The money test--what to keep in mind to protect a startup
The money test--turning away from the abstract to enhance security
A child kidnapped off of a front porch. A bucket of gold dust snatched from a security company in New York. Investors defrauded through hacking and social engineering scams.
Such are the headlines that shock us—and in some cases rightly keep us up at night. None are to be taken lightly, but all have a tragic and common element: in every case criminals took advantage of abstract thinking.
This is admittedly an abstract statement in and of itself. But allow a further example. Recently CDDI was drawn into a case that combined asset trace work, surveillance and gumshoe interviews in the wake of what was by any standard outrageous fraud. Yet there was also an uncomfortable element of the case that simply could not be ignored: an assistant to the CFO--yes, a secretary--had full rights to company accounts.
And here the problems began.
To be fair (and critical), we should first mention that an abstract defense system in the form of a detailed compliance/checklist system was long in place. Second, we should add that to some extent the company's internal systems worked: the above-mentioned secretary was outed during a standard audit.
Unfortunately, said secretary was outed long after the damage was done.
In short, she had pilfered up to hundreds of euros a month from company accounts over the course of years. And this was only the beginning, as such petty crime is often noticed by fellow criminals long before it is picked up by audits or invoice anomalies. Thus, our unethical secretary was soon pressed by outside forces to provide email access, letterhead information, historic emails and a wealth of sundry information in between. This allowed organized crime a beachhead to run a much larger and much more debilitating scam, albeit with the secretary's (somewhat unwilling) help.
Which meant hundreds of thousands of euros gone. And it all began with abstract thinking.
Before we point out the company's mistake, we should note that investigators continually see the same type of "abstract"--in other words, ineffective--approach to both personal and company issues. A child ceases to be a living being and instead becomes an issue, an idea, and thus she is left alone on a front porch to await a bus to church. A bucket of gold dust (in itself an atypical, almost abstract idea) is left unguarded for a split second while a guard double-checks delivery information. And finally, a secretary is trusted fully and completely with company accounts because a "standard compliance system" is in place.
In short, at one point or another all of the above morphed from the real to the abstract.
To illustrate this, we challenge clients to practice a perhaps overly simple yet effective test exercise on both compliance and operative systems--i.e. turn the abstract into "a suitcase full of money."
In other words (and not to belittle the pain of the affected family), had the previously mentioned child been treated as a suitcase of money, she likely would not have been left unattended on that front porch for a second. Likewise, if the bucket of gold dust had been considered a suitcase full of real, spendable money, the security guard in question certainly would have kept it chained to his very wrist.
And finally, if company accounts had been treated as what they are--straight-up cash--the firm in question likely would have added a simple access barrier to said secretary's daily routine.
Again, the above is not meant to belittle or blame. The examples are meant to point out human nature. In this age of the overworked and task-saturated, we do indeed lose the plot. What should be in the foreground becomes background noise. That which is most valuable becomes intangible. In short, even loved ones become an idea.
And no matter what anyone says, it is easy to steal an idea.
Which brings us to the company's mistake: while the secretary in question was obliged to participate in "ideas"--i.e. trainings and compliance reports--she was not herself limited in what she could attempt on a daily basis. Apart from the fact that she had never undergone even a basic background check, she had full rights to the company's invoicing and transfers from day one.
At this point some may ask just how this happened--or even just what the alternative was. The answer to both goes back to the history of the company in question. A startup grew into a company of real size, but unfortunately, it also kept its "startup, small-company" mentality, which in this case meant only basic electronic banking access remained in place. Had this company spent a mere nine euros a month, it could have graduated to a more adept system that would have de facto limited our pilfering secretary to preparing invoices and stacking them in the system for her supervisor.
This was a small step ignored (in what was otherwise a rush to success). But had this one, tiny step been put in place, the secretary's manager would then have had the ability to double-check invoice payments (i.e. suitcases of money) before they were sent--and actually retain sole rights to send them at all. A small deterrent, perhaps, but an effective and concrete deterrent nonetheless.
Put simply, if each payment had been treated as such a "suitcase of money," the pilfering would likely have been picked up early, preventing the later, much more debilitating, social engineering scam.
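The two banking setups contrasted above, written out as a small maker-checker policy; this is an added illustration, not the firm's or CDDI's own code, and every user, right and payment id in it is constructed for the example:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

PREPARE, RELEASE = "prepare", "release"


class PolicyError(Exception):
    pass


@dataclass
class Payment:
    payment_id: str
    amount_eur: float
    preparer: str
    releaser: Optional[str] = None  # set only when the payment is actually sent


@dataclass
class PaymentSystem:
    rights: Dict[str, Set[str]]                  # constructed: user -> rights held
    four_eyes: bool = True                       # False models the "startup" banking setup
    queue: Dict[str, Payment] = field(default_factory=dict)
    sent: List[Payment] = field(default_factory=list)

    def prepare(self, user: str, payment_id: str, amount_eur: float) -> Payment:
        # Anyone with PREPARE may stack an invoice in the queue; nothing leaves yet.
        if PREPARE not in self.rights.get(user, set()):
            raise PolicyError(f"{user} may not prepare payments")
        self.queue[payment_id] = Payment(payment_id, amount_eur, preparer=user)
        return self.queue[payment_id]

    def release(self, user: str, payment_id: str) -> Payment:
        # Sending needs RELEASE and, under four-eyes, a person other than the preparer.
        p = self.queue.get(payment_id)
        if p is None:
            raise PolicyError(f"no queued payment {payment_id}")
        if RELEASE not in self.rights.get(user, set()):
            raise PolicyError(f"{user} may not release payments")
        if self.four_eyes and user == p.preparer:
            raise PolicyError(f"{user} cannot release a payment they prepared")
        p.releaser = user
        self.sent.append(self.queue.pop(payment_id))
        return p


def self_released(sent: List[Payment]) -> List[str]:
    """Audit check: ids of sent payments prepared and released by the same person."""
    return [p.payment_id for p in sent if p.releaser == p.preparer]
```

In the single-user setup the audit helper is the only thing that ever notices a self-released transfer; with four-eyes on, the release is refused before any money moves.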
As basic as this sounds (and here we are not making light of the need for compliance programs, training or the complexity of business today), it all goes back to the basic premise of keeping close that which you hold dear.
In other words, a static system, especially one that has degenerated into the abstract, is no less than a problem waiting to be solved. Unfortunately, it is also a challenge that beckons to thieves and deviants alike--primarily because such thieves and deviants do not focus on the abstract, but on the real holes in an abstract defense barrier and how to get what they want.
And remember, they want what is dear to you. Your cash, your personal information, possibly even your child. But the good news is that if you abandon the abstract for more concrete, eyes-on solutions, most thieves, scammers and deviants will move on to softer targets.
For there are plenty out there to be had.
CEO, Corporate Due Diligence and Investigation, Warsaw, Poland, Det. License RB-69/2016, query@cddi.eu