How Vulnerable Is Your Company to Cybercrime?

Wednesday, October 7th, 2009

by Barry Brandman

Cybercrime can literally be launched from any place on the globe. Unauthorized entries into corporate servers and networks can result in fraud, the theft of proprietary information, the misappropriation of company funds, as well as highly destructive and costly sabotage.

There are generally three categories of those who illicitly seek to penetrate corporate computer systems.

One group, which has grown significantly, is motivated by political or philosophical beliefs. They have vendettas against certain corporations or industries. You’ve seen groups such as these staging protests at national and international economic summits. Taken to an extreme, these beliefs become their justification for sabotaging networks and data communications.

Another group of hackers, sometimes referred to as “script kiddies,” are predominantly driven by mischief. Hacking into servers and websites, and then defacing them, is in essence cyber-vandalism. To many, it has become a game of matching wits – theirs against corporate or government IT experts who are entrusted with protecting networks.

A third category of attackers is driven by greed, and in certain respects can be the most dangerous form of hacker. In many cases, they are highly sophisticated, well financed and have successfully stolen classified data from government, organizational and corporate websites and networks. In fact, there are international crime organizations specializing in cybercrime as well as solo “cyber guns-for-hire” who will attempt to penetrate a corporation’s network for the right price.

With the downturn in the economy, company employees have become another area of risk. One investigation involved a company executive who became vindictive as he witnessed the value of his stock options plummet. As a personal vendetta directed at senior management, he accessed highly confidential files, including customer lists and marketing plans, and sent them to a competitor.

Experts fear that for every cyber-related fraud, theft and embezzlement that is uncovered, there could be as many as 80-100 crimes that go completely undetected.

Cyber Crime Risk Assessment

Here’s a basic diagnostic self-evaluation that can help you evaluate just how vulnerable your server, network, proprietary data and internal communications may be:

  • Do you, at least once per month, verify that your data is actually being backed up the way you think it is?
  • Are the passwords used by your employees required to contain a minimum number of characters and numbers (or are they relatively easy to crack because they consist of nicknames, birthdays, etc.)?
  • Are employees automatically required to change their passwords at least three times per year?
  • Does your company regularly update your operating system and software packages with the most up-to-date patches?
  • In the last 12 months, have you had experts perform a penetration test where they attempt to deliberately circumvent your firewalls and hack into your servers?
  • Is all company e-mail encrypted?
  • Does your company utilize effective intrusion detection products that will help detect, identify and stop unauthorized access?
  • Have you analyzed your network architecture to identify vulnerable points of entry for viruses?
  • Is your server in a highly secured room, protected by controlled access electronics, alarms (intrusion and temperature) and video equipment? If so, are the security clearances periodically reviewed to determine whether modifications are needed?
  • Do you have the ability to uncover employees sending damaging information from your company’s e-mail systems?
  • Does your company’s disaster recovery plan incorporate storing backed up data at an off-site location and making contingency plans for employees to work elsewhere if they can’t get to company offices?
  • Are employees given orientation and training regarding protecting company networks and following established security policies?
  • Are comprehensive background investigations performed on candidates and employees who will have access to classified data?
  • Are there follow-up background investigations conducted when employees are transferred or promoted into high security positions?
  • Is there a confidential 800 number available and effectively promoted for employees to anonymously call if they suspect or know of illegal or unauthorized activity by a co-worker, vendor or contractor?

If you haven’t answered yes to at least ten of these questions, your company may well be an easy victim, and it’s probably time to take action.

The 7 Deadly Sins of Logistics Security

Monday, September 28th, 2009

It’s estimated that the cost of business crime in the United States now exceeds $100 billion a year and is responsible for nearly 1/3 of all corporate bankruptcies. In a survey taken by a national accounting firm, nearly 25% of the respondents reported that theft-related losses in their respective firms exceeded $1 million.

 Most wholesalers, consolidators, freight forwarders and distributors that find themselves victimized by internal theft share a common denominator: They have usually committed one or more of what I refer to as The 7 Deadly Sins of Logistics Security.

 Is your company guilty of making any of these costly mistakes?

 1.  Are you relying on safeguards that simply don’t work?

 Ask most executives how they protect their inventory and they’ll answer “alarms, guards and closed circuit television.” If these security solutions are effective, then why is it that so many companies that sustain loss have these controls in place?

 Alarms are designed to protect against break and entry, not theft committed by insiders – which is how inventory loss usually occurs. Most uniformed guards are not adequately trained to recognize internal theft and collusion. Closed circuit television will only be effective if it has been strategically designed and consistently monitored, which is typically not the case.

 2.  Do you make it easy for dock personnel to work in collusion with truckers?

 Because they don’t know how to prevent internal theft, many companies inadvertently make it too easy for drivers to work in unison with shippers, receivers, checkers and loaders. These theft schemes are silent, with no bells or whistles going off to alert anyone that they are taking place, which is why they oftentimes add up to a small fortune.

 3.  Is your company too reactive?

 A large percentage of companies that incur shrinkage do little to prevent it from happening in the first place. By the time they decide to take action, they’ve already incurred a substantial loss and the missing inventory is never recovered.

It’s been repeatedly proven that preventing loss is far less expensive than reacting to it.

 4.  Do you have an efficient way for concerned employees to report security problems?

A confidential hotline can be an invaluable tool to learn about individual theft, collusion, fraud, workplace substance abuse, arson, product tampering, harassment or discrimination. Yet many companies still rely on methods of communication that don’t work for security-sensitive issues like these, such as open door policies or in-house tiplines. As a result, employees who become aware of unethical or illegal activity tend to remain silent.

In order for a tipline program to be successful it should be outsourced so workers can speak to people who won’t recognize their voices. Employees are more likely to confide in someone outside their company, rather than using an in-house system for tips.

Equally important, callers should never have to provide their name. The best response comes when you offer complete anonymity. The way we accomplish this with the Danbee Hotline, for example, is to provide every caller with a code number, which is one reason why we’ve received information that has exposed millions of dollars of losses.

5.  Are you checking your checkers?

 Too many companies have made the mistake of not keeping their checkers accountable. Because of this lack of oversight, a percentage of checkers become negligent or dishonest over time, and that’s when companies can rack up substantial losses.

 One effective way to control the accuracy and integrity of your checkers is by having loss prevention audits regularly performed. These can be done numerous ways.

 One method would be to have a security representative arrive (without any advance notification) during the time your trucks are being loaded, select one (or several) and reconcile the product found on the trucks to the shipping manifests.

Another technique would be having surprise audits performed on your trucks as drivers begin their route deliveries. We refer to these as non-covert surveillances. By having an investigator meet a driver at their first stop and perform a verification of each piece delivered throughout the course of the day, you will uncover product that has been over-loaded.

 Both of these security techniques are excellent ways to not only detect collusion or gross negligence, but they will also prevent it from taking place. 

 6.  Does your company effectively weed out on-the-job substance abusers and distributors?

 Nearly 90% of all employee drug users either deal or steal to support their addiction. As many distribution executives have learned, if you have a drug problem inside your company, you can expect to have a theft problem as well.

Two of the best ways to identify drug users and distributors on your payroll are through the use of a tipline program or by inserting an undercover investigator into your operation.

7.  Do you provide meaningful training for your key personnel?

 All too often, losses occur because managers and supervisors are not educated on how to recognize the subtle, ingenious ways that theft takes place in a distribution center. Keep in mind that much of this theft and collusion looks exactly like standard operating procedure. The reality is that if your key people don’t know what they’re looking for, they probably won’t see it.