About Paul Curwell, CPP, CFE, CISSP

Paul is an experienced security, integrity, fraud & intelligence leader who works for a ‘big 4’ consulting firm. He helps mitigate physical, fraud, trusted insider, supply chain and cyber-physical threats for critical infrastructure, financial services and other clients. Prior to Deloitte, Paul was the global lead for intelligence and due diligence investigations at Australia’s largest bank for 5 years.

The costs of an IP breach

8 minutes

Think IP theft will never happen to you?

After finishing business school, I worked for a biotechnology company based at The University of Queensland. As part of my work on campus, I interacted with many companies and came across a case which would become commonplace throughout my career – theft of IP by departing employees.

The company concerned had employed a number of scientists to perform research, with the intent of commercialising that research to generate a Return on Investment (ROI) when it was ready to take to market. Unfortunately, once the research was effectively complete a number of researchers resigned and went to a competitor, where they were offered higher pay and more senior positions.

people sitting inside well lit room
Photo by Pixabay on Pexels.com

A short time after the former employees left that business, their new employer started pursuing patents and other IP Rights for the same research. Ultimately, the former employees were taken to court and their new employer found to have acted inappropriately. Whilst this insider threat case ultimately had a positive outcome, it was at the expense of considerable time, effort and legal fees.

Could this situation have been avoidable?

An IP breach will cost your business big time

Entrepreneurs and business leaders of startups get really invested in their business, and can sometimes develop ‘tunnel vision’ where a small number of issues consume their focus and energy.

Unfortunately, in my experience leaders who are not familiar with legal issues often fail to fully grasp what is involved in remediating any data breach and are often overwhelmed when faced with managing incident response.

To illustrate the true costs of a security incident, the 2016 Deloitte report entitled ‘The hidden costs of an IP breach’ places remediation costs in two categories:

Above the surface
(better known cyber incident costs)
a) Customer Breach Notification
b) Post-breach customer protection
c) Regulatory compliance remediation
d) Media and public relations campaign
e) Legal and litigation fees
f) Technical investigation
g) Cybersecurity program uplift
Below the surface
(hidden or less visible costs)
a) Insurance premium increases
b) Increased costs to raise debt
c) Impact of operational disruption or destruction
d) Lost value of customer relationships
e) Value of lost contracts
f) Devaluation of trade name
g) Loss of Intellectual Property
Mossburg et al (2016). The hidden costs of an IP breach

Like everything in life, timing is important. If your IP leaks before you are ready to commercialise or have formalised your IP rights, it can have disastrous effects, often resulting in a small or medium-sized businesses (SMB) being shut down. Surely more can be done?

Protecting your IP through legal mechanisms – such as patents, copyright, trademarks, plant breeders rights, circuit layout rights and ‘trade secrets’ – are very important, as is use of Non-Disclosure Agreements. But you also need to consider Information Security as part of your toolbox to protect IP.

court room bench
Photo by Zachary Caraway on Pexels.com

Just because you have legal protections in place doesn’t mean your IP can’t be compromised. A worst case scenario for many organisations is that their research is leaked before they have successfully obtained a patent, or that their trade secret is published. In these situations, competitors and other actors can exploit your hard work to:

  • Quickly replicate your work and bring it to market before you have obtained full IP Rights (i.e. they beat you to the patent)
  • Bring a competing product to market, perhaps in jurisdications where you have not applied for IP Rights (most organisations cannot afford to lodge patents in every country worldwide, and do so selectively) which competes for market share – these products are often cheaper as R&D costs do not need to be recovered, but over time may cannibalise your market share and revenue
  • Engage in successive rounds of litigation and legal red tape, aiming to exhaust your legal defence funds and bankrupt your business so as to obtain the rights for free or cheaply under licence.

Thinking “it will never happen to me” and placing your investment and hard work in the hands of blind faith is an avenue walked by many entrepreneurs and researchers, many of whom learn the hard way.

Starting early to properly protect your IP through BOTH legal and information security approaches is essential. Doing only one or the other is not suifficient.

How do VCs and Angel Investors view IP?

Whilst you may be comfortable with your current IP protection arrangements, as your business starts to grow and you need capital to scale leaders need to turn their minds to what investors will think. Investors have a scarce commodity – money – and there are a lot of companies vying to help them spend it.

Investment attraction in innovative industries requires protecting your IP. In 2015, Forbes wrote an article entitled ‘Do Venture Capitalists Care About Intellectual Property?’. The answer, as you might imagine, was a resounding yes.

The article identifies two types of Business Angels – those who invest on blind faith (perhaps a friend or family member), and those who do solid due diligence. The article quotes Brian Cohen, author of ‘What Every Angel Investor Wants You To Know‘, as saying “for many startups, the IP is the sole basis for the valuation of the company, so investors need to be confident that it is real”.

Venture Capitalists and Private Equity investors get even more serious about their IP assets:

“ Many founders make mistakes in the first 12 months of business that cost them dearly as they build their companies. These mistakes revolve around intellectual property, founding team members, initial product that is built and market validation.”

Quoting Entrepreneur-turned-VC Mark Suster in Jutten (2015)

To be positioned as an attractive investment, you need to do everything reasonable to ensure the business is as attractive as possible.

white paper with print on a typewriter
Photo by Markus Winkler on Pexels.com

You need to protect your IP from Day One

One of the mistakes I see is that founders or company management often fail to pay sufficient attention to security. Information Security – which is broader than the more technical cyber security – is focused on your organisation’s most important information assets (that is, your research or technology), understanding who has access to them, and how they could be compromised.

Many innovative or technology companies pay attention to legal protections for their IP early, but information security and insider risk management is left until later. Some start-ups are founded by groups of friends who never consider they may fall out or have a falling out or rogue employee in the future.

The most critical elements of protecting your IP and trade secrets from an information security perspective include:

  • Identifying your critical information assets
  • Identify who has access to them
  • Performing a risk assessment to understand how these assets could be compromised and identifying controls and control gaps in your current processes
  • Implementing auditing and logging tools to facilitate detection, investigation and response to potential incidents
  • Implementing a fit-for-purpose information security program to properly manage your cybersecurity, workforce (people), supply chain and business partner risks in relation to your IP
  • Building an organisational culture which appreciates the importance of a positive security culture and high levels of security awareness

What can Small Medium Businesses do to mitigate these risks?

ISO27001:2022 Information Security Management System and ISO27002:2022 Information security, cybersecurity and privacy protection — Information security controls provide an excellent foundation for any business seeking to implement IP and proprietary information protection, in addition to legal avenues.

As a small organisation, it may be overkill for you to develop the complete ISMS required under 27001, but applying 27001 selectively in a measured way will help you mitigate security risks whilst at the same time providing a strong foundation to seek external investment.

