Documente Academic
Documente Profesional
Documente Cultură
raconteur.net
# 0332
01 / 09 / 2015
FIGHTING FRAUD
03
06
Beating fraud
should be
your business
10
Banks broke
the law and
the law won
18
RACONTEUR | 01 / 09 / 2015
FIGHTING FRAUD | 03
raconteur.net
Threat of fraud
is all around us
Despite the pervasive threat of fraud, often by skilled online hackers, too
few organisations are protected by adequate procedures and technology
OVERVIEW
ANTHONY HILTON
RACONTEUR
Distributed in
Head of Production
Natalia Rosek
Production Editor
Benjamin Chiou
Digital and
Social Manager
Rebecca McCormick
Pictures supplied by
Getty Images
BUSINESS
CULTURE
FINANCE
Although this publication is funded through advertising and sponsorship, all editorial
is without bias and sponsored features are clearly labelled. For an upcoming schedule,
partnership inquiries or feedback, please call +44 (0)20 3428 5230 or e-mail
info@raconteur.net
CONTRIBUTORS
Publishing Manager
John Okell
Managing Editor
Peter Archer
Design
Vjay Lad
Grant Chapman
Kellie Jerrard
HEALTHCARE
CATHERINE BAKSI
Former barrister and Law
Society Gazette reporter,
she is a freelance journalist
writing for a broad range of
law titles.
ALISON COLEMAN
Freelance specialising in
business, management and
employment, she contributes
to the Daily Express and
Sunday Express.
BEN HAMMERSLEY
Journalist, author, broadcaster, academic and futurist, he
specialises in internet technology and digital networks.
CHARLES ORTON-JONES
Award-winning journalist, he
was editor-at-large of LondonlovesBusiness.com and editor
of EuroBusiness.
DAN BARNES
Award-winning business
journalist, he specialises in
financial technology, trading
and capital markets.
NIC FILDES
Technology and communications editor at The Times, he was
formerly with The Independent
and Dow Jones Newswires
ANTHONY HILTON
Author, journalist and broadcaster, he is a former City editor
of The Times and managing director of The Evening Standard.
DAVEY WINDER
Award-winning journalist and
author, he specialises in information security, contributing
to Infosecurity magazine.
LIFESTYLE
SUSTAINABILITY
TECHNOLOGY
INFOGRAPHICS
raconteur.net/fighting-fraud-2015
The information contained in this publication has been obtained from sources the
Proprietors believe to be correct. However, no legal liability can be accepted for any
errors. No part of this publication may be reproduced without the prior consent of the
Publisher. Raconteur Media
RACONTEUR | 01 / 09 / 2015
FIGHTING FRAUD | 03
raconteur.net
Threat of fraud
is all around us
Despite the pervasive threat of fraud, often by skilled online hackers, too
few organisations are protected by adequate procedures and technology
OVERVIEW
ANTHONY HILTON
RACONTEUR
Distributed in
Head of Production
Natalia Rosek
Production Editor
Benjamin Chiou
Digital and
Social Manager
Rebecca McCormick
Pictures supplied by
Getty Images
BUSINESS
CULTURE
FINANCE
Although this publication is funded through advertising and sponsorship, all editorial
is without bias and sponsored features are clearly labelled. For an upcoming schedule,
partnership inquiries or feedback, please call +44 (0)20 3428 5230 or e-mail
info@raconteur.net
CONTRIBUTORS
Publishing Manager
John Okell
Managing Editor
Peter Archer
Design
Vjay Lad
Grant Chapman
Kellie Jerrard
HEALTHCARE
CATHERINE BAKSI
Former barrister and Law
Society Gazette reporter,
she is a freelance journalist
writing for a broad range of
law titles.
ALISON COLEMAN
Freelance specialising in
business, management and
employment, she contributes
to the Daily Express and
Sunday Express.
BEN HAMMERSLEY
Journalist, author, broadcaster, academic and futurist, he
specialises in internet technology and digital networks.
CHARLES ORTON-JONES
Award-winning journalist, he
was editor-at-large of LondonlovesBusiness.com and editor
of EuroBusiness.
DAN BARNES
Award-winning business
journalist, he specialises in
financial technology, trading
and capital markets.
NIC FILDES
Technology and communications editor at The Times, he was
formerly with The Independent
and Dow Jones Newswires
ANTHONY HILTON
Author, journalist and broadcaster, he is a former City editor
of The Times and managing director of The Evening Standard.
DAVEY WINDER
Award-winning journalist and
author, he specialises in information security, contributing
to Infosecurity magazine.
LIFESTYLE
SUSTAINABILITY
TECHNOLOGY
INFOGRAPHICS
raconteur.net/fighting-fraud-2015
The information contained in this publication has been obtained from sources the
Proprietors believe to be correct. However, no legal liability can be accepted for any
errors. No part of this publication may be reproduced without the prior consent of the
Publisher. Raconteur Media
04 | FIGHTING FRAUD
01 / 09 / 2015 | RACONTEUR
raconteur.net
RACONTEUR | 01 / 09 / 2015
FIGHTING FRAUD | 05
raconteur.net
COMMERCIAL FEATURE
$13.18
Financial services
$12.97
Technology
$8.51
Industrial
$6.85
Services
$6.52
Transportation
$6.79
Communications
$5.53
$14
2013
2014
$12
$8
$6
Public sector
$5.22
Defence
$5.02
Consumer products
$4.60
$4.52
Hospitality
$3.34
Retail
$3.33
Automotive
$2.25
Media
$2.14
Life sciences
$1.47
Healthcare
$1.38
$4
$2
0
A
US
$11.56
$12.69 E UK
Germany
$7.56
Japan
$6.73
$6.91 G Russia
France
$5.19
$6.38
$8.13 F
Australia
$4.72
$5.93
$3.67
$3.99
$3.33
Source: HP 2014
98%
Viruses, worms,
Trojans
97%
Malware
59%
Botnets
58%
Web-based
attacks
AS FRAUD LANDSCAPE
EVOLVES, SO MUST
YOUR RESPONSE...
