Understanding and Mitigating Smartphone Risks

ONLINE EXCLUSIVE

Nikola Blagojevic, CFE, CISA

In the past decade, public- and private-sector organizations have greatly increased their use of smartphones for their employees — they're now ubiquitous. Upside: simple and quick communication. Downside: Smartphones are easily lost, stolen and susceptible to cyberattacks because of their technological vulnerabilities. According to the CNBC article, Biggest cybersecurity threats in 2016, by Harriet Taylor, Dec. 28, 2015, "The evolution of cloud and mobile technologies, as well as the emergence of the 'Internet of Things,' is elevating the importance of security and risk management as foundations."

Smartphones are more at risk in certain areas — hotels, coffee shops, airports, cars, trains, etc. And home Wi-Fi connections can be potential risk areas if users don't properly secure them. An attacker could easily access confidential personally identifiable information (PII) and data, such as:

  • Personal or professional data (emails, documents, contacts, calendar, call history, SMS, MMS).
  • User identification and passwords (to emails, social networks, etc.).
  • Mobile applications that record PII.
  • Geolocation data about the smartphone user.

Poor configuration of particular smartphone parameters can also lead to security breaches. An attacker can initially target a smartphone that contains little or no classified data but then use it as a steppingstone to build a more complex attack to obtain access to sensitive applications or confidential data. For example, a hacker can use various seemingly unimportant pieces of data to social engineer victims to gain more information that could enable him to stage a successful attack.

So while it's crucial that CFEs are aware that mobile devices — smartphones and tablets — bring fraud risks to organizations, it's also critical that they know the risks of using their own mobile devices in professional settings.

Understanding and mitigating the risks

The European Union Agency for Network and Information Security (ENISA) has defined 10 major risks for smartphone users:

  1. Data leakage resulting from device loss or theft.
  2. Unintentional disclosure of data.
  3. Attacks on decommissioned smartphones.
  4. Phishing attacks.
  5. Spyware attacks.
  6. Network spoofing attacks.
  7. Surveillance attacks.
  8. Diallerware attacks: an attacker steals money from the user by means of malware that makes hidden use of premium short message services or numbers.
  9. Financial malware attacks.
  10. Network congestion.

We can use these risks (listed from high to lower risk) along side the ISO 27002 standard to review professional use of smartphones within organizations. Internal auditors might not have the technical expertise, so you could hire external experts with specific skills to perform the proper tests. External experts also provide necessary independence for testing organizations' security measures.

Here are various measures that can help reduce the risks associated with mobile devices:

  • Encrypt mobile devices.
  • Regularly update mobile devices' applications and operating systems.
  • Set strong passwords. Each personal identification number (PIN) should be at least eight digits long because a four-digit PIN can be easily broken. Alphanumeric passwords should be at least eight characters long and shouldn't use common names or words. An easy way to help create a memorable password is to use a favorite sentence.  For example, you can create a password from "The ACFE is reducing business fraud worldwide and inspiring public confidence." Use the first letters of each word and replace "a" and "i" with "@" and "1," respectively. Following this method, the password would be:  "t@1rbfw@1pc."

CFEs should safeguard security for their professional smartphones and those in their organizations because they're often laden with confidential company information. (Of course, CFEs shouldn't forget that paper data can be equally confidential and necessitate adequate security measures, but that's for another article.)

Find even more tips on how to guard your PII in the full article on Fraud-Magazine.com.

CEO Moving Mountains in Anti-Corruption Compliance

MEMBER PROFILE

Philippe Montigny
CEO of ETHIC Intelligence 

As a mountain climber, former diplomat and current CEO, Philippe Montigny forged his sense of determination and perseverance “while climbing the Alps, Himalayas, Atlas Mountains, those of Lebanon, as well as the volcanoes of East Africa.” As CEO of ETHIC Intelligence, Montigny may no longer have the time to physically climb mountains, but he is moving them in the anti-fraud field by expanding ETHIC Intelligence’s anti-corruption footprint on every continent.

How did you become passionate about fighting fraud?

As a member of the Organisation for Economic Co-operation and Development ( OECD) Secretary General’s Private Office, I was able to visit and work in numerous countries across the globe. I also had the privilege of participating in the negotiations which led to the 1997 Anti-Bribery Convention. I became convinced that good corporate governance is essential to an organization’s sustainable development.

What steps led you to your current position as CEO of ETHIC Intelligence?