This approach means your ISMS can be progressively uplifted or enhanced as your business grows and risk profiles change – in time, you will have an ISO27001 ready ISMS to seek ISO/IEC Certification should you chose or it becomes a condition of your investment.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Product Serialisation – a tool to help counter diversion and illicit trade

5 minutes

When was the last time you bought diverted product?

Illicit Trade and diversion is a problem which keeps growing. Have you ever purchased a counterfeit product? Would you know if you did?

If you’re a regular online shopper the chancers are good that you’ve come across illicit product, possibly without knowing it.

men s gray crew neck shirt

I was recently at my local barbers getting a haircut when I noticed the container of a popular brand of talcum powder.

Only the logo and product name was in english – everything else was in Indonesian.

My barber mentioned he hadn’t noticed, but bought it because it was being sold cheaply online. This is an example of product diversion.

To highlight the risks of diverted or counterfeit product, there are many articles online about the link between talcum powder and cancer. By purchasing talcum powder on the illicit market you may unknowingly be exposed to asbestos, which causes lung cancer.

Most people know what counterfeits are, but diversion is less well known. Diverted product is authentic product sourced at a discount (or stolen) in one market, and then resold in another market. The diverter pockets the price differential between bought and sold, and the manufacturer (and their authorised distributors) lose out.

Mechanisms that provide track and trace functionality, such as serialisation, are essential for the detection and investigation of illicit trade.

Serialisation can help improve supply chain integrity and counterdiversion

When we talk about serialisation in a supply chain context, it refers to the process where a unique identifier – usually a serial number or barcode – to individual items or products in the supply chain.

In combination with data management, analytics, and a well-developed program, serialisation is a way to realise the tracking and tracing of products as they move through the supply chain and circulate in the market.

Supply Chain Integrity can be defined as providing an “indication of the conformance of the supply chain to good practices and specifications associated with its operations”

European Union Agency for Network and information security (2015)

Serialisation offers benefits to Supply Chain Integrity:

  • Traceability – Serialisation is the traceability mechanism by which manufacturers can track the movement of their product through the supply chain
  • Provenance – Serialisation itself will not establish provenance (unless serialisation is uses blockchain), but data related to provenance could be linked with the serial number to indirectly establish provenance
  • Authenticity – Serial numbers should be unique and be matched to specific product versions or models, making it possible to identify counterfeit and diverted product through test purchases, ‘mystery shopping’, or seizures by police or customs

Given the safety risks associated with illicit product, its no wonder the pharmaceutical industry is a leading adopter of serialisation:

  • The US Drug Supply Chain Security Act (DSCSA) requires serialisation, track and trace capabilities in the pharmaceutical supply chain, from manufacturers to retail pharmacies.
  • The 2019 European Union Falsified Medicines Directive (FMD) applies only to presciption medicines produced, imported or distributed in the EU.
  • The Chinese National Medical Products Administration (NMPA) has been managing serialisation since it was first introduced in 2013.
  • India commenced the serialisation journey in 2019, through its Drugs Technical Advisory Board (DTAB).

Australia is late to the party on serialisation in the pharmaceutical industry, with the Therapeutic Goods (Medicines—Standard for Serialisation and Data Matrix Codes) (TGO 106) being mandatory from 1 January 2023.

How does serialisation work?

Serialisation is the unique identification of each unit of a product, allowing a unit to be identified distinctly within its batch. Serialisation can be applied at multiple levels in any shipment:

  • Pallet
  • Consignment
  • Packaging (item and carton levels)
  • Labelling
  • Item

To maximise efficiency, Serialisation markings must be machine-readable and are typically applied via three techniques:

  • Barcodes
  • QR codes
  • Data Matrices

According to the Therapeutic Goods Administration (TGA), a Data Matrix contains various beneficial features not associated with the other methods, including:

  • A large data carrying capacity
  • Built-in error correction providing reliability and readability in situations where the label is damaged or if the pack is irregularly shaped
  • The ability to be easily printed at high production speeds, such as those found in medicine manufacturing environments.
deliveryman scanning the barcode
Photo by RDNE Stock project on Pexels.com

How can small-medium businesses access the benefits of serialisation?

It used to be that product serialisation was an expensive endeavour, but a number of recent articles online suggest serialisation is becoming much cheaper. The costs of serialisation can be quite substantial if not managed properly, but product serialisation can also add value to your supply chain and inventory management practices beyond mitigating illicit trade.

As the technology becomes more common and compliance programs mature, SMBs will be able to leverage their existing systems with serial number generation and management tools and labelling or printing tools to access the benefits of product serialisation.

    Further reading

    DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

    Diversion of critical technology – a byproduct of global competition?

    6 minutes

    Global competition for science and technology is heating up

    Unless you have been sleeping under a rock these past five years or so, you will be aware that the world is again in an era of great power competition. One key area in which this geostrategic competition is playing out is in science and technology. In addition to the omnipresent competition between businesses, nations are now trying to gain the upper hand for economic and national security reasons in a way we haven’t seen since the end of the Cold War.

    Developing a high level of scientific and technological capability maturity takes decades and requires substantial infrastructure, starting with basic education systems all the way to post-doctoral research. The research needs to be supported by a legal, regulatory and financial environment conducive to commercialisation, such as Intellectual Property law, sources of capital investment, and the right government policy settings. Lastly, countries need to have companies capable of converting consumer-ready ideas into products, and the ability to take these products to market.

    Where countries or companies cannot or do not wish to take a product to market, they use Technology Transfer mechanisms to assign ownership or control. If you can’t or won’t build these capabilities organically, the alternative offers a fast-track option: Steal it. If you want to take the illicit path, you have three main options: Theft, patent infringement and counterfeiting, or diversion.

    medival professionals holding test samples
    Photo by Tima Miroshnichenko on Pexels.com

    What is Diversion in the context of Technology Transfer?

    To understand the diversion of critical technology we need to establish some definitions, starting with Technology Transfer. I spent quite a bit of time learning about Technology Transfer at university, but it seems the inherent complexity hasn’t changed in many years. According to a 2011 World Health Organisation (WHO) report, the term “technology transfer has been notoriously difficult to define precisely”.

    WHO have chosen to go with a World Intellectual Property Organization (WIPO) definition which defines technology transfer as “a series of processes for sharing ideas, knowledge, technology and skills with another individual or institution (e.g. a company, a university or a governmental body) and of acquisition by the other of such ideas, knowledge, technologies and skills”.

    Diversion” refers to the unauthorised or unintended redirection of technology, confidential information, or components / materiel from its intended (authorised) receipient or use to a different party or for use in a different purpose.

    Diversion is different to Theft (although they often arise simultaneously): Theft is effectively taking something that isn’t yours without permission (and often without paying for it). For example, going on a laboratory visit, picking up a laboratory notebook and discreetly putting it in your bag for later is theft, not diversion. Although I cannot find evidence of it being discussed in this way in the literature, I consider Diversion a type of Fraud as it typically involves obtaining a benefit (the confidential information or technology) by deception.

    faceless operator examining drone in modern studio
    Photo by Pok Rie on Pexels.com

    Why should we care about the Diversion of critical technology?

