Applying the critical-path approach to insider risk management

Posted on November 12, 2022 by Paul Curwell, CPP, CFE, CISSP

Paul Curwell, CPP, CFE, CISSP

What is the critical-path in relation to insider risks?

The ‘critical-path method’ (critical path approach) is a decision science method developed in the 1960’s for process management (Levy, Thompson, Wiest, 1963). In 2015, Shaw and Sellers applied this method to historical trusted insider cases and identified a pattern of behaviours which ‘troubled employees’ typically traverse before materialising as a malicious insider risk within their organisation.

Employees with concerning behaviours can sometimes manifest in the workpalce — Photo by Inzmam Khan on Pexels.com

This research paper was written after a period of hightened malicious insider activity in the USA, including Edward Snowden, Bradley (Chelsea) Manning, Robert Hansen and Nidal Hasan. Shaw and Seller’s research identified four key steps down the ‘critical-path’ to becoming an insider threat, as follows:

Personal Predispositions: Hostile insider acts were found to be perpetrated by people with a range of specific predispositions
Personal, Professional and Financial Stressors: Individuals with these predispositions become more ‘at risk’ when they also experience life stressors which can push them further along the critical path;
Presence of ‘concerning behaviours’: Individuals may then exhibit problematic behaviours, such as violating internal policies or laws, or workplace misconduct
Problematic ‘organisational’ (employer) responses to those concerning behaviours: When the preceding events are not adequately addressed by the employer (either by a direct manager or the overall organisational response fails), concerning behaviours may progress to a hostile, destructive or malicious act.

Shaw and Sellers note that only a small percentage of employees will exhibit multiple risk factors at any given time, and that of this population, only a few will become malicious and engage in hostile or destructive acts. Shaw and Sellers also found a correlation between when an insider risk event actually transpires and periods of intense stress in that perpetrator’s life.

Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

The ability to identify these risk factors early means managers may be able to help affected employees before they cross a red line and commit a hostile or destructive act from which there is no coming back – but only if a level of organisational trust exists and if co-workers / employees are aware of the signs. The research by Shaw and Sellers is summarised in the following figure, which has been overlaid against the typical ’employee lifecycle’ for context:

Graphic of the critical path in relation to the typical employee lifecycle — The ‘critical path’ in relation to the employee lifecycle (Paul Curwell, 2020)

Shaw and Sellers found the likelihood of someone becoming an insider risk increases with the accumulation of individual risk factors, making early identification a priority which should help inform decisions by people managers within an organisation.

**The critical path should help inform people-management decisions**

Over the past decade, the focus of emotional and mental health and well-being has grown in western society (as highlighted by COVID 19). On the supply side, tight labour markets have focussed the attention of managers towards maintaining employee engagement and retention. Society’s increasing openness to discussing mental health issues, including stress and anxiety, is helping provide a mechanism for earlier awareness of behavioural conditions which could trigger an employee or contractor to progress down the critical path and become a malicious insider.

Consequently, there are now various supports and interventions in the workplace and in society to help employees with personal predispositions who are experiencing life stressors. Examples of workplace assistance programs include:

Employee Assistance Programs – providing access to workplace psychological and counselling services
Financial counselling – for individuals who are over-extended in terms of credit or are struggling financially (this may include support restructuring personal debt to avoid bankruptcy)
Addiction-focused peer support and counselling – such as Gamblers Anonymous or Narcotics Anonymous

I’m sure that for some people, the increasing acceptance and willingness of society to be open to listening to colleagues who may be struggling helps to relieve the pressure somewhat, whereas historically these individuals may have been forced to suffer in silence.

It is critical employees feel adequately supported in the workplace to minimise insider risks — Photo by cottonbro on Pexels.com

The importance of these programs is that employees feel they are adequately supported, and that they are confident that if they self report an issue they will not be vilified, disadvantaged long term, or even fired for doing so. This concept is referred to by the CDSE as ‘organisational trust‘, which is a two-way street: Employers and managers must be able to trust their workforce, but workers must also be able to trust that management and the organisation will do the right thing by them.

The role of continuous monitoring (insider risk detection) systems and the critical path

Preceding paragraphs discussed the three main steps in the critical path, being personal predispositions, life stressors and concerning behaviors. Some of these may be visible to colleagues, such as an employee who is visibly angry. However, other indicators, such as accessing sensitive information, office access at odd hours, declining performance and engagement, may not be visible on the surface as ‘signs’ to co-workers.

Continous monitoring and evaluation tools, otherwise known as Insider Risk (Threat) Detection or Workforce Intelligence systems, are advanced analytics based solutions which integrate a variety of virtual (ICT), physical (e.g. access control badge data, shift rosters, employee performance reporting) and contextual information (e.g. employee is in a high risk role, information access is sensitive and not required in ordinary course of duty) in one central location.

Behavioural Analytics is typically marketed as a core component of software solutions on the market, although the way in which the behavioural analytics actually works may be a ‘black box’ with some vendors. These analytics tools are typically programmed to identify one or more indicators on the critical path, and generate ‘alerts’ or automated system notifications in response to an individual displaying the programmed indicators.

Most systems use some sort of identity masking, at least in the early stages of alert review and disposition, so that employees cannot be unncessarily targeted or vilified – at least until there is sufficient material evidence that suggests a problem which is sufficient to initate an investigation under the employer’s workplace policies.

Continuous monitoring is key to address behavioural change over time — Photo by Christina Morillo on Pexels.com

Continous monitoring systems require configuring for your organisation’s context

Importantly, as with any analytics-based intelligence or detection system, the system itself is only as good as what it is programmed to detect. Shaw and Sellers (2015) have this to say in relation to the blanket application of the Critical-Path Approach to every type of insider threat:

We do not suggest that this framework is a substitute for more specific risk evaluation methods, such as scales used for assessing violence risk, IP theft risk, or other specific insider activities. We suggest that the critical-path approach be used to detect the presence of general risk and the more specific scales be used to assess specific risk scenarios.
Shaw and Sellers (2015), Application of the Critical-Path Method
to Evaluate Insider Risks

This highlights the importance of ensuring your system is properly tuned to your organisation’s inherent risks, and could require multiple detection models, each of which focuses on a specific risk (e.g. sabotage, workplace violence). Models or rules used by these systems must be tuned to the organisation’s specific threats and risks, and configured in a way that reflects the organisation’s unique operating context.

The ‘garbage in, garbage out’ principle applies here: If your organisation only uses simple out of the box rules or detection models provided by the software vendor, it is unlikely these will detect the really critical risks to your business. Continous monitoring and evaluation for insider risks is an area which is developing quite rapidly, and is influenced by the convergence of cybersecurity with protective security and integrity more generally. I will discuss these continuous monitoring and evaluation concepts in more detail in future posts.

Typologies demystified – what are they and why are they important?

Posted on August 20, 2022 by Paul Curwell, CPP, CFE, CISSP

Paul Curwell, CPP, CFE, CISSP

What are typologies and what role do they perform?

The term ‘typology’ is used in the sciences and social sciences and can be defined as “a system for dividing things into different types”. According to Solomon (1977) “a criminal typology offers a means of developing general summary statements concerning observed facts about a particular class of criminals who are sufficiently homogenous to be treated as a type“. Use of the term ‘typology’ in this way apparently dates back to italian criminologist Cesare Lombroso (1835–1909).

As we see the increasing convergence of financial crime, cybersecurity and physical threat detection in domains such as insider threats or fraud, it becomes increasingly important to have an end-to-end understanding of the path and actions that ‘bad actors’ must take to realise their objective, as well as other factors such as offender attributes / characteristics, motive, and overall threat posed. Amongst other things, constructing a fraud or insider threat typology requires a good understanding of how and where an organisation’s normal business processes can be exploited, including an understanding of the systems and data needed by offenders to be successful.