When I left the OECD in 1998 it was to help set up a consultancy in London that specialized in international relations and development; our goal was to assist companies with their expansion into international markets, and consequently I traveled to Africa frequently. Gradually, I noticed the extent to which corruption figured into the daily operations of most of our clients. In 2001, having become the sole owner of the company, I decided to change the focus and specialize in corruption prevention. I named the companyETHIC Intelligence.

What are the most important skills (that relate to your position) you have learned throughout your career?

I believe that two qualities are essential in corruption prevention: humility and the ability to question oneself and one’s ideas. Although talented people (with the best intentions) design anti-corruption compliances procedures, they are up against audacious individuals who can be very creative at bypassing company rules. That is why it is necessary to question our way of addressing the issue on a regular basis. Compliance must evolve constantly to adapt to the ever-changing ways in which people pay bribes.

How do you stay up to date on the latest fraud schemes that people try to perpetrate?

In order to stay up to date on developments in anti-corruption compliance, as well as emerging case law, I continue to conduct training and risk assessments with compliance officers, legal directors and corporate executive committees. These bring me into regular contact with people who face challenges daily when doing business across the globe, from Lagos to Shanghai and Sao Paulo to Moscow. 

In addition, once a year we organize, “Excellence in Compliance Day: emerging challenges and the search for best practices” for the compliance officers of our certified companies. Members of our certified companies have the capacity to identify emerging needs in compliance and to suggest appropriate methods to meet these challenges. The day, organized as a brainstorming session, enables us to advance collectively on the subject. The “Excellence in Compliance Day,” training and risk assessments enable me to stay well abreast of developments in the rapidly evolving field of anti-corruption compliance.

What do you hope to personally pass on to the next generation of fraud fighters?

I would like to convey the idea that a company can have a strong anti-corruption compliance program and still be competitive. The next generation should know that they can have a successful professional career while maintaining the highest personal standards of integrity and ethics. Integrity, in my view, has both moral and economic value.

Read Philippe's full profile on ACFE.com.

What Makes a Fraudster Tick?

FROM THE RESOURCE GUIDE

John Gill, J.D., CFE
ACFE VP of Education

It is an unfortunate truth that fraud exists in every country and in every industry. One of the most challenging parts of this continuing fight is understanding what goes on in the mind of someone who commits fraud. What causes one person facing financial hardships to steal from his employer while another finds a more honest way to pay his bills? And what goes through the mind of individuals as they are making that choice — that first decision — to become a fraudster? How do they continue to justify their actions to themselves as they carry out their schemes?

As an anti-fraud professional, it’s important to look for the answers to those questions. You cannot effectively deter fraud unless you have a full and complete grasp of the different motivations and tipping points that might affect a fraudster. I have found that interviewing fraudsters is one of the best tools to truly enter their minds. Each story is interesting in its own right, but when combined, you begin to see the common thought patterns displayed by these perpetrators before, during and after the crime. It is also important to examine different theories offered by experts — both past and present about what causes some people to turn to fraud. 

One thing that has always stood out to me while trying to understand fraudsters is that the Fraud Triangle is alive and well. Every so often, someone argues that the triangle is no longer relevant or needs to be revised. But based on the interviews the ACFE has conducted over just the last four or five years,it is just as relevant now as it was back in Dr. Donald Cressey’s day. His basic theory still holds up: fraud is likely to occur if the subject has some kind of unshareable financial pressure, a perceived opportunity to relieve that pressure, and the ability to rationalize his or her conduct so that there is a lessening of guilt or a feeling of justification.

I am excited to announce that the ACFE has developed a new 1-day class, Understanding the Mindset of a Fraudster. We will also be offering a 4-hour version of the class as a Pre-Conference session at this year’s 27th Annual ACFE Global Fraud Conference. The seminar will examine fraudsters’ behaviors and motivations, as well as the pressures, opportunities and rationalizations for their frauds. Through discussions about human behavior, video interviews with convicted fraudsters and interactive problem-solving, you will gain a deeper understanding of mindsets and personality traits common to many fraudsters.

A good fisherman understands how a fish reacts to different types of lures and water conditions. A good fraud examiner understands how individuals react to different interview techniques and workplace controls. Understanding more about the mindset of a fraudster will better prepare you to catch those people who travel outside the lines to enrich themselves at someone else’s expense. 

Read John's full article and find more training resources in the ACFE's latest Resource Guide.