    The impact of diverted technology depends on the what the technology actually is and the identity of the perpetrator. Diversion is commonly perpetrated by nation states, competitors, private intelligence collectors, non-state actors (e.g. terrorist groups), and trusted insiders (e.g., employees, supplier’s workforce). Diverted technology can have a number of national security and market competitiveness impacts, which over time erode competitive advantage and can expose companies and countries to undue risk, including:

    1. Military Superiority: Critical technologies often underpin a national defence capabilities. If adversaries or third parties access these technologies, your competitive edge can be eroded.
    2. Economic Competitiveness: Advanced technologies drive economic growth and national competitiveness. At the start of this 4th Industrial Revolution, science and technology goes hand in hand with economic prosperity.
    3. Critical Infrastructure Vulnerabilities: Critical technologies are often used to support critical national infrastructure like energy, transportation, and communication. Diverted technology could be used to identify novel vulnerabilities in systems (including zero-day cybersecurity vulnerabilities), which could be exploited by adversaries leading to widespread disruptions.
    4. Proliferation of Weapons of Mass Disruption and Dual-Use Technologies: Defence and dual-use technologies (those with both military and civil applications) can be diverted to sanctioned groups or nation states, destabilising global security.
    5. Diminished Strategic Autonomy: In this new ere of geostrategic competition, being reliant on another country is a strategic vulnerability (we saw this from the effects of the COVID-19 pandemic). Diversion can lead to increased dependence, potentially compromising a nation’s independence.
    6. Foreign Interference and Espionage: Diverted technology can provide adversaries with insights into a nation’s capabilities, strategies, and operations, potentially undermining its diplomatic and security efforts.

    There are many ways in which technology can be diverted, such as False End Users, front companies, use of brokers or intermediaries to obtain information, joint ventures or mergers and acquisitions, IP Licensing agreements, insider threats, foreign student arrangements, and many more. In some cases, once the diverted technology is obtained by the adversary, it will be copied or reverse engineered before going into production (manufacturing). The benefit here means that companies can build a competing product (or military capability) at a cheaper price. without the overheads of having to recover the costs of research and development.

    Further Reading

    • Gaida, J., Wong Leung, J., Robin, S., Cave, D., Pilgrim, D. (2023). ASPI’s Critical Technology Tracker – Sensors & Biotech updates, Australian Strategic Policy Institute, https://www.aspi.org.au/
    • Hannas, W., Chang, HM (2021). Unwanted Foreign Transfers of U.S. Technology: Proposed Prevention Strategies, Centre for Security and Emerging Technology, https://cset.georgetown.edu/
    • McBride, J. and Chatzky, A. (2019). Is ‘Made in China 2025’ a Threat to Global Trade?, Council on Foreign Relations, https://www.cfr.org/
    • Toman, D., Famfollet, J. (2022). Protecting Universities and Research from Foreign Interference and Illicit Technology Transfer, European Values Centre for Security Policy, https://europeanvalues.cz/
    • WHO (2011). Pharmaceutical Production and Related Technology Transfer, www.who.int

    DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

    Channel stuffing fraud – a distribution problem

    8 minutes

    What is Channel Stuffing?

    Channel Stuffing is also known as ‘trade loading’, and is where sales teams sell an abnormally large quantity of product to distributors at one time. These sales are usually at a significant discount, or on generous payment terms making it both attractive and financially viable to the buyer. Channel Stuffing increases earnings in the short-term, but you are effectively front-loading the next quarter’s sales, which makes it harder to achieve future sales targets.

    Sometimes, Channel Stuffing can be fraudulent, such as where a sales person engages in Channel Stuffing to get a higher short term incentive (bonus) or commission knowing they intend to resign before the next quarter. In some cases, the buyer (e.g. retailer) is forced or coerced by the Distributor to purchase the extra inventory. This can damage the relationship and even impact the retailer’s financial viability.

    To make it more attractive to sourcing and procurement teams in the retailer, the sales person attemping Channel Stuffing may offer bribes or kickbacks to the retailer’s staff to complete the Channel Stuffing transaction, or distributor sales staff and retailer procurement staff may be acting in collusion to perpetrate the scheme. An illustration of how Channel Stuffing works is shown below:

    Companies that don’t have proper controls in place are likely to fall victim here – it’s worth pointing out that Channel Stuffing is an internal fraud, a type of insider threat which occurs in the distribution stage of the supply chain.

    man operating silver machine for silver steel kegs
    Photo by ELEVATE on Pexels.com

    What industries are most exposed?

    Industries most at risk of Channel Stuffing are those with high margins, because high margins can be discounted without overly impacting revenue. Those most likely to be impacted include:

    • Consumer Electronics
    • Tobacco
    • Automotive Industry
    • Pharmaceuticals
    • Fast Moving Consumer Goods (FMCG)
    • Technology, including software providers
    • Fashion and apparel
    • Industrial equipment
    • Alcohol and Distilled Spirits

    As with many supply chain and distribution fraud schemes, it is hard to find reliable statistics on incident data so I have replaced a graph of losses with a more uplifting pic of something I enjoy – getting outdoors!

    people riding on inflatable raft
    Photo by Hilmi Işılak on Pexels.com

    Who are the victims in Channel Stuffing?

    There are two victims in channel stuffing fraud – that is, parties who incur a loss. First is the distributor (channel partner) itself which employs the sales team. This is commonly the case in fraud perpetrated by one or a small group of disaffected sales leads who are trying to engineer a good bonus and intend to resign in the near future to avoid any repercussions.

    Where sales people have fraudulently engineered sales, the channel partner may need to engage legal support to claw back bonuses, and may also be subject to financial penalties from the manufacturer under the Distribution Agreement for having inadequate controls which allowed Channel Stuffing to happen.

    The second victim is the manufacturer or business which creates its products and sells them to customers via its channel partners. This company is dependent on third party channel partners to execute the distribution agreements as agreed.

