One of the largest threats forcing companies to re-think their risk management strategy is the threat of internal actors. We spoke with Ed Stroz, a risk management expert who shared his insight as to why he believes this problem is increasing. Stroz is the founder and Co-President of Stroz Friedberg, an Aon company and global leader in cybersecurity, investigations and intelligence.
Stroz oversees the firm’s growth and client development, while ensuring the maintenance of its distinctive culture. He also provides hands-on strategic consulting in cyber and physical security as well as investigations, intelligence and due diligence. Before starting the firm, Stroz was a Special Agent with the FBI, where he formed their computer crime squad in New York.
Christopher P. Skroupa: What is the threat of internal extortionists and actors for the 21st century company?
Ed Stroz: Internal actors in extortionist schemes continue to be a threat to companies and other organizations. The reasons can stem from weak background checking procedures, if background checks are performed at all, to the insider becoming a more appealing target as organizations improve their external security making it harder for bad actors to infiltrate.
Even an insider with no bad intentions can get embroiled in facilitating an incident if they are approached outside of work and threatened or persuaded to take adverse action against their employer. An employee can easily fall victim to advanced social engineering, phishing, and ransomware attacks. Some of the most valuable corporate assets in the 21st century are in the form of intellectual property such as trade secrets, research and development knowledge, or business strategies. Those types of assets can be of great value to competitors and others. Because these assets are informational, they can be copied rather than subject to traditional “theft.” This makes detection of their compromise difficult, and it also can make it easier for an insider to rationalize copying them for illicit purposes.
The problem will only continue to grow since technology empowers the insider. If an employee does have bad intent, the Internet facilitates transactions and communications that can be hidden from detection – such as through the dark web, encryption, and virtual currencies – that can conceal the actions of a malicious insider and the external repositories where their communications reside.
Skroupa: How is that threat evolving? How has it changed in the last 20 years?
Stroz: The threat has evolved in step with changes in the workforce and technology. Twenty years ago businesses were just coming to terms with the Internet and electronic communications platforms like email. Nobody today needs to be told how much communication is now electronic, whether that communication is a financial transfer of funds, written correspondence, spoken words, or transmission of video images. I’ve heard Frank Abagnale, whose criminal fraud exploits were depicted in the Hollywood movie “Catch Me If You Can,” say that the opportunities for fraud today are so much greater than when he was operating. Abagnale had to master paper and ink and forge checks, and he still was able to commit enormous fraud schemes. Today there are so many more “surfaces” for a bad actor to attack and exploit just using a phone and a computer.
Skroupa: How can companies counter the threat before it happens?
Stroz: “Before” is an important word in this question. Just as the United States had to change its approach to fighting and investigating terrorism after the 9/11 attacks from one of investigating what had already happened, like planes being deliberately piloted to crash into buildings, to one of preventing and disrupting such actions in advance, we should engage in a preventative strategy. A proactive approach is infinitely more effective and valuable than a reactive one. A way organizations can try to get ahead of this risk is to conduct assessments to uncover how prepared they are to address insider risk. It’s important to work with cross-functional teams such as human resources and legal, in addition to information security. Additionally, more mature companies can help anticipate internal threats by using responsible behavioral science insights to help detect individuals who show signs of being “at risk” and then planning a thoughtful approach to those situations informed with expertise and care.
There will always be a “threat” because we will always be vulnerable to people who have access to our assets, systems, and networks. But we can work to reduce the risk of the threat being realized or, if it is realized, minimize the impact. We have to think and act in terms of “risk management” instead of risk elimination.
Stroz will be the moderator for Multi-National Company Over Government: The New Solution for Societal Challenges at The 21st Century Company conference in New York, NY on November 7.