Underinvestment in cyberfraud prevention: Why does it happen?

The results and wider repercussions of a well-aimed scam can be catastrophic – and expensive – for any organisation. Yet, according to an article published in the Harvard Business Review*, directors mostly underinvest in cybersecurity. We take a look at why this might be.

In the 5 June 2017 edition of the Harvard Business Review there is an article that crystallises the sort of behaviour that I have witnessed. The article is entitled “The Behavioral Economics of Why Executives Underinvest in Cybersecurity”.
It looks at the psychological gymnastics that can lead a director to conclude that they can get away with inadequate investment in cybersecurity.

The analysis highlights two main reasons for underinvestment:
1. Determining the return on investment “for any cybersecurity investment … can best be described as an enigma shrouded in mystery”, so the spending is hard to justify against budget lines with measurable returns.
2. Cybersecurity is treated as a finite problem that can be solved once with the tools currently available (a firewall, an antivirus product…) rather than as an ongoing process that must keep pace with the attackers.

According to the article’s author, Alex Blau, cybersecurity efforts have to focus on risk management, not risk mitigation.

Blau’s conclusion is absolutely correct. In my experience, fraud risk management is too fragmented within any organisation. There should be a common vision and strategy in place that applies to all departments. After all, cybersecurity affects all departments – not just the IT guys. In fact, not all cybercrimes involve the IT department. Some are unknown even to them. Here’s an example:

The “fake president” or “bogus boss” fraud

1. The fraudster initiates the contact. It starts with an email, sent by the fraudster impersonating a group executive, to an employee of the organisation. Usually the sending address is a look-alike of the real executive’s address (or only the display name matches), so the IT filters do not block the email.
2. The fraudster creates an urgent and exceptional situation.
3. The fraudster requests an emergency bank transfer to a third party, presented as an “order” from a senior leader, under a pretext such as a debt to be paid, a contractual provision or a deposit.
4. The fraudster is very well informed about the facts and figures of the organisation, its stakeholders and its market, and uses this knowledge to convince the employee that the request is genuine.
5. In addition, the fraudster uses persuasive language that combines authority (“This is an order”), secrecy (“This is highly confidential”), valorisation (“I count on you”) and pressure (“The success of this depends on your action”).
6. As a result, the employee treats the request as an emergency, bypasses the standard payment procedure and makes the transfer.
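The steps above are a social-engineering procedure, but steps 1 and 5 leave technical traces in the message itself: a display name that matches an executive while the address does not, a sender domain one character away from the company’s own, a Reply-To pointing somewhere else, and the authority/secrecy/urgency vocabulary. The following Python script is an added example, not code from the article or from Corruption Deterrence; it screens inbound messages for those indicators. The executive directory, the internal domain, the pressure-word list and the two sample messages are constructed assumptions for the illustration, and real deployments would also check SPF/DKIM/DMARC results, which this example leaves out.

```python
"""Screen inbound mail for 'bogus boss' / CEO-fraud indicators.

Added example. The executive directory, internal domain, pressure terms and
both sample messages below are constructed assumptions, not real data.
"""
import email
from email import policy
from email.utils import parseaddr

# Assumed executive directory: lower-cased display name -> genuine address.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
# Assumed domains that genuine executive mail is sent from.
INTERNAL_DOMAINS = {"example.com"}
# Pressure vocabulary typical of the fraud (authority, secrecy, urgency).
PRESSURE_TERMS = ("urgent", "confidential", "immediately", "count on you",
                  "wire transfer", "do not discuss")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch look-alike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_lookalike(domain: str, trusted: set, max_distance: int = 2) -> bool:
    """True if the domain is NOT trusted but is a near-miss of a trusted one."""
    return domain not in trusted and any(
        edit_distance(domain, t) <= max_distance for t in trusted)


def assess(raw_message: str) -> dict:
    """Return the fraud indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_addr = from_addr.lower()
    flags = []

    # 1. Display name belongs to an executive, but the address is not theirs.
    genuine = EXECUTIVES.get(from_name.strip().lower())
    if genuine and from_addr != genuine:
        flags.append("display-name impersonation")

    # 2. Sender domain is a near-miss of an internal domain.
    if is_lookalike(domain_of(from_addr), INTERNAL_DOMAINS):
        flags.append("look-alike sender domain: " + domain_of(from_addr))

    # 3. Replies are redirected to a domain other than the sender's.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        flags.append("reply-to diverges from sender")

    # 4. Two or more pressure terms in subject or body.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + "\n" +
            (body.get_content() if body else "")).lower()
    hits = [t for t in PRESSURE_TERMS if t in text]
    if len(hits) >= 2:
        flags.append("pressure language: " + ", ".join(hits))

    # Two independent indicators are enough to hold the message for review.
    return {"from": from_addr, "flags": flags, "hold_for_review": len(flags) >= 2}


# Constructed sample: the fraudulent request described in the article.
FRAUD_SAMPLE = """\
From: "Jane Doe" <jane.doe@examp1e.com>
To: payments@example.com
Reply-To: "Jane Doe" <ceo.janedoe@webmail.example.net>
Subject: Urgent and confidential

Please arrange a wire transfer of 250,000 EUR today to the account below.
This is highly confidential; do not discuss it with anyone. I count on you.
"""

# Constructed sample: an ordinary message from the real executive.
GENUINE_SAMPLE = """\
From: "Jane Doe" <jane.doe@example.com>
To: payments@example.com
Subject: Minutes of Tuesday's meeting

Please find the minutes attached. Thanks.
"""

if __name__ == "__main__":
    for sample in (FRAUD_SAMPLE, GENUINE_SAMPLE):
        print(assess(sample))
```

Run stand-alone, the fraudulent sample is held with four indicators and the genuine one passes with none. The script is a screening layer only: the control that actually stops the fraud is a process one, a callback to the executive on a known number and a second approver for any payment outside the normal run, because a careful fraudster can write a message that trips none of these checks.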

Several companies have been deceived in this way. Ubiquiti Networks, a US wireless network equipment manufacturer, admitted in 2015 that it had lost around $39 million to fraudsters after falling victim to this kind of scam.

However, not all victims of this kind of fraud have made public announcements. This lack of transparency shows the embarrassment directors feel when it comes to cyberfraud, perhaps due to their recognition that their inappropriate prevention decisions may have contributed to the situation.

For victims of this type, it is unlikely that the fraudster will be found, and because the bank transfer was authorised by the victim’s own staff the bank has little obligation to make the loss good; the only realistic chance of recovery is to report the transfer to the bank immediately, before the funds are moved on from the receiving account.
Most banks have now issued information to explain the structure of this fraud and spread the word.

What can be done?

The best prevention for cyber fraud, besides using IT tools, is training your employees: anyone who can release a payment should know that an instruction to bypass the normal procedure, however senior it appears to come from, is itself the warning sign, and that a request must be verified through a separate channel (a call to the executive on a known number, not a reply to the email) and approved by a second person before any money leaves the organisation.

It is also crucial to enhance communication between your different departments and to maintain good communication from top to bottom and vice versa, so that an employee who receives a suspicious request knows whom to tell and is not afraid to do so.

Cybersecurity should be part of your organisation’s Compliance Program. This is where we can help – for further information, contact us now.

Solange Martin, Founder of Corruption Deterrence

*Alex Blau (5 June 2017), “The Behavioral Economics of Why Executives Underinvest in Cybersecurity”, Harvard Business Review.