    Impacts of Channel Stuffing include:

    • Financial: Depending on scale and materiality, Channel Stuffing will likely impact a manufacturer’s actual revenue against plan (forecast), artificially inflating revenues in the short term. For publicly listed companies or companies with Private Equity investors, if not detected material cases of Channel Stuffing could be misleading to investors and have regulatory impacts.
    • Customer Satisfaction: Customers of the distributor (i.e. retailers) may be forced or coerced to take on additional inventory, which can impact customer satisfaction, brand and reputation. Where products are easily substituted for a rivals, retailers may even stop offering a product and switch to selling other brands.
    • Inventory distortions: A large volume of unexpected sales (through Channel Stuffing) will result in excess inventory at a retailer, which could take months to clear and may even need to be discounted. This situation can also trigger a manufacturer to build more product, believing that market demand for their product is high. When Channel Stuffing is discovered, one or more parties will be left holding excess inventory, with all the associated implications.
    • Misrpresentation of sales and marketing campaign effectiveness: If a large incidence of Channel Stuffing occurs during a sales campaign or when A|B testing is underway, this may give a wrong impression that the sales are driven by marketing or advertising when they are actually fraudulent. This can cause manufacturers to spend thousands of dollars on marketing and advertising which isn’t actually working.
    • Returns: Some purchasing terms may include provisions for retailers to return excess inventory for a refund a few months after the sale was completed. Sales teams may walk away with a larger bonus, but the manufacturer will be left to unexpectedly refund some or all of the sale, and accept the additional inventory or alternately agree to the inventory being sold at a heavy discount to end users or offloaded onto the resale market. Either way, the manufacturer loses.
    man falling carton boxes with negative words

    How can you identify Channel Stuffing and what are the indicators?

    Identifying frauds and insider threats like Channel Stuffing is really an intelligence and analytics problem. In order to detect fraud, we need to know what we are looking for. The most effective way of doing this is to build one or more typologies that captures how the fraud scheme would actually work in your business, and what to look for. If you’ve never heard of a typology, have a read of my previous article.

    If you read Forewarnedblog.com regularly, you will know I frequently talk about the importance of keeping data on incidents – such as through an incident register. Use the details of a previous case (or public cases involving your competitors or similar industries) for Comparative Case Analysis which allows you to develop detailed fraud detection typologies.

    Detecting any type of threat in your data involves identifying the patterns (behaviours, indicators), anomalies (unusual activity), and signatures (unique offender characteristics associated with how they perpetrate the fraud). Indicators of Channel Stuffing to look for in the data includes:

    1. Unusually High Sales Volumes: Look for anomalies and spikes in sales figures, especially towards the end of reporting periods or bonus periods
    2. Rising inventory: setting aside seasonable flutuations and sales trends, can inventory increases be reliably explained?
    3. Extended Payment Terms: Do unusual sales volumes correlate with issuing of extended payment periods or more favourable return policies for retailers?
    4. Excessive Discounts or Incentives: Is your business offering unusually high discounts, rebates, or incentives to distributors or retailers?
    5. Returns and Chargebacks: (lagging indicator) Can abnormal rates of returns, chargebacks, or unsold inventory be observed in a period after indicators 1-4 were identified?
    6. Abnormal Sales Patterns: Are there any anomalies such as consistently high sales in the last week of a reporting period?
    7. Increased Distributor or Retailer Complaints: Are partners reporting concerns about pressure to accept more inventory than they can reasonably sell?
    8. Unrealistic Sales Targets: Are they realistic, or are they impossible which encourages sales staff to resort to Channel Stuffing (especially where sales team compensation is commission-based)?

    By paying attention to these indicators, you can help businesses detect and prevent channel stuffing, ultimately safeguarding their financial integrity and long-term relationships with distributors and retailers. Additionally, offering guidance on transparent and ethical sales practices will contribute to sustainable business growth.

    Four things businesses can do to minimise Channel Stuffing risk

    With an understanding of what Channel Stuffing is and the ways it can be identified, there are four key things businesses can do to mitigate the risk:

    • Develop typologies and use data analytics to continuously monitor for, and proactively detect Channel Stuffing
    • Implement transparent, detailed reporting that ensures visibilty of emerging trends and issues that allows early management intervention
    • Ensure appropriate reporting and audit rights are included as part of any distributor compliance program forming part of Distribution Agreements. Channel Managers need to consider this in the Channel Management strategy.
    • Implement programs to perform market surveillance and obtain customer (end user) feedback to understand what is actually happening and who is buying your product. This helps validate observations in data analytics

    As with all fraud schemes, paying attention to your data and having a good understanding of your business can help deter and detect frauds early. The bottom lime is that proactively looking for Channel Stuffing can avoid significant downstream pain!

    Further Reading

    DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

    An introduction to third party screening processes

    7 minutes

    What is screening and why is it important?

    Screening is a term applied in the governance, risk and compliance field which equates to one or more database checks. In a screening process, the name of a business, organisation or individual is queried in a database to identify potential matches.

    white jigsaw puzzle illustration
    Photo by Pixabay on Pexels.com

    Where a match is identified, the screening process should include a confirmation step to determine how reliable the match is prior to determining next steps. Screening is used in a range of functions, including:

    Many risk and compliance laws and international standards have a reasonable expectation that screening will be performed by business and government as part of routine business operations or as part of customer service delivery. Vendor screening is also an essential part of vendor due diligence and is a foundational element of any supplier integrity framework.

    Overview of the screening process

    Any screening process comprises two stages – screening design and screening delivery – with a total of five steps in the process, as follows:

    Stage 1 – Screening Design

    • Determine screening context and objectives: Confirm what you need to achieve by screening. This could be an obligation under legislation, standards, or policies.
    • Agree screening parameters: Determine what you are going to search (sources), when (at what point in a process or relationship), how frequently (e.g. once on commencement of relationship annually ), who will perform the work and where the results will be stored.

    Stage 2 – Screening Delivery

    • Perform name-based screening: Query the relevant database for a name manually or automatically, ensuring all steps and results are documented.
    • Qualify potential matches and escalate matters of concern: Have a mechanism to perform further view (investigation) of likely matches
    • Perform Quality Assurance (QA) to validate search parameters, providing assurance that your proceses achieve their intended objectives.

    Screening processes employing ‘name matching’ algorithms are inherently risky

    If you are unfamilar with text analytics or computer science, you could be forgiven for thinking every search you do in a database is the same, but this is not correct. Broadly speaking, there are two main types of screening query:

    • Exact Name Matching: This search setting queries the exact phrase you have entered against the database (some systems may also be case sensitive). If there is a typo or names are back to front, no match will be returned giving a erroneous result.
    • Fuzzy Name Matching: Fuzzy matching is used to compare to search strings which may be similar but are not identical based on critieria determine either by the user (when performing the search) or by the algorithm.
    google search engine on macbook pro
    Photo by Pixabay on Pexels.com

    Common problems encountered when designing your screening process (Stage 1 above) include:

    • Spelling errors
    • Truncated words
    • Names containing multiple languages (e.g. Arabic + English)
    • Names that have been incorrectly translated to English (either in a database record or in the search parameter)
    • Dealing with initials and titles / honorifics
    • Words that are out of order (e.g. surname -> first name or first name -> surname)
    • Spaces and hyphens
    • Nicknames or unofficial names

    When performing screening for compliance purposes, it is common to determine how your screening procesess (including selected search parameters) complies with your organisation’s policy, legislative obligations, or risk appetite. It is also important to understand your data, both in the database and the material you are using to search. If your data quality is poor, you can have the best process in the world but you will still miss something. In a compliance or reputation context, improperly performing screening can have serious financial and legal consequences.