How do typologies, modus operandi and TTP’s differ?

The disciplines of fraud, cybersecurity, intelligence analysis, security risk analysis and others have largely evolved in isolation from each other as this is the way we design organisations (by functional specialisation which align to employee positions, not threats which align to the criminals targeting the organisation). This has given rise to a variety of different terms and approaches to doing effectively the same thing.

Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

As disciplines converge, driven by the need for an end-to-end view of a threat in order to facilitate timely detection, professionals across these domains need to understand the practices and lexicon used by peers. In my experience and from research, a typology provides a broad overview of the threat and will comprise multiple data points, including but not limited to Modus Operandi / TTP’s:

Modus Operandi (MO) and Tactics, Techniques, and Procedures (TTPs) are effectively the same thing in practice and refer to the way a crime (or attack) is executed, the one difference being that MO has its roots in criminal law and TTPs in the military but today is heavily referenced in cybersecurity:

Tactics, Techniques and Procedures (TTPs) – “The behavior of an actor. A tactic is the highest-level description of this behavior, while techniques give a more detailed description of behavior in the context of a tactic, and procedures an even lower-level, highly detailed description in the context of a technique.” (NIST SP 800-150)

Modus Operandi (MO) – Latin meaning “mode of operating.” “In criminal law, modus operandi refers to a method of operation or pattern of criminal behavior so distinctive that separate crimes or wrongful conduct are recognised as the work of the same person” (Cornell Law School). For example, “it was argued that these features were sufficiently similar such that it was improbable that robberies with those features were committed by persons other than the respondents” (NSW Judicial Commission).

Everything we do leaves a trail, including in the digital world (often referred to as ‘digital exhaust‘). Detecting a potential ‘bad actors’ trail to prevent insider threats, financial crime and cybercrime requires both (a) understanding what to look for (which can comprise very subtle, highly nuanced signs amongst a sea of data), as well as (b) having tools sensitive and fast enough to collect, process and analyse these signs so as to prompt a response.

My favourite analogy for a typology is a recipe: If I am going to bake a cake, the typology is to a data scientist (who designs and runs the analytics models for detection) what the recipe is to the baker. In contrast, intelligence analysts are the recipe writers – they understand all the ingredients and how they need to come together. The skills of data scientists and intelligence professionals are complementary.

How do they relate to risks?

Should you choose to perform more research into the concept of typologies in criminology, you will find they can be developed for just about anything. But in the case of insider threats, financial crime and cybercrime, we are only interested in those threats which directly impact our respective organisation, customers, products, systems or assets. This means we need to link them to risks: Whilst we can develop other typologies, if the materialisation of the threat does not result in a risk to the organisation, then the exercise may be pointless.

To develop a typology that is capable of being used in an advanced analytics-based detection system, the typology needs to be as specific as possible. This means a typology should be developed for a specific, or highly detailed risk (i.e. 4th level risk). It is common to find there are one or more typologies associated for each 4th level risk. The following figure illustrates the relationship between risks, typologies and analytics-based detection models which generate ‘alerts’ (cases) for disposition and potential investigation:

Author: Paul Curwell (2022) (c) – how typologies bridge the gap between risks and analytics-based detection

Throughout my career I have worked with many typologies, and one of my early learnings was that typologies are highly contextualised. For example, an employee who has resigned and works in sales whose job involves sending out brochures to a prospective customer’s email address is not a problem, whilst an employee who has access to sensitive trade secrets and sends emails with attachments to a personal email address may well be.

Typologies need to address this level of specificity, which is part of the reason for aligning them to 4th level risks. Good typologies also include indicators specific to the parties involved in the activity, the context of the activity, and the associated threat.

What are the components of a typology and why?

Writing good typologies is hard (I refer to them as ‘deceptively simple’). Some typologies are quite generic, written so as to be implemented by any reader with any detection system (examples include those written for Anti-Money Laundering or Counter-Terrorist Financing by bodies such as FATF, FINCEN and AUSTRAC). Substantial work can be required to take these more generic typologies and implement them – sometimes this even requires complete rewriting.

Irrespective, there are a number of fundamental components of any typology. Note however, that some required fields will be specific to the detection system used (i.e. they may be required as inputs to design or build the models):

Typology name
Threat actor details (perpetrator, group affiliation, threat type etc)
Target(s)
Description of how the attack is perpetrated
Illustration (e.g. process map) for how the attack is perpetrated
Indicators (contextual, threat and party specific)
Data sources for each indicator
Description of the steps required for investigation and any associated analytical techniques

In my opinion, a typology is ‘finished’ when it can be readily understood and converted to analytics-based detection model by a data scientist with minimal rework or clarification being required. Often intelligence professionals (who are the experts in a particular threat) write typologies and hand them over to a data scientist, who then needs to become another expert in the threat to implement them! This is not a valuable use of resources and should be avoided. There will always be gaps in intelligence and threat actors keep changing to advoid detection – so a typology may never be 100% complete – but they should be written in a manner that addresses the information and design needs of its intended audience (i.e. data scientists, investigators and risk managers).

When building your typology library, it is good practice to map these to your 4th level risks to identify potential detection gaps. Steps involved in writing a typology will be explored in future posts.

Further reading

Baesens, B., Van Vlasselaer, V., Verbeke, W. (2015). Fraud Analytics Using Descriptive, Predictive, and Social Network Techniques: A Guide to Data Science for Fraud Detection, John Wiley & Sons Inc.
Johnson, C., Badger, L. Waltermire, D. Snyder, J., Skorupka, C. (2016). Guide to Cyber Threat Information Sharing, NIST Special Publication 800-150, U.S. Department of Commerce, United States. https://doi.org/10.6028/NIST.SP.800-150
Judicial Commission for NSW (2022). Tendency and coincidence in Civil Trials Bench Book — Evidence, Sydney Australia, https://www.judcom.nsw.gov.au/
Kovac, M. (2016). Using Digital Exhaust to Improve Sales, Harvard Business Review, 8 July 2016, https://hbr.org/2016/07/using-digital-exhaust-to-improve-sales
Pherson, R. H., & Heuer, R. J. (2021). Structured analytic techniques for intelligence analysis. Thousand Oaks, California: CQ Press, an imprint of SAGE Publications, Inc.
Solomon, H.M. (1977). Crime and Delinquency – Typologies, University Press of America, Maryland, United States. https://www.ojp.gov/ncjrs/virtual-library/abstracts/crime-and-delinquency-typologies
U.S. Government (2009). A Tradecraft Primer: Structured Analytic Techniques for Improving Intelligence Analysis, Langley, VA.

Vendor Fraud: what is it?

Posted on April 16, 2022 by Paul Curwell, CPP, CFE, CISSP

Paul Curwell, CPP, CFE, CISSP

Are there fraud risks associated with vendors?

Every public and private sector organisation today has a requirement to outsource some or all aspects of their operations, whether it be purchasing supplies or equipment, engaging a managed (outsourced) service provider to run its IT helpdesk or security operations centre, our purchasing tangible products or raw materials for its operations. Managing these capabilities takes a lot of effort and typically requires a specialist team aside from the procurement function to manage key relationships day to day.

We all know that relationships are difficult by their nature, and business relationships are no different to those in our personal lives. Sometimes, however, relationships deteriorate substantially to the point of potential litigation or where those relationships may be severed. Common triggers for this includes upstream supply or quality control issues, breaches of confidentiality, and fraud.

What is fraud?

