As I sat in the taxi in Jackson, Mississippi, waiting for the cab driver to “call in” my credit card because he had no credit card machine or app on his flip phone, I cringed. Just four days prior, I was teaching an ACFE webinar on travel fraud and here I was, hamstrung by an antiquated process that put my credit card at risk.
According to the regulation’s detailed website full of helpful tips and background information, the European Union’s (EU) General Data Protection Regulation (GDPR) was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy. But, as i-Sight’s Dawn Lomer recently pointed out, fewer than half of the companies recently surveyed were prepared for the regulation, which comes into effect May 25.
Dr. Jessica Barker addressed hundreds of anti-fraud professionals yesterday at the 2018 ACFE Fraud Conference Europe and told them that a new weak point in organizations’ cybersecurity might stem from an unlikely source — General Data Protection Regulation (GDPR) compliance. “One of the speculations about what we will see with GDPR is more extortion around hacks,” she said.
Nikola Blagojevic, CFE, CISA
In the past decade, public- and private-sector organizations have greatly increased their use of smartphones for their employees; the devices are now ubiquitous. Upside: simple and quick communication. Downside: smartphones are easily lost or stolen and, like any networked computer, are exposed to cyberattacks through vulnerabilities in their software. According to the CNBC article, Biggest cybersecurity threats in 2016, by Harriet Taylor, Dec. 28, 2015, "The evolution of cloud and mobile technologies, as well as the emergence of the 'Internet of Things,' is elevating the importance of security and risk management as foundations."
Smartphones are most exposed on networks the user does not control: hotels, coffee shops, airports, cars, trains and the like. A home Wi-Fi connection is a risk area too if the user hasn't secured it properly. On such networks an attacker could gain access to confidential personally identifiable information (PII) and other data, such as:
- Personal or professional data (emails, documents, contacts, calendar, call history, SMS, MMS).
- User identification and passwords (to emails, social networks, etc.).
- Mobile applications that record PII.
- Geolocation data about the smartphone user.
Poorly configured device settings can also lead to a breach. An attacker may first target a smartphone that holds little or no classified data and then use it as a stepping stone to build a more complex attack that reaches sensitive applications or confidential data. For example, a hacker can combine various seemingly unimportant pieces of data to social engineer victims into revealing the additional information needed to stage a successful attack.
So while it's crucial that CFEs are aware that mobile devices — smartphones and tablets — bring fraud risks to organizations, it's also critical that they know the risks of using their own mobile devices in professional settings.
Understanding and mitigating the risks
The European Union Agency for Network and Information Security (ENISA) has defined 10 major risks for smartphone users:
- Data leakage resulting from device loss or theft.
- Unintentional disclosure of data.
- Attacks on decommissioned smartphones.
- Phishing attacks.
- Spyware attacks.
- Network spoofing attacks.
- Surveillance attacks.
- Diallerware attacks: an attacker steals money from the user by means of malware that makes hidden use of premium short message services or numbers.
- Financial malware attacks.
- Network congestion.
We can use these risks (listed from highest to lowest risk) alongside the ISO 27002 standard to review professional use of smartphones within organizations. Internal auditors might not have the technical expertise, so organizations can engage external experts with the specific skills to perform the proper tests. External experts also provide the independence needed to test an organization's security measures.
Here are various measures that can help reduce the risks associated with mobile devices:
- Encrypt mobile devices.
- Regularly update mobile devices' applications and operating systems.
- Set strong passwords. A personal identification number (PIN) should be at least eight digits long: a four-digit PIN has only 10,000 possible combinations and can be broken quickly. Alphanumeric passwords should be at least eight characters long and shouldn't contain common names or words. An easy way to create a memorable password is to start from a favorite sentence. For example, take "The ACFE is reducing business fraud worldwide and inspiring public confidence." Use the first letter of each word and replace "a" and "i" with "@" and "1," respectively. Following this method, the password would be "t@1rbfw@1pc" (11 characters).
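As an added example that is not part of the original article, the following Python reproduces the sentence-to-password method described above and applies the article's length and common-word rules to a candidate. The substitution table and the length thresholds come from the article; the function names, the sample common-word list and the crude keyspace estimate are assumptions made here for illustration.

```python
"""Sentence-derived passwords and the article's PIN/password length rules.

Added example, not the article's own code. The substitution table and the
length thresholds come from the article; the function names, the sample
common-word list and the keyspace estimate are assumptions made here.
"""
import math
import string

# The article's two replacements: "a" -> "@", "i" -> "1".
SUBSTITUTIONS = {"a": "@", "i": "1"}


def password_from_sentence(sentence, substitutions=SUBSTITUTIONS):
    """Build a password from the first letter of each word, lower-cased,
    then apply the substitution table."""
    letters = []
    for word in sentence.split():
        word = word.strip(string.punctuation)
        if word:
            letters.append(word[0].lower())
    return "".join(substitutions.get(c, c) for c in letters)


def check_policy(candidate, common_words=("password", "welcome", "acfe")):
    """Return a list of violations of the article's rules; empty means it passes.
    An all-digit candidate is treated as a PIN (8+ digits); anything else as an
    alphanumeric password (8+ characters, no common words)."""
    problems = []
    if candidate.isdigit():
        if len(candidate) < 8:
            problems.append("PIN shorter than 8 digits")
        return problems
    if len(candidate) < 8:
        problems.append("password shorter than 8 characters")
    lowered = candidate.lower()
    for word in common_words:
        if word in lowered:
            problems.append(f"contains common word '{word}'")
    return problems


def keyspace_bits(candidate):
    """Upper bound on brute-force effort: log2 of the number of strings of the
    same length drawn from the character classes present. A four-digit PIN
    gives about 13.3 bits (10,000 values); eight digits about 26.6 bits.
    This is an upper bound only: a sentence-derived password is not uniformly
    random, so its real strength is lower than this figure suggests."""
    size = 0
    if any(c.islower() for c in candidate):
        size += 26
    if any(c.isupper() for c in candidate):
        size += 26
    if any(c.isdigit() for c in candidate):
        size += 10
    if any(c in string.punctuation for c in candidate):
        size += len(string.punctuation)
    return len(candidate) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    sentence = ("The ACFE is reducing business fraud worldwide "
                "and inspiring public confidence.")
    pw = password_from_sentence(sentence)
    print(pw, check_policy(pw), round(keyspace_bits(pw), 1))
    for pin in ("1234", "12345678"):
        print(pin, check_policy(pin), round(keyspace_bits(pin), 1))
```

The keyspace figure is there to make the article's PIN comparison concrete, not to certify a password as strong: a guesser who knows the sentence method can enumerate first-letter abbreviations of common phrases far faster than the bound implies, so the memorable-sentence trick is a way to reach the length rule, not a substitute for a randomly generated secret.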
CFEs should secure their own professional smartphones and those in their organizations, because the devices are often laden with confidential company information. (Of course, CFEs shouldn't forget that paper records can be equally confidential and require adequate security measures, but that's for another article.)
Find even more tips on how to guard your PII in the full article on Fraud-Magazine.com.
Lindsay Gill, CFE, Director of Forensic Technology
Forensic Strategic Solutions Inc.
A key salesman left a manufacturing company, purportedly to work in sales in another industry. Under normal circumstances a company would be disappointed to lose a key salesman. However, in this instance, while productive, the salesman was a troublemaker and a constant source of negativity. Shortly after this salesman left, the president and CEO of the company received a call from one of his top customers. The customer had just received a call from the company’s No. 1 competitor; this competitor was able to tell the customer the details of his latest order with the president’s company. The president and customer alike were concerned about how confidential company information was available to a competitor. After much reassurance to the customer, the president was able to save the order.
The president then engaged our firm to perform digital forensics and get to the bottom of things. We imaged the hard drives of the sales department. Upon analysis of the former salesman’s computer we found that immediately prior to leaving, the salesman had saved the company’s detailed customer list to a USB drive. We also found frequent emails to his personal email address (webmail account) that included attachments containing order histories for key customers. Additionally, we analyzed the Exchange email server and found emails between the former salesman and current sales staff. The email address being used by the former salesman was with the competitor in question. While the emails were innocent chitchat, they revealed that the former salesman had not been truthful about his new place of employment, which violated a non-compete agreement. Investigation of the corporate phone system indicated frequent calls from the former salesman’s cell phone to the current sales staff. We found that the current sales staff was relaying information to the former salesman during these “innocent” calls catching up on their day-to-day activity.
Situations like this occur more frequently than business owners would like to think. So what are some of the key signs employers should look for to help identify the malicious insider?
- Employees who have a grudge against the company or are constantly talking about changing jobs
- Increased rule-breaking or misbehavior
- Physical altercations
- Breaking dress code
- Suspicious behavior
- Signs of extreme stress
In addition to paying attention to how your employees are behaving, you need to implement monitoring technology to pinpoint the following:
- Increased or unusual patterns in network/workplace access
- Log reports of attempted unauthorized access
- Large data transfers during nonbusiness hours
- Frequent emails to outsiders with attachments
- Excessive file downloads
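As an added example (not code from the original article or from Forensic Strategic Solutions), the following Python runs the monitoring signals listed above over a small constructed audit log: large transfers outside business hours, frequent outbound emails with attachments, repeated failed access to a protected resource, and excessive downloads in one day. The log format, field names, thresholds, user names and sample records are all assumptions made for illustration; in practice these events would come from file-server, email-gateway, DLP or SIEM logs.

```python
"""Insider-threat indicator detection over a constructed audit log.

Added example, not from the original article. The pipe-separated log format,
the field names, the thresholds and every record below are assumptions made
for illustration only.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data): timestamp|user|event|detail|bytes
# event types: download, transfer, email_out (detail = domain:attachment),
# login_fail (detail = resource that refused access)
SAMPLE_LOG = """\
2018-03-12T09:14:00|jdoe|download|Q1_orders.xlsx|120000
2018-03-12T09:20:00|jdoe|download|Q2_orders.xlsx|130000
2018-03-12T09:31:00|jdoe|download|pricing_2018.xlsx|90000
2018-03-12T09:45:00|jdoe|download|customer_list.csv|2200000
2018-03-12T23:41:00|jdoe|transfer|usb:customer_list.csv|850000000
2018-03-13T02:05:00|jdoe|transfer|usb:order_history.zip|410000000
2018-03-13T10:20:00|jdoe|email_out|gmail.com:order_history.pdf|2400000
2018-03-13T10:25:00|jdoe|email_out|gmail.com:pricing_2018.xlsx|1900000
2018-03-13T11:02:00|jdoe|email_out|gmail.com:contacts.csv|300000
2018-03-13T11:30:00|jdoe|login_fail|share:finance/payroll|0
2018-03-13T11:31:00|jdoe|login_fail|share:finance/payroll|0
2018-03-13T11:32:00|jdoe|login_fail|share:finance/payroll|0
2018-03-13T14:00:00|asmith|download|brochure.pdf|500000
2018-03-13T14:05:00|asmith|email_out|customer.example:quote.pdf|200000
2018-03-13T15:10:00|asmith|transfer|usb:brochure.pdf|500000
"""

# Thresholds (assumptions, deliberately low so the sample log trips them).
BUSINESS_HOURS = range(7, 20)        # 07:00-19:59 counts as business hours
LARGE_TRANSFER_BYTES = 100_000_000   # 100 MB
MAX_DOWNLOADS_PER_DAY = 3
MAX_EXTERNAL_ATTACHMENTS = 3
MAX_FAILED_ACCESS = 3
INTERNAL_DOMAINS = {"corp.example"}  # mail to these domains is not "outside"


def parse_log(text):
    """Parse pipe-separated lines into dicts; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue
        ts, user, event, detail, size = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "detail": detail, "bytes": int(size)})
    return events


def detect_insider_indicators(events):
    """Return {user: [finding, ...]} for the monitoring signals the article lists.
    Users with no finding are absent from the result."""
    findings = defaultdict(list)
    downloads = defaultdict(int)        # (user, date) -> file count
    ext_attachments = defaultdict(int)  # user -> outbound attachments to outsiders
    failed = defaultdict(int)           # (user, resource) -> failed access count

    for e in events:
        user, ev = e["user"], e["event"]
        if (ev == "transfer" and e["bytes"] >= LARGE_TRANSFER_BYTES
                and e["ts"].hour not in BUSINESS_HOURS):
            findings[user].append(
                f"large off-hours transfer: {e['detail']} "
                f"({e['bytes']} bytes) at {e['ts']:%Y-%m-%d %H:%M}")
        elif ev == "download":
            downloads[(user, e["ts"].date())] += 1
        elif ev == "email_out":
            domain, _, attachment = e["detail"].partition(":")
            if attachment and domain not in INTERNAL_DOMAINS:
                ext_attachments[user] += 1
        elif ev == "login_fail":
            failed[(user, e["detail"])] += 1

    for (user, day), n in downloads.items():
        if n > MAX_DOWNLOADS_PER_DAY:
            findings[user].append(f"excessive downloads: {n} files on {day}")
    for user, n in ext_attachments.items():
        if n >= MAX_EXTERNAL_ATTACHMENTS:
            findings[user].append(
                f"frequent external emails with attachments: {n}")
    for (user, resource), n in failed.items():
        if n >= MAX_FAILED_ACCESS:
            findings[user].append(
                f"repeated unauthorized access attempts: {n} on {resource}")
    return dict(findings)


if __name__ == "__main__":
    for user, items in detect_insider_indicators(parse_log(SAMPLE_LOG)).items():
        print(user)
        for item in items:
            print("  -", item)
```

Run stand-alone it prints five findings for jdoe and none for asmith, whose daytime activity stays under every threshold. The thresholds must be tuned to the organization's own baseline, and the output is a list of leads for an investigator to corroborate (as the forensic work above did with drive images, mail and phone records), not proof of wrongdoing.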
Educating employees about the importance of security is always the first step in protecting company information. Annual renewals of non-disclosure agreements and regular employee education are key to protecting your company from the malicious insider and to creating a culture of security.