    What should businesses screen for?

    Precisely what a business screens its vendors for will vary depending on regulatory obligations, internal policy settings and risk appetite. In some cases, the cost of performing the screening may outweigh the risk. Examples of what is commonly employed as part of a screening process include:

    Screening is only the first step in any supplier due diligence or third party risk management. Remember that not everything is in a database, and may require an audit or use of investigative techniques for detection. Show and Shadow Factories are one such example.

    There are a plethora of screening solutions on the market, particularly for vendors. Some screening solutions are aggregators meaning they offer access to multiple different databases (e.g. financial viability plus adverse media) within the same interface. Many aggregators also offer proprietary reporting and case management tools, as well as continuous monitoring and alerting functionality at a variety of price points.

    What about emerging markets where there is no data?

    Screening tools are powered by databases, so the quality of the output reflects the data quality inputs. I have previously worked with clients to test the accuracy, coverage and reliability of paid proprietary databases against known results to determine whether the information holdings of paid databases are as accurate as they claim.

    Unfortunately, the results of these comparisons haven’t always been great, particularly when it comes to data quality in emerging markets. Here are three things to consider in this scenario:

    • Consider the type of record and what the regulatory obligations are for updating that record in the given jurisdiction. A country which provides 3 months for company secretaries to register a change of director is not going to show up in a database just because the company has made a press announcement
    • Understand whether the database vendor collects the records themselves, or if they are an agregator (or worse, an aggregator of aggregators). The closer your provider is to the primary source the greater the likely the record will be accurate and timely
    • Remember that errors can be made in declarations or when transposing information unless the country uses data validation tools. Some errors can be intentional, such as where a front company provides fictitious director details

    When designing your screening process, it pays to understand what you are doing and why, and confirm this meets your requirements and acceptance criteria.

    Further Reading

    DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

    Business Email Compromise – persistent threat or consistently mismanaged?

    5 minutes

    What is Business Email Compromise (BEC)?

    I remember working in banking when BEC first happened – according to Google, this was around 2013. In our bank security department, we worked out how the fraud scheme worked, quickly developed internal controls and process improvements to reduce our vulnerabilities, and effectively treated the risk. So why in 2023, ten years later, are business owners still falling victim to BEC and other scams? More concerning, some executives only hear about BEC when they have become a victim – so what is BEC and how does it happen?

    BEC is a type of fraudulent email scheme (scam) – more specifically a cybercrime – where fraudsters attack a company’s internal processes or functions. Most commonly, I come across BEC in relation to invoicing scams or banking transactions, but there are also other less common variations. Criminals use phishing techniques, which involve well crafted or deceptive emails, and in some cases other social engineering tactics as well, to convince an employee or manager that they are legitimate.

    an exhausted woman reading documents
    Photo by Mikhail Nilov on Pexels.com

    At times, these emails may even be combined with other channels such as phone calls to reinforce the sense of urgency, build trust and rapport with the victim. A simple ‘BEC attack example’ involves 4 phases – research & reconnaisance, targeting, attack, escape – as illustrated below:

    Here’s an example how BEC could play out:

    BEC is still happening – why?

    As a cybercrime / online fraud, the simple TTP (Tactics, Techniques, Procedures) employed by criminals mean and the ensuing response by workers means BEC is still going strong. According to the Australian Competition & Consumer Commission (ACCC) ‘Targeting scams 2022‘ report:

    • In 2022, Australian’s reported $569million in losses to ScamWatch, a 76% increase on the previous year
    • The volume of incidents has decreased – but the value of incidents has increased (average losses have increased by 224% since 2020)
    • Losses from False Billing scams totalled $24million in 2022

    These statistics demonstrate the size of this problem. Clearly, businesses need to do more to manage fraud, cybersecurity and scam risks.

    Why is BEC still this prominent? Simple – because it works.
    For criminals, fraudsters and scammers, it’s quick, cheap and profitable.

    People are too busy to stop and think about what they are doing or take process shortcuts, to trusting of what happens online due to poor security awareness or inadequate fraud awareness training, or because the way the scammer delivers their ‘attack’ email is so well crafted it gets the recipient on the hook easily and convinces them it’s legitimate.

    For managers, its important to realise that BEC has a strong nexus to your Insider Risk Management program – BEC scams cannot succeed without a wilful, complacent or ignorant insider.

    A strong Trusted Insider program should be mutually reinforced and supported by a strong security culture, where all staff (including contractors and casuals, not just employees) understand and embrace the importance of security to your business. If security awareness is low and you have a poor security culture, employees and contractors can be complacent or even ignorant of the risk.

    How to prevent BEC and other scams?

    Who typically gets targeted? Because BEC frauds primarily target the invoicing process, staff in accounts and procurement are most likely to be targeted, as well as potential line managers, executives and their assistants.

    1. Up your game – improve culture and awareness

    Whilst all staff in your organisation should have some level of fraud and security awareness, staff in these roles should have a high level of understanding about BEC, it’s various forms, and how prolific it is.

    2. Identify, assess and manage the risk

    Too often, I find organisations which haven’t stopped to think about how fraud and security issues can materialise in their business. Business need to perform a detailed security risk assessment to understand how and where they may be vulnerable to cybersecurity or fraud compromise. Any security or fraud risk assessments should be regularly updated to reflect changes in the business and its operations.

    3. Review your business processes and internal controls

    Frauds and scams differ from violent crimes in that they exploit a business process. To succeed, criminals must complete a particular task, often in a specific order. For a business, each of these tasks is a vulnerability unless you have sufficient internal control coverage to mitigate these risks.

    In practice, I find overlaying a process map of the scam or fraud from the criminals (external) perspective onto the internal business process helps identify gaps (vulnerabilities). This is often done in Red Teaming and other Security Assurance activities.

    Further Reading

    DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

    What security policies do small and medium sized businesses need?

    5 minutes

    Policies play an essential role in coporate governance – even for SMBs

    One of the topics I’ve always been interested in is how we can uplift the resilience of Small and Medium Sized Businesses (SMBs). Whilst SMBs are the engine rooms of our economy, they typically have immature information security and fraud protection capabilities despite facing the same threats as large organisations. In fact, the 2020 Australian Cyber Security Centre (ACSC) survey showed that 65% of Australian SMBs surveyed spend less than A$999.00 on their security! It’s no wonder they fall victim to phishing, ransomware, data breaches and other exploits. Like having a good security culture, and tone from the top, policies are another essential.

    OK, so the topic of policies can be quite dry – many of us don’t get excited by reading our company policies (some of us might even fall asleep), but they play a key role in setting expectations for staff, customers and suppliers. Corporate Governance is all about how businesses are organised, managed and governed, and comprises the principles, practices and structures that help inform decisions, operations, and conduct.