The Commonwealth Fraud Control Policy defines fraud as ‘dishonestly obtaining a benefit, or causing a loss, by deception or other means’. As defined here, a benefit can be non-material or material benefit, tangible or intangible. Benefits may also be obtained by a third party. Examples of fraud relating to vendors include:

theft
accounting fraud (e.g. false invoices, misappropriation)
causing a loss, or avoiding and/or creating a liability
providing false or misleading information
failing to provide information when there is an obligation to do so
misuse of assets, equipment or facilities
making, or using, false, forged or falsified documents
wrongfully using confidential information or intellectual property.

Business to business fraud is a problem which remains largely off the radar – many businsess have problems with their vendors or business partners, but these rarely end up in court or in the media. Frequently, even when a business relationship goes wrong, the parties to the relationship still need each other and will work to rebuild trust that has been lost where an alternate supplier or partner is not available.

One important note on vendors is that they form part of your organisation’s inner circle: they are trusted insiders who, by virtue of this status, have privileged access to your organisation, its products, information, services, systems, facilities and people beyond that of the ordinary public. It is critical that vendors be considered as part of your Insider Threat Management Program, as well as in your Supply Chain Security, Integrity and Fraud Program. Where there are overlaps in coverage in these programs, this should be harmonised.

Associations with irreputable vendors can also damage your organisation’s reputation, and potentially introduce the risks of civil or criminal action as well as shareholder activism. One example here is where a vendor is involved in modern slavery, and your organisation’s due diligence program has not detected this in advance.

Photo by Rolled Alloys Specialty Metal Supplier on Pexels.com

What is the vendor fraud landscape?

Vendor fraud can be defined as fraud involving a vendor that occurs at any point in the supplier process, which is:

Supplier selection
Contracting
Operations
Termination

The Association of Certified Fraud Examiners (ACFE) notes that vendor fraud can occur in anything from billing to delivery of supplies, and can be broadly grouped in two categories. Vendor frauds involving trusted insiders, such as employees and contractors, can occur indepedent of the vendor or in collusion with them. There are also various types of vendor frauds perpetrated without the involvement of insiders. These range from what we might call ‘soft frauds’, such as subtly charging the wrong hourly rate or claiming travel expenses when not applicable, through to more serious problems like product substitution. A high level taxonomy of vendor fraud is shown below:

Vendor frauds involving insiders	External vendor frauds
Billing schemes (invoicing)	Labour fraud schemes (for outsourced services)
Corruption schemes (e.g. kickbacks, bribery, conflicts of interest)	Travel fraud schemes
	Fraud schemes involving materials
	Shell companies and pass through schemes
	Hidden subcontractor schemes

ACFE – high level vendor fraud taxonomy

As you can see, there is a wide spectrum of vendor frauds – the ACFE’s training course on vendor fraud, referenced below, is a great starting point for someone new to this area. Some are specific to particular types of work – such as labour and travel fraud schemes more prominent with the outsourcing of services.

Vendor fraud versus supply chain integrity: what’s the difference?

As the focus of @forewarnedblog is on protection and integrity of critical technologies, supply chains, IP, products, brands and marketplaces, I would be remiss if I did not cover vendor fraud schemes involving materials and ‘supply chain integrity’ in more detail.

The term ‘supply chain integrity’ is being used increasingly in common language to reflect whether business (as opposed to retail consumers) buyers have ‘got what they paid for’ in relation to materials (products). As consumers, when we buy a product (the material) we expect it to meet certain quality or provinance (origin) standards, such as those advertised by the seller or manufacturer. In countries like Australia, many of these requirements are also enshrined in consumer law. If a product breaks or fails, or if it is poor quality such as paint peeling off, then we feel disappointed and probably worse. It is business’ responsibility to make sure this outcome doesn’t happen for its consumers, which is where a Supply Chain Integrity program comes in.

A Supply Chain Integrity program aims to “mitigate the risk end-user’s exposure to adulterated, economically motivated adulteration, counterfeit, falsified, or misbranded products or materials, or those which have been stolen or diverted” (The United States Pharmacopeial Convention, 2016). These programs apply to both buyers and sellers, but the focus differs depending on where you sit in a supply chain.

The overlap with vendor fraud lies with what ACFE refers to as “fraud schemes involving materials“, where risks such as product substitution (a buyer pays for a product meeting one set of specifications, but it is substituted for a cheaper, lower quality, alternate or less functional model which might be less reliable or functional for the user). Typically, the trust a consumer places in a product or service is also wrapped up in the seller’s brand – if we see a product for sale from a brand we trust, we might buy it without question. Commonly, Supply Chain Integrity is bundled with Supply Chain Security into a consolidated ‘Supply Chain Integrity and Security’ program (SCIS), as seen in the global pharmaceutical industry.

Typically, an SCIS program focuses on both upstream supply (i.e. ensuring substandard products or raw materials do not infiltrate your supply chain as an input to say manufacturing), and downstream to ensure that counterfeits and diverted products do not enter a supply chain through nodes such as authorised distributors. In contrast, vendor fraud programs are typically narrower in scope.

What does this mean in practice?

In my opinion, if you are in an industry with serious life, safety or reputational (‘brand’) risks attached to the quality of materials provided by your suppliers, using a vendor fraud program to manage product substitution fraud risks may not be sufficiently robust or rigorous. Typically these programs focus on whether the vendor supplied a substandard product (i.e. may have defrauded you in terms of your sourcing, purchasing or procurement process) rather than a more holistic program aimed at improving the security and integrity of your supply chain overall (i.e. all products across all vendors). For these industries, a holistic Supply Chain Integrity and Security program (that also addresses the vendor fraud risk of product substitition) is more appropriate.

We already see this situation emerging in high reliability industries (e.g. mass transport, pharmaceuticals and medical devices, automotive and aerospace). In Australia, this area is becoming increasingly regulated with amendments to Australia’s Security of Critical Infrastructure (SOCI) Act which covers eleven critical infrastructure sectors and introduces new rules for managing supply chain integrity and security hazards. There’s a lot to unpack in this topic – I will cover some types of vendor fraud, particularly product substitution (sometimes called ‘product fraud’) in future posts.

Understanding the risk of organised crime infiltration in your business

Posted on February 1, 2022 by Paul Curwell, CPP, CFE, CISSP

Paul Curwell, CPP, CFE, CISSP

What is Serious Organised Crime anyway?

The concept of organised criminal infiltration into your business or supply chain is interesting. I’ve worked with a number of critical infrastructure operators in Australia who have this concern: the nature of their business provides a unique opportunity for criminals to exploit their business, or the employees position, to facilitate their own or others criminal activity. Before we start to get carried away that serious groups like the mafia are infiltrating your business, it’s worth understanding key elements of the ‘spectrum of crime’ which forms a basis for any Threat Assessment:

Criminal enterprise – a group of individuals with an identified hierarchy, or comparable structure, engaged in significant criminal activity (FBI)
Opportunistic individuals – individuals who take advantage of internal control gaps or weaknesses and opportuinities of circumstance to perpetrate criminal and / or unethical activity (e.g. fraud or business espionage) (Curwell, 2022)
Organised criminals – “small, organised networks of entrepreneurial offenders, often transitory in nature, that develop to exploit particular opportunities for illegal profit. These groups vary from temporary associations created to commit a time-limited series of offenses, to enduring businesses that invest in on-going criminal activities” (Eck & Clark, 2013, p28).
Organised crime (organised criminal group) – “a structured group of three or more persons, existing for a period of time and acting in concert with the aim of committing one or more serious crimes or offences established in accordance with this Convention, in order to obtain, directly or indirectly, a financial or other material benefit” (Smith 2018 in United Nations 2004: 5).
Transnational Organised Crime – those self-perpetuating associations of individuals who operate transnationally for the purpose of obtaining power, influence, and monetary and/or commercial gains, wholly or in part by illegal means, while protecting their activities through a pattern of corruption and/or violence, or while protecting their illegal activities through a transnational organisational structure and the exploitation of transnational commerce or communication mechanisms (FBI)

Its important to remember that not all crime that happens somewhere like a border, port or airport will be perpetrated by serious organised crime. Anecdotally, a lot of the crime I come across day to day involves opportunistic individuals and organised criminals. These risks are managed through employment screening and internal controls (which might include detection programs – see What can be done about it? below).