52%
Phishing
and social
engineering
Source: HP 2014
To differentiate a
genuine customer from
a criminal requires an
overview across the
entire online consumer
life cycle from pre-login
through transactions to
post-login
04 | FIGHTING FRAUD
01 / 09 / 2015 | RACONTEUR
raconteur.net
RACONTEUR | 01 / 09 / 2015
FIGHTING FRAUD | 05
raconteur.net
COMMERCIAL FEATURE
$13.18
Financial services
$12.97
Technology
$8.51
Industrial
$6.85
Services
$6.52
Transportation
$6.79
Communications
$5.53
$14
2013
2014
$12
$8
$6
Public sector
$5.22
Defence
$5.02
Consumer products
$4.60
$4.52
Hospitality
$3.34
Retail
$3.33
Automotive
$2.25
Media
$2.14
Life sciences
$1.47
Healthcare
$1.38
$4
$2
0
A
US
$11.56
$12.69 E UK
Germany
$7.56
Japan
$6.73
$6.91 G Russia
France
$5.19
$6.38
$8.13 F
Australia
$4.72
$5.93
$3.67
$3.99
$3.33
Source: HP 2014
98%
Viruses, worms,
Trojans
97%
Malware
59%
Botnets
58%
Web-based
attacks
AS FRAUD LANDSCAPE
EVOLVES, SO MUST
YOUR RESPONSE...
52%
Phishing
and social
engineering
Source: HP 2014
To differentiate a
genuine customer from
a criminal requires an
overview across the
entire online consumer
life cycle from pre-login
through transactions to
post-login
06 | FIGHTING FRAUD
01 / 09 / 2015 | RACONTEUR
raconteur.net
RACONTEUR | 01 / 09 / 2015
FIGHTING FRAUD | 07
raconteur.net
COMMERCIAL FEATURE
5 TOP TIPS TO PREVENT FRAUD
Follow up on simple
control failures. Seemingly
minor bank account
errors should be treated
as possible red flags not
operational glitches.
Implement an anonymous
whistle-blowing
procedure. Being on the
ground, employees can
see what is going on
better than their bosses.
0k3L!
An anti-fraud company culture, backed by staff training and adequate enforcement procedures,
can give businesses a competitive advantage by avoiding sometimes substantial losses
ALISON COLEMAN
Reactive
FRAUD PREVENTION
Surveillance/monitoring
$49,000
IT controls
$70,000
Account reconciliation
$75,000
Internal audit
$100,000
Management review
$125,000
Tip
$149,000
Confession
$220,000
Document examination
$220,000
By accident
$325,000
External audit
Notified by law enforcement
$360,000
$1,250,000
TACKLING WELLORGANISED
CYBER FRAUD
Have you heard the one about the chief financial
officer who transferred 250,000 to fraudsters
in Hong Kong? Or the imposter chief executive
who convinced a major media company to
send 2 million to his Chinese bank account?
Unfortunately, these are not jokes, but actual
frauds against real companies dont let cyber
criminals have the last laugh
Cyber fraud is a
professional criminal
enterprise that rewards
innovation, intelligence
and aggression
postings, for example information is synthesised and used to craft convincing e-mails
designed to trick someone into clicking a link
or opening an attachment.
That action then results in downloaded
malware that can capture a persons login
and password credentials, or otherwise
provide access to an organisations systems
and network.
As theyve honed their skills, cyber fraudsters have begun hunting bigger game. In
the last few years, cyber criminals have moved
on to targeting payroll systems and treasury
functions at large corporates. Weve seen
social engineering attacks on chief financial
officers and senior accountants, people who
can move 1 million or 100 million at a time,
reports Stroz Friedbergs Mr Huggins.
Stroz Friedberg provides a range of services to battle such fraud, from hack prevention to cyber incident preparedness and
response services, including digital forensics,
tracing money movement and background
checks. Because its professional staff comprises technical experts, former prosecutors
and other litigators, and law enforcement
agents, Stroz Friedberg works effectively
with outside counsel, the C-suite and board
members, as well as IT personnel.
DIGITAL TRANSFORMATION
ENABLES CYBER FRAUD
As digital transformation sweeps through
virtually every industry in the global economy, businesses are digitising all aspects
of their operations, from customer interaction to partner relationships in their supply
chains. This provides transparency and
the target. Money was paid into the fraudsters account and promptly disappeared.
Cyber criminals growing sophistication and perseverance means that areas
historically protected by the complexity of
transactions are no longer safe. Complexity, in and of itself, is no longer an effective
defence, explains Mr Huggins.
Criminal groups are incredibly well
structured with outsourced networks; they
collaborate on a single criminal activity and
then may not work together again. It sounds
odd, but its true. Cyber fraud has evolved
into a trust-based business where nobody
knows anyone elses real identity.
In this dark market there are middlemen who essentially work as brokers and
project managers, and even offer warrantees. If a criminal buys an outsourced
service and it doesnt work, he can get his
money back. Its a very efficient set-up.
These are professionals and there is a lot of
money at stake.
Having conducted their own risk assessments, fraudsters set themselves up to be
near-untouchable. They locate where policing is patchy, legal recourse is limited and
there are no extradition treaties with the
countries they target.
