About Paul Curwell

I help businesses protect their Intellectual Property (IP), revenue and product from fraud and security threats. My content provides clear steps to protect your Trade Secrets, attract investors, and accelerate business growth from startup to commercialisation using my RTP Playbook.

Integrating Security into Quality Management Systems


My 3 Key Takeaways

  • If you’re in deeptech or manufacturing, your Quality Management System (QMS) can do way more than keep auditors happy—it can protect your IP, prevent fraud, catch compliance failures, and reduce insider threat risk.
  • Integrating your security and compliance processes into a QMS lets you achieve more with less: fewer tools, fewer people, fewer mistakes.
  • Most deeptech SMBs already have the infrastructure—they just haven’t connected it all yet. That’s the opportunity.

Let’s Talk About the Boring Stuff That Could Kill Your Business – Quality & Security

Let’s be honest—QMS, fraud controls, insider threat detection… not exactly stuff that gets founders leaping out of bed. But you know what’s worse than a dry compliance meeting?

  • Watching your research walk out the door with a departing employee.
  • Getting sued because someone emailed a product claim to a customer before the regulator signed off.
  • Losing a major sales deal because your QMS and security systems don’t talk to each other.

If you’re in a knowledge-intensive industry and chasing investor capital or enterprise contracts, these aren’t just compliance risks. They’re existential threats. Thankfully, you probably already have everything you need to prevent them!

Your QMS Doesn’t Have to Just Cover Compliance—It’s Commercial Defence

Sure, you’ve got ISO 9001, ISO 13485, or FDA 21 CFR 820 in place. You have to. But compliance is the floor, not the ceiling. Today, quality is about more than audits. It’s about trust—with regulators, buyers, and investors. And increasingly, quality failures stem from security failures.

This means your risk and compliance programs can’t live in silos – let me show you what I mean:

Security Failure                          | Business & Compliance Impact
------------------------------------------|-------------------------------------------
Employee sends IP to Gmail pre-exit       | Trade secrets lost, investor trust damaged
Supplier compromise injects code          | Product recall, brand hit
Staff emails HCPs with unapproved claims  | Regulatory violation, potential litigation
Ransomware halts diagnostics              | Delayed care, reputational damage
Research data shared publicly             | IP protection compromised

As you can see from this table, these aren’t just cybersecurity issues. They’re business continuity, liability, and commercialisation risks as well, which are exactly what a well-integrated QMS should be catching.


Integrate Quality and Security to Create Your Advantage

Most deeptechs are SMBs which run lean. No in-house CISO. No army of compliance officers. But—you do have a quality team and a QMS. That’s your edge. If you can embed security, IP protection, and insider threat controls into your QMS, you gain:

  • Operational efficiency—fewer tools and frameworks, less duplication
  • Investor readiness—clean audit trails, documented controls and processes that work
  • Market trust—quality and compliance proof baked in to win and retain customers

The good news is your business can run lean and stay secure.

You don’t need a CISO to lead on risk—just smart, integrated processes.

So enough talk, what’s the fix? Here’s how you do it

Step 1: Identify Overlapping Risks

Bring together your Quality, IT, Compliance, and Security folks—yes, even if that’s just two people with five jobs—and map out shared risk areas:

  • Trade secret risks: Who has access to research, models, or source code—and what happens when they resign?
  • Outbound comms risks: Can someone email a healthcare provider or investor with an unapproved claim?
  • Supplier risks: Are third-party vendors accessing your R&D environment or pushing code into your stack?
  • Data risks: Are IP files, calibration logs, or clinical datasets being handled securely?

Step 2: Build Integrated, Actionable Processes

Expand your existing QMS workflows—incident logs, CAPA, document control—to cover your information security and fraud risks, such as:

  • Departing employee sends IP to Gmail? Log it as a deviation. Raise a CAPA. Trigger access review. Investigate. Retrain.
  • Email flagged with unauthorised claim to an HCP? Route through the same CAPA process as any product defect.
  • Security incident in supplier data flow? Link it to your QMS audit trail and generate a risk-rated action plan.

Step 3: Align Your Systems to Real Business Needs

Think like an SMB: use what you already have. Forget vendor feature lists. Start with those core requirements your business actually needs:

  • Secure document management
  • Workflow orchestration (escalations, approvals, logging)
  • Audit trails that regulators and enterprise buyers can follow
  • Real-time alerting for policy violations or unusual activity
  • Case management for incidents and corrective actions
  • Dashboards and management analytics across all domains

Here are some use cases to demonstrate how all this might work in practice:

  • Microsoft Purview + Sentinel: Classify sensitive research data, enforce retention policies, and monitor emails to detect regulatory violations and IP risks.
  • GCP Chronicle + Workflows: Detect insider threats, trigger automated reviews, sync results with your QMS and HR systems.
  • AWS GuardDuty + Step Functions: Scan S3 buckets for unclassified IP, auto-trigger CAPAs in your QMS.
  • Digital QMS platforms: These must integrate with your SIEM, cloud, ERP, HR, and research platforms. No integration = no scale.

Step 4: Monitor, Automate, and Expand

Use your existing monitoring stack—not just for cyber, but for compliance, fraud, and regulatory use cases:

  • Microsoft Purview: Classify IP, research data, or regulated content and flag outbound emails that contain unapproved medical claims.
  • Splunk or Elastic: Detect download spikes, file movements, or unusual access patterns.
  • SIEM + QMS: Auto-trigger a CAPA or risk log entry when a critical security alert is detected.
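The "SIEM + QMS" bullet above and the Step 2 deviation workflow (log it, raise a CAPA, trigger an access review, investigate, retrain) can be wired together with a small amount of glue code. The block below is an added example, not code from the article or from any of the vendors it names: it parses a constructed file-audit export, applies a sliding-window download-spike rule of the kind a Splunk or Elastic search would express, and turns each hit into a deviation/CAPA record in the same shape a product defect would use. The line format, the thresholds (5 files or 500 MiB in 60 minutes), the `research/` and `clinical/` classification prefixes and the CAPA field names are all assumptions.

```python
"""Added example (not from the article): turn SIEM file-audit events into a
QMS deviation/CAPA record when a download spike is detected.

Assumptions: the audit line format, the spike thresholds and the CAPA record
fields are illustrative; real Splunk/Elastic/Purview exports and QMS schemas
differ.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample export: "<ISO timestamp> <user> <action> <path> <bytes>"
SAMPLE_AUDIT_LOG = """\
2025-03-03T09:12:04Z alice FileDownloaded research/assay_v3.xlsx 204800
2025-03-03T09:40:11Z alice FileDownloaded research/protocol.docx 51200
2025-03-03T10:05:30Z bob FileDownloaded qms/capa_template.docx 30720
2025-03-03T22:14:02Z carol FileDownloaded research/model_weights.bin 734003200
2025-03-03T22:15:09Z carol FileDownloaded research/training_set.zip 524288000
2025-03-03T22:16:41Z carol FileDownloaded research/patent_draft.docx 102400
2025-03-03T22:17:55Z carol FileSyncDownloaded research/ 1073741824
2025-03-03T22:19:03Z carol FileDownloaded research/lab_notebook.pdf 2048000
2025-03-03T22:20:21Z carol FileDownloaded research/sequence_library.fa 409600
2025-03-03T22:21:50Z carol FileDownloaded research/results.csv 81920
2025-03-04T08:30:00Z bob FileDownloaded qms/sop_014.pdf 40960
"""

# Paths under these prefixes hold IP / regulated data (assumed classification).
SENSITIVE_PREFIXES = ("research/", "clinical/")


def parse_audit_log(text):
    """Parse the constructed export into event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path, size = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user,
            "action": action,
            "path": path,
            "bytes": int(size),
        })
    return events


def detect_download_spikes(events, max_files=5, max_bytes=500 * 2**20, window_minutes=60):
    """Flag any user who pulls >= max_files files or >= max_bytes within a
    sliding window. Returns one finding per triggered window."""
    window = timedelta(minutes=window_minutes)
    by_user = {}
    for ev in events:
        if ev["action"] in ("FileDownloaded", "FileSyncDownloaded"):
            by_user.setdefault(ev["user"], []).append(ev)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        i = 0
        while i < len(evs):
            j = i
            while j < len(evs) and evs[j]["time"] - evs[i]["time"] <= window:
                j += 1
            chunk = evs[i:j]
            total = sum(e["bytes"] for e in chunk)
            if len(chunk) >= max_files or total >= max_bytes:
                findings.append({
                    "user": user,
                    "window_start": chunk[0]["time"].isoformat(),
                    "window_end": chunk[-1]["time"].isoformat(),
                    "files": len(chunk),
                    "bytes": total,
                    "sensitive_files": sum(1 for e in chunk if e["path"].startswith(SENSITIVE_PREFIXES)),
                    "paths": [e["path"] for e in chunk],
                })
                i = j  # events already inside a finding are not reported twice
            else:
                i += 1
    return findings


def build_capa_record(finding):
    """Map a detection into the deviation/CAPA shape used for product defects
    (field names assumed; adapt to your QMS)."""
    high = finding["sensitive_files"] > 0
    return {
        "record_type": "Deviation",
        "source": "SIEM download-spike rule",
        "subject": finding["user"],
        "risk_rating": "High" if high else "Medium",
        "description": (f"{finding['files']} files / {finding['bytes']} bytes downloaded "
                        f"between {finding['window_start']} and {finding['window_end']}; "
                        f"{finding['sensitive_files']} from classified locations"),
        "evidence": finding["paths"],
        # Corrective actions follow the article's deviation workflow.
        "actions": ["Trigger access review", "Investigate", "Retrain"] if high else ["Investigate"],
    }


if __name__ == "__main__":
    for f in detect_download_spikes(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(build_capa_record(f))
```

On the constructed data only `carol` trips the rule (seven classified files in eight minutes), and the resulting record carries the evidence paths so the access review and investigation start from the same audit trail an inspector would later ask for. Tuning `max_files` and `max_bytes` per team is where the Step 4 "test alert thresholds" work happens.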

Now you’re using the same stack to:

  • Prevent insider threats
  • Catch regulatory breaches, possibly before they happen
  • Monitor fraud risk
  • Strengthen IP protection
  • Prepare for inspections, audits and regulatory approvals

The Final Word – Strength and Opportunity

SMBs always run lean. But lean doesn’t mean exposed.
You already have:

  • A QMS
  • Cloud, email, and monitoring tools
  • Data and IP worth protecting

All you need is to connect the dots.
Not with more tools. Not with more people.
With smarter, integrated processes that do more with less.

This isn’t about adding compliance for compliance’s sake. It’s about:

  • Avoiding lawsuits and insider breaches
  • Scaling your business without scaling your risk
  • Impressing investors and enterprise buyers with how secure—and smart—you operate

DISCLAIMER: All information presented on PaulCurwell.com is intended for general information purposes only. The content of PaulCurwell.com should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon PaulCurwell.com is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Continuous Control Monitoring: Your SMB Security Game Changer


3 Key Takeaways

  • Trade secret theft costs SMBs an average of $2.6 million per incident—but 90% of these losses could be prevented using continuous control monitoring tools you already own in Microsoft 365, Google Cloud, or AWS.
  • Investors and enterprise customers now demand real-time security evidence—continuous control monitoring gives you the proof they need, while manual audits leave you vulnerable and unconvincing.
  • Your existing cloud platform includes powerful insider threat detection—you just need to activate features that most SMBs never touch, transforming your security from reactive hope to proactive protection.

In 2019, a US biotech company lost proprietary drug formulas when a disgruntled employee downloaded files and tried to sell them to competitors. The theft delayed FDA submissions, spooked investors, and triggered costly litigation.

The tragedy? This breach could have been prevented with built-in monitoring capabilities that were sitting unused in their IT stack.

Here’s the problem I see everywhere: SMBs implement security controls but never prove they’re working. You have policies, procedures, and technology—but zero real-time visibility into whether they’re actually protecting your business.

From Frameworks to Reality: The Assurance Gap

Last week, I wrote about the three SMB risk management frameworks that knowledge-intensive businesses need: SMB1001, AS 8001, and ASIO’s Secure Innovation guidance. The response was overwhelmingly positive, but it also highlighted a critical gap.

You understand what controls you need. The challenge is proving those controls actually work—without breaking the budget on audits and compliance teams.

Here’s where the numbers get scary: trade secret theft costs the US economy over $300 billion annually, with SMBs losing an average of $2.6 million per incident. Meanwhile, 95% of successful breaches involve insider threats or human error—risks that continuous monitoring can catch before they destroy your business.

This is where continuous control monitoring (CCM) becomes your secret weapon. Instead of periodic manual audits, CCM gives you real-time evidence that your security controls are operating as intended.

What Continuous Control Monitoring Actually Does

CCM automates three critical functions that manual processes struggle with:

  • Real-time validation: Confirms your controls are working right now, not just when an auditor visits
  • Early detection: Flags control failures before they become incidents or breaches
  • Evidence generation: Produces the documentation investors, customers, and regulators actually want to see

The best part? Your existing cloud platform already includes powerful CCM capabilities that most SMBs never activate.

Your CCM Implementation Guide

Here’s how to implement continuous monitoring for the most critical SMB security controls using tools you likely already own:

Risk Area                        | Microsoft 365 Tools                             | GCP Tools                                        | AWS Tools
---------------------------------|-------------------------------------------------|--------------------------------------------------|----------------------------------
Access Controls & Identity       | Microsoft Defender for Identity; Azure AD PIM   | Google Cloud IAM; Security Command Center        | AWS IAM; GuardDuty
Insider Threat Detection         | Microsoft Insider Risk Management               | Security Command Center; Event Threat Detection  | Amazon Detective; GuardDuty
Data Protection & IP             | Microsoft Purview; Custom DLP policies          | Custom DLP; Data Loss Prevention                 | Macie; Custom GuardDuty rules
Third-Party & Supply Chain Risk  | Vendor Risk Management in Compliance Manager    | BeyondCorp; Access Context Manager               | AWS Config; Security Hub
Fraud & Corruption               | Microsoft Purview; Insider Risk Management      | Chronicle; Access Transparency                   | AWS CloudTrail; Macie
Compliance Reporting             | Microsoft Compliance Manager; Audit logs        | Security Health Analytics                        | AWS Config; Inspector
Executive Dashboards             | Power BI; Compliance reporting                  | Looker; Security Dashboards                      | AWS QuickSight; Security reports

How to Use This Framework

  1. Choose your column based on your existing cloud provider
  2. Start with high-impact areas like insider threat detection and IP protection
  3. Configure automated alerts for control failures or suspicious activities
  4. Create executive dashboards that show control effectiveness in real-time
  5. Document your monitoring for investor presentations and customer audits

Advanced CCM Strategies That Actually Work

Once you have basic monitoring in place, you can implement more sophisticated approaches:

  • Behavioral Analytics: Use machine learning in tools like Microsoft Insider Risk Management or AWS GuardDuty to detect unusual patterns that might indicate insider threats or compromised accounts.
  • Cross-Platform Integration: Connect monitoring across different systems to get a complete picture. For example, correlate login anomalies with unusual file access patterns.
  • Custom Alerting Rules: Create specific alerts for your business context. A research company might monitor for unusual access to databases outside business hours, while a technology firm might focus on code repository access patterns.
  • Automated Response: Configure automatic responses to certain events—like temporarily disabling accounts that show suspicious behavior or requiring additional authentication for sensitive data access.
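The three bullets on cross-platform correlation, custom alerting rules and automated response combine naturally into one rule. The block below is an added example, not code from the article or from Microsoft, Google or AWS: it joins constructed identity-provider sign-in events with constructed access events for sensitive repositories and databases, scores each access on simple signals (outside business hours, sign-in from a country the user does not normally use, MFA not satisfied, no recent sign-in at all), and maps the score to a graduated response of the kind the article describes. The event shapes, the 08:00 to 18:00 UTC working window, the per-user "usual country" baseline and the response names are assumptions.

```python
"""Added example (not from the article): a custom alerting rule that correlates
identity-provider sign-ins with access to sensitive resources and recommends a
graduated automated response.

Assumptions: event shapes, business-hours window, per-user usual-country
baseline and response names are illustrative.
"""
from datetime import datetime, timedelta, timezone

BUSINESS_HOURS = (8, 18)         # assumed working window, hours in UTC
LOOKBACK = timedelta(hours=12)   # how far back to find the sign-in behind an access
SENSITIVE_RESOURCES = {"repo:core-model", "db:clinical-results"}

# Assumed baseline: countries each user normally signs in from.
USUAL_COUNTRIES = {"alice": {"AU"}, "dan": {"AU"}, "erin": {"AU", "NZ"}, "bob": {"AU"}}


def ts(s):
    """Parse 'YYYY-MM-DDTHH:MM:SSZ' into an aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed identity-provider sign-in events: (time, user, country, mfa_passed)
SIGN_INS = [
    (ts("2025-03-05T08:55:00Z"), "alice", "AU", True),
    (ts("2025-03-05T20:02:00Z"), "erin", "NZ", True),
    (ts("2025-03-05T23:05:00Z"), "dan", "US", True),
    (ts("2025-03-06T01:50:00Z"), "bob", "AU", True),
]

# Constructed resource-access events: (time, user, resource, action)
ACCESSES = [
    (ts("2025-03-05T09:30:00Z"), "alice", "repo:core-model", "clone"),
    (ts("2025-03-05T20:30:00Z"), "erin", "repo:core-model", "clone"),
    (ts("2025-03-05T23:40:00Z"), "dan", "db:clinical-results", "export"),
    (ts("2025-03-06T02:00:00Z"), "bob", "wiki:onboarding", "read"),
]


def outside_business_hours(when):
    start, end = BUSINESS_HOURS
    return not (start <= when.hour < end)


def latest_sign_in(user, before, sign_ins):
    """Most recent sign-in for user within LOOKBACK of the access time, or None."""
    cands = [s for s in sign_ins if s[1] == user and before - LOOKBACK <= s[0] <= before]
    return max(cands, key=lambda s: s[0]) if cands else None


def recommend_response(signals):
    """Graduated response: one signal asks for step-up auth, two or more
    suspend the account pending a human review."""
    if len(signals) >= 2:
        return "suspend_pending_review"
    return "require_step_up_auth" if signals else "none"


def correlate(accesses, sign_ins, usual_countries):
    """Evaluate each access to a sensitive resource; return findings that carry
    at least one signal, in the order the accesses occurred."""
    findings = []
    for when, user, resource, action in accesses:
        if resource not in SENSITIVE_RESOURCES:
            continue
        signals = []
        if outside_business_hours(when):
            signals.append("outside_business_hours")
        signin = latest_sign_in(user, when, sign_ins)
        if signin is None:
            signals.append("no_recent_sign_in")  # e.g. a long-lived token in use
        else:
            _, _, country, mfa_ok = signin
            if country not in usual_countries.get(user, set()):
                signals.append("unrecognised_sign_in_country")
            if not mfa_ok:
                signals.append("mfa_not_satisfied")
        if signals:
            findings.append({
                "user": user, "resource": resource, "action": action,
                "time": when.isoformat(), "signals": signals,
                "response": recommend_response(signals),
            })
    return findings


if __name__ == "__main__":
    for f in correlate(ACCESSES, SIGN_INS, USUAL_COUNTRIES):
        print(f)
```

With the constructed events, `erin`'s evening clone from her usual country earns only a step-up challenge, while `dan`'s late-night export after a sign-in from an unrecognised country is escalated to a suspension pending review; `alice` (in hours, usual country) and `bob` (non-sensitive wiki) produce nothing. Keeping the signals list on the finding is what lets a reviewer see why the rule fired, and it is the artefact to keep when tuning thresholds to cut false positives.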

Implementation Roadmap: From Zero to Hero

Ready to start implementing? Here’s a simple roadmap to start improving your risk management:

Week 1-2: Assessment and Quick Wins

  • Audit your current cloud platform subscriptions to identify unused monitoring capabilities
  • Enable basic logging and alerting for high-risk activities (admin access, data downloads, unusual login patterns)
  • Set up executive dashboards in Power BI, Looker, or QuickSight

Week 3-4: Core Control Monitoring

  • Configure monitoring for the controls required by your chosen frameworks
  • Test alert thresholds to reduce false positives while catching real issues
  • Create incident response procedures for different alert types

Month 2: Integration and Refinement

  • Connect monitoring systems across platforms for comprehensive visibility
  • Implement behavioral analytics for insider threat detection
  • Train your team on interpreting alerts and responding appropriately

Month 3+: Continuous Improvement

  • Regular review of monitoring effectiveness and alert accuracy
  • Quarterly reports for investors and board members showing control performance
  • Updates to monitoring rules based on business changes and threat evolution

The Business Case: Why CCM Matters Beyond Compliance

Implementing CCM isn’t just about ticking compliance boxes—it’s about building a competitive advantage that directly impacts your bottom line:

For Investors: When you can show real-time dashboards of your security posture and historical data proving your controls work, you differentiate yourself from competitors who only have policies and procedures. This translates to higher valuations and faster funding rounds.

For Enterprise Customers: Large buyers increasingly require evidence of active security monitoring before they’ll trust you with contracts. CCM gives you the documentation and assurance they need, opening doors to bigger deals and longer-term partnerships.

For Research and Commercialisation: Patent offices and licensing partners want proof you’ve taken reasonable steps to protect your IP. Your monitoring logs provide that evidence, strengthening your position in disputes and negotiations.

For Operational Efficiency: Instead of wondering whether security measures are working, your team gets immediate feedback and can focus on real issues rather than false alarms. This means faster response times and better resource allocation.

Your Next Move: Stop Playing Risk Roulette

The difference between SMBs that attract serious investment and those that struggle isn’t just their innovation—it’s their ability to demonstrate they’re trustworthy stewards of that innovation.

You don’t need a security team. You don’t need expensive new tools. But you do need to prove your controls work.

Whether you’re seeking patents, winning government contracts, or raising capital from investors who understand modern risks, you must demonstrate active, continuous protection of your IP and operations.

Start this week:

  • Audit your current cloud subscriptions to identify unused monitoring capabilities
  • Enable basic logging and alerting for your most sensitive research and technology data
  • Create a simple dashboard that shows your security posture in real-time
  • Document your monitoring approach for investor presentations and customer audits

The frameworks give you the roadmap. Continuous control monitoring gives you the evidence. Your existing cloud platform gives you the tools.

The only question left is: will you activate them before the next insider threat walks out with your trade secrets?


Ready to implement continuous monitoring but need guidance on where to start? I’ve helped dozens of SMBs activate these capabilities without breaking their budgets—drop me a line to discuss your specific situation.


The 3 SMB Risk Management frameworks you need to protect your business


Key Takeaways:

  1. Small-medium businesses (SMBs) in innovative sectors face unique risk management challenges—IP theft, insider threats, and foreign interference aren’t just “big company problems.”
  2. Implementing three SMB risk management frameworks—SMB1001 (Gold/Platinum), AS 8001:2021, and ASIO’s Secure Innovation guidance—gives you a best-practice program without reinventing the wheel.
  3. For SMBs, this approach isn’t just smart risk management—it boosts investment appeal, protects your supply chain, and helps you scale with confidence.

If you’re a founder or executive at a knowledge-intensive SMB—think biotech, medtech, software, deeptech or advanced manufacturing—then I’ve got news for you: your biggest threat might not be a cyber breach. It might be someone inside your business walking out with your IP and handing it to a foreign competitor.

Yeah. Grim.

The worst part? Most SMBs don’t even realise they’re a target—until it’s too late.

In my last post, I argued for collapsing insider threat, fraud, and integrity risk programs into one integrated workforce risk model. Today, I’ll show you how to go even further—by adding cybersecurity and innovation security to the mix using three standards already built for SMBs.

Spoiler alert: you don’t need a bespoke program or a 100-page strategy deck. Just plug and play with SMB1001, AS 8001, and ASIO’s Secure Innovation guidance.


Why You Need a Whole-of-Business Risk Lens

Innovative SMBs are juicy targets.

You’ve got valuable research data, intellectual property, and commercialisation plans. You’re agile, fast-growing, and often working with overseas partners. That’s a goldmine for corporate spies, fraudsters, and even state-backed actors.

Don’t believe me? Ask the Australian startups quietly briefed by ASIO on foreign interference. Or look at the biotech company that lost its trade secrets in what started as a “friendly” joint venture.

Here’s the “triple threat” that innovation-driven SMBs face:

  • Cyber Security breaches that expose your R&D and IP.
  • Insider Threats from employees, researchers, or suppliers with too much access.
  • Fraud and Integrity failures that destroy trust, attract regulators, and scare off investors.

Three Standards. One Smart Strategy.

You can cover all these risks by combining three existing frameworks. Here’s how they work together:

1. SMB1001 (Gold or Platinum) – Your Cyber Backbone

Designed specifically for SMBs, SMB1001 provides cyber maturity models from Bronze to Diamond. For high-growth and innovation-focused businesses, Gold and Platinum are the sweet spot.

Gold gives you:

  • Cybersecurity policies for staff and contractors
  • Acceptable use rules (no, your intern shouldn’t be crypto mining on the R&D server)
  • Background checks, access reviews, incident response plans, cyber awareness training

Platinum adds:

  • External audits
  • Continuous monitoring and automated alerts
  • Integration with HR and procurement
  • Real-world testing like penetration and social engineering simulations

These controls are critical—but they don’t explicitly cover fraud, integrity, or culture.

[Image: cover of SMB1001:2025; SMB1001 is produced by Dynamic Standards International]

Which brings us to…

2. AS 8001:2021 – The Fraud, Corruption & Insider Threat Muscle

This standard fills the governance and integrity gap.

It requires:

  • A fraud and corruption control policy, code of conduct, and clear accountability
  • Whistleblower protections and reporting channels
  • Regular controls testing and board-level reporting
  • A leadership culture that promotes ethical behaviour

But protecting IP, innovation, and research requires one more layer…

3. ASIO’s Secure Innovation Guidance – Your National Security Overlay

This free advisory framework from ASIO (yes, the spy agency) focuses on protecting Australian innovation.

It recommends:

  • Security risk assessments tailored to IP, R&D, and commercialisation
  • Vetting foreign collaborators, investors, and suppliers
  • Government engagement for threat intelligence and support
  • Building a “secure innovation” culture, driven by leadership

Most businesses never think to ask: Could this partnership be a risk? But in today’s landscape, that’s not paranoia—it’s smart due diligence.


What This Means for You

To fully protect your people, assets, and innovation pipeline, you need all three:

  • SMB1001 covers your cyber baseline
  • AS 8001 strengthens your workforce and governance controls
  • ASIO’s Secure Innovation addresses foreign interference, IP protection, and national security threats

Table: Comparison of Coverage by SMB Risk Management Framework

Risk Area / Obligation                               | SMB1001 (Gold/Platinum)    | AS 8001:2021     | ASIO Secure Innovation
-----------------------------------------------------|----------------------------|------------------|--------------------------
Cybersecurity policies & access controls             | ✅ Fully covered           | ❌ Not covered   | ✅ Covered
Fraud, corruption, and integrity policies            | ⚠️ Partial (cyber only)    | ✅ Fully covered | ✅ Covered in context
Supplier / third-party risk                          | ✅ Covered                 | ✅ Covered       | ✅ Covered
Insider threat / workforce risk monitoring           | ⚠️ Basic logging only      | ✅ Covered       | ✅ Covered + vetting
Whistleblower / confidential reporting               | ❌ Not required            | ✅ Required      | ✅ Strongly encouraged
Board / leadership risk reporting                    | ❌ Not specified           | ✅ Required      | ✅ Expected
Controls assurance / testing                         | ⚠️ Basic requirements      | ✅ Required      | ✅ Strongly encouraged
Innovation / IP risk assessment                      | ❌ Not covered             | ❌ Not covered   | ✅ Core focus
Foreign collaboration / Counter Foreign Interference | ❌ Not included            | ❌ Not included  | ✅ Core focus
Security culture / tone from the top                 | ⚠️ Cyber awareness only    | ✅ Required      | ✅ Essential
Engagement with government for threat intel          | ❌ Not included            | ❌ Not included  | ✅ Strongly recommended
Mapping of the three standards against my core integrated workforce program requirements

✅ = Fully covered ⚠️ = Partially covered ❌ = Not covered

Think of it this way:

  • SMB1001 is your body armour
  • AS 8001 is your immune system
  • ASIO Secure Innovation is your early warning radar

How to Build It Without Melting Down

You don’t need a 10-person security team. Start small. Be practical.

Here are 9 steps to get you started:

  1. Map your current controls to each framework. Gaps will show themselves quickly.
  2. Update your policies: Include anti-fraud, IP protection, acceptable use, and supplier conduct.
  3. Close quick wins: Add a code of conduct, whistleblower channel, and leadership reporting.
  4. Create a cross-functional risk committee: HR, IT, Finance, Legal, Commercial—all in one room.
  5. Run an integrated risk assessment: Cover cyber, insider threat, fraud, integrity, innovation/IP, and foreign partnerships.
  6. Train your people: Cyber training is great—but also teach secure innovation and fraud red flags.
  7. Engage with government early: ASIO Outreach and ACSC are there to help, not to audit.
  8. Review and test regularly: Dashboards and audit trails go a long way with investors and boards.
  9. Vetting is non-negotiable: Screen staff, partners, and suppliers—especially around your R&D and IP.

But Where’s the Value? What You Get in Return

  • Investor confidence: Series B investors and enterprise customers want to know your IP is protected.
  • Culture clarity: One integrated program = clear expectations, fewer grey zones.
  • Operational edge: You de-risk your go-to-market, protect innovation, and improve scalability.

Oh—and you avoid being front-page news.


Final Word

You’re building the future. Don’t let it get stolen, leaked, or sabotaged by someone you missed on a risk register.

You don’t need to reinvent the wheel. You need structure, culture, and clarity.

When you combine SMB1001, AS 8001, and ASIO’s Secure Innovation guidance, you’re building more than a compliance program. You’re building resilience. You’re protecting growth.

And you’re doing it with a framework that scales as you do.

So don’t wait for the “oh crap” moment. Start building your secure workforce risk program now.

Your investors, your board, and your future self will thank you.



We often overlook criminology when combating insider threats, fraud and sabotage


Key Takeaways:

  1. You can’t fix insider fraud or sabotage with firewalls alone—these are people problems, not just process problems, so you need to consider perpetrator motive in your control design.
  2. Behavioural science and criminological theory offer practical ways to design smarter, cheaper, and more effective controls.
  3. Mapping threat types to motivations is the secret sauce to stopping expensive mistakes—before they hit your bottom line.

Why this matters to your business

If you think trade secrets theft, sabotage, or internal fraud is something that happens to “other companies,” let me burst that bubble. These threats are not random—they’re often deeply personal. And they’re expensive. The Association of Certified Fraud Examiners (ACFE) estimates that internal fraud alone costs businesses 5% of annual revenue. For a $100M business, that’s a $5M hole—every year.

And that’s just the financial side. The reputational cost? The loss of trust with investors or research partners? The delay to your product launch because someone leaked your IP to a competitor? That stuff doesn’t show up on a balance sheet… until it does.

So how do we stop it?


Let’s talk motive (yes, like in crime dramas)

We often forget security and fraud actors have different motivations. Some actors are in it for profit. Others want revenge, power, or validation. If you treat all threats the same—say, by rolling out the same boring training module to every department—you’re wasting money and creating a false sense of security.

This first table helps you step back and align your controls to the actual psychology of your adversary.

Table 1: Motivation-Based Threat Profiling

Threat Type          | Key Motivations                        | Relevant Theory          | Considerations for Control Design
---------------------|----------------------------------------|--------------------------|-----------------------------------------------------------------
Organised Crime      | Profit, group objectives               | Routine Activity Theory  | Target hardening, threat intel, supply chain vetting
Insider Threats      | Revenge, stress, entitlement           | Control Theory           | Strengthen social bonds, build fair culture, early intervention
Nation-State Actors  | Money, Ideology, Coercion, Ego (MICE)  | MICE Theory              | Access controls, vetting, protective security

How to use this:
When assessing security risks, we often fail to ask “What is the likely motive?” If your AI is being stolen by an employee, that’s an insider threat, not a problem with cyber criminals. The control response (culture, access rights, change monitoring) needs to reflect that nuance.


Behavioural theory helps at every risk stage

Here’s the bit I wish someone had told me 10 years ago: criminological theories don’t just help you after something goes wrong—they help you design better systems from the start. I use these theories for risk identification, for designing risk treatments, and for framing executive dialogue.

Table 2: How Behavioural Theory Supercharges Risk Management

Risk Stage            | How Theories Help
----------------------|------------------------------------------------------------------
Risk Identification   | Reveal root causes and hidden risk signals
Control Design        | Tailor controls to motivations (not just compliance)
Risk Assessment       | Improve likelihood and impact estimates
Monitoring & Review   | Spot early warning signs and behavioural red flags
Training & Awareness  | Shift from checkbox compliance to ethical behaviour reinforcement

How to use this:
When you’re building your next fraud control or insider risk program, don’t start with a control library—start with questions. What kinds of pressures might lead someone to rationalise stealing research data? Where are the opportunities? Who might feel disengaged or unfairly treated? These insights help you focus resources where they’ll have the most impact—without overengineering.


Choosing the right theory for the job

Criminological theory might sound academic, but it’s just a lens—a way to make better sense of why risks materialise. I often get asked, “Which theory should I use?” The answer is: it depends, which is helpful-unhelpful. Here’s a guide I use in consulting to help organisations focus their resources.

Table 3: Best-Fit Theories for Common Security Risks

Risk Area                    | Relevant Theories                                                                      | Why It Matters
-----------------------------|----------------------------------------------------------------------------------------|------------------------------------------------------------------
Espionage                    | MICE (Money, Ideology, Compromise or Coercion, Ego), Routine Activity, Swiss Cheese    | Explains varied motives, layered failures, and access points
Trade Secrets / IP Theft     | Routine Activity, Crime Opportunity, MICE                                              | Focuses on access, motivation, and weak controls
Internal Fraud / Corruption  | Fraud Triangle, Routine Activity, Control Theory                                       | Addresses personal pressure, weak oversight, and cultural cues
Sabotage                     | Opportunity Theory, Strain Theory                                                      | Tied to frustration, injustice, and lack of guardianship
Workplace Violence           | Strain, Social Learning, Routine Activity                                              | Driven by grievance, modeled behaviour, and opportunity
Supply Chain Diversion       | Crime Pattern Theory, Opportunity Theory                                               | Helps pinpoint vulnerable choke points and recurring loss patterns

How to use this:
Say your business is about to enter a new research partnership with a university or foreign lab. You’re worried about losing your IP or trade secrets. Start by applying MICE Theory to understand potential risks on the other side: Are their staff well-paid? Are there ideological risks? How vulnerable is your business partner or their employees to coercion or bribery? Then combine that with Crime Opportunity Theory to assess access and controls.

You don’t need to become a criminologist—but bringing these concepts into boardroom discussions will make your risk strategies more intelligent and effective.


What you should do next

  1. Reassess your threat profiles – If your risk registers don’t account for behavioural motivations, rewrite them.
  2. Train your teams on motive-driven threats – Stop relying on bland compliance modules. Teach managers how to spot early red flags.
  3. Map controls to theories, not hunches – Don’t throw money at controls that don’t match the motive. Use behavioural theory to guide investment.
  4. Get smarter about culture – Your culture is your first control. Build fairness, transparency, and connection before a bad day turns into a $10M incident.

One final (uncomfortable) truth

You can’t patch human vulnerability like you patch software. Your best firewall is a culture that understands why people do the wrong thing—and a strategy that uses that insight to get ahead of the next crisis.

So, if you’re ready to move beyond checkbox security and build a behavioural-led risk strategy, let’s talk. I’ve got frameworks, models, and a whole lot of lessons learned the hard way.

Further Reading:

DISCLAIMER: All information presented on PaulCurwell.com is intended for general information purposes only. The content of PaulCurwell.com should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon PaulCurwell.com is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Combatting Adaptive Threats: Control Assurance Strategies

7–10 minutes

3 Key Takeaways

  1. Security and fraud controls decay over time—especially when facing smart, persistent human adversaries who adapt faster than your processes do.
  2. Mapping the criminal business process helps build typologies, essential for designing detection logic to embed into your fraud, insider threat, and SIEM systems.
  3. You must monitor control decay continuously using early indicators and adaptive analytics—not just wait for losses or incidents to show you’ve failed.

The Adversarial Evolution Challenge

Fraud and security controls face a unique challenge: they’re not defending against random failures or faulty processes—they’re up against people. Adaptive, intelligent, persistent people.

Think of it like this: you lock your doors. But if someone really wants in and watches you long enough, they’ll figure out where the spare key is. That’s what control decay looks like when your adversary is watching, learning, and evolving. Over time, even the best-designed controls wear thin against determined adversaries—especially when those adversaries have motivation, time, and community support.

This constant pressure creates a cycle where:

  • Controls lose effectiveness as attackers discover workarounds.
  • Fraudsters evolve their TTPs (tactics, techniques, and procedures) to sidestep your latest defences.
  • Control bypass techniques get shared in underground forums, speeding up the learning curve for others.
  • Every successful breach becomes a repeatable blueprint—one your analytics may not be trained to detect.

The Real Cost of Ignoring Control Decay

In 2023, reported global losses from fraud hit US$485 billion, and organisations hit by insider incidents faced insider-related costs averaging US$16.2 million a year. And those figures only capture what’s been detected and disclosed.

Control decay is especially dangerous in environments that depend on digital platforms (e.g. eCommerce, online banking), in trade secret protection, and in product protection. Supply chains and distribution are particularly vulnerable: third parties may have weaker controls, creating backdoors into your systems. And when fraud or insider threats go unnoticed, they erode trust and value fast.

Security and fraud threats are carried out by people: adaptive, intelligent, persistent adversaries.

From Static to Smart: Rethinking Controls

Many organisations treat security and fraud controls as one-time investments—set them, test them, and move on. That mindset doesn’t work against adaptive human threats.

Controls decay like milk, not wine. Even when controls are automated, humans are still involved—approving actions, ignoring alerts, or skipping procedures. Over time, fatigue and complacency creep in, creating gaps that adversaries can exploit. That’s why it’s essential to continuously reassess the effectiveness of your defences, a process known as ‘control assurance’.


Mapping the Criminal Business Process

Before you can improve detection, you need to understand the steps an adversary must take to succeed. That’s where mapping the criminal business process comes in.

This means reverse-engineering the steps an adversary would take to achieve their goal—whether that’s stealing research data, committing payment fraud, or accessing protected systems. By mapping out their “workflow,” you can identify where to disrupt them.

Key disruption opportunities include:

  • Reconnaissance – How do they learn about your systems, people, or gaps?
  • Access – What path do they use to gain entry (e.g., phishing, credential reuse)?
  • Evasion – How do they stay under the radar?
  • Monetisation – What do they do with what they’ve taken?
  • Exit strategy – How do they cover their tracks?

This process forms the backbone for building targeted detection strategies.


Typologies: Turning Adversary Tactics into Detection Models

Once you understand the criminal business process, you can develop typologies: structured descriptions of how a specific threat plays out in your context, complete with behavioural indicators, red flags, and contextual cues.

Typologies aren’t just lists of “bad behaviours”. A typology is a model that describes how a particular threat manifests in a particular context: the sequence of actions, the behavioural indicators, the contextual factors, and the red flags associated with the scenario:

  • They aggregate indicators, sequences, and behaviours that point to fraud or compromise.
  • They include the context—industry, access levels, timing—that makes them relevant.
  • They support prioritised detection by translating threats into models your systems can monitor.

Developing typologies involves analyzing real-world cases to identify common patterns and methods used by adversaries. One effective approach is Comparative Case Analysis (CCA), which compares multiple incidents to extract shared characteristics and inform the development of robust typologies.


From Typologies to Detection: Using Analytics to Catch Adaptation

Once established, these typologies serve as the foundation for designing analytics-based detection models. By translating the insights from typologies into detection logic, organizations can proactively monitor for activities that align with known threat patterns, enabling earlier identification and response to potential incidents.


Data analytics helps you identify these early signs of attacker adaptation—well before a control fails outright. By building detection around these patterns, you shift from reactive incident response to proactive defence.

  • Anomaly Detection – Spot subtle changes in normal activity before a bypass is successful.
  • Clustering & Pattern Discovery – Uncover organised campaigns or repeated techniques across cases.
  • Temporal & Spatial Analysis – Track when and where new threats emerge or evolve.
  • Simulations & Wargaming – Test how your controls stand up to evolving TTPs across different organisational contexts and business processes, including the internal control points within them.
  • Threat Intelligence Integration – Correlate public vulnerabilities or attack trends with what’s happening in your own data.

Measuring and Monitoring Control Decay

You can’t improve what you’re not measuring. Most businesses track breaches and incidents—but that’s too late. Control decay needs earlier signals.

The goal is to monitor signs that controls are being weakened, tested, or circumvented—even if the attacker hasn’t succeeded yet. These metrics give you early warning that your system is becoming vulnerable.

  • Bypass Detection Rate – How often are adversaries getting around your controls?
  • Control Learning Curve – How fast are attackers adapting after implementation?
  • Adaptation Indicators – Are there new methods or patterns in failed attempts?
  • Control Evasion Techniques – What are the latest tricks being used to slip past detection?
  • TTP Evolution Tracking – How are known techniques changing over time?
  • Reconnaissance Patterns – Is someone repeatedly probing or testing your systems?
  • “Low and Slow” Attacks – Are there stealthy signs of gradual testing or exploitation?
  • Correlation with Vulnerability Disclosures – Do public CVEs line up with spikes in suspicious activity?

Fraud and security controls decay over time in the face of threats
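
The typology-to-detection step and the decay indicators above, as an added Python example that is not code from the original article: a fraud typology (splitting payments to stay just under an approval threshold, so the second-approver control never fires) is encoded as detection logic, run over constructed payment records, and three early-warning indicators are then computed from the hits rather than from losses. The threshold, the “near-threshold” band, the seven-day window and the indicator definitions are assumptions chosen for illustration.

```python
"""Typology-driven detection with control-decay indicators.

Added example, not code from the original article. Payments below are constructed
sample data; the control (second approval at or above a threshold), the typology
parameters and the indicator definitions are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

APPROVAL_THRESHOLD = 10_000.0    # control: payments >= this amount need a second approver
NEAR_BAND = 0.85                 # typology: "just under" = at least 85% of the threshold
WINDOW = timedelta(days=7)       # typology: hits must fall inside a rolling 7-day window
MIN_HITS = 3                     # typology: three near-threshold payments to one payee
CONTROL_LIVE = date(2024, 1, 1)  # when the threshold control went live


@dataclass(frozen=True)
class Payment:
    day: date
    requester: str
    payee: str
    amount: float


# Constructed sample data (assumption): payments in the quarter after go-live.
SAMPLE = [
    Payment(date(2024, 1, 3), "alice", "VendorA", 42_000.0),   # above threshold: reviewed
    Payment(date(2024, 1, 9), "bob", "VendorB", 3_100.0),
    Payment(date(2024, 1, 22), "carol", "VendorC", 12_500.0),  # above threshold: reviewed
    Payment(date(2024, 2, 5), "dave", "ShellCo", 9_800.0),     # structuring begins
    Payment(date(2024, 2, 6), "dave", "ShellCo", 9_650.0),
    Payment(date(2024, 2, 8), "dave", "ShellCo", 9_900.0),
    Payment(date(2024, 2, 20), "erin", "VendorD", 4_000.0),
    Payment(date(2024, 3, 4), "dave", "ShellCo", 9_950.0),     # amounts creep closer to the limit
    Payment(date(2024, 3, 5), "dave", "ShellCo", 9_975.0),
    Payment(date(2024, 3, 7), "dave", "ShellCo", 9_990.0),
]


def is_near_threshold(p):
    return NEAR_BAND * APPROVAL_THRESHOLD <= p.amount < APPROVAL_THRESHOLD


def detect_structuring(payments):
    """Typology: MIN_HITS or more near-threshold payments from one requester to one
    payee inside WINDOW. Returns (requester, payee, first_day, total) per cluster."""
    by_pair = defaultdict(list)
    for p in sorted(payments, key=lambda x: x.day):
        if is_near_threshold(p):
            by_pair[(p.requester, p.payee)].append(p)
    hits = []
    for (requester, payee), ps in by_pair.items():
        i = 0
        while i < len(ps):
            cluster = [q for q in ps[i:] if q.day - ps[i].day <= WINDOW]
            if len(cluster) >= MIN_HITS:
                total = round(sum(q.amount for q in cluster), 2)
                hits.append((requester, payee, ps[i].day, total))
                i += len(cluster)   # do not count the same payments twice
            else:
                i += 1
    return hits


def decay_indicators(payments, hits):
    """Early-warning metrics for the threshold control, computed from hits, not losses."""
    # Bypass rate: value that slipped under the control vs value the control reviewed.
    reviewed = sum(p.amount for p in payments if p.amount >= APPROVAL_THRESHOLD)
    bypassed = sum(h[3] for h in hits)
    bypass_rate = bypassed / (bypassed + reviewed) if (bypassed + reviewed) else 0.0
    # Control learning curve: days from go-live to the first structured cluster.
    learning_days = min((h[2] - CONTROL_LIVE).days for h in hits) if hits else None
    # Adaptation indicator: how close to the limit near-threshold amounts sit, by month.
    # A ratio rising towards 1.0 means the adversary has learned where the line is.
    by_month = defaultdict(list)
    for p in payments:
        if is_near_threshold(p):
            by_month[p.day.strftime("%Y-%m")].append(p.amount / APPROVAL_THRESHOLD)
    proximity = {m: round(sum(v) / len(v), 4) for m, v in sorted(by_month.items())}
    return {"bypass_rate": round(bypass_rate, 4),
            "learning_days": learning_days,
            "proximity_by_month": proximity}


if __name__ == "__main__":
    found = detect_structuring(SAMPLE)
    for h in found:
        print("structuring:", h)
    print(decay_indicators(SAMPLE, found))
```

The proximity indicator is the one worth watching: in the sample the structured amounts drift from roughly 98% of the threshold in February to over 99.7% in March, which is the control learning curve made visible before any single payment looks wrong. Run stand-alone, the script prints the two clusters and the indicator dictionary.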

Countering Control Decay with Adaptive Analytics

Now that you’re watching for decay, you need to build controls that respond to it. Static rules can’t keep up with adversaries that are constantly learning and evolving.

This is where adaptive analytics come in. By layering behavioural insights, detection flexibility, and external intelligence, you can keep your controls sharp and responsive.

  • Control Variation – Don’t apply identical rules across environments—vary thresholds and triggers to make it harder to game the system.
  • Adaptive Rule Sets – Let your system adjust thresholds when probing is detected.
  • Behavioural Baselines – Define “normal” for each user or system, and refresh those profiles regularly.
  • Interdependent Control Effectiveness – Evaluate how your layers of control interact—do they actually reinforce each other?
  • Simulate Responses – Use testing and wargames to anticipate how controls would respond to emerging tactics.
  • Threat Intelligence Integration – Don’t just collect external threat data—use it to shape detection models and control tuning in real time.
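
Behavioural baselines and adaptive rule sets from the list above, as an added Python example rather than code from the original article: each user’s “normal” daily download volume is rebuilt from their recent clean days, a z-score cut-off flags excursions, probing (a burst of denied actions) tightens that cut-off for the user for a week, and flagged days are excluded from the baseline so a slow ramp cannot teach the model that the new level is normal. The activity data, window length, cut-offs and probing definition are assumptions for illustration.

```python
"""Behavioural baselines with adaptive thresholds.

Added example, not code from the original article. The daily activity is constructed
sample data; the baseline window, the z-score cut-offs and the "tighten after probing"
rule are assumptions chosen to illustrate the idea.
"""
import statistics

BASELINE_DAYS = 7     # days of clean history that define "normal" for a user
DEFAULT_Z = 3.0       # alert when today's volume is this many std devs above baseline
TIGHT_Z = 1.5         # tighter cut-off while a user is under heightened scrutiny
PROBE_DENIALS = 3     # denied actions in one day that count as probing the controls
MIN_STD = 1.0         # floor so a flat baseline cannot make a small change look huge
MIN_HISTORY = 3       # learn quietly until this many clean days exist

# Constructed sample (assumption): per user, one (files_downloaded, denied_actions) per day.
ACTIVITY = {
    # steady user whose last day is a bulk pull
    "grace": [(10, 0), (12, 0), (9, 0), (11, 0), (10, 0), (13, 0), (11, 0),
              (12, 0), (14, 0), (60, 0)],
    # user who probes the controls on day 7, then ramps volume in small steps
    "heidi": [(20, 0), (22, 0), (19, 0), (21, 0), (20, 0), (23, 0), (21, 0),
              (22, 4), (24, 0), (30, 0)],
}


def evaluate_user(history):
    """Walk one user's days in order and return a decision per day.

    The baseline is rebuilt each day from recent *unflagged* days only, so a ramp that
    gets flagged cannot poison the baseline (the "low and slow" problem). Detected
    probing tightens the cut-off for that user for BASELINE_DAYS days: the adaptive
    rule set.
    """
    decisions = []
    clean = []            # downloads on days that were not flagged
    tight_until = -1      # last day index on which the tight cut-off applies
    for day, (downloads, denied) in enumerate(history):
        probing = denied >= PROBE_DENIALS
        if probing:
            tight_until = day + BASELINE_DAYS
        cut = TIGHT_Z if day <= tight_until else DEFAULT_Z
        baseline = clean[-BASELINE_DAYS:]
        if len(baseline) < MIN_HISTORY:
            z, volume_alert = 0.0, False        # not enough history: learn, don't alert
        else:
            mean = statistics.fmean(baseline)
            std = max(statistics.pstdev(baseline), MIN_STD)
            z = (downloads - mean) / std
            volume_alert = z > cut
        flagged = probing or volume_alert
        decisions.append({
            "day": day, "downloads": downloads, "z": round(z, 2), "cut": cut,
            "flagged": flagged,
            "reason": "probing" if probing else ("volume" if volume_alert else ""),
        })
        if not flagged:
            clean.append(downloads)
    return decisions


def evaluate_all(activity=ACTIVITY):
    return {user: evaluate_user(days) for user, days in activity.items()}


if __name__ == "__main__":
    for user, days in evaluate_all().items():
        for d in days:
            if d["flagged"]:
                print(f"{user} day {d['day']}: {d['reason']} (z={d['z']}, cut={d['cut']})")
```

In the sample, heidi’s day-8 volume sits about 2.5 standard deviations above her baseline, under the default cut-off, and is caught only because her probing the day before tightened the threshold; grace’s similar excursion on day 8 is not flagged, while her bulk pull on day 9 is. That is the interdependence point from the list in practice: the probing signal and the volume rule reinforce each other only because one feeds the other’s threshold.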

TL;DR: The Threat Is Human, and So Is the Weakness

Your adversaries are human, which means they’re persistent, curious, and adaptive. They’ll keep pushing until they find a way through.

But the people inside your organisation—who operate, review, and respond to controls—are also human. And humans get bored, distracted, and desensitised. That’s how control decay happens, both technically and culturally.

The big mistake is waiting for a loss to act. Losses are lagging indicators—they tell you your controls already failed. The real win is spotting decay before the breach. That means checking your data constantly for signs that someone’s testing your system or that your team has stopped paying attention.

Wondering what to do next? Start by looking at your risks and controls, and run some data analytics on key processes, products or information against historical incidents and near misses to understand what’s going on. Then identify indicators of control decay, build dashboards to monitor them, and look at them regularly.



Unlocking New Uses for your SIEM: Beyond Cybersecurity

7–11 minutes

3 key takeaways:

  1. Most companies are sitting on powerful analytics platforms like SIEMs—but rarely use them beyond cyber.
  2. There’s untapped potential to apply these tools to fraud, insider threat, IP protection, and compliance monitoring.
  3. With the right strategy, businesses can reduce compliance costs, improve visibility, and make better investment decisions.

Why this matters

Today’s risk environment demands more from businesses than ever before. Whether you’re protecting sensitive R&D, complying with complex regulations, or trying to prevent fraud, the traditional playbook is falling short. Organisations invest millions in security analytics, yet these tools are frequently used in a silo, which raises the question: can’t they do more? That’s a missed opportunity.

Many organisations already own high-powered Security Information and Event Management (SIEM) and observability platforms that provide rich, real-time operational insight. In most businesses, these tools are never used outside cybersecurity. That’s where this story begins.


The landscape: SIEMs, observability tools, and everything in between

Let’s unpack the main types of platforms:

  1. Security Information and Event Management (SIEM) – These platforms are the backbone of many security operations centres. SIEMs like Splunk, Sentinel, and Elastic collect and correlate security events to find and respond to threats in real time. They’re also critical for compliance reporting, audit trails, and forensic investigations.
  2. Observability platforms – Tools like Datadog and New Relic (often fed by OpenTelemetry instrumentation) provide deep insight into how systems are operating. Used by DevOps and Site Reliability Engineers, they collect metrics, logs and traces to monitor system health and performance and to prevent outages.
  3. Data lakes and warehouses – These centralised platforms are great for long-term storage and complex data queries. However, they often lack the speed or alerting capability needed for real-time risk response.
  4. BI dashboards and analytics tools – Platforms like Power BI and Tableau provide strong visualisation for decision-making. They focus on historical data, not real-time detection.
  5. Log management platforms – Tools like ELK store data for troubleshooting, but don’t get integrated into business processes.
  6. Application Performance Monitoring (APM) tools – Focus on user experience and technical metrics but often miss the business context needed for enterprise insights.
  7. Custom threat intelligence platforms – Powerful in capable hands, but often resource-intensive to maintain and inaccessible to non-technical teams.

Understanding how these tools work—and where they overlap—opens up new opportunities for extending their use into fraud, compliance, and continuous monitoring.


Non-cyber use cases hiding in plain sight

What became clear through my research is that many businesses are unknowingly sitting on a goldmine of data. This data can improve resilience, situational awareness and decision quality, resulting in reduced losses. Many tools already have access to the underlying telemetry. The gap is that organisations don’t translate their use cases into language or workflows these systems can use to solve business or compliance problems.

Here are a few real-world examples of how some organisations are using their existing telemetry platforms to solve non-security problems:

  • Fraud detection – One financial services firm used their SIEM to detect behavioural anomalies in user logins and transaction data. This helped identify fraudulent activity faster and reduce false positives in fraud alerts.
  • IP protection – A biotech set up observability pipeline alerts to detect unusual access patterns to protected research environments. This gave them a chance to intervene before valuable data walked out the door.
  • Insider threat monitoring – A large enterprise integrated HR systems with SIEM logs to flag when high-risk employees (e.g. those about to exit the company) accessed sensitive files, enabling pre-emptive action.
  • Physical security integration – A logistics company ingested building access logs into their SIEM to monitor for suspicious after-hours activity. This provided near real-time visibility of threats in zones containing high-value or regulated assets.
  • Regulatory compliance – A US health services provider configured automated alerts to detect improper access to patient records. This streamlined HIPAA compliance and reporting, easing the burden on their audit teams.

These examples aren’t outliers. They represent what’s possible when organisations look beyond the traditional cyber perimeter and align technology with broader business risks.


Trade-offs and tricky bits

Of course, extending the use of SIEMs and observability platforms isn’t without its challenges. These are powerful tools, but were built with specific users and functions in mind. Repurposing them for broader use requires careful planning, stakeholder alignment, and a realistic view of limitations.

Challenge | Considerations
Cost vs return | SIEM platforms, in particular, can become prohibitively expensive as more data sources are added. Every additional log source or telemetry stream can drive up ingestion costs, licensing fees, and infrastructure requirements. Businesses need to balance the value of added insights against escalating costs.
Expertise and resourcing | Many of these platforms are complex and require specialist skills to configure and manage. Cyber teams are often already overstretched and have no spare capacity. Asking them to support fraud, compliance, or operational use cases often requires cross-skilling or additional resources.
Data governance and privacy | Aggregating sensitive business data, such as HR records, payroll, or personnel movements, can raise privacy concerns. Any use needs to be aligned with data protection laws such as Australia’s Privacy Act, or the GDPR in Europe.
Tool mismatch and workflow gaps | Observability platforms are fast, lightweight, and built for performance. But they’re not designed for legal defensibility, long-term retention, or audit-ready compliance reporting. SIEMs, on the other hand, are great for that, but can lack the ease of use or responsiveness that observability tools provide.
Redundancy and duplication | Without coordination, multiple teams end up collecting and analysing the same data using different tools. This can lead to inefficiency and confusion around ownership and accountability. Worst case for regulatory compliance, you generate contradictory records, which is a red flag to an inspector.
Table: Challenges and trade-offs

Yes, there are challenges, but the opportunities are too great to ignore. Now’s the time for risk and compliance leaders seeking smarter, scalable approaches to assurance to speak to the CIO.


Real compliance benefits—if you play it right

Compliance is a growing cost centre for many organisations, and fraud and protective security are increasingly regulated compliance programs in their own right. Australia’s Privacy Act, Scams Prevention Framework Act and Security of Critical Infrastructure Act are three examples. Teams are under pressure to meet complex obligations, conduct audits, investigate incidents and coordinate responses, and because so much of that work now relates to a regulatory obligation, there is a regulatory imperative to get it right. Yet they are often doing it with manual processes and disconnected systems, which takes time and effort and raises the chance of error.

This is where SIEM and observability platforms can play a much bigger role. By automating key controls, organisations can reduce the manual workload on compliance and audit teams. Examples include detecting access to sensitive data, validating privileged user activity, or monitoring export-controlled environments. The result is improved productivity, cost control and compliance: dashboards and real-time alerts replace much of the manual review, shorten investigations, and improve coordination across the business.

These platforms also provide strong evidence for legal and regulatory inquiries. Access logs and alert histories, for example, make it easier to prove data segregation or to show that controls were in place and operating. This supports compliance with SOX, the Privacy Act, or Australia’s Security of Critical Infrastructure Act (SOCI).

These tools allow compliance teams to shift from reactive policing to proactive risk reduction. In turn, this makes them more efficient, more strategic, and more valuable to the business.


What business leaders need to do next

This isn’t just a technology issue—it’s a business opportunity. Executives should be asking how they can leverage their existing technology investments to solve new problems.

Here’s a five-step path to get started:

  1. Audit your existing tools – Inventory the telemetry and analytics platforms already in use. Identify whether you have a SIEM, an observability platform, or both. Are you using these to good effect?
  2. Map broader risks – Work with fraud, HR, IP, and compliance stakeholders to identify high-impact, high-cost business risks. Identify use cases that benefit from automation and real-time monitoring.
  3. Engage privacy and legal early – Involve these teams from the outset. This prevents delays later and ensures any solution aligns with data protection laws and internal governance frameworks.
  4. Pilot a use case – Choose one low-risk, high-impact use case (e.g. unusual access to critical systems) and configure alerts or dashboards using existing tools. Track the cost, value, and effort involved.
  5. Build the business case – Quantify what the solution will save in hours, cost, loss reduction or productivity. Present this in a way that links directly to business strategy and financial performance.

If you’re already paying for the Ferrari, why are you only using it for trips to the supermarket? With a little tuning and creativity, you can unlock value across new use cases without buying yet another tool.



Worker mistreatment: The hidden threat to your business

4–7 minutes

3 Key Takeaways:

  • Insider threats often come from employees who feel mistreated—fairness isn’t a “nice to have,” it’s your frontline defence.
  • 70% of insider fraud and sabotage cases showed warning signs that were ignored.
  • Building a fair, supportive culture pays off in better IP protection, stronger supply chain integrity, and lower employee turnover.

Mistreating or ignoring employees creates insider threats

Let me ask you a question: would you ever hand your trade secrets to a stranger and hope for the best? Of course not. But every day, organisations do something just as risky—they mistreat or ignore employees who already have access to their crown jewels: your research, your technology, your commercialisation strategy, your client data.

I’ve spent my career working in risk, fraud, insider threat, and IP protection. I’ve seen firsthand how resentment—often fuelled by unfair treatment—turns smart, capable employees into ticking time bombs. And yet, most businesses still treat fairness like it’s an HR initiative rather than a core part of their operational defence strategy.

Here’s why that thinking will cost you—and what to do instead.

The real cost of unfairness

Let’s talk numbers, because nothing says “this matters” like hard data:

  • According to the 2023 Verizon Data Breach Investigations Report, roughly one in five data breaches involved insiders (some studies put the figure as high as 60%). The average annual cost of insider incidents to an affected organisation? $15.38 million, according to Ponemon research. That’s not including the reputational damage, lost clients, or regulatory fines.
  • Worryingly, in 70% of insider threat cases, there were obvious warning signs—employees showing declining performance, acting out, or repeatedly raising concerns that went unresolved. In other words, most of these incidents were entirely avoidable. It makes you wonder what their managers were doing…

Case in point? In 2022, a former GE engineer was convicted of conspiring to steal trade secrets relating to the company’s turbine technology for the benefit of entities in China. Investigators found he felt overlooked and undervalued: a classic workplace grievance turned commercial espionage.


Why fairness works (and spy software alone doesn’t)

We love our shiny tools—endpoint monitoring, behavioural analytics, supply chain risk dashboards. All great. But none of them will stop Barry from Accounts if he feels betrayed, mistreated, or ignored.

Why? Because fairness builds trust. Trust reduces resentment. And trust is the bedrock of any sustainable risk posture.

Fairness in business isn’t just a moral checkbox. It’s a strategy.

Let’s break it down:

  • Fair treatment reduces motivation for malicious acts. People don’t wake up one day and decide to sell trade secrets to a competitor—they get there through a slow burn of perceived injustice.
  • Grievance procedures are part of your security controls, not just HR fluff. If employees don’t trust that they’ll be treated fairly, they’ll act out—or leave, taking your IP with them.
  • Consistent rewards and transparent decisions—especially around promotions, performance feedback, or project allocation—go a long way in building psychological safety.

Want better security? Start with a little humanity.

Turn complaints into competitive advantage

Instead of seeing grievances as annoyances, treat them as intel. A well-handled complaint is your early-warning radar system.

So here’s a few approaches to consider:

  1. Listen like you mean it. Most people don’t need to win the battle—they just want to be heard and respected.
  2. Act quickly. Delays in resolving issues amplify frustration. Slow grievance handling = fast trust erosion.
  3. Follow through. Saying “we’ll look into it” without doing anything? That’s just passive-aggressive gaslighting. If you can’t fix it, explain why.

And don’t forget your supply chain. One disgruntled contractor with access to your research data can do as much damage as a nation-state hacker, and, as SolarWinds showed, third-party access is a path adversaries of every kind will use.

What fairness gets you (besides fewer lawsuits)

When organisations embed fairness into their operations, magical things happen:

  • Lower fraud and insider threat risk. Fewer reasons for sabotage, more eyes and ears helping you protect your IP.
  • Higher employee retention. You don’t have to constantly re-train staff who leave because they’re fed up.
  • More engaged teams. People work harder and smarter when they’re not plotting your downfall. Shocking, I know.

Best of all? It’s a competitive differentiator. Investors and partners don’t just want strong financials—they want to see that your people (and your technology) are protected. Fairness and trust are part of your brand.


Call To Action: Don’t wait for Barry to snap

So what now?

Ask yourself (and your leadership team):

  • Do your employees trust your grievance process?
  • Are you treating people fairly—especially when it comes to promotions, discipline, or resource allocation?
  • Have you connected fairness and trust-building to your broader IP protection, insider threat, or commercialisation strategies?

If any of that feels like a “hmm, not really,” then you’ve got work to do. The good news? You don’t need a fancy new tech stack to fix this. You just need to give a damn.

Because trust isn’t a vulnerability. It’s your strongest security control.

And Barry from Accounts? He just wants a bit of respect—and maybe fewer passive-aggressive all-staff emails.

Want help building a culture that protects your research, your people, and your bottom line? Reach out. Let’s make insider threats one less thing you have to worry about.


Battling Industrial Espionage: TSCM Strategies for Deeptech

5–7 minutes

Key Takeaways:

  1. The deeptech competitive landscape is supercharging industrial espionage, with AI, semiconductors, and fusion energy as primary targets
  2. Technical Surveillance Countermeasures (TSCM) now requires a dual approach covering both traditional bugs and compromised personal devices
  3. Companies lose an estimated $500 billion annually to trade secret theft, with a 1,300% increase in semiconductor-related espionage cases since 2014

The Silent War for Innovation

I’ve spent the last decade advising companies on protecting their intellectual property, and I can tell you with absolute certainty: we’re in the middle of an unprecedented espionage arms race. The battleground? Your company’s deeptech innovations. The weapons? Everything from traditional listening devices to the smartwatch on your chief researcher’s wrist.

Anthropic’s recent update to their Responsible Scaling Policy highlights this shift, incorporating advanced Technical Surveillance Countermeasures (TSCM) to protect their AI trade secrets from increasingly sophisticated threats. They’re not being paranoid—they’re being prudent. Let me show you why your company should follow suit.

The Competitive Deeptech Landscape

The stakes in today’s innovation race extend far beyond simple market share. We’re seeing three critical battlegrounds emerge:

First, hardware sovereignty has become a national security concern.

  • Semiconductor independence drives geopolitical power, with AI infrastructure demands accelerating the race.
  • This isn’t just business—it’s realpolitik playing out in corporate boardrooms.

Second, energy constraints present both challenges and opportunities.

  • Nuclear fusion research has become intertwined with AI advancement, with ML algorithms accelerating materials science breakthroughs.
  • Energy constraints—such as limited electricity supply, high energy costs, or insufficient grid infrastructure—have a significant impact on the pace and scope of AI advancement for both countries and businesses.

Third, data frontiers represent the new oil.

  • Real-world biological, medical, and sensor data are becoming essential for training next-generation AI models.
  • Companies with unique datasets enjoy a 2-3x valuation premium compared to competitors with similar technology but inferior data.

These converging forces create perfect conditions for industrial espionage on an unprecedented scale.

Recent Security Incidents: When Theory Becomes Reality

The semiconductor industry provides the clearest examples of modern corporate espionage:

Case 1: From 2016-2020, a nation state-backed company orchestrated what I consider the perfect modern heist against a competitor (the Original Equipment Manufacturer, OEM). The nation state-backed company recruited three of the OEM’s engineers with 200-300% salary increases, and they walked out with IP valued at between $400 million and $8.75 billion. The files were hidden on air-gapped laptops, making them undetectable until authorities raided the competitor’s offices.

Case 2: Even more concerning is what happened at another company, where nation-state backed hackers maintained access for 2.5 years, steadily exfiltrating chip designs used in Apple Pay and automotive systems. The victim firm only discovered the breach after significant damage was already done.

Case 3: Perhaps most alarming is company 3’s experience—this firm faces thousands of security incidents annually, including successful thefts of extreme ultraviolet lithography blueprints, technology that costs billions to develop and represents the cutting edge of semiconductor manufacturing.

These aren’t isolated incidents—they represent a systematic campaign to shortcut R&D timelines and undermine technological leadership.

TSCM’s Dual Role in Modern Security

Technical Surveillance Countermeasures (TSCM) have traditionally focused on detecting physical bugs and wireless transmitters in sensitive spaces. This remains essential—but wildly insufficient in today’s threat landscape.

Modern TSCM must address two distinct but interconnected domains:

Traditional Counter-Eavesdropping:

  • Regular facility sweeps using spectrum analyzers and non-linear junction detectors
  • Physical security red-teaming to test facility vulnerabilities
  • Event-specific sweeps after high-risk meetings or suspected breaches

Cyber-Physical Convergence Threats:

  • Employee devices infected with malware that turns smartphones into always-on microphones
  • Wearables with speech-to-text capabilities silently uploading sensitive conversations
  • Supply chain implants that create hardware backdoors in seemingly innocent peripherals

Threat Vector         | Example                                         | Impact
----------------------|-------------------------------------------------|----------------------------------
Compromised devices   | Malware turning smartphones into always-on mics | Real-time conversation monitoring
Wearables             | Speech-to-text enabled smartwatches/glasses     | Silent data exfiltration
Supply chain implants | Tampered peripherals with hardware backdoors    | Persistent network access

Anthropic’s approach includes all of the above, plus deception technologies like honeypot model weights to identify and trace information leakage.

An Effective Information Security Strategy for 2025

Your company’s approach to protecting trade secrets must evolve beyond traditional cybersecurity and physical security silos. Here’s what works:

  1. Integrated Defence Systems: Combine physical TSCM sweeps with network traffic analysis and endpoint monitoring. The segregated security approaches of the past create dangerous blind spots.
  2. Zero-Trust Device Policies: Clearly designated zones where personal devices are prohibited are increasingly normal. This isn’t surveillance—it’s survival. The Princeton Plasma Physics Laboratory now requires all personal electronics to be secured in Faraday pouches before entering research zones.
  3. Supply Chain Verification: As the company in Case 3 discovered, vendor security (supply chain security) is your security. Implement hardware authentication mandates and binary authorisation frameworks for all incoming equipment and software.
  4. Insider Threat Programs: Case 1 illustrates how easily employees can become vectors for IP theft. Modern insider threat programs should focus on behavioral analytics rather than punitive measures, identifying unusual data access patterns before information walks out the door.
  5. Deception Technology: Following Anthropic’s example, plant convincing but subtly incorrect information in non-critical systems. When this data appears elsewhere, you’ve identified a leak.
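The deception approach in step 5 can be made attributable rather than merely detectable: give each copy of a document a plausible but subtly wrong value for one non-critical parameter, so a leaked value identifies which copy it came from. The following is an added example, not the author’s or Anthropic’s tooling; the report id, recipients, base value and demo key are constructed assumptions.

```python
"""Tracing a leak with per-recipient decoy values (added example).

Illustrative code, not the author's or Anthropic's tooling. It assumes a
hypothetical internal report shared with several partners, where each copy
carries a plausible but subtly wrong value for one non-critical parameter.
The real figure is never distributed; only the variants are.
"""
import hashlib
import hmac
from collections import defaultdict

# Constructed demo key; in practice keep it in a secrets store and rotate it.
SECRET_KEY = b"constructed-demo-key"


def decoy_value(doc_id: str, recipient: str, base_value: float) -> str:
    """Perturb base_value by a recipient-specific, non-zero offset of up to
    +/-3 percent in 0.1 percent steps.

    The offset is derived from an HMAC so a reader of one copy cannot predict
    the values in other copies or recover the real figure.
    """
    msg = f"{doc_id}:{recipient}".encode()
    tag = hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()
    step = int.from_bytes(tag[:2], "big") % 60 - 30   # -30 .. 29
    if step >= 0:
        step += 1                                      # skip 0: never the real value
    return f"{base_value * (1 + step / 1000):.2f}"


def build_variants(doc_id: str, base_value: float, recipients: list[str]) -> dict[str, str]:
    """Map each recipient to the decoy value embedded in their copy."""
    return {r: decoy_value(doc_id, r, base_value) for r in recipients}


def collisions(variants: dict[str, str]) -> list[list[str]]:
    """Groups of recipients that received the same decoy. If non-empty,
    attribution is ambiguous: add a second decoy field or re-key the report."""
    by_value = defaultdict(list)
    for recipient, value in variants.items():
        by_value[value].append(recipient)
    return [sorted(group) for group in by_value.values() if len(group) > 1]


def attribute_leak(variants: dict[str, str], observed: str) -> list[str]:
    """Recipients whose copy carries the value seen in the leaked material."""
    return sorted(r for r, v in variants.items() if v == observed)


if __name__ == "__main__":
    variants = build_variants("rpt-2025-01", 1234.56, ["partner-a", "partner-b", "partner-c"])
    print("collisions:", collisions(variants))
    leaked = variants["partner-b"]
    print("leaked value", leaked, "attributed to", attribute_leak(variants, leaked))
```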

A robust security program does not function in silos – it needs to present a holistic, complete treatment of the risk and address the particular threats faced by the respective organisation.

Conclusion: Security as Competitive Advantage

The commercialisation of deeptech innovations increasingly depends not just on who develops the technology first, but who can keep it secure long enough to bring it to market. While the FBI reports a 1,300% increase in industrial espionage cases since 2014, the companies succeeding in this environment aren’t necessarily the ones with the best technology—they’re the ones that can actually keep that technology secret.

An integrated approach to trade secret protection isn’t just good security practice—it’s a strategic business advantage. In an era where a single breakthrough in AI, semiconductors, or fusion energy could be worth billions, effective TSCM isn’t a cost center—it’s an investment in your company’s future.

The days of treating physical security, cybersecurity, and insider threats as separate domains are over. If you’re not addressing all three simultaneously, you might as well be posting your research on Twitter.

Your competitors have already figured this out. Have you?

DISCLAIMER: All information presented on paulcurwell.com is intended for general information purposes only. The content of paulcurwell.com should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon paulcurwell.com is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

The Rising Threat of Cyber-Enabled Economic Espionage: What Business Leaders Need to Know

Key Takeaways:

  1. Cyber espionage operations targeting private firms have quadrupled since 2015, putting billions in IP at risk.
  2. Supply chains, research partnerships, and extended networks are prime targets for cyber espionage.
  3. Businesses must proactively assess vulnerabilities, strengthen cybersecurity, and enforce IP protection measures.

Why You Need to Read This

Imagine spending millions—maybe even billions—on cutting-edge research, only to have a cybercriminal lift it with a few clicks. That’s not paranoia; it’s happening every day. In 2023, the FBI’s Internet Crime Complaint Center (IC3) received 880,418 complaints, with potential losses exceeding $12.5 billion. And guess what? Many of those attacks weren’t targeting individuals but businesses like yours.

Cyber-enabled economic espionage is the new frontier of corporate theft, and if you think your company is too small or too secure to be a target, think again. Let’s dive into how it happens, why it matters, and—most importantly—what you can do about it.

Understanding the Problem

The Allure of IP Theft

Why spend billions on R&D when you can just steal it? That’s the mindset of many cybercriminals, especially those backed by state actors or large-scale industrial espionage networks. Trade secrets, proprietary research, and emerging technology are goldmines for competitors who want to leapfrog years of innovation at your expense. In recognition of this evolving threat, Australia introduced economic espionage laws in 2018.

R&D Intensive Industries Are Prime Targets

Industries like biotech, advanced manufacturing, and digital services are especially vulnerable. These businesses rely on intellectual property (IP) protection to maintain their competitive edge. However, the very nature of research and commercialisation often means working with external partners—many of whom have their own security weaknesses.

Supply Chain Vulnerabilities

Your company might have airtight security, but what about your suppliers? Contract manufacturers, third-party vendors, and even research collaborators could be the weakest link. Hackers often exploit these gaps to gain access to proprietary designs and processes.

Targeting Your Extended Network

You’d expect your employees to be careful with sensitive data, but what about your law firm, auditor, or cloud service provider? These entities handle confidential information yet may lack the robust security protocols necessary to protect it.

Case Study: The Coca-Cola Breach of 2009

If you need proof that one weak link can sink a major corporation, look no further than Coca-Cola’s 2009 cyber disaster. While in the middle of a $2.4 billion acquisition of Huiyuan Juice Group, hackers infiltrated Coca-Cola’s systems (BBC, 2012).

Here’s how it played out:

  • A malicious email was sent to Coca-Cola’s deputy president for the Pacific region.
  • The email contained malware that installed keyloggers and remote access tools.
  • Hackers gained full control of Coca-Cola’s internal servers and workstations.
  • Sensitive data, including internal emails and financial documents, were compromised for over a month.
  • The FBI eventually uncovered the breach and informed Coca-Cola.
  • Coca-Cola kept the attack secret for three years, but the damage was already done—the acquisition collapsed within days of the attack.

Moral of the story? A single email was enough to jeopardise a multi-billion-dollar deal.

The Global Context

Cybersecurity Maturity Varies Across Economies

Some countries treat IP theft as a serious crime; others turn a blind eye—or even encourage it. Research shows there’s a big cultural element to IP crime. Emerging economies, hungry for technological advancement, often have weaker cybersecurity laws and enforcement, making it easier for bad actors to operate with impunity.

Public R&D Funding at Risk

Governments spend billions funding research, yet much of that investment ends up benefiting foreign competitors due to lax security. If your company benefits from public R&D grants, you need to ensure those innovations stay protected—or risk giving away your competitive advantage.

What You Can Do: Actionable Steps for Business Leaders

1. Assess Your Risk Profile

  • Identify your most valuable trade secrets and research assets.
  • Map out all potential vulnerabilities in your supply chain and partnerships.
  • Conduct regular security audits to stay ahead of threats.

2. Strengthen Cybersecurity Defences

  • Train employees to recognise phishing and social engineering attempts.
  • Implement multi-factor authentication (MFA) across all systems.
  • Enforce encryption policies for all sensitive data, including backups.

3. Perform Due Diligence on Partners

  • Vet vendors and third-party providers before sharing sensitive data.
  • Establish clear cybersecurity requirements in all contracts.
  • Monitor access to shared research and proprietary information.

4. Leverage Government Resources

  • Engage with cybersecurity initiatives like the FBI’s IC3 and the Australian Cyber Security Centre (ACSC).
  • Join industry-specific information-sharing networks to stay informed. If you’re in Australia, check out the Department of Home Affairs’ Trusted Information Sharing Networks (TISN).
  • Apply for grants and resources aimed at improving business security.

Conclusion

Cyber-enabled economic espionage isn’t some abstract, distant problem—it’s happening now, and businesses that fail to take it seriously risk losing everything. Over the past five years, IC3 received 3.79 million complaints, totaling $37.5 billion in reported losses.

The bottom line? You can’t afford to ignore this. Take action today, assess your risks, and make cybersecurity a business priority—because the cost of doing nothing is far greater than the investment in protecting your future.

The Hidden Threat to Your Bottom Line: How Sales Fraud is Bleeding Your Business Dry

Key Takeaways:

  • Fraud costs companies 5% of annual revenue, with economic downturns increasing fraud risks
  • Sales teams present unique fraud vulnerabilities through returns schemes, revenue manipulation, and commission fraud
  • Implementing targeted controls like commission clawbacks and automated monitoring can protect your revenue and reputation

Introduction

Let’s face it – while you’re busy watching your supply chain for external threats, your sales team might be quietly bleeding your company dry. As someone who’s spent years investigating corporate fraud cases, I’ve seen firsthand how sales fraud schemes can fly under the radar while causing massive financial damage. In today’s shaky economic climate (thanks, tariffs), fraud is on the rise, and your sales department is particularly vulnerable.

The Costly Reality of Sales Fraud

Did you know that companies lose a whopping 5% of annual revenue to fraud? That’s billions collectively wasted across industries. What’s more alarming is that 55% of fraud experts report observing increased fraud during economic downturns – precisely the environment we’re navigating now.

For business leaders and finance chiefs, this isn’t just a financial headache—it’s a direct attack on your business strategy and profitability. While you’re focused on protecting your trade secrets and IP from outside threats, your greatest insider threat might be sitting in your sales department.

Six Common Sales Fraud Schemes Killing Your Profits

1. Returns Fraud with Kickbacks

This scheme is particularly sneaky. A salesperson encourages customers to purchase excess inventory (often with unauthorized discounts) to inflate sales figures. Later, the customer returns the excess inventory, but the salesperson keeps their commission. Meanwhile, your inventory numbers and forecasting are completely thrown off.

Red Flags to Watch For:

  • Large sales orders followed by significant returns
  • Sales spikes near reporting periods (quarter-end) that reverse shortly after
  • High return rates for specific salespeople compared to others
  • Unusual relationships between sales staff and certain customers

In 2022, a global electronics distributor discovered a senior salesperson colluding with a key customer on bulk orders at steep discounts. After commissions were paid, the customer returned over 60% of the inventory. Pretty clever scam, right?

2. Revenue Recognition Fraud

This scheme involves manipulating revenue figures or pocketing unrecorded revenue. For example, an employee might issue a credit note and split the refund with a customer. For technology companies especially, recording revenue too early can artificially inflate performance metrics.

Red Flags to Watch For:

  • Customer receipts missing for completed sales
  • Same person handling both invoicing and payment collection
  • Unusual timing of revenue recording (especially at quarter-end)
  • Differences between contract terms and recorded revenue

3. Credit Note Manipulation

Your sales team might be issuing unauthorized credit notes to steal funds or hide theft. Without proper oversight, this fraud can continue for months or even years before anyone notices.

Red Flags to Watch For:

  • Credit notes issued without proper approval
  • Unusual patterns or increased frequency in credit note issuance
  • Credit notes that lack supporting documentation
  • Certain employees processing a disproportionate number of credit notes

4. Inventory Fraud

This classic scheme involves stealing stock via false sales or diverting goods in transit. In 2022, an employee at an Australian parts supply company altered supplier bank details to divert payments while covering up inventory theft through falsified invoices. Analysis of the case showed that better automated fraud detection tools could have prevented it.

Red Flags to Watch For:

  • Negative inventory entries or unexplained stock differences
  • Frequent cancellations of sales transactions
  • Differences between physical inventory counts and system records
  • Unusual shipping or delivery patterns

5. Discount and Pricing Manipulation

In one case in Asia, employees were caught receiving kickbacks for granting unauthorized discounts. This not only hurts your profits but can disrupt your entire pricing strategy and market positioning.

Red Flags to Watch For:

  • Discounts disproportionately benefiting specific customers
  • Patterns of excessive discounts tied to one salesperson
  • Discounts offered without proper approval or documentation
  • Unusual changes in profit margins across similar sales

6. Commission Fraud

Consider this simple example: if a salesperson fraudulently changes their commission rate from 10% to 20% on $1,000,000 in sales, that’s $100,000 straight out of your pocket. Multiply that across your sales team and years of operation, and you’re looking at potentially huge losses.

Red Flags to Watch For:

  • Cash skimming from sales that go unrecorded
  • Creating fake sales to inflate commission numbers
  • Differences between sales data and bank deposits
  • One salesperson consistently outperforming peers by unusual margins

Software vs. Physical Products: Different Risks

Selling software brings its own fraud risks. While physical product fraud often involves inventory theft and returns, software sales fraud typically involves revenue manipulation and more complex schemes.

For software subscription companies, a common scheme involves selling discounted multi-year subscriptions to partners who later cancel most licenses after commissions are paid. One company discovered a regional manager had colluded with a reseller to inflate sales figures and split the commission.

For physical products, fraud detection may be easier due to inventory checks you can see and touch. Software fraud, however, can be harder to detect since the product isn’t physical. For instance, in 2021, a software company found that a sales manager sold discounted multi-year subscriptions to a partner who later canceled over 70% of the licenses within six months. The manager received commissions based on gross sales but wasn’t penalized for cancellations.

Protect Your Bottom Line: Four Action Steps

  1. Implement Commission Clawbacks: Tie commissions to net sales (gross sales minus returns) and implement penalties for canceled subscriptions or returned goods. This single control can eliminate much of the motivation for fraud.
  2. Create Stricter Approval Processes: Require manager approval for large discounts, bulk orders, or unusual contract terms. This creates accountability and transparency. For credit notes, implement a two-person approval system that prevents a single employee from handling the entire process.
  3. Leverage Data Analysis: Monitor return rates by salesperson, product line, and customer using tracking tools. Look for patterns of excessive discounts followed by high return rates. Modern analysis can flag unusual activities long before traditional audits would catch them.
  4. Conduct Regular Internal Audits: Focus on high-risk areas such as discounts, bulk orders, refunds, and return transactions. Surprise audits are particularly effective at catching ongoing fraud schemes.
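Steps 1 and 3 above, and the red flags listed under returns fraud, translate directly into a small analytics pass over order data: recompute commission on net rather than gross sales, and flag salespeople whose return rate is far above their peers, whose steep discounts are followed by heavy returns, or whose quarter-end bookings largely reverse. The following is an added example, not the author’s own tooling; the orders, field layout, commission rate and thresholds are constructed assumptions.

```python
"""Sales-fraud red-flag analytics and commission clawbacks (added example).

Illustrative code, not the author's tooling. ORDERS is a constructed sample;
the field layout, commission rate and thresholds are assumptions.
"""
from collections import defaultdict
from statistics import median

# Constructed sample orders:
# (order_id, rep, customer, booked_in_quarter_end_window, gross, discount_pct, returned)
ORDERS = [
    ("o1", "alice", "acme",     False,  50_000, 0.05,       0),
    ("o2", "alice", "acme",     True,   80_000, 0.08,   4_000),
    ("o3", "alice", "zenith",   False,  30_000, 0.04,       0),
    ("o4", "bob",   "globex",   True,  200_000, 0.35, 130_000),
    ("o5", "bob",   "globex",   True,  150_000, 0.30, 100_000),
    ("o6", "bob",   "initech",  False,  40_000, 0.05,   2_000),
    ("o7", "carol", "umbrella", False,  60_000, 0.10,   3_000),
    ("o8", "carol", "umbrella", True,   70_000, 0.12,   5_000),
]
COMMISSION_RATE = 0.10  # assumed flat rate


def rep_totals(orders):
    """Per-rep gross, returned, discount-weighted and quarter-end totals."""
    totals = defaultdict(lambda: dict(gross=0.0, returned=0.0, discount=0.0,
                                      qe_gross=0.0, qe_returned=0.0))
    for _, rep, _, quarter_end, gross, discount_pct, returned in orders:
        row = totals[rep]
        row["gross"] += gross
        row["returned"] += returned
        row["discount"] += gross * discount_pct
        if quarter_end:
            row["qe_gross"] += gross
            row["qe_returned"] += returned
    return totals


def commission_clawback(orders, rate=COMMISSION_RATE):
    """Commission owed on net sales (gross minus returns) and the clawback
    against a payout that was made on gross sales."""
    result = {}
    for rep, row in rep_totals(orders).items():
        paid_on_gross = row["gross"] * rate
        owed_on_net = (row["gross"] - row["returned"]) * rate
        result[rep] = {"owed": round(owed_on_net, 2),
                       "clawback": round(paid_on_gross - owed_on_net, 2)}
    return result


def red_flags(orders, return_multiple=3.0, discount_threshold=0.20):
    """Flag reps showing the red-flag patterns: a return rate far above peers,
    steep discounts followed by heavy returns, and quarter-end orders that
    largely reverse. Thresholds are assumptions to tune per business."""
    totals = rep_totals(orders)
    rates = {rep: row["returned"] / row["gross"] for rep, row in totals.items()}
    peer_median = median(rates.values())
    flags = defaultdict(list)
    for rep, row in totals.items():
        avg_discount = row["discount"] / row["gross"]
        if rates[rep] > return_multiple * peer_median:
            flags[rep].append("return rate well above peers")
        if avg_discount >= discount_threshold and rates[rep] > 0.25:
            flags[rep].append("steep discounts followed by high returns")
        if row["qe_gross"] and row["qe_returned"] / row["qe_gross"] > 0.5:
            flags[rep].append("quarter-end sales largely reversed")
    return dict(flags)


if __name__ == "__main__":
    for rep, reasons in red_flags(ORDERS).items():
        print(rep, reasons)
    print(commission_clawback(ORDERS))
```

On the constructed data only "bob" is flagged, on all three patterns, and his gross-based commission overpaid him by $23,200 relative to net sales.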

Call to Action

Stop leaving your revenue vulnerable to insider threats. Review your sales controls today and implement these four steps to protect your bottom line. The economic landscape is already challenging enough without letting sales fraud drain your profitability. In my experience, most companies discover fraud only after significant damage has been done. Don’t wait for your technology investments and research efforts to be undermined by preventable financial losses. As business leaders, we can’t afford to overlook this hidden danger in our sales departments. Take action now before your next earnings report reveals the damage.