Common activities of serious organised crime – is there a nexus with your business?

Understanding the types of activities which commonly involve serious organised crime groups can help businesses assess their likely exposure to this activity. In the following list, I have compiled a list of offences based on information published by the FBI and ACIC:

Bribery
Currency Counterfeiting
Embezzlement
Fraud schemes
Cybercrime
Investment and financial market fraud
Revenue and tax fraud
Credit card fraud
Superannuation fraud
Money Laundering
Murder for Hire
Drug Trafficking
Prostitution
Exploitation of Children
Organised retail crime

Human Trafficking and Slavery
Intellectual Property Crime – including Counterfeit Goods
Illegal Sports Betting
Cargo Theft
Sale and distribution of stolen property
Murder
Kidnapping
Gambling
Arson
Robbery
Extortion
Tobacco and firearms smuggling
Vehicle theft

Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

What we know about Serious Organised Crime in Australia today

Access to detailed assessments of the nature and sophistication of serious organised crime in Australia are not publicly available. However, one of the most useful reports is the periodic assessment of Serious Organised Crime released approximately every 5 years by the Australian Criminal Intelligence Commission. This report provides a useful outline of serious organised criminal markets in Australia, as follows:

Illicit Commodities	Serious Financial Crime	Specific Crime Markets	Crimes Against the Person
Narcotics	Cybercrime	Visa & Migration Fraud	Exploitation of Children
Illicit Pharmaceuticals & Anaesthetics	Investment & Financial Market Fraud	Environmental Crime	Human Trafficking & Slavery
Performance Enhancing Drugs (e.g. steroids)	Revenue & Taxation Fraud	Intellectual Property Crime
llicit Tobacco	Superannuation Fraud
Illicit Firearms	Credit Card Fraud

ACIC (2017). Serious Organised Crime in Australia, Canberra

Understanding whether your business, including your supply chain, has a nexus with any of these criminal markets will help inform your threat and risk assessment process in relation to organised criminal infiltration. As with assessing physical security of your office premises or facilities, you may not have a direct nexus with organised crime but your suppliers or neighbouring businesses might. This creation of an indirect nexus should also be considered, as this could have adverse reputation, safety and disruptive effects on your business, employees or customers.

The role of criminal enablers

Some organisations may not be directly of interest to OCG, but they may be recognised as having something or someone who can enable or facilitate their objectives. Examples here include access to information, professional facilitators (eg. lawyers, accountants, trust & company service providers), systems (eg being able to change a database record in a third party system), or sub-leasing warehouse or storage space.

The Australia Criminal Intelligence Commission identifies six enablers of serious and organised crime (ACIC, 2017):

Money laundering
Technology
Professional facilitators
Identity crime
Public Sector corruption
Violence and intimidation

Enablers can be targeted by organised crime either directly (eg group leases warehouse space for its own activities) or in relation to employees in key positions. Employees who have some sort of vulnerability, either at home or at work, may be coerced, bribed, intimidated or extorted to perform acts at the direction of a group.

Photo by ThisIsEngineering on Pexels.com

What can be done about the risk of organised criminal infiltration?

So far in this post, we’ve demystified what constitutes serious organised crime, the types of activities (offences) commonly associated with this activity, the criminal markets where organised crime groups are found, and the professional intermediaries and enablers who might knowingly (or unknowlingly) support them. The next question is what to do about it.

The starting point for any business leader concerned about potential organised criminal infilitration in their business is a thorough, objective and factual assessment of the threats and risks, and their associated likelihood and consequence. Once understood, a proper security plan can be implemented to mitigate these risks.

With infiltration by organised crime there is a potential insider threat. This can materialise within both the employee and contractor / third party populations, including within the extended supply chain. This also needs to be considered when scoping any assessments. Suggested actions for businesses concerned about organised criminal infiltration include:

Perform a Threat Assessment to map your ‘threat universe‘ (i.e. who is likely to target your organisation), and why
Undertake a Security Risk Assessment, which incorporates identifying critical assets, vulnerabilities (control gaps), consequence and likelihood (i.e. which of your assets might serious organised crime groups actually consider attractive) for the various threats identified in the Threat Assessment. For risk such as product theft or product diversion, don’t forget to assess if your products are CRAVED.
Undertake a Personnel Security Risk Assessment – this is commonly separate to your Security Risk Assessment, but identifies high risk positions and roles in the organisation which give acceess to your critical assets, and the types of employment screening (background investigation) and continous insider threat detection programs that may be required to mitigate the risk
Perform due diligence on prospective and current employees, contractors, suppliers and business partners / third parties based on the risks idenitifed in your Security Risk Assessment and Personnel Security Risk Assessment.
Develop a robust intelligence and security program to monitor for ongoing changes to your organisation’s threat landscape (including building capabilities such as media monitoring), and where appropriate, develop partnerships with police and security agencies to help mitigate the risk to within your organisation’s risk appetite.

Following these steps will ensure you know where you need to focus your security effort and resources. It may be that your greatest risk is that of opportunistic individuals and organised criminals (including trusted insiders and employees or contractors of your third parties or business partners) and not serious organised crime, requiring a different treatment strategy. If in doubt, seek assistance from an appropriately qualified professional who is licenced by the State Police to give security advice in the relevant Australian jurisdiction. If in doubt, have a read of this advice from ASIAL, the Australian Security Industry Association.

Product security risk assessments for tangible goods

Posted on December 19, 2021 by Paul Curwell, CPP, CFE, CISSP

Author: Paul Curwell

State of art – managing fraud and security risk in relation to products

It makes sense that out of the universe of products on the market globally some products are more attractive to thieves and criminals, including trusted insiders, than others. Whilst working through my holiday reading I came across some research undertaken in 1999 by Ronald Clarke, a leading criminologist.

I’ve been interested in what makes a product vulnerable to security and fraud risks for at least ten years. Take a moment to think about what we do with products: whether a passport or airplane part, we manufacture them before ultimately selling them to consumers, most of whom are free to use them and resell them at will on the secondary market. This means they need some protection against fraud and security threats, especially if your reputation or commercial revenue model is linked to the product’s ongoing integrity.

Whilst working in banking my team would undertake product fraud and security threat and risk assessments, at that stage primarily on the bank’s new fleet of Automatic Teller Machines (ATMs). ATMs are targeted in a number of ways, both physically and virtually, through attack vectors such as ram raids, Plofkraak attacks, and cyber hacking to ultimately access the cash contained inside. More recently, I provided expert review of threat and risk assessments for a suite of financial services and identification products (including digital identities) for another client.

To my knowledge, there is no formal threat and risk assessment methodology for products per se, but Clarke’s methodology seems a good starting point.

What satisifies a criminals cravings?