To meet this growing cyber fraud challenge, organisations are increasingly turning to specialists such as Stroz Friedberg
experts who are capable of detecting
fraudulent activity and helping companies act decisively. Its broad range of
cyber capabilities helps organisations increase their enterprise-wide cyber fraud
resilience and helps executives make quick
decisions on an extensive array of areas to
combat criminals.
And the faster companies act when the
inevitable occurs, the better they can mitigate risks, limit reputational damage, interact with regulators and reduce direct costs.
@strozfriedberg
strozfriedberg.com
FIGHTING FRAUD | 07
raconteur.net
RACONTEUR | 01 / 09 / 2015
COMMERCIAL FEATURE
TACKLING WELLORGANISED
CYBER FRAUD
Have you heard the one about the chief financial
officer who transferred 250,000 to fraudsters
in Hong Kong? Or the imposter chief executive
who convinced a major media company to
send 2 million to his Chinese bank account?
Unfortunately, these are not jokes, but actual
frauds against real companies dont let cyber
criminals have the last laugh
Cyber fraud is a
professional criminal
enterprise that rewards
innovation, intelligence
and aggression
postings, for example information is synthesised and used to craft convincing e-mails
designed to trick someone into clicking a link
or opening an attachment.
That action then results in downloaded
malware that can capture a persons login
and password credentials, or otherwise
provide access to an organisations systems
and network.
As theyve honed their skills, cyber fraudsters have begun hunting bigger game. In
the last few years, cyber criminals have moved
on to targeting payroll systems and treasury
functions at large corporates. Weve seen
social engineering attacks on chief financial
officers and senior accountants, people who
can move 1 million or 100 million at a time,
reports Stroz Friedbergs Mr Huggins.
Stroz Friedberg provides a range of services to battle such fraud, from hack prevention to cyber incident preparedness and
response services, including digital forensics,
tracing money movement and background
checks. Because its professional staff comprises technical experts, former prosecutors
and other litigators, and law enforcement
agents, Stroz Friedberg works effectively
with outside counsel, the C-suite and board
members, as well as IT personnel.
DIGITAL TRANSFORMATION
ENABLES CYBER FRAUD
As digital transformation sweeps through
virtually every industry in the global economy, businesses are digitising all aspects
of their operations, from customer interaction to partner relationships in their supply
chains. This provides transparency and
the target. Money was paid into the fraudsters account and promptly disappeared.
Cyber criminals growing sophistication and perseverance means that areas
historically protected by the complexity of
transactions are no longer safe. Complexity, in and of itself, is no longer an effective
defence, explains Mr Huggins.
Criminal groups are incredibly well
structured with outsourced networks; they
collaborate on a single criminal activity and
then may not work together again. It sounds
odd, but its true. Cyber fraud has evolved
into a trust-based business where nobody
knows anyone elses real identity.
In this dark market there are middlemen who essentially work as brokers and
project managers, and even offer warrantees. If a criminal buys an outsourced
service and it doesnt work, he can get his
money back. Its a very efficient set-up.
These are professionals and there is a lot of
money at stake.
Having conducted their own risk assessments, fraudsters set themselves up to be
near-untouchable. They locate where policing is patchy, legal recourse is limited and
there are no extradition treaties with the
countries they target.
To meet this growing cyber fraud challenge, organisations are increasingly turning to specialists such as Stroz Friedberg
experts who are capable of detecting
fraudulent activity and helping companies act decisively. Its broad range of
cyber capabilities helps organisations increase their enterprise-wide cyber fraud
resilience and helps executives make quick
decisions on an extensive array of areas to
combat criminals.
And the faster companies act when the
inevitable occurs, the better they can mitigate risks, limit reputational damage, interact with regulators and reduce direct costs.
@strozfriedberg
strozfriedberg.com
08 | FIGHTING FRAUD
01 / 09 / 2015 | RACONTEUR
raconteur.net
E-COMMERCE FRAUD
DAN BARNES
UK RETAIL
FRAUD
12.4p
250m
200m
178.3
181.7
153.2
154.5
150m
117
135.1
117.1
100m
50m
0
2004
2005
2006
2007
2008
2009
2010
Forty million target customers had their credit and debit card details stolen in 2013
331.5m
5%
33%
81%
Source: Financial Fraud Action UK 2015; UK Card Association 2015; Sophos 2014; BRC 2015
08 | FIGHTING FRAUD
01 / 09 / 2015 | RACONTEUR
raconteur.net
E-COMMERCE FRAUD
DAN BARNES
UK RETAIL
FRAUD
12.4p
250m
200m
178.3
181.7
153.2
154.5
150m
117
135.1
117.1
100m
50m
0
2004
2005
2006
2007
2008
2009
2010
Forty million target customers had their credit and debit card details stolen in 2013
331.5m
5%
33%
81%
Source: Financial Fraud Action UK 2015; UK Card Association 2015; Sophos 2014; BRC 2015
10 | FIGHTING FRAUD
01 / 09 / 2015 | RACONTEUR
raconteur.net
RACONTEUR | 01 / 09 / 2015