    Policies are formal statements that outline guidelines, principles or rules governing the behaviour, actions and decisions of staff and management within an organisation. Whilst SMBs don’t need a comprehensive policy library like you would find in an ASX100 company, there are a few security policies which are essential.

    white and red boats on lake
    Photo by Gilberto Olimpio on Pexels.com

    What are the main security policies every SMB should have?

    When it comes to security policies for small to medium-sized businesses (SMBs), there are several key ones that can make a significant impact – see below for details:

    • Information Security Policy: This policy establishes guidelines for protecting sensitive information, data, and assets. It covers data classification, access controls, encryption, password standards, and safe data disposal.
    • Acceptable Use Policy: This outlines how employees can use company resources like computers, networks, and the internet. It helps prevent misuse and establishes boundaries to ensure productive and secure usage.
    • BYOD (Bring Your Own Device) Policy: As remote work becomes more common, this policy addresses the use of personal devices for work purposes. It should outline security requirements for these devices to ensure they don’t compromise sensitive data.
    • Incident Management Policy: This policy should address what to do in relation to a broad range of incidents, such as cyberattacks, natural disasters, and equipment failures. It outlines how to respond promptly and effectively to minimise disruptions.
    • Remote Work Policy: With the rise of remote work, this policy addresses the security measures needed for employees working outside the office. It should cover secure connections, data storage, and device security.
    • Access Control Policy: This policy defines who has access to what data and systems. Implementing least privilege principles ensures that employees only have the access necessary for their roles.

    Additional policies, covering topics such as physical security and vendor / third party security standards may also be appropriate, complementing your business’ employment, code of conduct, and other workplace policies.

    booth branding business buy
    Photo by Pixabay on Pexels.com

    Start as you mean to finish

    When running any business, there is always so many things to do. Marketing, sales, customer engagement, product – the list goes on. Governance and Risk Management often take a bit of a back seat, especially in smaller organisations, and typically only become more important as organisations grow and management has time to focus on these issues. However, policies and risk management are one of those things that really needs to be considered earlier for three reasons:

    • Policies – even simple ones – add value to a business by improving governance, ensuring staff adopt the desired behaviours, and improved management outcomes
    • Provide clear and constistent advice to staff around BYOD and Remote Working – data loss and data breaches are becoming an increasingly common occurence, and remote working and BYOD arrangements are a key vulnerability. Whilst technical controls are available to mitigate some risks, a policy that clearly sets out what is expected of staff and in which circumstances is essential to manage risk.
    • Well-governed suppliers are more attractive to buyers – due to their size, SMBs are unlikely to have robust supplier assurance programs which contractually oblige suppliers to meet certain standards, but they are likely to sell their products or services to larger companies. Having good governance and standards in place demonstrates a degree reliability, quality and integrity which suppliers can put faith in and might just win you that next contract!

    Further Reading

    DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

    Returns Fraud – a risk for eCommerce companies

    7 minutes

    What is Returns Fraud?

    Returns fraud is a deceptive practice where customers purchase a product from a retailer so as to either temporarily ‘borrow’ the item, or to obtain a refund or store credit. Returns Fraud involves deception on the part of customers, who seek to return a product under ‘false pretences’. Common returns fraud typologies include:

    • Online returns fraud – where customers make a false claim in order to obtain a refund or store credit. Typically, these customers claim that they did not make the purchase (when buying using a credit card), that the goods did not arrive, or that the goods which arrived were faulty, damaged or did not match the description when purchased. Many customers do not return these products whilst also claiming a refund, meaning they actually keep the goods and profit from the refund.
    • Product substitution with lower cost items – customers purchase a high-quality item from one store / brand, and a similar but low quality item from another store. They may remove product tags or labels, or place the substitute product in the high quality product’s packaging before returning. Often returned goods are not properly scrutinised, or may be returned to third party service providers, and by the time the fraud is detected it is too late.
    • Product substitution with counterfeit items – this typology is the same as with lower cost items above, except the substituted product is a counterfeit item. This creates issues for retailers if the counterfeit item is repackaged and released for resale without proper inspection, and can result in brand damage or create consumer safety issues.
    • Wardrobing – a common problem especially for online retailers, consumers purchase items of clothing for a specific event (such as a party), use the item of clothing, then return it for a refund or exchange without declaring this use to the retailer.
    • Use of fraudulent receipts – some consumers alter or forge sales receipts and use these along with often substituted or second hand goods to attempt a refund without having purchased the item. Physical retailers without robust returns processes, who do not verify information on receipts against their records, or who place returned items to one side to process in quiet periods, are particularly vulnerable.

    Returns Fraud can be perpetrated by external parties (i.e. opportunistic individuals and actual customers), employees (i.e. trusted insiders), and external parties in collusion with trusted insiders.

    elegant male outfits on dummies in modern boutique
    Photo by Andrea Piacquadio on Pexels.com

    How does Returns Fraud impact retailers?

    If not properly managed, Returns Fraud can have significant implications for retailers and may even send struggling businesses to the wall. Returns Fraud will impact profits, operating costs and brand in the market. Examples of the impact of Returns Fraud on retailers include:

    • Increased Operating Costs – Retailers may need to employ additional staff to manage and process returns, as well as spending more on loss prevention or fraud protection programs. In some cases, specialist expertise may be required, particularly for high value or complex disputes which retailers are not equipped to handle.
    • Card Scheme penalties – Card Schemes such as Visa and Mastercard apply financial penalties to retailers (merchants) where a customer disputes a transaction, such as in the case of ‘online returns fraud’ (above).
    • Customer Experience and Trust – Retailers who implement stringent policies risk frustrating or offending legitimate customers, resulting in complaints, negative ratings online, or refusal to deal with the brand again. Balancing customer experience with retail security is a huge challenge.
    • Returned Inventory Management – The ‘reverse supply chain’ is challenging for any retailer, but it needs proper attention to mitigate risks of substituted, damaged, soiled, or counterfeit product being accepted, repackaged, and resold as legitimate by a retailer with potentially disastrous results.
    • Financial losses – As mentioned in my previous post ‘Product Security is fundamental to Product Management‘ (see “Security and integrity risks need to factor in pricing decisions“, link below), once a product has been stolen or diverted a retailer needs to sell significantly more product units to recover those losses. Over time, these losses erode revenue and impact profit margins, potentially making the business unviable.

    The challenge with Returns Fraud, as with any other security program, is the need to balance the inherent risk of Returns Fraud with customer service and customer experience. Some retailers have accepted a high incidence of Returns Fraud, only to find it has eventually sent the business bankrupt as word gets around the retailer is an easy target and the incidence of fraud increases.