In his research, Clarke found that products commonly targeted by shop lifters in a retail exhibited six attributes which spell the acronym CRAVED, as follows:

Concealable – this is relative to the situation. Shoplifters might target small items they can easily conceal in clothing (eg watches) over a large TV, but sometimes it’s easier to walk out with something large. I previously did some work with a client involved in international air freight, and one of their risks was that trusted insiders could smuggle large items concealed in something else out of the airport through a legitimate freight shipment.
Removable – to target a product, you need to be able to pick it up and move it. Unlike services, products are generally transportable.
Available – there are two elements to this – products that are widely available, and those that are readily accessible (i.e. not kept in a locked cabinet with inventory or stock in store). Audit logs and access control measures, amongst others, should protect more valuable items.
Valuable – whether trusted insiders or organised fraud rings, criminals generally don’t steal things which are not of value to them. Value is also contextual – whilst a high demand product such as consumer electronics is seen as valuable to a large potential market, some products might be valuable to an individual for a specific purpose. We can reasonably expect the former might be targeted multiple times by one or more actors, whilst the latter category might be targeted only once.
Enjoyable – Clarke’s work looked at products most commonly associated with shoplifting, so there is an element of consumer desire (i.e wants & needs) here. But if our COVID crisis has taught us anything about supply chains, its that Maslow’s hierarchy of needs also plays a role (the repeated hoarding of toilet paper by consumers comes to mind).
Disposable – attractive products are those easily sold, or resold, either for cash or another form of value transfer. There is more demand, hence more of a market, for some products than others. Think of how easy it is to dispose of a second hand (or stolen) fridge over a passport.

Readers will note that CRAVED really applies to security related threats, such as theft, much more than fraud. I’m not aware of any formal product fraud risk assessment methodology.

How can we apply the CRAVED construct to manage product risk?

Clarke’s research was performed in 1999, so it is somewhat dated but the principles likely remain valid. Also, the research focused on retail and is not representative of other industries. Nevertheless, we can use the principles outlined by Clarke to inform the design of any product specific risk assessment methodology: CRAVED provides a starting point.

Based on my experience assessing product risk for fraud and security threats, I offer three tips to consider when designing and / or executing a product risk assessment to address fraud and security threats:

Tip 1: Analyse your historical incidents

Collecting detailed incident data is a foundational element of any fraud, security or risk function. Ideally, you want to capture as much detail as you can at the time of the incident, even if it may not seem relevant now. It may be much harder, or even impossible, to capture some data in the future.

TIP: If you are not doing this already, you should start. Ideally, try to collect as much historical data for say the past 12-24 months as you can, even if it is not complete, and put in place processes and tools to collect rich incident data going forward.

As you start to analyse your historical incident data, ask yourself the following questions:

Which product(s) are most commonly targeted? Assuming the Pareto Principle (’80:20 rule’) applies, a small number of your product models will be targeted more commonly than others. You need to identify these and assign a higher likelihood score during your risk assessment.
Are there any geographical aspects to these incidents? E.g. do they commonly occur in specific locations? This might indicate that some products are more likely to be stolen or attacked in a specific geographical area. The logical follow up question here is why…
Are there specific dates or times when most incidents occurred? In some forms of fraud, it is common to see spikes in fraud incidents in summer and a significant decline in winter. Additionally, some forms of crime are more likely to happen at night. Perhaps you might identify an unusual pattern, such as high rates of theft on a weekend when your business is closed, suggesting a potential insider threat.
How do these incidents occur? You need to get a good understanding of the criminal’s business process, particularly if there is a specific pattern or series of steps that are commonly undertaken which you might be able to disrupt using internal controls (mitigations). You can use a variety of analytical methods here including business process mapping, red teaming and analysis of competing hypothesis to achieve this.
Who is the perpetrator? Even if you can’t identify the perpetrator by name (which is unlikely), try to categorise perpetrators into groups such as opportunistic individuals, organised criminals, organised crime (eg mafia), trusted insiders etc. Over time, as you develop richer data sources and a deeper understanding of your data, you might be able to distinguish groups or sub-categories based on the groups specific behaviours (i.e. their Modus Operandi [MO] or Tactics, Techniques and Procedures [TTPs], such as a specific organised fraud ring.
Why do you think specific products are being targeted? You may need to do some critical thinking here, or alternately comparative case analysis methods would be helpful. You need to understand whether the products that are mainly being targeted (e.g. the 20% – assuming the 80:20 rule applies to your data) are being targeted for a reason. Ask yourself, do they share common attributes (such as the CRAVED attributes identified by Clarke)?

Tip 2: Identify any design attributes which could be modified to reduce the product’s attractiveness to criminals

Sometimes there are design attributes to a product, or even a service (e.g. a business process) that makes one manufacturer’s product more likely to be targeted than a competitor. Additionally, sometimes the design of a product makes it more likely to be targeted – an example could be not having branding or a serial number readily visible, which might allow criminals to ‘rebadge’ it as it is being sold. Repackaging is another area of risk here. Understanding these factors means you can work with product managers and design engineers to modify your product and make it less attractive to criminals, which means it is less likely to be targeted.

Ultimately, your goals here are revenue and brand protection. If you can design your product to be a ‘harder target’ (i.e. less attractive), you might save on downstream fraud and security costs. Alternately, some products are readily counterfeited, with sometimes lethal consequences for unsuspecting consumers. Aside from potentially tragic impacts to consumer’s lives, your organisation’s brand and reputation might be adversely impacted simply because your product design was easy to counterfeit and commercially attractive to counterfeiters.

In this case, the cost of the reputatation or brand damage (such as by consumer boycotts, lost sales) may far exceed the costs of product redesign or implementing additional security measures. Product managers need to know if anything specific makes their product overly attractive to criminals, and if so, do something about it in the design phase.

Tip 3: Understand where the product is most likely to be attacked or compromised

For example, if a product is more at risk during shipment, can better cargo security measures be implemented? If a product is at risk of counterfeiting, product authentication measures such as security packaging and traceability programs could be the solution.

It is very uncommon to encounter situations where managers have unlimited resources – a well-designed product risk assessment methodology can be used to identify those products requiring increased protection based on likelihood and consequence, and those requiring less protection. These insights can be used to efficiently allocate your limited risk management resources, as well as helping product managers understand why their product is at risk.

Defining your ‘Threat Universe’ as a building block of your intelligence capability

Posted on October 17, 2021 by Paul Curwell, CPP, CFE, CISSP

Author: Paul Curwell

The role of a threat universe in your intelligence capability

The focus of intelligence is generally on what is happening (and likely to happen in the future) external to your organisation. In the commercial world, risk and compliance teams are often inwardly focused, looking at who is doing what and identifying potential implications, rather than focusing on the external source of the risk (i.e., the threat).

Identifying and categorising your actual and potential threats is a first step in building a new intelligence capability. The threat universe is a taxonomy of all possible threats and their associated vectors which could target your organisation, products or supply chain. Defining your universe of threats creates the boundaries for what your intel function does and does not need to focus on, including any strategic intelligence progams such as horizon scanning.

The dangers of intelligence ‘silos’ across your organisation

Depending on your role, you may only be interested in threats associated with a specific functional area, such as fraud, cyber-crime or physical security, as opposed to having an enterprise wide focus. However, silos create problems when threats overlap (e.g. criminals who started with opportunistic theft of physical goods move on to defrauding your organisation through its services).

If you don’t have the right mechanisms in place, your organisation will be blind to these overlaps and you will not realise you are being targeted. An example here is fraud in banks – teams working on credit card fraud might not share their data with teams working on motor vehicle insurance fraud, yet the actual criminal targeting them might be the same person.

The first step in building a threat universe is identifying your most important assets, as this helps inform both a threat actor’s motive and any threat vectors they are likely to use (how a threat actor might successfully defraud or attack you).