FIGHTING FRAUD | 11
raconteur.net
DEC
20
09
NEUTRAL
DISAGREE
STRONGLY DISAGREE
14%
11%
21%
7%
1%
14%
11%
33%
50%
54%
45%
33%
5%
2%
6%
2%
Credit
institutions
28%
20%
17%
8%
47%
46%
64%
AGREE
6%
80%
Accountants
Tax advisers
A
North America
Insolvency
practioners
2014
JUL
MAY 2010
STRONGLY AGREE
Asia-Pacific
Western Europe
Casinos
Violated US sanctions on
money transfers in Sudan,
Iran and Cuba
$1.92bn
4
01
$8.97bn
$1.70bn
TYPICAL MONEY
LAUNDERING SCHEME
40%
20%
10%
$667m
Violated US sanctions on
money transfers in Iran, Sudan,
Libya, Myanmar
$619m
Violated US sanctions on
money transfers in Cuba, Iran
$536m
$500m
$350m
Violated US sanctions on
money transfers in Iran, Sudan
$300m
$298m
Violated US sanctions on
money transfers in Sudan,
Iran, Myanmar, Cuba
PLACEMENT
Funds are integrated into the financial system
through bank deposits or asset purchases
30%
Automotive
dealers
Charted
surveyors
Financial
institutions
Decrease
25% to 50%
10% to 25%
50% to 100%
G Over 100%
Trust service
providers
LAYERING
Money is then layered by using legitimate
mechanisms, such as currency exchanges,
wire transfers or the purchase and sale of
luxury assets; funds are often transferred
between people and companies, and to
different countries
INTEGRATION
Money re-enters the economy, often through
the purchase of luxury assets and financial
investments, or through fictitious contracts
or winnings
Estate agents
Solicitors
Jewellers
Offshore
locations
12
20
009
N2
JA
42%
ANTI-MONEY
LAUNDERING
(AML) ANALYSIS
8%
DAN BARNES
25%
MONEY LAUNDERING
60%
59%
Recruitment
42%
Provision of training
35%
35%
Procedural updates
25%
23%
Increasing internal
reporting requirements
Anti-bribery and
corruption activities
12%
11%
8%
Other
4%
Source: KPMG 2014
AUG 20
10
AU
G
10 | FIGHTING FRAUD
01 / 09 / 2015 | RACONTEUR
raconteur.net
RACONTEUR | 01 / 09 / 2015
FIGHTING FRAUD | 11
raconteur.net
DEC
20
09
NEUTRAL
DISAGREE
STRONGLY DISAGREE
14%
11%
21%
7%
1%
14%
11%
33%
50%
54%
45%
33%
5%
2%
6%
2%
Credit
institutions
28%
20%
17%
8%
47%
46%
64%
AGREE
6%
80%
Accountants
Tax advisers
A
North America
Insolvency
practioners
2014
JUL
MAY 2010
STRONGLY AGREE
Asia-Pacific
Western Europe
Casinos
Violated US sanctions on
money transfers in Sudan,
Iran and Cuba
$1.92bn
4
01
$8.97bn
$1.70bn
TYPICAL MONEY
LAUNDERING SCHEME
40%
20%
10%
$667m
Violated US sanctions on
money transfers in Iran, Sudan,
Libya, Myanmar
$619m
Violated US sanctions on
money transfers in Cuba, Iran
$536m
$500m
$350m
Violated US sanctions on
money transfers in Iran, Sudan
$300m
$298m
Violated US sanctions on
money transfers in Sudan,
Iran, Myanmar, Cuba
PLACEMENT
Funds are integrated into the financial system
through bank deposits or asset purchases
30%
Automotive
dealers
Charted
surveyors
Financial
institutions
Decrease
25% to 50%
10% to 25%
50% to 100%
G Over 100%
Trust service
providers
LAYERING
Money is then layered by using legitimate
mechanisms, such as currency exchanges,
wire transfers or the purchase and sale of
luxury assets; funds are often transferred
between people and companies, and to
different countries
INTEGRATION
Money re-enters the economy, often through
the purchase of luxury assets and financial
investments, or through fictitious contracts
or winnings
Estate agents
Solicitors
Jewellers
Offshore
locations
12
20
009
N2
JA
42%
ANTI-MONEY
LAUNDERING
(AML) ANALYSIS
8%
DAN BARNES
25%
MONEY LAUNDERING
60%
59%
Recruitment
42%
Provision of training
35%
35%
Procedural updates
25%
23%
Increasing internal
reporting requirements
Anti-bribery and
corruption activities
12%
11%
8%
Other
4%
Source: KPMG 2014
AUG 20
10
AU
G
12 | FIGHTING FRAUD
01 / 09 / 2015 | RACONTEUR
raconteur.net
RACONTEUR | 01 / 09 / 2015
FIGHTING FRAUD | 13
raconteur.net
COMMERCIAL FEATURE
VALUE OF
INFORMATION SOLD
ON BLACK MARKET
ernment employees with security clearances that were breached last year will be
checked by those who have them against
the Ashley Madison database to ease the
blackmail. Two sets of bad IT security
combine with a lack of the understanding
among the general public that databases
will be cracked and choices made in private will not remain so. In an era where
most choices are made via weakly secured
digital systems, privacy cannot be taken
for granted.
We need, as a society, to not only
demand and utilise better security
practices in the companies and organisations which are large in our lives, but
to develop a cultural understanding that
without those practices, we risk whole
new ways of bringing damage to ourselves and each other.
This is only going to get worse before
society learns to deal with it. Technology evolves at a pace that far outstrips
the evolution of etiquette. Im wearing a
constant heart-rate monitor, yes, but Ive
also inadvertently installed video cameras and microphones in most rooms of
my house, not least by my bed, where our
phones rest at night. My car downloads
firmware updates from the internet and
my groceries are delivered because of the
choices sent from my phone. The lights
in my front room, the stereo on the bookshelf and the robot that feeds the cat are
all connected and vulnerable, and liable
to betray me in a new and unforeseen
way. It wont be a surprise that they do,
Details of more than 33 million accounts were stolen from the website Ashley Madison
only how they do it.
