify specific information vulnerabilities. And you’ll want to train employees rigorously about how to deal with sensitive company data and encourage them to report any suspicious behavior as soon as possible.
Physical security also plays a role in stopping corporate espionage. Access control utilizing electronic IDs or biometric scanning will keep unauthorized visitors or outside contractors from getting to sensitive files or data on premises – and remote monitoring can quickly spot intruders or employees who venture into protected areas.
Stay vigilant to make sure your company doesn’t become a victim
Fraud, extortion and corporate espionage have existed in some form since the origin of commerce itself. But as the economy and technology change, so do crime and the methods criminals use to carry it out. While technology may offer new threats, it also points the way to appropriate security methods: accounting software, firewalls, surveillance cameras augmented by remote monitoring and intelligent analytics software, an encrypted Wi-Fi network, and good employee security training. These measures, along with smart security policies, can go a long way to make sure your company stays safe.
To learn more about how to protect your company from a range of threats, contact POM technologies today at 212.688.2767 or through our online form for a free consultation.