Work out what is valuable to your business

A basic rule of security is that you can’t protect your assets if you don’t know what you’re supposed to protect. There are many ways of doing this, but I start with a simple taxonomy and then get into further levels of detail with my clients. When I think of assets, I start with five main categories:

Asset Categories	Description
People	Includes your employees and customers
Facilities	Buildings such as offices, plants, warehouses, laboratories
Information	Includes Intellectual Property (IP such as patents, copyright, personal or private information (generally covered under privacy legislation), and confidential business information (proprietary information) such as marketing plans, strategies, pricing models
Systems	Comprises the computer networks, servers and related technology that keeps the business functional
Brand & Reputation	Represents the premium the market places on your products and services as a result of how you do business

Your products & services are assets too!

Products are all too often overlooked by many security and fraud professionals. There are two things you need to consider. Some threat actors make money by abusing your products or services. Pharmaceutical counterfeiting and loan fraud syndicates are two examples, both of which profit by directly targeting a company’s products or services.

Perhaps more pernicious are those who use of your products or services as a criminal enabler. This means that your company may not lose money by having criminals use your products or services, indeed, some companies might even make money in the form of sales revenue, but your products or services are used to facilitate criminal business operations. Money laundering and identity crime are two common examples. A less obvious one is drug trafficking rings that smuggle illicit product into a legitimate shipment to transport their illicit product.

Identifying the threat actors likely to target your assets

Once you have identified what is likely to be targeted in your business, the next step is to understand who is likely to target you. You will likely not have all the information you need to complete this step without some research, but you will probably be able to complete a high level summary quite quickly. Remember that criminals might be considered to lie on a spectrum, from opportunistic through to serious organised crime.

Use this simple taxonomy for threat actors to get you started:

Threat Actor	Description
Opportunistic Criminals	Opportunistic criminals are only engaging in crime because they think they won’t get caught. For example, perhaps you are a retailer who sells expensive clothing, and your products can easily be slipped into a bag without paying?
Unsophisticated Criminals	I use this category to describe people who might be engaging in crime more than just opportunistically, but are either just starting out or really aren’t any good. History has plenty of examples here, and this category (particularly those that aren’t any good), are probably the ones most likely to get caught.
Organised criminals	Organised criminals are just that – organised. That implies some level of competence, which likely translates into them being harder to find and catch. This is particularly the case with fraud syndicates. If you have something which is attractive to criminal groups, or can provide them with access to something that is valuable which they couldn’t get any other way (e.g. a way to launder their money or use someone else’s identity), you may be a target. Fraud syndicates and cyber-crime rings are frequently encountered examples here, although there are overlaps between these examples and all other categories.
Organised Crime Groups	We need to make a distinction between ‘organised criminals’, basically sophisticated groups of people engaged in criminal activity, and true ‘organised crime groups’ like the Mafia and Yakuza. Successful criminals are all organised, but not all organised criminals are members of transnational organised crime groups. Organised crime groups these days are generally transnational, and involved in a broad spectrum of legitimate and illegitimate enterprises.
Nation States & their associates	Nation states and their associates (such as front companies and intermediaries) can be involved in a range of activities including Intellectual Property Theft, technology transfer, weapons profileration, economic espionage, foreign interference, information operations (e.g. cyber attacks, misinformation / disinformation campaigns), supply chain attacks and sabotage (physical and cyber).
Terrorism & Politically Motivated Groups	An unfortunate reality of life is that some crimes are politically motivated – Terrorism is one example. Companies and their assets (including employees) may be directly targeted for some reason – perhaps they are high profile and an easier target than say a police station or government building – or they may just be in the wrong place at the wrong time. If your office is in the same building as a government agency or other high profile business, you would be wise to ensure this is on your threat universe.
Issue Motivated Groups	Issue Motivated Groups might sound a bit strange, but these are effectively groups of people who are willing to commit crimes (sometimes serious crimes such as murder) in the name of what they feel is important. Examples include environmental activists, anti-abortion activists, religious motivations, animal rights activists and others. They range from peaceful and benign (e.g. peaceful protests) through to very serious – such as the bombing of anti-abortion clinics or the murder of staff associated with them. You need to know if your company operates in an industry that is targeted by IMGs.
Street criminals / gangs	This might seem a strange addition to the list depending on where you live or operate, but it is important to remember the threats facing corporate travelers as companies have a duty of care towards their employees. Theft (including cargo theft), robbery, random acts of violence, and even opportunistic kidnappings perpetrated by common criminals or organised groups may need to feature on your risk register if you send employees to high risk locations.
Insider Threats	Refers to any person who has the potential to harm an organisation for which they have inside knowledge or access, including employees, contractors, consultants, and employees / contractors of suppliers and business partners. An insider threat can have a negative impact on any aspect of an organisation. Insiders can also collude or collaborate with external threats such as organised crime groups.

As you start to define your threat universe, you can develop sub-categories which will help you further identify and manage the threat. For example, if your organisation is exposed to organised crime, start to categorise them. Add sub-categories such as middle east organised crime, outlaw motorcycle gangs etc. Then you can undertake research to find out what sort of activities they typically engage in, and whether your business, products or supply chain are typically targeted by each group in your region. Having done this exercise once, you can keep it up to date by building a media monitoring capability to identify emerging trends.

Applying your threat universe in practice

A threat universe could comprise something similar to an an organisational chart, and be supplimented with prorfiles and information you gather on each group. Advanced versions will be in a database or similar system. Your threat universe should be a living document, which develops as both your business evolves and the external environment in which your business operates changes.

Once complete, you can start to focus your intelligence resources. Not everything on your threat universe is going to be a problem right now (i.e. be a ‘current threat’) – indeed, there may not be any threats targeting you within a specific category right now, but this can change without warning. When something strange happens or the beginnings of a new trend start to emerge, you can easily look to your threat universe and assess whether this is something you need to be worried about.

Australia’s economic espionage laws: what this means for ‘trade secrets’ protection after 2018

Posted on September 26, 2021 by Paul Curwell, CPP, CFE, CISSP

Author: Paul Curwell

Are Australian’s culturally reluctant to take steps to protect our Intellectual Property?

Throughout my career, I have worked with businesses, R&D intensive organisations and universities which make a living commercialising their Intellectual Property (IP). As an undergraduate biotechnology student, I completed a number of internships with research laboratories in Australia and the United States, before working out that wasn’t the right career for me. Later, as a Master of Technology Management student at business school in Brisbane, I wrote my thesis on the protection of IP. I then moved on to a mix of consulting and industry roles, mostly in financial services. Unfortunately, wherever I go in Australia I regularly encounter situations involving IP and trade secrets theft. For example:

A departing employee who blatantly stole IP from their employer, only to find in-house counsel couldn’t be bothered to take action either against the employee or their new employer (where they were using the stolen assets) as they didn’t consider IP theft a real issue
Another company not only failed to terminate the IT accounts for multiple employees who had left at the same time for a direct competitor, but also stole their former employer’s laptop and used it and their login credentials to login to their former employer’s IT network from their new employer’s offices to steal the IP they hadn’t already taken, as well as commercial material such as pricing which had been updated since they left
An employee who had a lucrative contract with a foreign third party to supply the research paid for by their primary employer to the third party, without the knowledge of the primary employer and in breach of their employment contract and fiduciary duty

Photo by Polina Tankilevitch on Pexels.com

Based on my experience, I am comfortable saying the culture of IP protection, and the maturity of associated IP protection programs in Australia is low. Australian businesses are overly reliant on legal measures to protect our IP, at the expense of adequate security and insider threat programs. Unfortunately, once your IP is gone, it is very expensive and time consuming to get it back. Having spent almost 20 years working in the fraud and security field I am still amazed at the way in which we protect our confidential information and IP in Australia and the almost complete disregard we show for both protecting these intangible assets and responding when something goes wrong: This is in complete contrast to that of the US and other R&D intensive nations. Slowly, finally, things are starting to change.