    Three simple steps to mitigating Returns Fraud risk

    Recent media reporting indicates the incidence of Returns Fraud is increasing worldwide, particularly wardrobing and online returns fraud; however, there are three steps businesses can take to mitigate the risk:

    • Return policies – Policies must be clear, legal, compliant with card scheme rules (for credit card payments), and transparent to allow consumers to understand retailer expectations and conditions of sale. Policies should be displayed prominently on the website and in-store, and customers should acknowledge conditions of sale in writing prior to payment. Evidence that a customer has read and acknowledged these policies should be retained by retailer systems and processes in the event of a legal dispute.
    • Using data analytics for fraud detection – data is essential for detecting unusual patterns or behaviours indicative of returns fraud. Provided the required data is collected, typologies can be developed and dashboards built to quickly facilitate detection. Examples of indicators retailers might look for in their typologies include customers who frequently return items (analysed data should include customer name, address, phone number, or email address to identify common purchases using fictitious names); returns of specific products or product categories within 48-72 hours after purchase; and returns of ‘prestigious’ items which consumers might not be able to afford. Early detection, proper investigation, and collection of evidence is crucial to minimising a loss.
    • Build high levels of employee awareness and a strong security culture – Employees are one of the most important elements of any security or fraud program. Poor awareness of fraud and security creates ignorance of the risk, preventing staff from being able to recognise problems and respond in a timely manner. Staff should be trained both on commencement and periodically (at least annually) throughout their employment, with targeted training being undertaken in response to new trends or criminal tactics. Further information on improving security culture can be found below.

    As you can see, the risk of Returns Fraud is real and must be properly understood, assessed and managed by retailers to mitigate unplanned losses and vulnerabilities. Failure to properly consider and plan for Returns Fraud in any retail business is likely to result in substantial financial loss, legal disputes, and brand damage, and may even send the business into insolvency.

    Further Reading

    DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

    Often overlooked, Product Security is fundamental to Product Management

    7 minutes

    Products are core to modern business strategy

    If you read Ellen Merryweather’s (of Product School.com) post of January this year (refer Further Reading), you may get the sense that product management is coming of age. A focus on products for businesses can provide stickier customers, unlock access to non-traditional markets, and generate annuity revenue rather than single transactions. These days, I find there are two main categories of products:

    • Products in their own right – such as medicines, or items of clothing and auto parts (e.g. tyres)
    • Products that are bundled with services – we see this with cloud-based software solutions, as well as products connected to the Internet of Things (IoT)

    Increasingly, physical products are incorporating connections to the IoT to provide after-sales services such as device updates or performance monitoring. Unlike services which are transactional, products have a finite lifespan both in terms of their operations (how many times they can be used, or will last) and from a market perspective before they are imitated by competitors, superseeded, or in the case of patented products when the patent expires. This means there is a target window in which to generate Return on Investment.

    vehicle headrest monitor
    Photo by Mike Bird on Pexels.com

    Product security and integrity risks are varied

    There are a range of fraud, security and integrity risks which impact products, many of which are specific to products and indusries. If not properly managed, product risks can have material implications on profitability and reputation, including:

    • Revenue loss or margin shrinkage due to theft, fraud and abuse by customers, staff and suppliers
    • Consumer safety / law issues including product safety and product recall
    • IP risks including patent, trademark (counterfeiting) and copyright infringements, and the tort of ‘passing off’
    • Commercial risks arising from brand damage, competition etc
    • Geopolitical risks – such as trade embargoes, disruptions and material shortages
    • Information and cyber risks – data theft, privacy breaches, cyber attacks, malware
    • Supply chain and distribution risks – including end user fraud, distributor fraud, and product diversion
    • After market risks – such as parallel imports, grey market products, resold products etc.

    Despite this risk landscape, I find it’s rare to see product management or product strategy frameworks that clearly articulate the importance of product risk management and the role of product managers in this. Contemporary product protection programs need to address cybersecurity, fraud, insider threats, supply chain security, and product integrity issues such has tampering to mitigate these and other fraud and security threats.

    lake with mountain view
    Photo by Ian Beckley on Pexels.com

    Inherent risks mean security & integrity has a place in product development

    When they materialise, fraud and security threats can have a range of direct and indirect impacts which affect product manufacturers, their suppliers and distributors, and customers (end users). Examples here include unplanned losses which erode product margin, sales or resales by unauthorised distributors which financially impact and poison relationships with authorised suppliers, and warranty and returns frauds by customers which compounds financial loss with additional expenses such as staff handling time.

    Consideration of security related issues is fundamental to realising both the return on investment into designing and releasing a product, and to maintaining the confidence of regulators and consumers that a product does what it says it will.

    To properly consider and mitigate these problems, I would argue that starting with a product risk assessment is an essential first step. Product managers need to assess and quantify fraud, security and integrity risks during the New Product Development (NPD) process. What is NPD? This is a 6-stage process that runs from concept to design, prototyping, and market, as illustrated below:

    The C-I-A triad of information security provides three risk categories that can be used as a starting point for product risk identification irrespective of whether the product is tangible (e.g. a computer chip or bottle of wine) or intangible (e.g. software):

    • Confidentiality – has the ability to keep sensitive information secret
    • Integrity – making sure your product is trustworthy, has not been tampered with, and is authentic, conforming, and reliable
    • Availability – making sure the product servicable as and when expected

    When we think about integrity and products I almost find it easier to think about it from two perspectives: seller and buyer. Supply Chain Integrity, which focuses on Provenance, Authenticity, and Traceability, is increasingly important for buyers where there are consumer safety or critical infrastructure protection considerations. In regulated industries, sellers (manufacturers) may need to consider how their products (and supply chains) may be compromised in order to make their products more attractive to buyers:

    Product Security and Integrity is more than cybersecurity

    In my experience, it is common to see product security programs focus exclusively on cybersecurity; however, this one-dimensional approach fails to understand the true nature of security threats. Security theory relies upon the concept of ‘security in depth’ – the use of multiple, complementary controls of many types (e.g. system, people, financial, physical security) which are mutually reinforcing and provide layers of redundancy to protect the asset.

    Focusing on one layer (e.g. cybersecurity) at the expense of all others just encourages criminals to achieve the same objective via other means. Examples of the varied security programs required at different stages of NPD include information protection programs and prototype security:

    Security and integrity risks need to factor in pricing decisions

    Understanding how to factor security and integrity risks into product pricing requires an understanding of how products are priced. Typically, a product is priced using a method which calculates total cost of inputs to create (and sell) your product, plus a profit margin – the article from Shopify (referenced in Further Reading below) provides a great introduction to product pricing and strategy.

    Importantly, calculating the cost to produce and sell a product differs from your pricing strategy – for example, you may have a product which is cheap to product but can be sold at a very high margin, either because of some unique factor, market demand, or limited supply. Conversely, you may wish to quickly gain a large market share for first mover advantage or to displace competitors, in which case you may be prepared to cut your margin.

    So what sort of security and integrity programs might you need to cost?

