Let’s expand a little on my three categories above, but also take a few diversions to see what can happen when things go seriously wrong.
Shame, or schadenfreude? Hilarity, or hubris? How we react to “epic fails” like those mentioned below will likely depend on how close we are to the epicentre of the disaster. Customer or shareholder, employee or executive, our perspectives will be very different. For those of us who run our own business, or are responsible for the security of someone else’s, a more appropriate response might be “There, but for the grace of God, go I.”.
What we can be certain of is that for every disaster that makes the international headlines, there are countless others that fly beneath the media radar, but have just as devastating an effect on those directly involved. It might serve us all well to take a step back and ensure we have our own houses in order.
- Access: Do you know exactly who has access to your premises? Are you able to control, monitor and review all comings and goings? Are you sure that ex-employees or contractors who no longer need access no longer have access? Is it ‘access all areas’, or do you need to control not just ‘who goes there’, but ‘who goes where’?
Epic Fail 1: Buckingham Palace break-in, 1982. An oldie, but a goodie. Michael Fagan makes a mockery of palace security, on two separate occasions. He rests on the throne, gets a maid to bring a cigarette, and ends up visiting Queen Elizabeth in her bedroom.
- Inventory: How certain are you of what inventory you hold, and its exact location? How tight is the control you exercise over all movements in and out, or relocations of stock?
- Other Assets: Do you have a register of all your computer hardware and other valuable business assets? Do you know where they are at any time? Do you have a policy on who can take what on and off the premises? If so, how do you monitor and enforce it?
- Documents: Do you store physical copies of documents? How do you locate, secure and control access to them? Do you have processes to securely dispose of them when no longer needed? Is the solution to move out of the physical realm, with all key documents digitized and securely stored, perhaps within the cloud?
Epic Fail 2: Cabinet Files scandal. Australia, 2018. A man buys 2 locked filing cabinets for $10 each at an ex-government furniture auction. They turn out to be packed with highly classified documents showing the internal deliberations at the highest level of successive Australian governments.
- Network Security: There are new external threats almost daily from malware etc. What about basic security steps, like password protection for PCs and critical applications, or virus protection on incoming emails? When’s the last time you had the experts in for a security audit?
- Data Security & Privacy: An extension of the above, but your obligations take on a new dimension when protecting the personal data of your customers, suppliers or employees. And remember that not all security threats are external! Is personal data encrypted? Do only trusted individuals have access to it? What controls are in place?
Epic Fail 3: Coincheck theft, Japan, 2018: Coincheck, one of Japan’s largest digital currency exchanges, recently admitted to being hacked out of $534 million worth of the cryptocurrency, NEM, in the world’s biggest digital currency theft.
- Data Integrity & Backups: Not all data losses have sinister root causes. Hardware failures and human error are just as likely, or more so. Do you have a well-considered and rigidly enforced backup, restoration, and disaster recovery plan? Have you tested it lately?
- Fraud Detection: While a healthy security culture may be the best way to protect against internal fraud, clever checks and balances within our business systems can provide additional deterrence, as well as early detection. Read on.
You can argue about whether fraud should be categorised as a security issue, but if the purpose of a business security regime is to mitigate financial or even existential risk, it fits the bill for me.
While we need to protect against external threats, the sad reality is that the main risks when it comes to business fraud are likely to be found inside the tent. Have a look at these sobering findings from the 2014 Global Fraud Study by the Association of Certified Fraud Examiners:
- The typical organization loses 5% of revenues each year to fraud.
- The smallest organizations tend to suffer disproportionately large losses from occupational fraud.
- Perpetrators were most commonly working in accounting departments, followed by operations, sales, and executive/upper management.
Leadership by example and zero tolerance for dishonesty are taken as givens if you want to confront this head on, but there is also much that can be done in terms of policies and procedures to minimize risk. This Fraud Fact Sheet from the Australian Federal Police might be a useful checklist to start with.
For larger companies, the fact that senior executives figure disproportionately in the perpetrator rankings suggests that external or board oversight also has an important role to play.
Epic Fail 4: Enron Scandal, US, 2001: Texas giant Enron Corporation lived up to its “America’s Most Innovative Company” tag when the CEO and CFO found creative ways to keep huge debts off the balance sheet. It came unravelled big time, with Enron bankrupt, shareholders losing a cool $74 billion, Authur Andersen going down with the ship, and lots of other collateral damage.