Being paranoid about the security risk
Once data has been created and released,
TOP 10 MOST FREQUENTLY EXPLOITED CATEGORIES OF WEBSITES IN 2014
it freezes that moment in time. The and jettisoning modern technology enperson you were when the data was cre- tirely would be foolish. You would be
ated is the person you will always be as secure from new and baroque securiEntertainment
Technology
2.6% far as systems which
21.5%
ty threats, yes, but
act on that data are
you would also be
removing
yourself
Shopping
Hosting
2.5% concerned. A foolish
7.3%
decision entombed
from modern socieOnce data has been
in data can and will
ty. Instead, we need
created
and released, it
to live within a new
Illegal
Blogging
2.4% mark you for life.
7.1%
Indeed, that is one
metaphor. Cyber sefreezes that moment in
of the more subtle
curity shouldnt be
time a foolish decision
Placeholder
Business
2.2% arguments against
6.0%
thought of in terms
entombed in data can
government
interof walls, fortresses
and will mark you for life
and weaponry to use
net surveillance it
Virtual community
Anonymiser
1.8% makes it impossible
5.0%
against an invader.
Instead, it should be
for people to change
considered more in the terms of hygiene
their minds.
The point here isnt that law enforce- and health.
Source: Symantec 2014
Were going to get sick every so often
ment agencies shouldnt be allowed
these tools at all almost everything and sometimes it will be very unpleasdata together, alongside the same data With a lack of walls between databases has its specific and limited place, given ant. But if we eat well, wash our hands
from other smartwatch wearers, we can and some published results appearing proper oversight and a democratic con- and dont eat food off the floor, well be
start to build inferences on how annoy- in the Google index, and we could be versation beforehand but that without mostly alright. And when were not, it
those limitations and oversight, we end is societys responsibility to help us get
ing someone is by the physiological ef- destroying reputations.
And destroying them forever, as the up with databases that are, because they over it and not carry the mark of sickfects they trigger.
Useful data; a free idea for an app Ashley Madison user-base will find when are all, not only fundamentally insecure, ness forever more.
for anyone who wants to build it and someone turns that illegally released but liable to produce, with that insecurinot one that requires any new mag- database into a Google-indexable web- ty, deeper problems than they solve.
Share this article on social media
It is, for example, highly likely that the
ical technology, merely connections site (something that might already have
via raconteur.net
made between stuff already out there. happened by the time you read this). millions of personnel records of US gov-
10
$0.50 - $10
1,000 stolen
e-mail addresses
$0.50 - $20
Credit card details
$1 - $2
Scans of passports
$2 - $12
1,000 social
network followers
$7 - $8
$10 - $15
DEFEND YOUR
ORGANISATION
AGAINST
CYBER CRIME
Threats from cyber criminals are more
sophisticated than ever and as they become
faster and smarter, stronger solutions are
required for organisations of all sizes in both
the public and private sectors
CASE STUDY
Protection Group International (PGI)
is an intelligence-led risk management
provider that brings together unique capabilities in the vast field of information
security for the commercial, institutional
and government sectors.
The in-house security team at PGI
faced the same problem that many companies in the UK and around the world
are up against how can we optimise the
team we have to be more efficient, yet
still improve the security of our systems?
With the shortage of cyber-security
professionals only expected to grow over
the next five years, PGI decided to take
a look at Hexis Cyber Solutions flagship
product HawkEye G.
Hexis is an established,
global business
comprised of a team
of highly skilled and
experienced cyber
security specialists
We would be foolish to say its not happening in the UK too. Financial services organisations are seeing growing numbers
of attacks and, in some cases, full-fledged
breaches. It could be denial of service
attacks, preventing access to business
services or it might be a breach where data
is actually compromised.
According to Mr Hardy, part of the problem is that organisations fail to keep up
with threats that are changing all the time.
Often, he says, Hexis is called in to help
companies in the midst of an attack even
though the targeted company thought
they were covered by their existing security systems.
The threat is progressing at such a
rate that old solutions simply dont work.
Organisations are deploying the same
technologies that were around 20 years
ago, while threats are often automated
and designed to change instantly and on
their own, he says.
HEAVYWEIGHTS DEPLOY CONTINUOUS
DETECTION AND RESPONSE
Hexis is an established, global business
comprised of a team of highly skilled and
experienced cyber-security specialists. The
company recruits people with extensive experience in actively defending commercial
and government organisations.
What makes our company unique is
that we solve three key problems that security professionals have communicated to us which include lack of complete
enterprise visibility, false positives and
lack of security professionals. We feel
were ahead of the game and able to offer
85%
82%
61%
229
days on average of dwell time for hackers
lurking within your environment to steal
data before being detected
Source: Mandiant 2014 Threat Report
12 | FIGHTING FRAUD
01 / 09 / 2015 | RACONTEUR
raconteur.net
RACONTEUR | 01 / 09 / 2015
FIGHTING FRAUD | 13
raconteur.net
COMMERCIAL FEATURE
VALUE OF
INFORMATION SOLD
ON BLACK MARKET
ernment employees with security clearances that were breached last year will be
checked by those who have them against
the Ashley Madison database to ease the
blackmail. Two sets of bad IT security
combine with a lack of the understanding
among the general public that databases
will be cracked and choices made in private will not remain so. In an era where
most choices are made via weakly secured
digital systems, privacy cannot be taken
for granted.
We need, as a society, to not only
demand and utilise better security
practices in the companies and organisations which are large in our lives, but
to develop a cultural understanding that
without those practices, we risk whole
new ways of bringing damage to ourselves and each other.