    • Product security and integrity controls including anti-counterfeit packaging, tamper evident features and anti-theft measures
    • Cybersecurity features such as Identity and Access Management, data encryption, network security and cyber threat intelligence, particularly if connected to the Internet of Things
    • Fraud protection features to mitigate the way opportunistic and organised fraudsters can abuse your product, such as via warranty fraud
    • Supply chain integrity and security including distribution frauds, product diversion and returns fraud. Whilst not product security per se, this add to the costs of goods sold
    • Market Surveillance to consider security threats such as counterfeiting and gray market activity as well as consumer safety and quality issues
    black dslr camera on white surface
    Photo by Pixabay on Pexels.com

    Some product managers include an additional ‘charge’ for fraud or security issues in the product cost. This effectively acts as an insurance mechanism, with the aggregated charges on sales not affected by fraud or security underwriting those that are. Obviously the ability to do this depends on many supply demand factors in the market.

    If you didn’t appreciate the importance of managing security and integrity risks inherent in product development and product management, hopefully you will now. As you can see, product risk has brings material considerations that need to be a feature of any product management framework.

    Further Reading

    DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

    Graph or Social Network Analysis – what’s the difference?

    Common terminology sows the seeds of confusion

    If you’re someone who has been involved in fraud protection, Anti-Money Laundering, Counter-Proliferation, Sanctions Evasion, anticounterfeiting (the list goes on) – basically any sort of investigation of networks, you will likely have come across concepts such as graph, link analysis, and network analysis. However, when you start to write use cases for your organisation and develop your functional requirements for technology, this starts to get messy. For those new to this area, the figure below provides an illustration of what social network analysis is:

    Illustration of a social network in analyst notebook
    Social Network Analysis illustration, US Dept. of Justice (2016)

    Unfortunately, the terminology we use every day is the source of much confusion amongst business users (investigators, intelligence analysts, security & fraud professionals), data scientists and technologists alike, making it hard to understand the actual problem which needs to be solved by technology. To understand this space, there are three main concepts to get your head around:

    • Network Analytics: Is a term that has its origins in computer science and ICT, and is used to help model, monitor and assess the health and performance of computer networks
    • Graph Analytics: Also known as ‘Graph Technology’, this term actually refers to a type of database – the Graph Database – which stores data in the form of a ‘graph’ or network. Graph is heavily used today in the newly emerged field of Data Science.
    • Social Network Analysis: Also known as ‘link analysis’, ‘network analysis’, and a variety of other names, this methodology has been around since the 1970’s and stems from the social sciences. It uses algorithms and other methods to model and depict the behaviours of groups of entities (e.g. people, objects), attributes (e.g. the characteristics of objects, such as a person’s name), and the relationships (connections) between them. This is important as Entities typically exist as ‘networks’ in society.

    The three concepts outlined above, each a distinct academic discipline, can be applied to three simple User Personas, as outlined below:

    UserUse Case
    IT DepartmentsUse network analytics to assess and manage the health of your IT and OT (operational technology – such as SCADA systems) networks
    Data Scientists, Data EngineersUse Graph Databases to facilitate complex modelling, analysis, and other data management related tasks
    Intelligence Analytsts, Investigators, Risk & Compliance OfficersPerform social network analysis to understand threat networks, such as criminal networks, organised fraud syndicates, or illicit corporate structures to assist in their identification, targeting and disruption
    Three illustrative user personas for graph and social network analysis

    Despite often using terminology interachangeably, we are actually referring to three distinct concepts which cause confusion when co-mingled.

    What is a graph exactly?

    A basic graph – whether we are talking about the way data is visualised within a graph database or as part of social network analysis – is depicted by nodes (entities) and edges (links or relationships). Fraud teams use enhanced depictions of ‘graphs’ to enrich a data with more information. Graphs (social networks) can be queried to return matching results, such as showing all individuals who are connected to a specific address in some way (e.g. home, work, family connections).

    For data scientists, one attractiveness of a graph database is that large networks can be more efficiently searched or analysed compared to a Relational Database (RDBM) such as SQL Server or Teradata. There are numerous use cases for graph databases, including:

    • Entity Resolution – to determine whether two entities are actually the same based on various attributes
    • Knowledge Graphs – to help answer questions or find the answer to something
    • Product Recommendation Engines – for customers of eCommerce stores to suggest other products purchased by similar customers
    • Master Data Management
    • ICT network infrastructure monitoring
    • Fraud detection

    Examples of graph databases on the market today include those produced by Neo4j, TigerGraph, AWS Neptune, Microsoft Cosmos, and many others.

    Why is Social Network Analysis important for countering threat networks?

    The term “Threat Network” is used by the U.S. Government when discussing any type of hostile actor (even lone actors are typically part of some social network). Examples include organised crime, nation states, organised fraud syndicates, counterfeiting syndicates, and industrial espionage networks. Without going into too much detail here, every threat network has a number of common roles which are required to achieve its objective.

    Let’s say a consumer fraud ring is running a boilerroom scam to defraud elderly investors. The network needs people to manage its finances, communications, recruitment, targeting to spot vulnerable investors, scammers to actually defraud them, and managers and leaders to coordinate the scheme. This concept is illustrated below in relation to drug production and trafficking:

    Organisational structure showing roles within a typical organised crime network
    Illustration of various roles within a threat network (JP 3-25)

    Social Network Analysis allows for visualisation of relationships and structures of all parties involved in the network, providing the ability to overlay additional information such as functions in the network. Social Science algorithms, such as Betweenness and Centrality, can be applied to social network data to identify key players or connections. These threat network vulnerabilities can then be targeted, such as through arrests or new internal controls, to disrupt threat actor activites. This concept is illustrated below:

    Illustration of how a network can be disbanded (disrupted) with effective targeting
    Illustration of how disrupting a network can render it ineffective (JP 3-25)

    How can I perform Social Network Analysis?

    Interestingly, you do not need a ‘graph database’ to perform Social Network Analysis. What you do need though is a suitable user interface for business users (e.g. investigators) which allows them to query, analyse, and interact with their data to achieve an outcome – such as identifying key players in a fraud ring. Without a suitable interface, business users will be unable to exploit the data effectively rendering it useless.

    Fraud and law enforcement teams have used Social Network Analysis for decades. You can do simple Social Network Analysis on paper or a whiteboard without the use of software – this is where the term ‘link analysis’ originated from. Whilst pinboards are useful for Hollywood movies and simple networks, analysts today are swamped in data making software essential.

    man in gray long sleeve suit holding a pen - social network analysis with paper and a pinboard
    Photo by cottonbro studio on Pexels.com

    In the late 1990’s or early 2000’s, the popular software known as Analyst Notebook was developed and is still in use today. These days, there is a proliferation of thick client and browser based software which performs this function, including Maltego, Linkurious, Palantir, Quantexa, and RipJar.

    As outlined here, there is a distinct difference between the concepts of network analysis, graph and social network analysis. Each has its own use cases, methodologies, user groups and supporting software. Understanding this landscape, and how all the pieces fit together, is essential to building any sort of threat intelligence or detection analytics capability.

    Further Reading

    DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.