09 June, 2009

The Corporate Security Myth (Article from 2008)
Ed. Note: This article was released last year to highlight and re-introduce the concept of corporate vulnerability to the kind and scope of threats that currently exist in the business world. If I am going to begin a thread on this blog about corporate security, there is no better place to start than with the kind of introduction this article provides. I hope it gives you the inspiration to stay tuned for the subsequent articles on this subject, and to invest the time it takes to give your company an honest analysis of how vulnerable it is to this kind of threat.

The Corporate Security Myth.
October 26, 2008.

Companies spend hundreds of thousands of dollars, in many cases millions of dollars, on corporate security in the interest of preventing both internal and external causes of business losses and critical business process interruptions. Generally speaking, these investments do give businesses some very basic infrastructure and legal protection, but in real terms the vulnerabilities most companies have far outweigh the minimal standards of security that those same companies have employed in recent years.

In many respects the decline of effective corporate security has dovetailed remarkably closely with the West’s decline in national security standards after the Cold War. The Peace Dividend was spent not just by governments, it seems, but by business entities as well. Unfortunately, just because the old Soviet Union ceased to exist does not mean that there are no bad guys left in the world, and individual criminals and organized crime have leapt into fields of criminality far more profitable than drugs, prostitution, smuggling, or simple theft. Stealing from businesses is now the number one crime in the world by dollar value, according to interviews I have had with law enforcement and intelligence officials over the last few years. And the number one thing being stolen from companies is… their identity.

Identity theft is not just a crime against average Americans or the general public. It is the thin end of the wedge being used against businesses today by organized crime and disgruntled ex-employees; it is also a very real national security vulnerability when exploited by terrorists and foreign powers; and it is being applied in ever more comprehensive strokes against businesses worldwide.

Consider the example of NEC of Japan. This past winter a handful of executives of a particular company were charged with a variety of crimes stemming from their theft of the identity of NEC Corporation, with a global impact of more than $5 billion. By pretending to be NEC Corp., they shifted the massive costs of returned defective products onto the real company while retaining the profits from selling those products in NEC’s name, all with NEC being none the wiser. They took on massive amounts of debt on NEC’s behalf to finance their unauthorized plans, and left NEC holding the bag for it. They ruined NEC’s reputation for quality around the world by selling bad, cheap, knock-off products and leaving the real NEC to clean up the mess. And it went on for several years before anyone even had a first hint that something was wrong. NEC’s credit rating was affected, its public image was tarnished, and its relationships with retailers around the world were damaged: a truly unexpected calamity caused by an otherwise unrelated external threat.

Consider the case of CardService International, a leading credit card transaction processing firm, which a few years ago was the target of very serious identity theft. Bogus companies were set up as executive search firms and placed ads on major employment search sites like Monster, CareerBuilder, Workopolis, HotJobs, etc. They would advertise positions for real companies, in this case CardService International, and collect resumes from prospective applicants for those positions. After a few weeks, applicants would begin to call after not hearing back about their applications. The phone number in the ad was for the HR department at CSI, but CSI had never heard of the position, let alone any of the CVs that the applicants had sent. By the time CardService International had discovered the scam, it was too late. Tens of thousands of prospective employees had sent private information in response to the recruiter’s requests, including phone numbers, addresses, social security numbers, and all other data needed for a ‘pre-screening employment verification/background check.’ The staff hours and legal costs involved in trying to solve or minimize the damage from this scam, for CSI’s purposes alone, were astronomical. Consider, then, that this was not just happening to CSI at that time, but to dozens, perhaps hundreds, of other companies simultaneously. And just as someone started to figure out the scam, the recruiting company would ‘go bankrupt’ and all trace of the ownership and staff would disappear, only to reappear as completely new recruiters under different names in different cities, repeating the scam from scratch over and over again.

As a side note, the media have only just recognized this threat of personal identity theft this past weekend, with a number of articles based on a theoretical test performed by a research group in the UK. They have yet to seriously report on the actual accounts of this kind of fraud already reported to law enforcement around the country and around the world.

Neither of these scams, in fact, had anything to do with the companies in question. NEC could not have known what was happening purely through internal or external penetration-threat security measures. No one went to CSI to hold them up at their building. These identity theft scams happened in virtually complete isolation from the companies whose names were used to commit major fraud. Current business security methodology has no viable means of protecting companies from this kind of security risk, and it is far too rampant and widespread for companies to ignore. One unofficial estimate of the losses and costs sustained by CSI in that particular example included more than a dozen professional staff deployed for more than 6 months with extensive overtime, and almost a year and a half of fruitless legal costs trying to serve papers on the defunct and disappeared perpetrators. Assume that each of those professionals was paid at least $40,000 per year. That amounts to more than $250,000 in staff costs alone, plus the legal fees, court costs, and public relations mess. Interviews with staff also indicated that a number of applicants for those positions were purchasing reps in charge of their firms’ credit processing service purchasing decisions, and many of those had immediately put a replacement contract up for tender in order to drop CSI, as they no longer felt that CSI was a safe service provider for financial transactions, even though no transactions had in fact been involved and CSI was not responsible for any wrongdoing. The impression left with applicants was that CSI was not serious about protecting its business reputation for security, and therefore would not be serious about any of its other security measures. The impact on sales, customer confidence, employee confidence, and potential real recruiting efforts is virtually incalculable.

These two examples only serve to illustrate that every company is just as vulnerable to the same kinds of dirty tricks, scams, and frauds, and to a host of other threats of varying scales, none of which corporate leaders are ready to deal with yet. And when the day arrives that the company hit by these scams is yours, will you have enough spare resources left to handle the impact? What happens if it hits you at the same time as:
- A major audit?
- A manufacturing strike?
- A critical supplier drastically limits your credit?
- You are in the middle of negotiating with a major new client or a new round of financing?
- A major company executive passes away?
- A major network virus destroys your company’s ability to respond?

Can you be sure your firm will survive it? Is your corporate security effective against these kinds of frauds and criminal threats, or is it still only part of the corporate security myth?