This is only going to get worse before
society learns to deal with it. Technology evolves at a pace that far outstrips
the evolution of etiquette. Im wearing a
constant heart-rate monitor, yes, but Ive
also inadvertently installed video cameras and microphones in most rooms of
my house, not least by my bed, where our
phones rest at night. My car downloads
firmware updates from the internet and
my groceries are delivered because of the
choices sent from my phone. The lights
in my front room, the stereo on the bookshelf and the robot that feeds the cat are
all connected and vulnerable, and liable
to betray me in a new and unforeseen
way. It wont be a surprise that they do,
Details of more than 33 million accounts were stolen from the website Ashley Madison
only how they do it.
Being paranoid about the security risk
Once data has been created and released,
TOP 10 MOST FREQUENTLY EXPLOITED CATEGORIES OF WEBSITES IN 2014
it freezes that moment in time. The and jettisoning modern technology enperson you were when the data was cre- tirely would be foolish. You would be
ated is the person you will always be as secure from new and baroque securiEntertainment
Technology
2.6% far as systems which
21.5%
ty threats, yes, but
act on that data are
you would also be
removing
yourself
Shopping
Hosting
2.5% concerned. A foolish
7.3%
decision entombed
from modern socieOnce data has been
in data can and will
ty. Instead, we need
created
and released, it
to live within a new
Illegal
Blogging
2.4% mark you for life.
7.1%
Indeed, that is one
metaphor. Cyber sefreezes that moment in
of the more subtle
curity shouldnt be
time a foolish decision
Placeholder
Business
2.2% arguments against
6.0%
thought of in terms
entombed in data can
government
interof walls, fortresses
and will mark you for life
and weaponry to use
net surveillance it
Virtual community
Anonymiser
1.8% makes it impossible
5.0%
against an invader.
Instead, it should be
for people to change
considered more in the terms of hygiene
their minds.
The point here isnt that law enforce- and health.
Source: Symantec 2014
Were going to get sick every so often
ment agencies shouldnt be allowed
these tools at all almost everything and sometimes it will be very unpleasdata together, alongside the same data With a lack of walls between databases has its specific and limited place, given ant. But if we eat well, wash our hands
from other smartwatch wearers, we can and some published results appearing proper oversight and a democratic con- and dont eat food off the floor, well be
start to build inferences on how annoy- in the Google index, and we could be versation beforehand but that without mostly alright. And when were not, it
those limitations and oversight, we end is societys responsibility to help us get
ing someone is by the physiological ef- destroying reputations.
And destroying them forever, as the up with databases that are, because they over it and not carry the mark of sickfects they trigger.
Useful data; a free idea for an app Ashley Madison user-base will find when are all, not only fundamentally insecure, ness forever more.
for anyone who wants to build it and someone turns that illegally released but liable to produce, with that insecurinot one that requires any new mag- database into a Google-indexable web- ty, deeper problems than they solve.
Share this article on social media
It is, for example, highly likely that the
ical technology, merely connections site (something that might already have
via raconteur.net
made between stuff already out there. happened by the time you read this). millions of personnel records of US gov-
10
$0.50 - $10
1,000 stolen
e-mail addresses
$0.50 - $20
Credit card details
$1 - $2
Scans of passports
$2 - $12
1,000 social
network followers
$7 - $8
$10 - $15
DEFEND YOUR
ORGANISATION
AGAINST
CYBER CRIME
Threats from cyber criminals are more
sophisticated than ever and as they become
faster and smarter, stronger solutions are
required for organisations of all sizes in both
the public and private sectors
CASE STUDY
Protection Group International (PGI)
is an intelligence-led risk management
provider that brings together unique capabilities in the vast field of information
security for the commercial, institutional
and government sectors.
The in-house security team at PGI
faced the same problem that many companies in the UK and around the world
are up against how can we optimise the
team we have to be more efficient, yet
still improve the security of our systems?
With the shortage of cyber-security
professionals only expected to grow over
the next five years, PGI decided to take
a look at Hexis Cyber Solutions flagship
product HawkEye G.
Hexis is an established,
global business
comprised of a team
of highly skilled and
experienced cyber
security specialists
We would be foolish to say its not happening in the UK too. Financial services organisations are seeing growing numbers
of attacks and, in some cases, full-fledged
breaches. It could be denial of service
attacks, preventing access to business
services or it might be a breach where data
is actually compromised.
According to Mr Hardy, part of the problem is that organisations fail to keep up
with threats that are changing all the time.
Often, he says, Hexis is called in to help
companies in the midst of an attack even
though the targeted company thought
they were covered by their existing security systems.
The threat is progressing at such a
rate that old solutions simply dont work.
Organisations are deploying the same
technologies that were around 20 years
ago, while threats are often automated
and designed to change instantly and on
their own, he says.
HEAVYWEIGHTS DEPLOY CONTINUOUS
DETECTION AND RESPONSE
Hexis is an established, global business
comprised of a team of highly skilled and
experienced cyber-security specialists. The
company recruits people with extensive experience in actively defending commercial
and government organisations.
What makes our company unique is
that we solve three key problems that security professionals have communicated to us which include lack of complete
enterprise visibility, false positives and
lack of security professionals. We feel
were ahead of the game and able to offer
85%
82%
61%
229
days on average of dwell time for hackers
lurking within your environment to steal
data before being detected
Source: Mandiant 2014 Threat Report
14 | FIGHTING FRAUD
01 / 09 / 2015 | RACONTEUR
raconteur.net
RACONTEUR | 01 / 09 / 2015
raconteur.net
FIGHTING FRAUD | 15
CHARLES ORTON-JONES
LIBOR RIGGER
TOM HAYES
ROGUE TRADER
KWEKU ABODOLI
BLACKMAILER
LEWYS MARTIN
DARK-WEB HOST
NICHOLAS WEBBER
PROFILE OF A FRAUDSTER
Is there such a thing as a typical
fraudster? It would be convenient
if there were. Security agencies
and the police would be able to
focus their efforts more sharply.
