Get familiar with the risk: Awareness
The introductory phase and thus the sensitization aims to increase the knowledge in the organization about the current situation and is considered the first step in prevention.
The basic questions to be answered are
– are all responsible persons aware of what can happen?
– where is the organisation or company most vulnerable (risk exposure and vulnerability)?
Depending on the risk landscape and its assessment, different measures must be considered about the following modules. The best “emergency recipe” is of no use to those affected if the following key data are not known:
It is necessary to determine how the tools and instruments can be made available to the responsible decision-makers to preserve their ability to act – in each of the defined emergencies in its manifestations. The analyses of the emergencies to be defined and their treatment when they occur are based on the various relevant factors from the risk analysis of the respective organisation.
Due to the fact that good and malicious social engineering has established itself as probably the most important and effective success factor along the life cycle of white-collar crime, non-compliance and cybercrime of the ability to act, it is also of particular importance within the framework of the FraudAidKit™.
Within the framework of the sensitization, the potential victims experience and learn the different aspects of the Social Engineer by means of practical examples and are accordingly prepared for possible situations in professional and private everyday life. This sensitization already massively reduces the individual and the entrepreneurial risk in the context of risk and reputation management.
One of the main findings for the participants is that there are no technical protective measures that can fully protect individuals, companies, and organizations from social engineering. The reason is clear: here too, the human factor is involved. Installing software or upgrading hardware alone does not protect against malicious social engineering.
It is primarily a matter of understanding where individuals at different hierarchical levels and roles are vulnerable in connection with the methods of social engineering. This analysis is done by means of specific questions, which are adapted to the respective functional level. The insights gained from this determine the next steps within the organisation or in relation to the individual, to be able to intercept as wide a spectrum of threats as possible at an early stage.
The protective measures are defined depending on the company and organisation in question, depending on the processes already implemented and their control mechanisms. These can be the following examples:
– regular comprehensive training of employees in various formats
– visual reminders through notices, posters, stickers, warnings (these can also be placed on the monthly salary letters, for example, as they are often read by the addressees)
– Limitation of authorizations
– increased focus on the handling of data (electronic, physical, old, new, external, internal)
“Increasing security awareness is the most important goal in the context of raising awareness of white-collar crime, non-compliance, cybercrime, and social engineering.”
The well-known phrase that the most important thing is often also the most difficult thing brings the topic of social engineering and the sensitization to it to the point. The topic belongs on the top level of a company. The basic understanding of the sensitivity of data and the fact that it is worth protecting must be created among individuals, in companies, organizations and in society.
Make it working for your organization: Implementation
Sensitization makes the individual entry points and thus weaknesses of the organization visible. In close coordination with all risk topics, a holistic concept is developed that meets the needs in the event of an incident and guarantees the exponents’ ability to act. The existing organisation is burdened as little as possible and as much as necessary. The motto is that the organisational effort for operations should not be increased.
The implementation of the defined preventive as well as reactive measures is carried out under consideration of the interfaces to (existing) crisis management, internal control system and risk management. Depending on the organisation or company, further interface issues that are not yet covered by the above-mentioned ones (human resources, communication, etc.) must be considered. The aim is not to build up redundancies, but to be able to fall back on existing resources and processes.
Events resulting from white-collar crime, non-compliance or cyber-attacks must be considered as an integral part of risk and crisis management and treated accordingly.
“Run the firm”: Maintenance
Maintenance is the maintenance of the implemented tools and instruments in the form of the process. Spoken in metaphors: What good is a drug that has been expired for years if it’s no longer needed? In the worst case, those affected do not dare to use it. The same applies to the implemented tools of the FraudAidKit™. The aim is to ensure that the organization can react correctly in an emergency. With the “stress tests”, the implemented procedures and measures are periodically checked, and any existing weaknesses are identified. The never hoped-for emergency occurs at the worst possible time. By implementing the methods and tools of the FraudAidKit™, those affected know who is to be informed with what, when and how and what immediate measures are to be taken. This is done depending on the previously evaluated and defined patterns (Fraud Pattern), which are derived from the risk assessment of the organisation. In this way, those responsible ensure, for example, that in the first moments of vague or confirmed knowledge of white-collar crime, important evidence is secured through professional reaction.
Incident Readiness: Alerting and processing
Up to this phase, the organisation or company was active in the field of prevention and, if necessary, detection of possible irregularities. The maintenance phase enabled conspicuous early warning indicators, missing controls, or non-functioning processes to be identified. However, an event had not yet occurred, and day-to-day business was able to follow its usual process.
No company wants to be in a situation where an emergency occurs, and the alarm must be raised. Even if the possibility was practiced in advance, this meant a state of emergency for those responsible. Because now it becomes necessary to fall back on the implemented processes and follow them.
The alarm is raised by the experts defined in advance (internal and external, depending on the initial situation and definition by the responsible persons within the framework of the FraudAidKit™) and the situation is processed by them in the course of determining the facts.
In this phase, it is vital for the organization that the experts are closely coordinated and can therefore act effectively and efficiently in the sense of solving the problem. It is advantageous if teams (internal and/or external) that are already well-rehearsed take care of the facts and leave the responsible persons free to take care of the daily business. It is not uncommon for little importance to be attached to this in such phases of acute events due to the shifted focus, which is counterproductive for the entire company. By delegating certain tasks – but not the responsibility – the ability to act can be maintained for the company. In practice, it has proven to be best to keep the investigation teams as small as possible (and as large as necessary) to achieve the greatest possible efficiency.
Homework: Spotting areas of improvement
By having the above framework in place, the organizations’ ability to identify the individual areas of potential is given. What we see when we introduce the process to our client is, that by applying this streamlined and straightforward approach, all involved team members can contribute. And this is one of the reasons, why prevention as such and Corporate Compliance Programs succeed or fail.
Feel free to use the five key elements of the FraudAidKit™ and let us know if you wish more information.
Last but not least: How do you prepare your team to strengthen the organizations resistance and resilience regarding non-compliance, economic and cyber-crime?