‘Trade secrets’ defined for the first time in Australian legislation

In August 2018, the National Security Legislation Amendment (Espionage and Foreign Interference) Act 2018 recieved royal asset, and now forms part of Australia’s Criminal Code Act 1995 (Cth). Theft of trade secrets and IP is big business globally, and involves both nation states, criminal groups and individuals. The US Trade Representative estimates the cost of trade secrets and IP theft at US$200bn to $600bn annually. When the perpetrator is a nation state, or acting on behalf of a nation state, this is termed ‘economic espionage’ (as opposed to traditional espionage which focuses on theft of national security related information). When the perpetrator is a competitor or private intelligence company, this is termed ‘industrial espionage’. In Australia, economic espionage is considered a form of Foreign Interference.

Foreign interference is activity that is:

carried out by, or on behalf of a foreign actor
coercive, corrupting, deceptive, clandestine
contrary to Australia’s sovereignty, values and national interests

Foreign interference activities go beyond routine diplomatic influence and may take place alongside espionage activities. A range of sectors are targeted:

democratic institutions
education and research
media and communications
culturally and linguistically diverse communities
critical infrastructure

Most Australian’s don’t believe industrial or economic espionage happens here in fortress Australia, but unfortunately these practices are alive and well, its just they rarely make it to the courts or hit the headlines, and victim companies rarely if ever disclose this fact. So what does this new legislation do? Effectively, it “introduces a new offence targeting theft of trade secrets on behalf of a foreign government. This amounts to economic espionage and can severely damage Australia’s national security and economic interests. The new offence will apply to dishonest dealings with trade secrets on behalf of a foreign actor“.

92A.1 Division 92A – Theft of Trade Secrets involving a Foreign Government Principal

The penalty for commiting this offence is 15 years imprisonment.

Division 92A does not cover theft of confidential information or trade secrets where there is no involvement of a foreign government – these cases are addressed under other legislation as well as under common law and will be subject to a separate post.

What is a ‘Foreign Government Principal’?

Under section 90.3 of the legisiation, an offence of trade secrets theft requires the perpetrator (e.g. the employee) to be acting on behalf of a ‘foreign government principal’. Note that the legislation also defines a ‘foreign principal’, which is different. A ‘foreign government principal’ is defined as follows:

the government of a foreign country or of part of a foreign country;
an authority of the government of a foreign country;
an authority of the government of part of a foreign country;
a foreign local government body or foreign regional government body;
a company defined under the Act as a foreign public enterprise;
a body or association defined under the Act as a foreign public enterprise;
an entity or organisation owned, directed or controlled:
- by a foreign government principal within the meaning of any other paragraph of this definition; or
- by 2 or more such foreign government principals that are foreign government principals in relation to the same foreign country.

Importantly, the legislation is written quite broadly so as to encompass many of the typologies typically found with economic espionage, namely the involvement of national as well as state / province and local level government agencies, associations and similar legal entity types.

Section 70.1 of the Criminal Code 1995 provides a comprehensive definition of a ‘foreign public enterprise’ which encompasses both formal control (i.e. in the form of shareholdings) as well as influence (i.e. indirect or coercive control which might be exerted against a company’s key persons by a foreign government to ensure support).

Three elements of the offence define expectations of employers – IP Protection programs

In addition to the involvement of a ‘foreign government principal’, a person (e.g. employee, contractor) commits an offence under Division 92A if the person dishonestly receives, obtains, takes, copies or duplicates, sells, buys or discloses information; and the following three circumstances exist:

The information is not generally be known in trade or business, or in that particular trade or business concerned
The information has a commercial value that would be, or could reasonably be expected to be, destroyed or diminished if the information were communicated
The owner of the information had made reasonable efforts in the circumstances to prevent that information from becoming generally known

The first circumstance is relatively straight forward: if the information is public or in any way considered ‘common knowledge’, it is not a trade secret. Secondly, like all forms of IP, trade secrets must have some form of commercial value, for example, being used to build or do something which creates a saleable asset or generate revenue. Lastly, the owner of the trade secret(s) must have taken reasonable steps to protect that information from unauthorised disclosure – i.e., the implementation of an IP Protection program.

These elements are common to the definitions of a trade secret in other jurisdictions, such as the United States and Canada. Additionally, the legislation does not provide any guidance on what might be considered ‘reasonable efforts’ by a court to protect such information. However, there is a body of industry better practice around what IP Protection programs should look like which can be used by employers and IP Rights holders to inform these decisions. For more information, have a read of my earlier post on this subject.

Building a media monitoring capability 101

Posted on March 6, 2021 by Paul Curwell, CPP, CFE, CISSP

Author: Paul Curwell

Media Monitoring as part of a wider externally-focused risk intelligence capability

Businesses cannot operate effectively without an external listening capability that helps identify current and emerging issues in the operating environment. Competitors, regulatory change, technological innovation, and important developments involving suppliers and key customers have historically been ‘followed’ by businesses everywhere. However, with the rising importance of reputation risk and regulatory compliance, topics such as economic & trade sanctions, corruption, fraud, privacy & security incidents, business interruptions, modern slavery and environmental issues are also being increasingly watched, especially where suppliers or contractors pose a risk ‘by association’ to the buyer.

Our 24/7 news cycle and the global pace of change means it is no longer viable to read the newspaper once a day or occasionally Google a competitor every few months in your spare time to identify changes in your operating environment – media monitoring today needs to be a core part of your risk intelligence capability, employed on a systematic, continuous basis and integrated into other business processes to add value.

Conceptually, media monitoring seems relatively straightforward, but it follows the iceberg principle with most of the challenges laying beneath the surface. Many organisations struggle with media monitoring when they need to operate across large volumes of search criteria, countries, languages and mediums. Practically speaking, there are also differences between monitoring traditional print, TV and radio channels and social media: This post focuses on traditional channels, whilst social media will be addressed in a future article. The article outlines the key considerations when designing a media monitoring capability, the challenges, what to focus on, and what to do with what you’ve found.

Selecting sources and monitoring tools

The majority of media monitoring programs are run in an ad-hoc manner, without any real understanding of the sources or content of interest. The sophistication of these programs range from performing ad-hoc searches in the internet browser, to using tools such as Google Alerts and data aggregators. Typically, businesses focus on print media to the exclusion of TV and Radio, despite both having interesting and relevant content (take for example, an executive from a competitor being interviewed on the business channel).

The first step in selecting sources involves thinking about what, and who, you want to monitor, and where the content would be published. This ‘where’ is a function of both geography but also industry, as some of the richest coverage might be featured on niche industry platforms. Media monitoring typically focuses either on people or entities, both of which involve name-based searches (e.g. ‘Apple’ or ‘Tim Cook’). Where large numbers of search results are returned, it is normal to use boolean operators to write queries which search for the individual or entity’s name in conjunction with other search criteria, such as ‘strategy’ or ‘fraud’. This process can get quite complex, involving potentially dozens of words of interest (or derivatives of them, such as ‘Crim*’ to search for ‘criminal’, ‘crime’, etc in the same search) in addition to the entity name (i.e. “[name]” and “crim*”).

Media Monitoring Challenges

Licensing and Copyright – news information is subject to copyright, and many IP Rights Owners require their content to be licensed. These costs, and any licensing constraints (e.g. forwarding of a complete article is prohibited without an enterprise license) will require some thought around how any capability is designed, as well as impacting budget.

