
Four Learning Outcomes to Include in Your Bribery Act Training Programme

July 30th, 2011

The Bribery Act 2010 contains a new and unprecedented offence of failure of a commercial organisation to prevent bribery. Under this law, a commercial organisation will be liable to prosecution if a person associated with it engages in bribery. It is the corporate offence that managers, executives and directors need to address with some immediacy. If it was revealed that a bribe was paid in connection with obtaining or retaining business or a business advantage, a company could be prosecuted for failing to prevent bribery. Penalties include an unlimited fine and custodial sentences of up to 10 years.

A company’s only defence in court would be to prove that it had working “adequate procedures” in place to prevent bribery and that, in the case in question, the paying of the bribe had circumvented those procedures. Turning a blind eye at executive or board room levels (including non-executive directors) is no longer an option and could have grave consequences for the reputation of the company and its individual directors as well as punitive financial costs.

The key question for commercial organisations is: “what are adequate procedures?” The Ministry of Justice has issued guidance on the Bribery Act, based on six principles that are designed to help organisations implement anti-bribery procedures. One of these principles is communication (including training), which states:

“The commercial organisation seeks to ensure that its bribery prevention policies and procedures are embedded and understood throughout the organisation through internal and external communication, including training, that is proportionate to the risks it faces.”

So employees need to be trained in anti-bribery policy and procedures. What should this training include, and how should it be delivered to ensure that it is considered ‘adequate’ in the eyes of the law?

The guidance gives some pointers to an answer. It states that training should be “effective in firmly establishing an anti-bribery culture. It may take the form of education and awareness-raising about the threats posed by bribery in general and in the sector or areas in which the organisation operates in particular, and the various ways it is being addressed.” The guidance goes on to make a distinction between general awareness training about anti-bribery, to be done by all employees, and anti-bribery training for specialist areas, such as purchasing, contracting, distribution and marketing, and working in high-risk countries.

The amount of anti-bribery training a commercial organisation undertakes should be proportionate to the risk of bribery it faces. So for large companies that operate in countries that represent a high corruption risk, a high level of training will be necessary. For a small UK-based company with no international markets, the amount of training required will be less.

To provide a defence, anti-bribery training will need an associated audit trail that tracks who undertakes the training and when they undertake it. For this reason, e-learning presents the best delivery solution, as it is easy to roll out to everyone in an organisation and can provide the necessary audit trail.

As a defence against the corporate offence, all companies will require some basic awareness training, ideally in e-learning format, that seeks to promote an anti-bribery culture and explain the threats presented by bribery and corruption. This e-learning will need to communicate effectively to everybody, and not take too long to complete, ideally less than 20 minutes.

What outcomes should this short, general awareness e-learning unit deliver? What should participants in the training be able to do upon completion? To demonstrate commitment to establishing an anti-bribery culture, the outcomes need to be clear and demonstrable. Here are four outcomes, which if delivered, will fulfil the purpose of general awareness anti-bribery training.

1. Explain what is meant by ethical behaviour at work
Participants will need to explain what ethical behaviour means, and why it is important to them both personally and to the organisation they work in. The training will explain the business benefits of ethical behaviour, and the impact of individuals who engage in unethical conduct. It will need to identify the risks of unethical behaviour to the participant’s job, his or her colleagues and their organisation.

2. Make ethical choices at work
Participants should be able to make better ethical decisions as a result of the training. Ideally the training will include practical scenarios that allow participants to exercise their own judgement on ethical dilemmas.

3. Recognise unethical behaviour
Employees need to be able to recognise unethical behaviour, not only in themselves, but also in others. Ideally, they will be able to identify the warning signs that may precede an unethical act, and take action to prevent it.

4. Get help
Finally, participants need to know how to get help if they are faced with an ethical situation. While a 15 minute training unit will not be able to give guidance on all ethical situations that may arise, it can certainly explain the procedures for obtaining relevant advice.

If these outcomes are delivered successfully, an organisation will demonstrate commitment to an anti-bribery and corruption culture, as well as providing some practical guidance on how to minimise the risks of bribery and corruption.

Those in a managerial or supervisory role may require further training on how an anti-bribery policy should be implemented. People working in high-risk areas, such as sales or procurement, may require additional training specific to their function. General awareness anti-bribery training certainly makes a good starting point for an anti-bribery policy.

5 Misconceptions About the Bribery Act that Could Prove Costly for Your Business

June 29th, 2011

The Bribery Act will be implemented on 1st July 2011 and is commonly viewed as being the strictest anti-corruption law in the world. The Act creates the following new offences:

* offering, promising or giving a bribe;

* requesting, agreeing to receive or accepting a bribe;

* bribing a foreign public official;

* failure of a commercial organisation to prevent bribery.

The clause that has set the cat amongst the pigeons is the new corporate offence of failure to prevent bribery by those working on behalf of the organisation, including employees, agents and subsidiaries (whether domestic or foreign).

Penalties for falling foul of the legislation could include 10-year custodial sentences, unlimited fines and potential debarment from government contracts. Despite the severe nature of the penalties, many directors are displaying a worrying degree of ignorance and apathy towards their compliance requirements.

Here are some of the tell-tale signs of companies that may be in for a shock after the 1st July.

Misconception 1: “The Bribery Act doesn’t apply to me; it’s only for the Big Guys…”

Think again. If you want to win contracts from prime contractors, they’ll require evidence that you are fully compliant with the Bribery Act. You may find that anti-corruption procedures will soon form an important part of the selection process for competitive tenders. Also, insurance underwriters have confirmed that they’ll take a close look at anti-bribery and corruption procedures when assessing applications for Directors’ and Officers’ Liability and Professional Indemnity insurance cover. Organisations that don’t meet the required standard will either have their applications declined or face the prospect of higher premiums. This means that if you find yourself in the unfortunate position of being the innocent victim of a bribery investigation, you risk being unable to claim insurance to pay for legal defence costs. And lawyers don’t come cheap.

Misconception 2: “I can ignore the Bribery Act because my company is already compliant with the Foreign Corrupt Practices Act (FCPA).”

The FCPA is the US anti-corruption legislation and it applies to any organisation that does business in the US. Companies that have been found guilty under the FCPA have experienced reputational damage, multi-billion dollar fines and jail terms for some of their executives. Compliance with the FCPA does not necessarily denote compliance with the Bribery Act. For example, the Bribery Act draws no distinction between public sector and private sector bribery; has no exemption for facilitation (grease) payments or for promotional expenditure; and introduces an explicit offence of failing to prevent bribery by associated parties. Perhaps this is why some US attorneys frequently refer to the Bribery Act as “the FCPA on steroids”.

Misconception 3: “I’m already prepared for the Bribery Act as I don’t take my clients out to lunch.”

If you read the Government Guidance on the Bribery Act, you’ll see that organisations will be required to do much more than revise their corporate hospitality arrangements in order to comply with the legislation. An organisation can defend itself if it can prove that it had adequate procedures to prevent bribery. Prudent businesses are now implementing these procedures.

Misconception 4: “I won’t get caught.”

The Serious Fraud Office will be able to collaborate with police departments, the Department of Work and Pensions, the Foreign and Commonwealth Office, the intelligence services and overseas regulatory authorities. In short, they’ll have the resources for thorough investigations. In addition, if your organisation is involved in bribery, there is a serious risk of an investigation being triggered by a whistle-blower.

Misconception 5: “There’s a bit about our anti-corruption policy in the HR handbook.”

Anti-corruption policies and procedures are meaningless if they’re not implemented. This was one of the main conclusions from those who investigated the Siemens case after the company was charged a record $1.3 billion in fines for bribery in 2008. The following questions will help you evaluate your current anti-corruption plans so that you can make the recommended changes.

* Is your Board charged with overall responsibility for your anti-corruption programme?

* Are your anti-corruption policies and procedures communicated to all relevant personnel, and have you considered the possibility that translations may be required for non-native speakers?

* Are your anti-corruption policies and procedures publicised on your website and other public materials?

* Are your personnel and other associated persons, such as your subsidiary staff, joint venture partners and agents, given access to anti-bribery and corruption training?

* Do you have a mechanism that will allow people to report suspicious conduct?

* Are there internal controls to ensure that anti-corruption procedures are being followed?

* Are your internal controls audited and reviewed?

Please be in no doubt: for your compliance programme to be adequate for the Bribery Act, anti-corruption procedures need to be embedded into all aspects of working practice.

© Copyright, Sarah Dougan, E-Security Exchange 2011

Data Security Breach Scenario 1: The Postal Scam and the Telephone Bill

December 18th, 2010

The following scenario is based on a fictitious charity called Organisation X that offers support and befriending services to vulnerable members of the community, the majority of whom have learning difficulties or physical disabilities. Organisation X relies upon government funding and voluntary donations. It is staffed by volunteers and paid employees.

Please note that the scam described below is ongoing. Warnings have been issued by the Royal Mail and the Trading Standards Office.

A card is posted through the door of the victim from a company calling itself PDS (Parcel Delivery Service), stating that they were unable to deliver a parcel and that the recipient needs to contact them on a premium rate number. Please do not call this number, as this is a mail scam originating from Belize. If you call the number and start to hear a recorded message, you will already have been billed £315 for the phone call. The Police contact Organisation X to say they have discovered the perpetrators of the scam, who have confessed to targeting vulnerable individuals cared for by Organisation X after discovering names, addresses and other personal details on an unencrypted USB stick found in the back of a taxi.

Police have notified the families of the individuals, who have discovered that, on average, they have been conned out of £900 each after calling the premium number to arrange delivery of a parcel. One family has gone to the press.

Please feel free to comment on the potential costs and other repercussions that could arise from this incident.

Essential Tips for Protecting your Business From Credit Card Fraud

July 12th, 2010

You only have to look at the various types of credit card fraud I outlined in a post a few weeks ago to realize that it is very likely that your business will eventually be a target. Whether this leads to financial loss for you or your customers, it is important that you protect your reputation first and foremost. This is not to say you put reputation before acting in the correct manner: the most shocking part of any revelation of major fraud is often how long a company or government department takes before admitting an issue has occurred. The TK Maxx credit card fraud is a classic example of this.

In 2006 TK Maxx discovered that hackers had cracked their encryption system and had been gaining access to their customers’ credit card data since as far back as 2003. This of course was bad enough, but what made things worse was that it took 18 months before the news of the breach was released. So tip number 1 in terms of protecting your business from credit card fraud is to have a response plan in place from the start. Always take the attitude that fraud WILL occur – once you know that a customer has been affected you should inform them immediately. Any short term damage will be mitigated by the long term protection of your reputation and image.

When dealing with customers online it is best to use a third-party payment provider – you don’t want the responsibility of storing and protecting your customers’ credit card data – and compliance with PCI (Payment Card Industry) requirements is then at its most basic.

What about preventing fraud in the first place? It’s unlikely you will ever find a way to prevent fraud completely – but the minimum standards to make it less likely should be:

  1. Insist that you or your payment gateway provider use SSL encryption for all credit card transactions. SSL encrypts the traffic between your site and your customer’s browser and makes it less likely that a transaction could be spied on over the internet.
  2. Use the Card Verification Value (CVV) number in all transactions. The CVV value should not be stored in any way once communicated, as it is a number generated for each individual credit card and provides some assurance that the customer has the card in their possession.
  3. Use the Address Verification System (AVS, i.e. require the credit card billing address to be given when ordering over the internet). Even though this is almost obsolete as a verification on its own, when used in conjunction with the CVV number it provides further assurance that the card is in the physical possession of the customer.
  4. Only keep data when needed, discard it when finished, and ensure your payment gateway provider follows the same policy. It’s tempting to store credit card details to make transactions easier for your customers – but be aware of the risk: if you store data, you are responsible for it!
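
The following is an added example of how tips 2, 3 and 4 look in code; it is not code from the original post. It assumes a hypothetical checkout flow in which a payment gateway has already authorised the card and returned AVS and CVV result codes. The gateway response dictionary, its result codes (“M” match, “N” no match, “U” unavailable), the six-month retention period and the sample request are all constructed for illustration and do not describe any real provider’s API. The Luhn check and the first-six/last-four truncation are standard card-handling practice.

```python
"""PCI-aware handling of a card-not-present order (added example, not the post's code)."""
from dataclasses import dataclass, asdict
from datetime import date, timedelta


@dataclass
class CheckoutRequest:
    pan: str              # full card number as typed by the customer
    cvv: str              # security code: used for authorisation only, never stored
    expiry: str
    billing_postcode: str


@dataclass
class StoredOrder:
    """What is allowed to reach the database: truncated PAN, and no CVV field at all."""
    order_id: str
    pan_masked: str
    expiry: str
    avs_result: str
    cvv_result: str
    created: date


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: catches mistyped numbers before any gateway call is made."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, the PCI DSS limit for storage and display."""
    digits = "".join(c for c in pan if c.isdigit())
    if not luhn_valid(digits):
        raise ValueError("not a plausible card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def fraud_review_needed(gateway_result: dict) -> bool:
    """CVV mismatch is decisive; AVS only adds weight, so a plain AVS 'no match' flags the order too.
    Result codes are the constructed ones described in the lead-in."""
    return gateway_result["cvv_result"] != "M" or gateway_result["avs_result"] == "N"


def build_stored_order(order_id: str, req: CheckoutRequest,
                       gateway_result: dict, today: date) -> StoredOrder:
    """Build the persisted record. The CVV is simply never copied across."""
    return StoredOrder(
        order_id=order_id,
        pan_masked=truncate_pan(req.pan),
        expiry=req.expiry,
        avs_result=gateway_result["avs_result"],
        cvv_result=gateway_result["cvv_result"],
        created=today,
    )


def purge_expired(orders: list, today: date, retention_days: int = 180) -> list:
    """Tip 4: keep data only while needed. Returns the orders still inside the (assumed) retention window."""
    cutoff = today - timedelta(days=retention_days)
    return [o for o in orders if o.created >= cutoff]


# Constructed sample data: the well-known Visa test number, not a real card.
SAMPLE_REQUEST = CheckoutRequest(pan="4111 1111 1111 1111", cvv="123",
                                 expiry="12/12", billing_postcode="G1 1AA")
SAMPLE_GATEWAY_OK = {"avs_result": "M", "cvv_result": "M"}
SAMPLE_GATEWAY_BAD = {"avs_result": "M", "cvv_result": "N"}


def sample_run(today: date = date(2010, 7, 12)) -> dict:
    """Run the whole flow on the constructed sample and return what would be persisted."""
    record = build_stored_order("ord-1", SAMPLE_REQUEST, SAMPLE_GATEWAY_OK, today)
    stale = build_stored_order("ord-0", SAMPLE_REQUEST, SAMPLE_GATEWAY_OK,
                               today - timedelta(days=400))
    return {
        "persisted": asdict(record),
        "review_needed": fraud_review_needed(SAMPLE_GATEWAY_BAD),
        "kept_after_purge": [o.order_id for o in purge_expired([stale, record], today)],
    }


if __name__ == "__main__":
    print(sample_run())
```

The point of the `StoredOrder` type is structural: because it has no `cvv` field, the security code cannot be persisted by accident, and the only card number that reaches storage is the truncated one. The retention purge is what tip 4 looks like when it is a scheduled job rather than a policy sentence.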

I’ll end by reiterating the most important tip – be transparent in your dealings with your customers. If a breach occurs, be sure to inform all those affected immediately and take steps to rectify the problem. Any immediate financial loss could be insignificant when compared with long term damage to your reputation.

Measuring the Maturity of Your Security Controls

July 2nd, 2010

It is one thing to build a security plan, another to implement it and a struggle to maintain it. It’s very common to see security policies and plans with no controls in place to support them (as I have touched on in previous posts). This is a major problem when you need to demonstrate your security implementation to a potential or existing client. Sure you have a plan, but what does this actually achieve? This is where maintaining a Security Maturity dashboard is very useful.

There are many ways to build a maturity dashboard – essentially it is drawn from the balanced scorecard methodology, which has its own variants – but the core design is always the same. It depends on defining a baseline for your security implementation and the steps required to achieve that baseline.

Basically, for each area covered by your security plan you will need a policy, procedures, controls, metrics, compliance and continuous process enhancement (CPE) to achieve full maturity. As you will most likely start with a policy for the areas you want to cover, that represents the most basic level of maturity. As you build your security plan through the use of industry standards, risk assessments and security incidents (by using “lessons learned”) you can start moving up in terms of security maturity. This is the scoring system I use:

  • Level 0 = Gap (No policy, procedure or controls in place)
  • Level 1 = Basic (Policy and procedures in place, no metrics or controls in place)
  • Level 2 = Standardized (Policy, procedures and controls in place, no metrics but infrequent compliance checks)
  • Level 3 = Advanced (Policy, procedures and controls in place with metrics and compliance – no CPE program)
  • Level 4 = Dynamic (Policy, procedures and controls with full metrics and CPE program)

Of course there are nuances – as you assess each area of your plan you will see that you are either exposed (score of 0) or have a policy in place (score of 1). However, the very act of carrying out the assessment means that you have acknowledged a gap and have started to respond to it (if you follow the correct process you will start to draft a policy to fill the identified gap); in this case you actually have a score of 0.5. Once you have identified the starting point (i.e. the good, bad and indifferent parts of your security implementation) you can start planning a program and how to move from one level to the next.

You can even provide an overall score for your organization so you can take a high level view of your progress. By creating a maturity report with a scorecard you can demonstrate a commitment to security even before you have put any in place (as long as you follow through, of course!). This can be a key element in heading off negative audit observations or findings, or in reassuring new and existing customers that their data is safe in your hands.
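
Here is an added example of the scoring system above turned into a small scorecard; it is not the author’s own dashboard. It reads the five levels as a cumulative ladder: Level 1 needs a policy (the “policy in place” score), Level 2 adds procedures and controls, Level 3 adds metrics and regular compliance checks, Level 4 adds a CPE programme, and an assessed-but-unfilled gap scores 0.5. That reading, the attribute names and the sample areas are assumptions made for the example.

```python
"""Security maturity scorecard from the post's five levels (added example, not the author's tool)."""
from dataclasses import dataclass


@dataclass
class Area:
    name: str
    policy: bool = False
    procedures: bool = False
    controls: bool = False
    metrics: bool = False
    compliance_checks: bool = False   # regular checks, not merely infrequent ones
    cpe: bool = False                 # continuous process enhancement programme
    gap_acknowledged: bool = False    # assessed; policy being drafted but not yet in place


LEVEL_NAMES = {0.0: "Gap", 0.5: "Gap (acknowledged)", 1.0: "Basic",
               2.0: "Standardized", 3.0: "Advanced", 4.0: "Dynamic"}

# Each rung lists the attributes that must all be present on top of every lower rung
# (assumed cumulative reading of the post's levels).
LADDER = [
    (1.0, ("policy",)),
    (2.0, ("procedures", "controls")),
    (3.0, ("metrics", "compliance_checks")),
    (4.0, ("cpe",)),
]


def maturity_level(area: Area) -> float:
    """Score one area: 0, 0.5 for an acknowledged gap, or the highest fully satisfied rung."""
    level = 0.5 if area.gap_acknowledged else 0.0
    for rung, attrs in LADDER:
        if not all(getattr(area, a) for a in attrs):
            break                      # stop at the first rung that is not complete
        level = rung
    return level


def missing_for_next_level(area: Area):
    """Return (next level, attributes still missing for it), or (None, []) at the top."""
    current = maturity_level(area)
    for rung, attrs in LADDER:
        if rung > current:
            return rung, [a for a in attrs if not getattr(area, a)]
    return None, []


def overall_score(areas) -> float:
    """Plain average of the area levels: the single number for the high-level view."""
    return round(sum(maturity_level(a) for a in areas) / len(areas), 2)


def scorecard(areas) -> list:
    """One row per area: name, level, level name, next level and what it still needs."""
    rows = []
    for a in areas:
        lvl = maturity_level(a)
        nxt, missing = missing_for_next_level(a)
        rows.append((a.name, lvl, LEVEL_NAMES[lvl], nxt, missing))
    return rows


SAMPLE_AREAS = [  # constructed sample data
    Area("Access control", policy=True, procedures=True, controls=True,
         metrics=True, compliance_checks=True, cpe=True),
    Area("Patch management", policy=True, procedures=True, controls=True),
    Area("Incident response", policy=True),
    Area("Supplier security", gap_acknowledged=True),
    Area("Physical security"),
]

if __name__ == "__main__":
    for name, lvl, label, nxt, missing in scorecard(SAMPLE_AREAS):
        print(f"{name:20} {lvl:>4} {label:20} next: {nxt} needs {missing}")
    print("overall:", overall_score(SAMPLE_AREAS))
```

The `missing_for_next_level` column is the part a dashboard reader actually acts on: it turns “Patch management is at Level 2” into “it needs metrics and regular compliance checks to reach Level 3”, which is the planning step the post describes.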

I will provide more detail on maturity planning, including how to set up your own dashboard, in future posts. As I have said above, there are many approaches to how you measure your security implementation; the main thing is that you check compliance with your OWN policies on a regular basis.

Security Considerations in Technology Choices

July 2nd, 2010

As a manager you will not be expected to know the ins and outs of how your website is built – however, it is important to make the right choice of technology and not just trust the advice from your IT department. Every website technology has its pitfalls, and today I will run through some of the better known website technologies and their pitfalls. If you have been following my posts over the past few months you will have seen how important I believe good governance and due diligence are when building your IT strategy. Having a basic understanding of the technology in use for your company is an essential part of this.

There is a dizzying array of web tools that allow even the most technologically inexperienced to create and maintain a commercial website. You must decide which you are going to use and why. Commercial programs such as Dreamweaver, FrontPage and the like all have their pros and cons from an operational point of view, and in terms of security are no better or worse than each other for the most part: the security issues related to building sites using these tools are almost all user related. It is the scripts you write or put in place that will determine your risk exposure (as well as your hosting provider and so on, which I have discussed in a previous post).

Content management solutions (CMS) and template-built solutions pose different issues. The manner in which these are managed and maintained when online presents the first major decision that you will face when deciding how to create your website. Most CMS programs provide an online administration page. This administration page is a major flag for a potential hacker and could be a serious vulnerability.

This does not mean that open source CMS solutions such as Joomla, Mambo, Drupal and others should not be considered – just that you should be clear as to the risks involved and weigh these against the benefits that these very powerful solutions can provide you. It could be argued that tools such as these benefit from a large user community which can respond quickly to security issues, where commercial products are not so nimble; on the other hand, since the source code is fully available there is more scope for vulnerabilities to be discovered and exploited. This means that security releases and updates come out quickly, but patches and updates are needed more regularly, which requires more vigilance on the part of the website administrator. It is a choice that you must make, and one that is more often than not decided by cost and the resources available to manage your site.

Open source tools are very popular but have the disadvantage of being technically unsupported – even if you pay for support, the code used is open to being exploited as it is in essence all out in the open. Having said that, as a starting point for your e-commerce site, tools with pre-built templates provide very powerful solutions for little or no outlay.

HTML editors may give you more control, but assuming you are not a web designer yourself you will have to pay for sites to be built and maintained – open source CMS solutions are much more user friendly and have the potential, at least, to be set up and maintained by the technologically challenged.

If you’ve never worked with HTML or web pages and don’t really understand how they work, then it’s going to take you quite a bit of time to get a good site up and running, and the chances of leaving security holes are much greater.

I should point out here that if you hire a third party to build your site it is imperative that you follow due diligence when assessing a potential company or freelancer. It is very easy to hire someone “sight unseen” from an online freelance body shop (such as elance.com or guru.com) – however, the very same person building your site could also be a potential threat to your business. Even if there is no malicious intent from the person or company you hire, they may not follow good security practices themselves, which again opens up the possibility that you will be hacked or infected by a virus. Be sure to review a company’s reputation on the web and consider hiring an independent security professional to review code and platform settings.

E-mail, Passwords and Backups

June 25th, 2010

If you have been following this blog over the past few months you will have seen how good governance is the key to good security. We’ve seen how to follow best practice when setting up your website and online services, how to choose a domain safely and how to assess potential hosting providers. This is all good stuff, but there are operational steps you will need to follow once your site is up and running.

Your hosting provider will give you an email address (most likely several e-mail addresses). You should consider closely how you will manage e-mail for your business. Secure email solutions such as Hushmail, ZipLip and others provide some level of security for your communication, but what you need really depends on what you are transferring via mail. Use an encryption method such as PGP or similar for messages you wish to keep confidential.

What will you be sending and what will you be receiving? Confidentiality and integrity can be ensured by encryption, but you will need to decide what your needs are. If you intend using direct marketing methods, you should be careful not to appear to be spamming potential customers – a good overview of spamming legislation can be found here.

We’ve touched on many areas of security already in this document, including all the strategies that you will need to find the right domain registrar and hosting provider – but it all comes to naught if your password and account information is not secure. This is the most fundamental aspect of security.

Traditionally your password was the one way a system could identify you, and even with smart card and biometric security it remains the cornerstone of IT security on the desktop. As such, it is the only measure protecting your account, processes and files. This is true from the most privileged account to the least privileged account on your website.

Among other things, this means:

  1. Do not give your password to anyone else.
  2. Don’t write down your password! (I’ve seen them under keyboards, on noticeboards and yes – on post-its!)
  3. Change your password regularly – every six months at the very least; 3 months is better.
  4. Choose a secure password, but make it one that you will remember!

How To Choose A Secure Password

DON’Ts

  1. Your password should not be the same as your username, nor should it contain your username or simple permutations of it.
  2. Your password should not contain any personal data – the names of your wife, girlfriend and kids are out! As are social security numbers, phone numbers, birthdates and license plate numbers. It would be easy to be TOO paranoid, of course. Think of something memorable to you, but that only YOU would know.
  3. Your password should not contain correctly spelled words in any language.
  4. Your password should not contain the names of your favorite actors, programs or sports team.

DO’s

Applying two or three of the tips below to a reasonable password can make it almost uncrackable:

  1. Embed extra characters in the word – a semi-random set of numbers with a symbol, for example.
  2. Misspell words.
  3. Use unusual capitalisation: all lowercase, all capitals, or capitalising the first letter of words.
  4. Concatenate two or more words or parts of words.
  5. Embed one word in the middle of another, or interleave the letters of two words.
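The DON’Ts above can be enforced automatically when a user picks a password. The checker below is an added example, not code from this blog; its word list and the personal-data items are constructed, and a real deployment would load a full dictionary (and a breached-password list) in place of the few words shown.

```python
import re

# Constructed stand-in for a real word list (assumption: in practice load a
# full dictionary and a breached-password list instead of these few words).
DICTIONARY = {"password", "summer", "secret", "welcome", "dragon", "london"}

# Common digit/symbol substitutions, folded back so "P@ssw0rd" reads "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def fold(text: str) -> str:
    """Lower-case and undo leet substitutions for dictionary comparison."""
    return text.lower().translate(LEET)


def check_password(password, username, personal_data, dictionary=DICTIONARY,
                   min_word=4):
    """Return the list of DON'T rules a candidate password breaks.

    personal_data is a list of strings the user supplied (family names,
    phone numbers, birthdates, plate numbers); non-alphanumerics are stripped
    so "1985-03-12" also catches "19850312".
    """
    problems = []
    raw = password.lower()
    folded = fold(password)
    user = username.lower()

    # Rule 1: not the username, nor containing it or its reverse.
    if raw == user or folded == fold(username):
        problems.append("password is the same as the username")
    elif user and (user in raw or user[::-1] in raw
                   or fold(username) in folded):
        problems.append("password contains the username or a permutation of it")

    # Rule 2: no personal data.
    for item in personal_data:
        token = re.sub(r"[^0-9a-z]", "", item.lower())
        if len(token) >= 3 and (token in raw or fold(token) in folded):
            problems.append(f"password contains personal data: {item!r}")

    # Rules 3 and 4: no correctly spelled words or well-known names, even
    # when disguised with digit/symbol substitutions.
    for word in sorted(dictionary):
        if len(word) >= min_word and word in folded:
            problems.append(f"password contains the word {word!r}")

    return problems
```

An empty list means the candidate passed every rule; the caller should reject the password and show the reasons otherwise.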

One very important aspect of securing your website is to make regular backups. Received wisdom dictates that backups should ideally take place outside of business hours, when network traffic is at its minimum – this is not applicable to a 24/7 e-commerce website, though! So any backup solution you consider should have minimal impact on your website.

You should check with your hosting provider about regular backups – these should be backed up to a separate server, but still accessible to you. At a local level you should backup all data and files for extra protection – don’t rely on just one backup solution.

Backup strategy is a subject all in itself – and will differ for each type and size of business. The most important thing is to DO BACKUPS – no one ever had a problem with too many backups of their work!

Credit Card Fraud – What to look out for

June 18th, 2010

In my previous post I discussed how to manage credit card transactions using a payment gateway provider. This is by far the most secure way to manage transactions without exposing your business to either regulatory scrutiny (PCI compliance) from the credit card industry or actual fraud. But what is fraud exactly? These days it ranges from traditional card number theft to fake cards created by skimming, etc. As I often say to clients, your credit card is almost as exposed when used in traditional “real world” outlets as it is online. Most of these issues involve possession of the card number, the card itself or a fake copy. There are at least two types of fraud that have been doing the rounds for the past few months that are worth highlighting – both as a general warning about the use of credit cards online and as an illustration of how fraud can impact your business.

These scams are known as “triangulation” scams. They often work best on sites like eBay or Amazon, but they are not unique to them.

Triangulation scam 1 – The customer as victim:

  1. Bogus seller on eBay advertises a product.
  2. Victim purchases the item or wins the auction.
  3. Victim pays the bogus seller through PayPal (or worse, by sending credit card details).
  4. Bogus seller pays ANOTHER, innocent seller for the goods using the VICTIM’S stolen card details.
  5. Victim receives the goods (important point: the goods really are delivered to the victim).
  6. Bogus seller now has the victim’s credit card details or money.

Using this technique an online fraudster can hop from credit card to credit card gathering money along the way. In previous posts I have mentioned domain hijacking – it’s obvious that the technique above can be further refined if a domain has been hijacked and directs to a phishing website address.

Triangulation scam 2 – In this scenario the merchant is the one who gets burned:

  1. Bogus customer orders goods and services with a stolen card.
  2. Before the card can be verified as stolen, the goods/services are returned or cancelled and a refund is requested.
  3. Bogus customer provides different refund details.
  4. Merchant provides the refund to the new card number.
  5. Bogus customer disappears with the cash.

This isn’t exactly a sophisticated attack – and could be conducted over the phone or face to face in a shop. The point isn’t that credit card scams are more prevalent on the web, just that some simple techniques could be combined to rip you or your customers off!

The key thing to remember as a vendor is that you need to protect your customers’ data at all times. There is no quick fix to prevent your company becoming one of the points of the triangle above – it takes vigilance and good governance. There are some actions you need to take when dealing with credit cards online, as described by Susan Ward on About.com.
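The merchant-side scam (scam 2 above) depends on step 4: the refund going to a card other than the one that paid. One control a shop can build into its refund handling is shown below as an added example (not code from this post or from any payment gateway); the card tokens, the three-day review window and the sample order are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: refunds requested this soon after payment are held for a human
# check, because a stolen card is often not yet reported at that point.
REVIEW_WINDOW = timedelta(days=3)


@dataclass
class Order:
    order_id: str
    card_token: str        # gateway token for the paying card, never the PAN
    amount_pence: int      # amount captured, in pence
    paid_at: datetime
    refunded_pence: int = 0


def evaluate_refund(order, amount_pence, destination_token, requested_at):
    """Decide a refund request: returns (decision, reason).

    decision is 'reject', 'review' or 'approve'. The one hard rule is that
    money only ever goes back to the card that paid, which closes step 4 of
    the scam: a request to refund a different card is refused outright.
    """
    refundable = order.amount_pence - order.refunded_pence
    if amount_pence <= 0 or amount_pence > refundable:
        return "reject", "amount exceeds the refundable balance"
    if destination_token != order.card_token:
        return "reject", "refund destination differs from the original card"
    if requested_at - order.paid_at < REVIEW_WINDOW:
        return "review", "refund requested within the review window"
    return "approve", "refund to original card"


def apply_refund(order, amount_pence, destination_token, requested_at):
    """Apply the decision; only approved refunds reduce the balance."""
    decision, reason = evaluate_refund(order, amount_pence,
                                       destination_token, requested_at)
    if decision == "approve":
        order.refunded_pence += amount_pence
    return decision, reason


def demo():
    """Constructed sample: one £50 order paid with card token tok_A on 1 June."""
    order = Order("ORD-1", "tok_A", 5000, datetime(2010, 6, 1))
    return tuple(apply_refund(order, 5000, tok, when)[0] for tok, when in [
        ("tok_B", datetime(2010, 6, 2)),   # different card: rejected
        ("tok_A", datetime(2010, 6, 2)),   # original card, day after: review
        ("tok_A", datetime(2010, 6, 10)),  # original card, later: approved
        ("tok_A", datetime(2010, 6, 11)),  # nothing left to refund: rejected
    ])
```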

Risk Assessments – the core of any good security plan

June 4th, 2010

There is a common misconception that the aim of IT security is to apply a “perfect” set of procedures for protecting information. Perfection is an impossible goal and your plans should reflect this. The aim of your plan is not about perfection, it’s about being able to properly recognize the weaknesses in your organization and take steps to mitigate against them. The risk assessment is the cornerstone of this approach.

I won’t go into the minutiae of the risk assessment process – you will find resources for that in our training material – but it is worth pointing out what should be included in your risk process. This is actually quite simple. EVERYTHING needs to be included. Or at least everything that is within the scope of your plan. The key is to rate your risk appropriately no matter how small or unlikely it may seem.

Most risk assessment templates start off with entries for fire, flood, earthquake, volcano, etc., many of which may seem highly unlikely threats to your information. I would recommend that these types of risk be included in your planning – even if they constitute minor residual risks that will most likely never happen. Often the perception of what will “never happen” is incorrect in any case. I’m sure that companies whose critical business travel was disrupted by the Eyjafjallajokull volcano are completing their “ash” plans as I write – a great example of something that “will never happen”!

Rating your risks according to likelihood, impact and actual exposure (vulnerability) is important, and it is also important that your plan lays out the appropriate level of management response for each risk. This means deciding that some issues need an immediate response, while others can be seen as requiring a lower response time.

Once you have assessed your risks you need to work out how you will “treat” them. This could be through new procedures to be included in your security plan itself, a change in how you do business (or where you do business), or simply accepting certain risks as residual. It would be a mistake to bury problems in your plan as “acceptable” just because you don’t have the will to mitigate them. This is an all too common mistake. No plan will succeed if the risks are not dealt with honestly and appropriately. Management support and willingness to recognise weaknesses are key to any risk plan.