Victims could be more wary.
Weve discovered there is
an age range at which people
become more susceptible to
committing fraud, says Mark
Kenkre, head of fraud at law
Expenses Fraud:
Does your company have a documented and easy-tounderstand expense policy document?
If youre not sure you can say yes to all the questions,
find out how you can avoid expenses fraud at:
concur.co.uk/visibility
2015_08_27_TimesOfLondon_Concur_Ad_PRESS.indd 1
27/08/2015 10:51
14 | FIGHTING FRAUD
01 / 09 / 2015 | RACONTEUR
raconteur.net
RACONTEUR | 01 / 09 / 2015
raconteur.net
FIGHTING FRAUD | 15
CHARLES ORTON-JONES
LIBOR RIGGER
TOM HAYES
ROGUE TRADER
KWEKU ABODOLI
BLACKMAILER
LEWYS MARTIN
DARK-WEB HOST
NICHOLAS WEBBER
PROFILE OF A FRAUDSTER
Is there such a thing as a typical
fraudster? It would be convenient
if there were. Security agencies
and the police would be able to
focus their efforts more sharply.
Victims could be more wary.
Weve discovered there is
an age range at which people
become more susceptible to
committing fraud, says Mark
Kenkre, head of fraud at law
Expenses Fraud:
Does your company have a documented and easy-tounderstand expense policy document?
If youre not sure you can say yes to all the questions,
find out how you can avoid expenses fraud at:
concur.co.uk/visibility
2015_08_27_TimesOfLondon_Concur_Ad_PRESS.indd 1
27/08/2015 10:51
16 | FIGHTING FRAUD
Perils of third-party
corruption abroad
50%
14%
%
En
erg
y, u
tilit
ies
and
mi
nin
g
35 %
18%
n
ctio
stru
con
and
ring
inee
Eng
42
Professional services
19%
Financial services
es
tri
us
d
r in
he
Ot
Reta
il an
d
24%
24%
25%
28
Communication
con
sum
er
s
ct
du
ro
lp
ria
st
du
In
n
tatio
spor
Tran ogistics
l
and
Hospitality
and leisure
ate-owned
Government/st
enterprises
32
22
ance
Insur
gy
olo
hn
c
e
T
31%
30%
RACONTEUR | 01 / 09 / 2015
raconteur.net
Using agents and partners abroad can open up UK companies to the risk of corruption which
is now punishable under stringent international anti-bribery laws
30%
Ph
an arma
dl
ife ceut
sci ica
en ls
ces
THIRD-PARTY RISK
CATHERINE BAKSI
01 / 09 / 2015 | RACONTEUR
raconteur.net
14%
North America
12%
Western
Europe
39%
Middle East
Eastern
Europe
39%
25%
35%
30%
Asia-Pacific
Africa
Latin America
27%
Global
Source: PwC 2014
from tendering for public sector contracts and disqualification from being
a company director, not to mention
the consequential reputational damage
and loss of business.
A recent report from accountancy firm
Deloitte showed that third-party failure
could cause shareholder losses of up to
ten times any regulatory fine and share
prices to drop by 2.55 per cent.
In recognition of the fact that no anti-bribery regime will be capable of preventing all offences, the act provides a
full defence if a company can show it
had adequate procedures in place to
prevent bribery.
Adequate procedures are not defined
in the act, but are the subject of government guidance centring around six principles: proportional procedures; top-level commitment; risk assessment; due
diligence; communication, including
training; and monitoring and review.
Companies have scrambled to put in
place compliance regimes, which they
hope will afford them protection from
prosecution, if those acting on their
behalf are caught out.
In reality, says Mr McCluskey: It
means having a visible and well-documented anti-bribery policy effectively
disseminated to all staff and agents, a
reporting hotline and procedure, with
whistle-blower protection, and a hospitality register requirement.
Every transaction now, says Jonathan Hitchen, partner at international law firm Allen Overy, contains anti-bribery warranties and
termination clauses.
In some jurisdictions it is impossible
to remove the risk by doing away with
agents as in some countries having a
local partner is required, notes Jeremy
Cole, consultant in the London office
of global law firm Hogan Lovells.
The challenge when entering new
markets is to check them [the local
partners] out to see if they could cause
harm to the company and expose it to
criminal prosecution in the UK, says
Mr Cole.
Dan Hyde, partner at London lawyers
Howard Kennedy, says: Organisations
need to examine the relationship with
any overseas third party carefully and
apply due diligence to ensure, as far as
possible, they are choosing the right
third-party representative and that the
risk is not too great.
Equally as important as looking at new
intermediaries, adds Mr Cole, is the need
to go back and look over historic relationships that may have been put in place
under a less stringent regime.
UK
18%
9%
Organisations that have been
asked to pay a bribe
Companies doing
business in the United
States need to be alert to
the provisions of the US
Foreign Corrupt Practices
Act, which many view as
far more demanding
est risks include energy, mining and
defence. Mr McCluskey comments: Extraction activities tend to take place in
areas where the rule of law is non-existent and natural resource has always been
ripe for bribery.
The due diligence, says Mr Hyde, includes assessing the level of corruption in
a country, the risk associated with the particular sector, the proposed third party,
the level of government involvement, and
a myriad of checks to investigate the reputation and reliability of the third party and
the transaction contemplated.