Syndication – increasingly common globally, syndication has the effect of increasing the volume of search results. Platforms such as Factiva have in-built tools to remove duplicates, however manual processes (e.g. Google Alerts) may take additional time to process

Reliability of free tools – free media monitoring tools use a variety of technologies to identify and index content, which can impact reliability. Unlike platform providers, they typically require closer scrutiny to ensure they are performing as intended.

Press Freedom and ‘Right to Forget’ laws – the reliability and coverage of the mainstream media is increasingly being influenced by attacks, government constraints on journalists, and corruption. In other jurisdictions, ‘Right to Forget’ laws mean the subjects of adverse coverage can have articles such as coverage of convictions or imprisonment deleted, impacting historical search results.

Where large volumes of search queries are required and where budgets allow, news aggregators such as Factiva and ProQuest, as well as other specialised industry journals, represent an excellent option provided they have coverage of the content you are seeking. Once you have identified your sources, you should check to see where their content is published as some publications are not covered by aggregators or news syndication services.

As with print media, television and radio content is also searchable via specialised aggregators. Typically these providers will index the content (i.e. note keywords and other search terms), to enable a word-based search to be performed via their portals. Once results are returned, they can then be screened for relevant content. Two examples of television indexes include BBC Monitoring and InformIT TV News.

Case Management: Reviewing, storing and evaluating matches

Media articles or other search results are typically recorded in some sort of ‘case management system’, which can be anything from a register kept in Microsoft Excel to a database or workflow system such as ServiceNow. There are a few steps in this stage of the process, including:

Reviewing each returned search result to determine whether it meets your criteria for retention (i.e. is it relevant, timely and actionable in relation to the question you are seeking to answer and is this new information, or is it a duplicate?)
Documenting selected fields / information from the article in your case management system – such as names or addresses of parties mentioned
Copying details of names, addresses, relationships, events or other reporting which could affect your relationships with key customers, suppliers or employees into a separate database (this is particularly important for fraud prevention and legal disputes)

This raises the question of who is performing the media monitoring, and how well they understand the intended recipients (i.e. their readers or internal ‘customers’). All too often media monitoring is performed by a central team, with consumers in the business being forwarded copies of news articles they have already read or receiving lots of emails that go unopened. Whether the function is performed centrally or by business line, the most important thing is that information is converted to intelligence so it is actually useful.

Whilst media monitoring can be started with the best of intentions, it quickly becomes a waste of time and effort if the generated content is not relevant and actionable to the recipient (i.e. can they actually do something useful with it) and timely (telling them an event has occurred 3 months after they’ve known about it is useless), if the content is not properly curated and searchable as volumes increase, and if the team performing the role becomes seen as a sender of spam.

Actioning what you’ve found

Once you have identified what’s important, the next step is to do something with it. By this stage of your process, you should be left with a number of articles that contain content of interest. In my experience, this is the stage where many media monitoring processes begin to fall apart.

Case Study:

A large bank had implemented a robust media monitoring process to track strategic developments involving competitors and the market. They were actively monitoring multiple channels, saving articles of interest to PDF from print media sources, and uploading them to a Document Library on their intranet (SharePoint). Over time they had thousands of articles containing rich information but it was never extracted and developed into intelligence. To make use of their collection, they had to individually review each search result rather than being able to see what all search results meant in the wider context. In time, it became quicker for users to simply use Google and the whole effort became a complete waste of time.

Media monitoring is only the first capability building block in an external listening process, and if your process relies upon emails or file libraries in a shared folder or on SharePoint once you hit a certain number of files you will start to encounter data challenges that affect our ability to extract any real value from your media monitoring. To avoid this situation, I recommend you add two steps to the end of your media monitoring process:

Dealing with information about people, events, places and things

Articles with content such as names, incidents, relationships, events and places need to have this information extracted into a structured format (ideally a database but CSV format will also suffice), with the original article attached. Whilst you can use document tags instead of structured content, it is not as effective (1) because you will still need to extract the data into a structured format to properly analyse it, and (2) over time libraries of tags will become unmanageable and you may encounter system limitations. To keep pace with volumes, I find this information most efficiently captured as the article is reviewed, rather than letting everything pile up.

These sort of articles typically relate to issues such as a key customer or supplier’s financial solvency, highlight relationships between employees and a supplier or customer (i.e. conflicts of interest or fraud risks), and legal disputes which might disrupt the supply chain. Consequently, the typical audience for this information will be finance / procurement, legal, audit, risk and compliance.

Articles of a strategic nature

In contrast to information about people, places and things, information of a strategic nature (e.g. articles on regulatory change, interviews given by a competitor on their new product) should be compiled into a separate document or ‘wiki’. Environmental Scanning is a common technique used in the strategic analysis and intelligence communities and is ideal for compiling and analysing this type of content, and will be covered in a future post.

The key difference between strategic information and that of people, places and things is the way it is used – it is mainly employed by strategy teams, product managers, or in other planning activities rather than more operational tasks, hence it needs to be reviewed less frequently. Strategic information is typically reviewed in the context of other strategic information or when making specific decisions.

Optimising your capability

The last step in developing any capability is to periodically evaluate its performance. For a media monitoring capability, this means running separate searches to ensure you haven’t missed anything with current search criteria (have you had consumers in the business ask about something you didn’t pick up?), ensuring that sources are reliable and credible and that search parameters are current, and that your downstream processes in terms of storing, evaluating and reporting remain valid.

Further reading

Alexander, M. (2016). Appropriately Structure Data in Your Excel Data Models, https://www.dummies.com/article/technology/software/microsoft-products/excel/appropriately-structure-data-in-your-excel-data-models-138384/
BBC (2021). BBC Monitoring – Essential Media Insight, https://monitoring.bbc.co.uk/
Boehm, R. (n.d.) Using Tags for Document Management, Purdue University, https://guides.lib.purdue.edu/tagging
Boolean Black Belt – Sourcing / Recruiting (2008). Basic Boolean Search Operators and Query Modifiers Explained. https://booleanblackbelt.com/2008/12/basic-boolean-search-operators-and-query-modifiers-explained/
Masters, J. (2019). What Are Economic Sanctions?, Council on Foreign Relations, https://www.cfr.org/backgrounder/what-are-economic-sanctions
Schwartz, P. (1996). The Art of the Long View: Planning for the future in an uncertain world, Currency, United States.
United States Army (2012). Open Source Intelligence, ATP 2-22.9
World Economic Forum (n.d.). Global Risks, https://www.weforum.org/global-risks/

The critical path should help inform people-management decisions

The role of continuous monitoring (insider risk detection) systems and the critical path

Continous monitoring systems require configuring for your organisation’s context

Further Reading

How do typologies, modus operandi and TTP’s differ?

What are the components of a typology and why?

Are there fraud risks associated with vendors?

Vendor fraud versus supply chain integrity: what’s the difference?

What does this mean in practice?

Further Reading

What is Serious Organised Crime anyway?

Common activities of serious organised crime – is there a nexus with your business?

What we know about Serious Organised Crime in Australia today

What can be done about the risk of organised criminal infiltration?

Further Reading

State of art – managing fraud and security risk in relation to products

What satisifies a criminals cravings?

How can we apply the CRAVED construct to manage product risk?

Further reading:

The dangers of intelligence ‘silos’ across your organisation

Work out what is valuable to your business

Your products & services are assets too!

Identifying the threat actors likely to target your assets

Applying your threat universe in practice

Further reading

‘Trade secrets’ defined for the first time in Australian legislation

What is a ‘Foreign Government Principal’?

Three elements of the offence define expectations of employers – IP Protection programs

Further reading

Selecting sources and monitoring tools

Actioning what you’ve found

Dealing with information about people, events, places and things

Articles of a strategic nature

Optimising your capability

**The critical path should help inform people-management decisions**