Euro-View: Sven Bergmann on business cyber-security
Recently, Europol released its 2017 “Serious and Organised Crime and Threat Assessment – SOCTA” report. Shortly after that release, I had the privilege to speak as a panelist at the Brussels conference, “Fighting Organised Crime and Terrorism,” co-hosted by Europol and the British Chamber of Commerce. There, corporate leaders and crime experts from around the world agreed that the Europol report was sober reading. It laid out the challenges legitimate businesses face when confronted by illegal entities that mimic their profit-generating behaviour, but for destructive ends.
During the conference, Europol’s director, Rob Wainwright, explained that both criminal organisations trafficking in illicit goods and terrorist organisations have clear executive leadership, as well as various departments. They are able to shift their operations to meet unexpected demand. They add new business lines, new operations and new markets. They exit markets that become too hard to compete or succeed in, and most importantly, they can execute such illicit operations on an industrial scale. They are, in short, increasingly organised like businesses.
But that is only the most dramatic way that criminal and terrorist organisations have changed (although sometimes the same organisation gains funds through criminality, and then uses those funds to finance terrorism). In its report, Europol identifies three other new global trends.
First, criminal organisations have gone increasingly global. With the rise of the Internet, crime groups can achieve global reach in record time. This enables them to exploit new illicit trade markets in new countries rapidly, if demand increases. Like the Internet itself, organised crime has become decentralised.
Second, criminal organisations now offer illegal trade as a service. In the same way that a legitimate business has access to many service providers, organised crime groups now have access to highly specialised, global, and nimble service providers. For example, criminal service providers will specialise in providing stolen identities, raw materials, distribution services, freight forwarding or illegal border crossings.
Crime as a service makes disrupting criminal enterprises extremely difficult. If an enforcement action takes out one “service provider”, 10 others will be instantly available to fulfill that same need.
Finally, better data analysis is key to successfully combating these global, distributed, decentralised, highly adaptive and fragmented organised crime groups. As Wainwright pointed out at the conference, additional information or data is not required, but rather a better aggregation, integration and analysis of existing data. This includes the integration and analysis of multiple dispersed existing data sources.
As a result of these changes, organised crime has become a pervasive and ubiquitous threat for businesses requiring a new response. The question is: what are the implications for business? What can the private sector do to better protect its personnel, its products, and its customers?
In my view, companies need to develop and deploy a comprehensive security strategy across all facets of their business. The framework that I offer below structures such a strategic response according to internal threats, revenue threats and external strategies.
First, internal threats. As a first step, businesses need to focus on shoring up corporate security, cyber security and supply chain security. Every day, organised crime groups attempt to infiltrate the inner workings of companies to gain access to confidential information, employee or customer data, physical locations and distribution systems. Having tight internal controls over physical locations, IT systems, and distribution systems provides the foundation for an effective defense.
Secondly, revenue threats. Businesses must develop a comprehensive brand and supply chain protection strategy, as well as systems and tactics to consistently monitor and defend against illicit trade in their products. Effective brand and supply chain protection will guard businesses against revenue loss, threats to their brand value, and risks to their business investments.
Finally, external strategies. Companies must go on the offense through external strategies that ask law enforcement and government officials to focus on the organised crime and illicit trade impacting their industry. This offensive effort should also include actively engaging with government officials and policy makers to pre-empt or manage unnecessary regulatory burdens.
In conclusion, the time for businesses to act is now. As the proverb says, “crime never sleeps”. This has never been truer than today. Transnational criminal organisations have evolved into highly organised and adaptive global entities that pose a ubiquitous and pervasive threat for businesses. Businesses need to take action now to shore up their internal defenses, build comprehensive brand and supply chain protection programs, and proactively engage government officials, public policy makers and law enforcement officials. By waking up to the threat, they can protect their most valuable assets before becoming a target.