This, says Ms de Kluyver, can range
from basic verification and ownership
checks to very detailed reports on business and peoples reputations which,
adds Mr McCluskey, may have spawned
22%
10%
Organisations that lost an
opportunity to a competitor who
they believed paid a bribe
29%
15%
FIGHTING FRAUD | 17
16 | FIGHTING FRAUD
Perils of third-party
corruption abroad
50%
14%
%
En
erg
y, u
tilit
ies
and
mi
nin
g
35 %
18%
n
ctio
stru
con
and
ring
inee
Eng
42
Professional services
19%
Financial services
es
tri
us
d
r in
he
Ot
Reta
il an
d
24%
24%
25%
28
Communication
con
sum
er
s
ct
du
ro
lp
ria
st
du
In
n
tatio
spor
Tran ogistics
l
and
Hospitality
and leisure
ate-owned
Government/st
enterprises
32
22
ance
Insur
gy
olo
hn
c
e
T
31%
30%
RACONTEUR | 01 / 09 / 2015
raconteur.net
Using agents and partners abroad can open up UK companies to the risk of corruption which
is now punishable under stringent international anti-bribery laws
30%
Ph
an arma
dl
ife ceut
sci ica
en ls
ces
THIRD-PARTY RISK
CATHERINE BAKSI
01 / 09 / 2015 | RACONTEUR
raconteur.net
14%
North America
12%
Western
Europe
39%
Middle East
Eastern
Europe
39%
25%
35%
30%
Asia-Pacific
Africa
Latin America
27%
Global
Source: PwC 2014
from tendering for public sector contracts and disqualification from being
a company director, not to mention
the consequential reputational damage
and loss of business.
A recent report from accountancy firm
Deloitte showed that third-party failure
could cause shareholder losses of up to
ten times any regulatory fine and share
prices to drop by 2.55 per cent.
In recognition of the fact that no anti-bribery regime will be capable of preventing all offences, the act provides a
full defence if a company can show it
had adequate procedures in place to
prevent bribery.
Adequate procedures are not defined
in the act, but are the subject of government guidance centring around six principles: proportional procedures; top-level commitment; risk assessment; due
diligence; communication, including
training; and monitoring and review.
Companies have scrambled to put in
place compliance regimes, which they
hope will afford them protection from
prosecution, if those acting on their
behalf are caught out.
In reality, says Mr McCluskey: It
means having a visible and well-documented anti-bribery policy effectively
disseminated to all staff and agents, a
reporting hotline and procedure, with
whistle-blower protection, and a hospitality register requirement.
Every transaction now, says Jonathan Hitchen, partner at international law firm Allen Overy, contains anti-bribery warranties and
termination clauses.
In some jurisdictions it is impossible
to remove the risk by doing away with
agents as in some countries having a
local partner is required, notes Jeremy
Cole, consultant in the London office
of global law firm Hogan Lovells.
The challenge when entering new
markets is to check them [the local
partners] out to see if they could cause
harm to the company and expose it to
criminal prosecution in the UK, says
Mr Cole.
Dan Hyde, partner at London lawyers
Howard Kennedy, says: Organisations
need to examine the relationship with
any overseas third party carefully and
apply due diligence to ensure, as far as
possible, they are choosing the right
third-party representative and that the
risk is not too great.
Equally as important as looking at new
intermediaries, adds Mr Cole, is the need
to go back and look over historic relationships that may have been put in place
under a less stringent regime.
UK
18%
9%
Organisations that have been
asked to pay a bribe
Companies doing
business in the United
States need to be alert to
the provisions of the US
Foreign Corrupt Practices
Act, which many view as
far more demanding
est risks include energy, mining and
defence. Mr McCluskey comments: Extraction activities tend to take place in
areas where the rule of law is non-existent and natural resource has always been
ripe for bribery.
The due diligence, says Mr Hyde, includes assessing the level of corruption in
a country, the risk associated with the particular sector, the proposed third party,
the level of government involvement, and
a myriad of checks to investigate the reputation and reliability of the third party and
the transaction contemplated.
This, says Ms de Kluyver, can range
from basic verification and ownership
checks to very detailed reports on business and peoples reputations which,
adds Mr McCluskey, may have spawned
22%
10%
Organisations that lost an
opportunity to a competitor who
they believed paid a bribe
29%
15%
FIGHTING FRAUD | 17
18 | FIGHTING FRAUD
81% of large
UK companies
suffered a
cyber security
breach in 2014*
Are you
prepared?
01 / 09 / 2015 | RACONTEUR
raconteur.net
In late-2014, a Japanese
manufacturing company
covering everything from
automotive production
lines to micro-electronics assembly and with
European operations
centred in the UK was
the target of a suspected
state-sponsored attack.
engineering techniques,
based on company
product information,
to entice the recipients
to open and execute a
malicious attachment.
This contained a remote
administration tool or
RAT which called back
to a Chinese IP address
and had resulted in two
infected systems that
ultimately led to design
schematics and advanced earnings reports
being stolen.
Following the breach,
impacts to the company
were felt in stock price
variations and over
the longer term the
company expects further
lost earnings potential
as design secrets are
incorporated into com-
RACONTEUR | 01 / 09 / 2015
FIGHTING FRAUD | 19
raconteur.net
t business secrets
now aim to steal valuable commercial secrets from the private sector
Stuxnet
Computer worm discovered in June
2010, designed to disrupt machinery,
such as those in nuclear power
plants, by attacking industrial
programmable logic controllers.
DEATH
TAXES
CYBER
ATTACK
Duqu
Thought to related to the Stuxnet
worm and discovered in September
2011, Duqu hunts for information
that could be used in attacking
industrial control systems.
Flame
Discovered in May 2012, Flame
is designed to carry out cyber
espionage by stealing computer
display contents, files, data and even
audio conversations.
Gauss
Discovered in August 2012, Gauss is
designed to monitor onlline banking
accounts by stealing browser
history, cookies, passwords and
system configurations.