Business Email Compromise – persistent threat or consistently mismanaged?


What is Business Email Compromise (BEC)?

I remember working in banking when BEC first happened – according to Google, this was around 2013. In our bank security department, we worked out how the fraud scheme worked, quickly developed internal controls and process improvements to reduce our vulnerabilities, and effectively treated the risk. So why in 2023, ten years later, are business owners still falling victim to BEC and other scams? More concerning, some executives only hear about BEC when they have become a victim – so what is BEC and how does it happen?

BEC is a type of fraudulent email scheme (scam) – more specifically a cybercrime – where fraudsters attack a company’s internal processes or functions. Most commonly, I come across BEC in relation to invoicing scams or banking transactions, but there are also other less common variations. Criminals use phishing techniques, which involve well crafted or deceptive emails, and in some cases other social engineering tactics as well, to convince an employee or manager that they are legitimate.


At times, these emails may even be combined with other channels, such as phone calls, to reinforce the sense of urgency and build trust and rapport with the victim. A simple BEC attack example involves four phases – research and reconnaissance, targeting, attack, escape – as illustrated below:

Here’s an example of how BEC could play out:

BEC is still happening – why?

As a cybercrime / online fraud, the simple TTPs (Tactics, Techniques, Procedures) employed by criminals, and the way workers respond to them, mean BEC is still going strong. According to the Australian Competition & Consumer Commission (ACCC) ‘Targeting scams 2022‘ report:

  • In 2022, Australians reported $569 million in losses to ScamWatch, a 76% increase on the previous year
  • The volume of incidents has decreased – but the value of incidents has increased (average losses have increased by 224% since 2020)
  • Losses from False Billing scams totalled $24 million in 2022

These statistics demonstrate the size of this problem. Clearly, businesses need to do more to manage fraud, cybersecurity and scam risks.

Why is BEC still this prominent? Simple – because it works.
For criminals, fraudsters and scammers, it’s quick, cheap and profitable.

People are too busy to stop and think about what they are doing, or take process shortcuts; they are too trusting of what happens online because of poor security awareness or inadequate fraud awareness training; or the scammer’s ‘attack’ email is so well crafted that it easily gets the recipient on the hook and convinces them it is legitimate.

For managers, it’s important to realise that BEC has a strong nexus to your Insider Risk Management program – BEC scams cannot succeed without a wilful, complacent or ignorant insider.

A strong Trusted Insider program should be mutually reinforced and supported by a strong security culture, where all staff (including contractors and casuals, not just employees) understand and embrace the importance of security to your business. If security awareness is low and you have a poor security culture, employees and contractors can be complacent or even ignorant of the risk.

How to prevent BEC and other scams?

Who typically gets targeted? Because BEC frauds primarily target the invoicing process, staff in accounts and procurement are most likely to be targeted, as well as line managers, executives and their assistants.

1. Up your game – improve culture and awareness

Whilst all staff in your organisation should have some level of fraud and security awareness, staff in these roles should have a high level of understanding about BEC, its various forms, and how prolific it is.

2. Identify, assess and manage the risk

Too often, I find organisations which haven’t stopped to think about how fraud and security issues can materialise in their business. Businesses need to perform a detailed security risk assessment to understand how and where they may be vulnerable to cybersecurity or fraud compromise. Any security or fraud risk assessments should be regularly updated to reflect changes in the business and its operations.

3. Review your business processes and internal controls

Frauds and scams differ from violent crimes in that they exploit a business process. To succeed, criminals must complete a particular task, often in a specific order. For a business, each of these tasks is a vulnerability unless you have sufficient internal control coverage to mitigate these risks.

In practice, I find overlaying a process map of the scam or fraud, drawn from the criminal’s (external) perspective, onto the internal business process helps identify gaps (vulnerabilities). This is often done in Red Teaming and other Security Assurance activities.


DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

What security policies do small and medium sized businesses need?


Policies play an essential role in corporate governance – even for SMBs

One of the topics I’ve always been interested in is how we can uplift the resilience of Small and Medium Sized Businesses (SMBs). Whilst SMBs are the engine rooms of our economy, they typically have immature information security and fraud protection capabilities despite facing the same threats as large organisations. In fact, the 2020 Australian Cyber Security Centre (ACSC) survey showed that 65% of Australian SMBs surveyed spend less than A$999.00 on their security! It’s no wonder they fall victim to phishing, ransomware, data breaches and other exploits. Like having a good security culture, and tone from the top, policies are another essential.

OK, so the topic of policies can be quite dry – many of us don’t get excited by reading our company policies. Some of us might even fall asleep. However, they play a key role in setting expectations for staff, customers and suppliers. Corporate Governance is all about how businesses are organised, managed and governed. It comprises the principles, practices and structures that help inform decisions, operations, and conduct.

Policies are formal statements that outline guidelines, principles or rules governing the behaviour, actions and decisions of staff and management within an organisation. Whilst SMBs don’t need a comprehensive policy library like you would find in an ASX100 company, there are a few security policies which are essential.


What are the main security policies every SMB should have?

When it comes to security policies for small to medium-sized businesses (SMBs), there are several key ones that can make a significant impact. See below for details:

  • Information Security Policy: This policy establishes guidelines for protecting sensitive information, data, and assets. It covers data classification, access controls, encryption, password standards, and safe data disposal.
  • Acceptable Use Policy: This outlines how employees can use company resources like computers, networks, and the internet. It helps prevent misuse and establishes boundaries to ensure productive and secure usage.
  • BYOD (Bring Your Own Device) Policy: As remote work becomes more common, this policy addresses the use of personal devices for work purposes. It should outline security requirements for these devices to ensure they don’t compromise sensitive data.
  • Incident Management Policy: This policy should address what to do in relation to a broad range of incidents, such as cyberattacks, natural disasters, and equipment failures. It outlines how to respond promptly and effectively to minimise disruptions.
  • Remote Work Policy: With the rise of remote work, this policy addresses the security measures needed for employees working outside the office. It should cover secure connections, data storage, and device security.
  • Access Control Policy: This policy defines who has access to what data and systems. Implementing least privilege principles ensures that employees only have the access necessary for their roles.

Additional policies, covering topics such as physical security and vendor / third party security standards may also be appropriate. They complement your business’ employment, code of conduct, and other workplace policies.


Start as you mean to finish

When running any business, there are always so many things to do. Marketing, sales, customer engagement, product – the list goes on. Governance and Risk Management take a bit of a back seat, especially in smaller organisations. They typically only become more important as organisations grow and management has time to focus on these issues. However, policies and risk management really need to be considered earlier for three reasons:

  • Policies – even simple ones – add value to a business. They improve governance, ensure staff adopt the desired behaviours, and improve management outcomes.
  • Provide clear and consistent advice to staff around BYOD and Remote Working – data loss and data breaches are becoming increasingly common. Remote working and BYOD arrangements are a key vulnerability. Whilst technical controls are available to mitigate some risks, a policy that clearly sets out what is expected of staff and in which circumstances is essential. This helps manage risk effectively.
  • Well-governed suppliers are more attractive to buyers – due to their size, SMBs are unlikely to have robust supplier assurance programs which contractually oblige suppliers to meet certain standards. However, they are likely to sell their products or services to larger companies. Having good governance and standards in place demonstrates reliability, quality and integrity. Buyers can put faith in this, and it might just win you that next contract!



Returns Fraud – a risk for eCommerce companies


What is Returns Fraud?

Returns fraud is a deceptive practice where customers purchase a product from a retailer so as to either temporarily ‘borrow’ the item, or to obtain a refund or store credit. Returns Fraud involves deception on the part of customers, who seek to return a product under ‘false pretences’. Common returns fraud typologies include:

  • Online returns fraud – where customers make a false claim in order to obtain a refund or store credit. Typically, these customers claim that they did not make the purchase (when buying using a credit card), that the goods did not arrive, or that the goods which arrived were faulty, damaged or did not match the description when purchased. Many such customers claim the refund without returning the product, meaning they actually keep the goods and profit from the refund.
  • Product substitution with lower cost items – customers purchase a high-quality item from one store / brand, and a similar but low quality item from another store. They may remove product tags or labels, or place the substitute product in the high quality product’s packaging before returning. Often returned goods are not properly scrutinised, or may be returned to third party service providers, and by the time the fraud is detected it is too late.
  • Product substitution with counterfeit items – this typology is the same as with lower cost items above, except the substituted product is a counterfeit item. This creates issues for retailers if the counterfeit item is repackaged and released for resale without proper inspection, and can result in brand damage or create consumer safety issues.
  • Wardrobing – a common problem especially for online retailers, consumers purchase items of clothing for a specific event (such as a party), use the item of clothing, then return it for a refund or exchange without declaring this use to the retailer.
  • Use of fraudulent receipts – some consumers alter or forge sales receipts and use these along with often substituted or second hand goods to attempt a refund without having purchased the item. Physical retailers without robust returns processes, who do not verify information on receipts against their records, or who place returned items to one side to process in quiet periods, are particularly vulnerable.

Returns Fraud can be perpetrated by external parties (i.e. opportunistic individuals and actual customers), employees (i.e. trusted insiders), and external parties in collusion with trusted insiders.


How does Returns Fraud impact retailers?

If not properly managed, Returns Fraud can have significant implications for retailers and may even send struggling businesses to the wall. Returns Fraud will impact profits, operating costs and brand in the market. Examples of the impact of Returns Fraud on retailers include:

  • Increased Operating Costs – Retailers may need to employ additional staff to manage and process returns, as well as spending more on loss prevention or fraud protection programs. In some cases, specialist expertise may be required, particularly for high value or complex disputes which retailers are not equipped to handle.
  • Card Scheme penalties – Card Schemes such as Visa and Mastercard charge retailers (merchants) a fee for each chargeback raised when a customer disputes a transaction, such as in the case of ‘online returns fraud’ (above), and apply further penalties to merchants whose dispute rates remain high.
  • Customer Experience and Trust – Retailers who implement stringent policies risk frustrating or offending legitimate customers, resulting in complaints, negative ratings online, or refusal to deal with the brand again. Balancing customer experience with retail security is a huge challenge.
  • Returned Inventory Management – The ‘reverse supply chain’ is challenging for any retailer, but it needs proper attention to mitigate risks of substituted, damaged, soiled, or counterfeit product being accepted, repackaged, and resold as legitimate by a retailer with potentially disastrous results.
  • Financial losses – As mentioned in my previous post ‘Product Security is fundamental to Product Management‘ (see “Security and integrity risks need to factor in pricing decisions“, link below), once a product has been stolen or diverted a retailer needs to sell significantly more product units to recover those losses. Over time, these losses erode revenue and impact profit margins, potentially making the business unviable.

The challenge with Returns Fraud, as with any other security program, is the need to balance the inherent risk of Returns Fraud with customer service and customer experience. Some retailers have accepted a high incidence of Returns Fraud, only to find it has eventually sent the business bankrupt as word gets around the retailer is an easy target and the incidence of fraud increases.

Three simple steps to mitigating Returns Fraud risk

Recent media reporting indicates the incidence of Returns Fraud is increasing worldwide, particularly wardrobing and online returns fraud; however, there are three steps businesses can take to mitigate the risk:

  • Return policies – Policies must be clear, legal, compliant with card scheme rules (for credit card payments), and transparent to allow consumers to understand retailer expectations and conditions of sale. Policies should be displayed prominently on the website and in-store, and customers should acknowledge conditions of sale in writing prior to payment. Evidence that a customer has read and acknowledged these policies should be retained by retailer systems and processes in the event of a legal dispute.
  • Using data analytics for fraud detection – data is essential for detecting unusual patterns or behaviours indicative of returns fraud. Provided the required data is collected, typologies can be developed and dashboards built to quickly facilitate detection. Examples of indicators retailers might look for in their typologies include customers who frequently return items (the analysed data should include customer name, address, phone number and email address so that purchases made under fictitious names can be linked to one person); returns of specific products or product categories within 48–72 hours of purchase; and returns of ‘prestigious’ items which the consumer might not be able to afford. Early detection, proper investigation, and collection of evidence are crucial to minimising a loss.
  • Build high levels of employee awareness and a strong security culture – Employees are one of the most important elements of any security or fraud program. Poor awareness of fraud and security creates ignorance of the risk, preventing staff from being able to recognise problems and respond in a timely manner. Staff should be trained both on commencement and periodically (at least annually) throughout their employment, with targeted training being undertaken in response to new trends or criminal tactics. Further information on improving security culture can be found below.
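The data analytics step above can be made concrete. What follows is an added example, not code from the original post: it scans a flat export of purchases and returns (constructed sample records, not real customers), links orders placed under different names through shared email, phone or delivery address so that a repeat returner using fictitious names is counted once, and flags the three indicators the post lists (frequent returns, returns inside a 72-hour window, several names behind one set of contact details). The record layout, the thresholds and the 72-hour window are assumptions for illustration.

```python
"""Returns-fraud indicator scan over constructed sample records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample purchases (not real data):
# order_id, name, email, phone, address, product, category, price, purchased_at
PURCHASES = [
    ("O1", "A. Smith", "asmith@example.com", "0400000001", "1 High St", "Dress X", "formalwear", 450.0, "2023-05-01T10:00"),
    ("O2", "Alice S.", "alice.s@example.org", "0400000001", "1 High St", "Gown Y", "formalwear", 620.0, "2023-05-08T12:00"),
    ("O3", "A Smith", "asmith@example.com", "0400000009", "7 Low Rd", "Heels Z", "footwear", 180.0, "2023-05-15T09:00"),
    ("O4", "B. Jones", "bjones@example.com", "0400000002", "2 Main St", "Jacket Q", "outerwear", 300.0, "2023-05-03T14:00"),
    ("O5", "C. Lee", "clee@example.com", "0400000003", "3 Park Ave", "Shirt R", "casual", 60.0, "2023-05-10T11:00"),
]
# Constructed sample returns: return_id, order_id, returned_at, stated reason
RETURNS = [
    ("R1", "O1", "2023-05-03T09:00", "changed mind"),
    ("R2", "O2", "2023-05-10T08:00", "did not fit"),
    ("R3", "O3", "2023-05-17T10:00", "changed mind"),
    ("R4", "O4", "2023-06-01T10:00", "faulty"),
]

QUICK_RETURN_WINDOW = timedelta(hours=72)   # assumed window; the post mentions 48-72 hours


def resolve_customers(purchases):
    """Union-find over shared identifiers: orders that share an email, phone or
    address collapse into one customer cluster. Returns {order_id: cluster_id}."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving keeps the trees flat
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for order_id, _name, email, phone, address, *_ in purchases:
        key = "order:" + order_id
        for ident in ("email:" + email.lower(), "phone:" + phone, "addr:" + address.lower()):
            union(key, ident)
    return {p[0]: find("order:" + p[0]) for p in purchases}


def scan_returns(purchases, returns, quick_window=QUICK_RETURN_WINDOW,
                 max_returns=2, max_quick_returns=1):
    """Aggregate returns per resolved customer and flag: more than max_returns
    returns, more than max_quick_returns returns inside quick_window, or several
    names on linked orders. Returns alert dicts, highest returned value first."""
    orders = {p[0]: p for p in purchases}
    cluster_of = resolve_customers(purchases)
    stats = defaultdict(lambda: {"names": set(), "returns": 0, "quick_returns": 0, "value": 0.0})

    for _rid, order_id, returned_at, _reason in returns:
        p = orders[order_id]
        s = stats[cluster_of[order_id]]
        s["names"].add(p[1])
        s["returns"] += 1
        s["value"] += p[7]
        held_for = datetime.fromisoformat(returned_at) - datetime.fromisoformat(p[8])
        if held_for <= quick_window:
            s["quick_returns"] += 1

    alerts = []
    for cluster, s in stats.items():
        reasons = []
        if s["returns"] > max_returns:
            reasons.append(f"{s['returns']} returns")
        if s["quick_returns"] > max_quick_returns:
            reasons.append(f"{s['quick_returns']} returns within {quick_window}")
        if len(s["names"]) > 1:
            reasons.append("multiple names on linked orders")
        if reasons:
            alerts.append({"customer": cluster, "names": sorted(s["names"]),
                           "returns": s["returns"], "quick_returns": s["quick_returns"],
                           "value": round(s["value"], 2), "reasons": reasons})
    return sorted(alerts, key=lambda a: -a["value"])


if __name__ == "__main__":
    for alert in scan_returns(PURCHASES, RETURNS):
        print(alert)
```

On the sample data the three orders placed as ‘A. Smith’, ‘Alice S.’ and ‘A Smith’ share a phone number, an address or an email address, so they collapse into one customer with three returns, all inside the 72-hour window, and produce a single alert; the one-off return of a faulty jacket a month after purchase does not. In production the thresholds belong in a typology that an analyst tunes against known cases, and an alert is a lead for investigation, not a decision to refuse the customer.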

As you can see, the risk of Returns Fraud is real and must be properly understood, assessed and managed by retailers to mitigate unplanned losses and vulnerabilities. Failure to properly consider and plan for Returns Fraud in any retail business is likely to result in substantial financial loss, legal disputes, and brand damage, and may even send the business into insolvency.



Often overlooked, Product Security is fundamental to Product Management


Products are core to modern business strategy

If you read Ellen Merryweather’s (of Product School.com) post of January this year (refer Further Reading), you may get the sense that product management is coming of age. A focus on products for businesses can provide stickier customers, unlock access to non-traditional markets, and generate annuity revenue rather than single transactions. These days, I find there are two main categories of products:

  • Products in their own right – such as medicines, or items of clothing and auto parts (e.g. tyres)
  • Products that are bundled with services – we see this with cloud-based software solutions, as well as products connected to the Internet of Things (IoT)

Increasingly, physical products are incorporating connections to the IoT to provide after-sales services such as device updates or performance monitoring. Unlike services, which are transactional, products have a finite lifespan both in terms of their operation (how many times they can be used, or how long they will last) and from a market perspective, before they are imitated by competitors, superseded, or, in the case of patented products, when the patent expires. This means there is a target window in which to generate Return on Investment.


Product security and integrity risks are varied

There are a range of fraud, security and integrity risks which impact products, many of which are specific to particular products and industries. If not properly managed, product risks can have material implications for profitability and reputation, including:

  • Revenue loss or margin shrinkage due to theft, fraud and abuse by customers, staff and suppliers
  • Consumer safety / law issues including product safety and product recall
  • IP risks including patent, trademark (counterfeiting) and copyright infringements, and the tort of ‘passing off’
  • Commercial risks arising from brand damage, competition etc
  • Geopolitical risks – such as trade embargoes, disruptions and material shortages
  • Information and cyber risks – data theft, privacy breaches, cyber attacks, malware
  • Supply chain and distribution risks – including end user fraud, distributor fraud, and product diversion
  • After market risks – such as parallel imports, grey market products, resold products etc.

Despite this risk landscape, I find it’s rare to see product management or product strategy frameworks that clearly articulate the importance of product risk management and the role of product managers in it. Contemporary product protection programs need to address cybersecurity, fraud, insider threats, supply chain security, and product integrity issues such as tampering to mitigate these and other fraud and security threats.


Inherent risks mean security & integrity has a place in product development

When they materialise, fraud and security threats can have a range of direct and indirect impacts which affect product manufacturers, their suppliers and distributors, and customers (end users). Examples here include unplanned losses which erode product margin, sales or resales by unauthorised distributors which financially impact and poison relationships with authorised suppliers, and warranty and returns frauds by customers which compound financial loss with additional expenses such as staff handling time.

Consideration of security related issues is fundamental to realising both the return on investment into designing and releasing a product, and to maintaining the confidence of regulators and consumers that a product does what it says it will.

To properly consider and mitigate these problems, I would argue that starting with a product risk assessment is an essential first step. Product managers need to assess and quantify fraud, security and integrity risks during the New Product Development (NPD) process. What is NPD? This is a 6-stage process that runs from concept to design, prototyping, and market, as illustrated below:

The C-I-A triad of information security provides three risk categories that can be used as a starting point for product risk identification irrespective of whether the product is tangible (e.g. a computer chip or bottle of wine) or intangible (e.g. software):

  • Confidentiality – the ability to keep sensitive information secret
  • Integrity – making sure your product is trustworthy, has not been tampered with, and is authentic, conforming, and reliable
  • Availability – making sure the product is serviceable as and when expected

When we think about integrity and products I almost find it easier to think about it from two perspectives: seller and buyer. Supply Chain Integrity, which focuses on Provenance, Authenticity, and Traceability, is increasingly important for buyers where there are consumer safety or critical infrastructure protection considerations. In regulated industries, sellers (manufacturers) may need to consider how their products (and supply chains) may be compromised in order to make their products more attractive to buyers:

Product Security and Integrity is more than cybersecurity

In my experience, it is common to see product security programs focus exclusively on cybersecurity; however, this one-dimensional approach fails to understand the true nature of security threats. Security theory relies upon the concept of ‘security in depth’ – the use of multiple, complementary controls of many types (e.g. system, people, financial, physical security) which are mutually reinforcing and provide layers of redundancy to protect the asset.

Focusing on one layer (e.g. cybersecurity) at the expense of all others just encourages criminals to achieve the same objective via other means. Examples of the varied security programs required at different stages of NPD include information protection programs and prototype security:

Security and integrity risks need to factor in pricing decisions

Understanding how to factor security and integrity risks into product pricing requires an understanding of how products are priced. Typically, a product is priced using a method which calculates the total cost of the inputs to create (and sell) your product, plus a profit margin – the article from Shopify (referenced in Further Reading below) provides a great introduction to product pricing and strategy.

Importantly, calculating the cost to produce and sell a product differs from your pricing strategy – for example, you may have a product which is cheap to produce but can be sold at a very high margin, either because of some unique factor, market demand, or limited supply. Conversely, you may wish to quickly gain a large market share for first mover advantage or to displace competitors, in which case you may be prepared to cut your margin.

So what sort of security and integrity programs might you need to cost?

  • Product security and integrity controls including anti-counterfeit packaging, tamper evident features and anti-theft measures
  • Cybersecurity features such as Identity and Access Management, data encryption, network security and cyber threat intelligence, particularly if connected to the Internet of Things
  • Fraud protection features to mitigate the way opportunistic and organised fraudsters can abuse your product, such as via warranty fraud
  • Supply chain integrity and security including distribution frauds, product diversion and returns fraud. Whilst not product security per se, this adds to the cost of goods sold
  • Market Surveillance to consider security threats such as counterfeiting and gray market activity as well as consumer safety and quality issues

Some product managers include an additional ‘charge’ for fraud or security issues in the product cost. This effectively acts as an insurance mechanism, with the aggregated charges on sales not affected by fraud or security underwriting those that are. Obviously the ability to do this depends on many supply demand factors in the market.

If you didn’t appreciate the importance of managing the security and integrity risks inherent in product development and product management, hopefully you will now. As you can see, product risk brings material considerations that need to be a feature of any product management framework.



Graph or Social Network Analysis – what’s the difference?

Common terminology sows the seeds of confusion

If you’re someone who has been involved in fraud protection, Anti-Money Laundering, Counter-Proliferation, Sanctions Evasion, anticounterfeiting (the list goes on) – basically any sort of investigation of networks, you will likely have come across concepts such as graph, link analysis, and network analysis. However, when you start to write use cases for your organisation and develop your functional requirements for technology, this starts to get messy. For those new to this area, the figure below provides an illustration of what social network analysis is:

Illustration of a social network in analyst notebook
Social Network Analysis illustration, US Dept. of Justice (2016)

Unfortunately, the terminology we use every day is the source of much confusion amongst business users (investigators, intelligence analysts, security & fraud professionals), data scientists and technologists alike, making it hard to understand the actual problem which needs to be solved by technology. To understand this space, there are three main concepts to get your head around:

  • Network Analytics: A term that has its origins in computer science and ICT, used to model, monitor and assess the health and performance of computer networks
  • Graph Analytics: Also referred to as ‘Graph Technology’, this term is generally used to refer to a type of database – the graph database – which stores data in the form of a ‘graph’ or network, and to the analysis run over it. Graph is heavily used today in the newly emerged field of Data Science.
  • Social Network Analysis: Also known as ‘link analysis’, ‘network analysis’, and a variety of other names, this methodology has been around since the 1970s and stems from the social sciences. It uses algorithms and other methods to model and depict the behaviours of groups of entities (e.g. people, objects), their attributes (e.g. the characteristics of objects, such as a person’s name), and the relationships (connections) between them. This is important as entities typically exist as ‘networks’ in society.

The three concepts outlined above, each a distinct academic discipline, can be applied to three simple User Personas, as outlined below:

  • IT Departments – use network analytics to assess and manage the health of IT and OT (operational technology, such as SCADA systems) networks
  • Data Scientists, Data Engineers – use graph databases to facilitate complex modelling, analysis, and other data management related tasks
  • Intelligence Analysts, Investigators, Risk & Compliance Officers – perform social network analysis to understand threat networks, such as criminal networks, organised fraud syndicates, or illicit corporate structures, to assist in their identification, targeting and disruption

Three illustrative user personas for graph and social network analysis

Despite often using the terminology interchangeably, we are actually referring to three distinct concepts, which cause confusion when co-mingled.

What is a graph exactly?

A basic graph – whether we are talking about the way data is visualised within a graph database or as part of social network analysis – is depicted by nodes (entities) and edges (links or relationships). Fraud teams use enhanced depictions of ‘graphs’ to enrich the data with more information, such as node types and relationship labels. Graphs (social networks) can be queried to return matching results, such as showing all individuals who are connected to a specific address in some way (e.g. home, work, family connections).

For data scientists, one attraction of a graph database is that large, highly connected networks can be traversed and analysed more efficiently than in a relational database management system (RDBMS) such as SQL Server or Teradata, where each hop between entities is a join. There are numerous use cases for graph databases, including:

  • Entity Resolution – to determine whether two entities are actually the same based on various attributes
  • Knowledge Graphs – to help answer questions or find information by linking related facts
  • Product Recommendation Engines – for customers of eCommerce stores to suggest other products purchased by similar customers
  • Master Data Management
  • ICT network infrastructure monitoring
  • Fraud detection

Examples of graph databases on the market today include those produced by Neo4j, TigerGraph, AWS Neptune, Microsoft Cosmos, and many others.

Why is Social Network Analysis important for countering threat networks?

The term “Threat Network” is used by the U.S. Government when discussing any type of hostile actor (even lone actors are typically part of some social network). Examples include organised crime, nation states, organised fraud syndicates, counterfeiting syndicates, and industrial espionage networks. Without going into too much detail here, every threat network has a number of common roles which are required to achieve its objective.

Let’s say a consumer fraud ring is running a boiler room scam to defraud elderly investors. The network needs people to manage its finances, communications, recruitment, targeting to spot vulnerable investors, scammers to actually defraud them, and managers and leaders to coordinate the scheme. This concept is illustrated below in relation to drug production and trafficking:

Organisational structure showing roles within a typical organised crime network
Illustration of various roles within a threat network (JP 3-25)

Social Network Analysis allows the relationships and structures of all parties involved in the network to be visualised, with the ability to overlay additional information such as each party’s function in the network. Algorithms from the social sciences, such as betweenness and other centrality measures, can be applied to social network data to identify key players or connections. These threat network vulnerabilities can then be targeted, such as through arrests or new internal controls, to disrupt threat actor activities. This concept is illustrated below:

Illustration of how a network can be disbanded (disrupted) with effective targeting
Illustration of how disrupting a network can render it ineffective (JP 3-25)
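The two ideas above (ranking key players by betweenness, then testing what removing them does to the network) as an added worked example that is not part of the original post. The fraud ring, every name, role and link in it, is constructed for illustration; betweenness is computed with Brandes’ algorithm and disruption is modelled as node removal followed by a count of the fragments left behind.

```python
"""Key-player identification and disruption analysis on a threat network.

Added example, not from the original post. The fraud ring below is a
constructed, illustrative boiler-room network: every name, role and link
is invented. Betweenness centrality is computed with Brandes' algorithm
for an undirected, unweighted graph, and "disruption" is modelled as
removing targeted nodes and measuring how the network fragments.
"""
from collections import deque

# Constructed edge list. The leader sits between the finance arm and the
# two scamming teams; a recruiter links both team managers, which gives
# the scamming side a second path that bypasses the leader.
FRAUD_RING_EDGES = [
    ("leader", "manager_a"), ("leader", "manager_b"), ("leader", "finance"),
    ("manager_a", "scammer_1"), ("manager_a", "scammer_2"),
    ("manager_b", "scammer_3"), ("manager_b", "scammer_4"),
    ("finance", "mule_1"), ("finance", "mule_2"),
    ("recruiter", "manager_a"), ("recruiter", "manager_b"),
]


def build_graph(edges):
    """Adjacency sets for an undirected graph."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def betweenness(adj):
    """Betweenness centrality (Brandes, 2001): for each node, the sum over
    all node pairs of the fraction of shortest paths passing through it."""
    bc = dict.fromkeys(adj, 0.0)
    for s in adj:
        order = []                       # nodes in BFS (non-decreasing distance) order
        preds = {v: [] for v in adj}     # predecessors on shortest paths from s
        sigma = dict.fromkeys(adj, 0)    # number of shortest paths from s
        dist = dict.fromkeys(adj, -1)
        sigma[s], dist[s] = 1, 0
        queue = deque([s])
        while queue:
            v = queue.popleft()
            order.append(v)
            for w in adj[v]:
                if dist[w] < 0:                  # first visit
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:       # v lies on a shortest path to w
                    sigma[w] += sigma[v]
                    preds[w].append(v)
        delta = dict.fromkeys(adj, 0.0)          # dependency of s on each node
        while order:                             # accumulate in reverse BFS order
            w = order.pop()
            for v in preds[w]:
                delta[v] += sigma[v] / sigma[w] * (1.0 + delta[w])
            if w != s:
                bc[w] += delta[w]
    # Undirected graph: every unordered pair was counted from both ends.
    return {v: c / 2.0 for v, c in bc.items()}


def key_players(adj, top_n=3):
    """Nodes ranked by betweenness, highest first (ties broken by name)."""
    bc = betweenness(adj)
    return sorted(bc, key=lambda v: (-bc[v], v))[:top_n]


def components(adj, removed=frozenset()):
    """Connected components of the graph with `removed` nodes taken out."""
    seen, comps = set(), []
    for start in adj:
        if start in removed or start in seen:
            continue
        comp, queue = set(), deque([start])
        seen.add(start)
        while queue:
            v = queue.popleft()
            comp.add(v)
            for w in adj[v]:
                if w not in removed and w not in seen:
                    seen.add(w)
                    queue.append(w)
        comps.append(comp)
    return comps


def disruption(adj, targets):
    """(number of components, largest component size) after removing targets."""
    comps = components(adj, frozenset(targets))
    return len(comps), max(len(c) for c in comps)


if __name__ == "__main__":
    g = build_graph(FRAUD_RING_EDGES)
    for node, score in sorted(betweenness(g).items(), key=lambda kv: -kv[1]):
        print(f"{node:10s} betweenness={score:5.1f}")
    for targets in (["leader"], ["manager_a", "manager_b"], ["leader", "finance"]):
        print(f"remove {targets}: components/largest = {disruption(g, targets)}")
```

On this constructed network the leader has the highest betweenness, yet removing the leader leaves the scamming side intact as one piece, while removing the two managers leaves every scammer isolated; the ranking tells you who is central, and the removal test tells you which targeting actually breaks the operation.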

How can I perform Social Network Analysis?

Interestingly, you do not need a ‘graph database’ to perform Social Network Analysis. What you do need is a suitable user interface for business users (e.g. investigators) which allows them to query, analyse, and interact with their data to achieve an outcome, such as identifying key players in a fraud ring. Without a suitable interface, business users will be unable to exploit the data effectively, rendering it useless.

Fraud and law enforcement teams have used Social Network Analysis for decades. You can do simple Social Network Analysis on paper or a whiteboard without the use of software – this is where the term ‘link analysis’ originated. Whilst pinboards are useful for Hollywood movies and simple networks, analysts today are swamped with data, making software essential.

In the late 1990s or early 2000s, the popular software known as Analyst’s Notebook was developed and is still in use today. These days, there is a proliferation of thick-client and browser-based software which performs this function, including Maltego, Linkurious, Palantir, Quantexa, and RipJar.

As outlined here, there is a distinct difference between the concepts of network analysis, graph databases and social network analysis. Each has its own use cases, methodologies, user groups and supporting software. Understanding this landscape, and how all the pieces fit together, is essential to building any sort of threat intelligence or detection analytics capability.

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

What are the main e-Commerce frauds targeting online stores?

Three challenges in eCommerce Fraud Protection

One of my side hustles is lecturing postgraduate university students on financial crime intelligence – this is all about how to identify and detect fraud and illicit activity in your data. I regularly tell my students (and clients) that fraud is really a ‘process-based crime’ – it arises because of internal control gaps in your business processes which equate to vulnerabilities for your business, and opportunities for fraudsters and criminals.

Different types of fraud arise at different points in the eCommerce process. Every fraud scheme has its own unique characteristics, which means we can prevent and detect it! From my perspective, there are three challenges in eCommerce fraud protection:

  1. Detecting customer profiles or transactions which are highly likely to be fraudulent with a low false positive rate (see here for explanation); and,
  2. Detecting the fraud in time to avoid incurring a loss (this is particularly hard with real-time payments, outsourced and / or automated fulfilment); and,
  3. Striking the right balance between enough loss prevention measures to mitigate the risk (your ‘risk appetite’) and too many controls (which makes for a bad customer experience, impacting sales conversions and customer retention).

To illustrate this for eCommerce, I have used the four-phased eCommerce marketing lifecycle promoted by SmartInsights.com and overlaid where different fraud schemes can arise:

Three categories of eCommerce fraud schemes

Let’s deep dive into the three main eCommerce fraud schemes:

Account related frauds

Some eCommerce fraud schemes revolve around a user’s identity or account. Examples of how this may happen, either at account creation or at login, include:

  • Phishing – social engineering attempts to compromise users and their accounts
  • Credential stuffing – attempts to use credentials stolen from another breach to login
  • Account takeover – where a user’s account credentials or browser session is hijacked
  • Identity theft – a victim’s identity is stolen and used to obtain loans, goods, etc.

Payment Frauds

The second category of eCommerce frauds revolves around the payment or transaction itself, including:

  • Use of stolen / purchased credit card details
  • Card testing – where criminals place small charges on a card to see if it is valid; these charges may later be disputed by the cardholder
  • Chargeback fraud – shopper makes a purchase on their own card, then requests a chargeback after receiving the goods
  • Refund Scams – shopper purchases something and asks for a refund before the product is delivered
  • Payment frauds – including card present and card not present transactions
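Card testing, from the list above, is one payment fraud that leaves a recognisable pattern in authorisation logs, and the page’s first challenge (flagging likely fraud with a low false positive rate) is the point of detecting it. The following is an added example, not from the original post; the log records, field layout and thresholds are constructed, and the IPs come from the RFC 5737 documentation ranges.

```python
"""Card-testing detection over constructed authorisation records.

Added example, not from the original post. The log lines, field layout and
thresholds below are constructed for illustration (IPs are from the
RFC 5737 documentation ranges). Card testing, where criminals place small
charges to learn which stolen card details are still live, tends to show up
as a burst of low-value authorisation attempts from one source, spread
across many different cards, with a high decline rate.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: timestamp source_ip card_token amount result
AUTH_LOG = """\
2023-06-01T10:00:01Z 203.0.113.7 tok_a1 1.00 declined
2023-06-01T10:00:04Z 203.0.113.7 tok_b2 1.00 declined
2023-06-01T10:00:09Z 203.0.113.7 tok_c3 0.50 approved
2023-06-01T10:00:15Z 203.0.113.7 tok_d4 1.00 declined
2023-06-01T10:00:22Z 203.0.113.7 tok_e5 1.00 declined
2023-06-01T10:00:31Z 203.0.113.7 tok_f6 0.50 approved
2023-06-01T10:02:00Z 198.51.100.4 tok_g7 89.95 approved
2023-06-01T10:05:10Z 198.51.100.4 tok_g7 12.00 approved
2023-06-01T10:07:00Z 192.0.2.9 tok_h8 1.00 declined
2023-06-01T10:07:30Z 192.0.2.9 tok_h8 1.00 approved
"""


def parse_log(text):
    """Parse the space-separated records above into dicts."""
    records = []
    for line in text.splitlines():
        ts, ip, token, amount, result = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "token": token,
            "amount": float(amount),
            "result": result,
        })
    return records


def detect_card_testing(records, window=timedelta(minutes=5), max_amount=5.0,
                        min_attempts=5, min_distinct_cards=4, min_decline_rate=0.5):
    """Return {source_ip: summary} for sources whose low-value attempts inside
    some `window` meet all three card-testing signals: enough attempts,
    enough distinct cards, and a high share of declines. The summary keeps
    the cards that were approved, i.e. the ones the tester confirmed as live,
    so the merchant can void those authorisations and notify the issuer."""
    by_ip = defaultdict(list)
    for r in records:
        if r["amount"] <= max_amount:        # only low-value attempts matter here
            by_ip[r["ip"]].append(r)

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(attempts)):     # sliding window over time
            while attempts[end]["ts"] - attempts[start]["ts"] > window:
                start += 1
            chunk = attempts[start:end + 1]
            cards = {r["token"] for r in chunk}
            declines = sum(r["result"] == "declined" for r in chunk)
            if (len(chunk) >= min_attempts
                    and len(cards) >= min_distinct_cards
                    and declines / len(chunk) >= min_decline_rate):
                # keep the largest qualifying window seen for this source
                if ip not in flagged or len(chunk) > flagged[ip]["attempts"]:
                    flagged[ip] = {
                        "attempts": len(chunk),
                        "distinct_cards": len(cards),
                        "declines": declines,
                        "approved_cards": sorted(
                            r["token"] for r in chunk if r["result"] == "approved"),
                    }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_card_testing(parse_log(AUTH_LOG)).items():
        print(ip, summary)
```

Requiring all three signals together is what keeps the false positive rate down: the genuine shopper at 198.51.100.4 never enters the low-value pool, and the single retried decline at 192.0.2.9 fails the attempt and distinct-card thresholds.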

Loss Prevention

The final category of eCommerce frauds is perpetrated by a user post-payment. Common fraud typologies include:

  • Change of address scams – delivery address is changed after payment but before shipping so goods are not sent to the cardholder’s residence
  • Returns fraud – consumer receives goods, uses them, and sends them back (effectively ‘renting’)
  • Product diversion – where goods are basically stolen by trusted insiders (employees, contractors, suppliers)

Did you know that organised fraud, product diverters and shoplifting rings typically target specific products over others?

Products that are CRAVED are at greatest risk.

I have provided more information on which products are most likely to be targeted by organised fraud, product diversion and shoplifting rings in my article “product security risk assessments for tangible goods”.

Identifying your core business activities, systems and processes is key to understanding and managing your risk profile. I will review how to do this in a future article, but if you are looking for somewhere to start try www.juliantalbot.com and this article on ‘risk appetite and risk tolerance‘.


SOCI Act 101 – Operational Information explained

Understanding SOCI is inherently complex

I’ve said it before and I’ll say it again – Australia’s Security of Critical Infrastructure Act, or SOCI for short, is a big, complex piece of legislation comprising the Act itself, supported by (5) legislative instruments (Rules) which provide more guidance on implementation. Anyone who claims the legislation is simple really hasn’t read it!

Working with legislation like this is likely to be completely new for many Australian executives and security professionals unless they have prior experience in highly regulated industries or in regulatory compliance.

If you are new to compliance or would like to understand how to build an ISO 37301:2021 Compliance Obligation Register, have a read of this article I wrote in March 2023:

Each time I read the legislation I pick up something new – this often requires my flicking back and forth throughout the various documents and sections of the Act to cross-reference each obligation or definition and understand its intent.

With legislation like this, you only start to understand its nuances as you apply it to real world examples, decomposing each element of a critical asset and applying the legislative tests to determine the appropriate treatment.

Developing a compliant CIRMP whilst minimising unnecessary costs and the impact on a critical infrastructure operator’s business, workforce and supplier ecosystem is the challenge.

SOCI creates two key documents

Information or data (as opposed to information system security) is a domain of SOCI, just like Personnel referenced in my previous article on Critical Workers:

Under SOCI, there are effectively two key documents which relate to information and information protection:

  • Register of Critical Infrastructure Assets – this Register is not public and is maintained by the Secretary of Home Affairs. It comprises information on specific critical assets and beneficial ownership and control information for every piece of Australian critical infrastructure.
  • Critical Infrastructure Risk Management Plan (CIRMP) – all Reporting Entities are required to have a complete CIRMP within six months of the day of commencement of the Rules, i.e. by 18 August 2023.

The Register needs to include your Operational Information

Operational Information is different to Sensitive Operational Information under SOCI. Divn 2 (19) of the Act requires Responsible Entities to provide an initial version of their Operational Information to the Department for inclusion in the Register.

Under s26 of the Act, should a Notifiable Event arise then an updated version of the Responsible Entity’s Operational Information must be provided to Home Affairs. Presumably, this information will enable the Australian Government to rapidly perform a damage assessment and to support any crisis or national security response that may be required.

Under SOCI, Operational Information related to a Critical Infrastructure Asset means:

  • The asset’s location and a description of the area the asset services;
  • Information about each organisation that is the Responsible Entity for (or an operator of) the asset, comprising: the entity’s name, business registration number, head office or principal place of business address, and country of incorporation or formation;
  • Information about the CEO (or equivalent) comprising their full name and citizenship(s);
  • A description of the arrangements under which each operator operates the asset (or a part of the asset), including details of any control system of the asset if it is managed by a separate body;
  • A description of the arrangements under which data prescribed by the rules relating to the asset is maintained;
  • Information prescribed by the Rules for the purposes of this paragraph (see below).

The ‘information prescribed by the Rules’ referenced above is currently only defined in Division 2.2 of the Security of Critical Infrastructure (Definitions) Rules (LIN 21/039) 2021, where Operational Information comprises six categories:

  • Personal Information for at least 20,000 people (as defined in the Privacy Act 1998)
  • Sensitive Information (as defined in the Privacy Act 1998)
  • Critical Infrastructure Asset related Research and Development information
  • Information on systems needed to operate the Asset
  • Information about risk management (including security) and business continuity / crisis management / operational resilience about the Asset
  • Other sector-specific information as defined in 2.2 (17) (1) (vi) of these Rules

For any of the above Operational Information, Responsible Entities must provide a description of the arrangements for the Department’s Register that comprises:

  • The name of the entity that maintains the data; and
  • If that entity is not the responsible entity for the asset (e.g. Microsoft, Google etc), the entity’s business registration number, head office or principal place of business address, and country of incorporation; and,
  • The address where the data is held (e.g. where computers or servers holding the data are located) and whether the computers or servers are part of a cloud service; and if using a cloud service—the name of the cloud service (e.g. Microsoft) and the kind of data that the entity maintains in these computers / servers / cloud environment.

What is Sensitive Operational Information?

Sensitive Operational Information is only mentioned in the CIRMP Rules in relation to identifying Material Risks to a Critical Infrastructure asset. These Rules list six examples of what would constitute sensitive information:

  • Layout diagrams
  • Schematics
  • Geospatial information
  • Configuration information
  • Operational constraints or tolerances information
  • Data that a reasonable person would consider to be confidential or sensitive about the asset

The above category of information is primarily technical in nature – such as pertaining to engineering or ICT applications – but is focused on minimising the disclosure of information about a critical infrastructure asset’s vulnerabilities, particularly where this information is stored, transmitted or processed outside of Australia.


6 steps to improving security and integrity culture in the workplace

Workplace Culture – a curious concept

Culture is a funny concept: it is neither tangible nor permanent, but rather develops and evolves over time and is a reflection of the members of that ‘tribe’. Organisations, groups and communities can all develop unique intrinsic cultures as a result of the collective actions, behaviours, norms and values of that organisation.

The fact that culture is not a tangible thing makes nurturing a ‘good’ culture hard for leaders to achieve, and very easy to destroy. Good workplace cultures can become self-perpetuating, attracting others of similar visions and values and contributing to a highly engaged workforce. In his 2013 article in the Harvard Business Review, Michael Watkins provides a great discussion on organisational culture, outlining different perspectives on what it is and how it permeates the modern workplace.

Culture is recognised as being one of the most important components of successful companies. According to James L. Heskett, culture “can account for 20-30% of the differential in corporate performance when compared with ‘culturally unremarkable’ competitors”, making understanding it essential for all leaders (HBR, 2013).

Seven dimensions of security culture

When applied to security, the concept of organisational culture is no different. According to Perry Carpenter in Forbes Magazine (2021), there are seven dimensions to security culture. I have taken Carpenter’s seven dimensions and adapted them to provide more context for risk leaders:

  1. Attitudes: Employees have a positive view of security and understand why it exists. A positive culture of reporting security incidents is established
  2. Behaviours: Employees conduct themselves in a manner that positively impacts overall security. Innocent, unintentional security breaches or accidents are not punished, nor are those responsible ostracised
  3. Cognition: Employees know about security and have a high level of awareness of threats and security programs
  4. Communication: Security is communicated clearly and regularly, with key messages being enforced in ways which are easily understood by all and which resonate with the workforce
  5. Compliance: Employees comply with security policies voluntarily, not because they have to
  6. Norms: Being conscious of security and the need for it, as well as the expected behaviours, becomes part of the organisation’s fabric. Employees who go against these norms are counselled by peers, not security, compliance or management
  7. Responsibilities: Employees understand their security obligations and take them seriously. They know what to do and when, and comply with these rules and expectations

How does your organisation compare in relation to these seven dimensions? What about your previous employers? Reflecting and thinking critically about what we do and how we behave as leaders prompts us to consider what else we could do better, and potentially enhance our culture in the process.

Six things leaders can do to improve security and integrity culture

Although a good security culture is hard to achieve, leaders need not despair. There are things we can do to improve security culture; it just takes time and effort. Listed below are six things I would encourage leaders to do to build or improve their security and integrity culture:

  • ‘Tone from the top’ – what senior leaders say and do matters: just as with pets or children, behaviours will be replicated. Leaders should continually demonstrate the importance of security and integrity within the business, and not just pay lip service.
  • Awareness training – regular training on security and integrity is important in the workplace. People need to know how they are expected to behave, and to understand the organisation’s policies and accepted practices. Ideally, not all training would be computer-based, as people need time to talk through scenarios and learn from peers, such as via interactive, discussion-based forums.
  • Risk is part of the organisation’s DNA – thinking about risk does not mean discouraging staff from taking risks. Taking risks is an important element of creativity and innovation, but ideally risk taking would be measured to avoid taking risks from which organisations or staff cannot recover. Thinking about what could go wrong (or right) and ways in which adverse consequences or likelihoods can be mitigated or proactively managed should ideally be part of the organisation’s cultural fabric.
  • Penalties are not applied for accidents, near misses or unintentional incidents – rather, a constructive approach that focuses on continuous improvement and lessons learned should be taken. Inquiries into organisations with poor risk culture found that poor organisational cultures are those where blame is apportioned, messengers are blamed, and where subordinates are too scared to tell the truth to senior management for fear of repercussions. Leaders cannot fix problems they know nothing about.
  • Staff feel comfortable speaking up about their peers – in my previous post on the critical path method and insider risk management, I spoke about the need for organisations to identify workers who are struggling (and may pose a security or integrity risk to the organisation by virtue of their situation). Peers who have a concern about a co-worker should ideally be able to confidentially raise these concerns without worry that the struggling co-worker will be fired or penalised, but rather supported.
  • Treating people fairly – where problems or allegations do arise, the workforce must know they will be treated fairly and that the principles of natural justice will be applied to the investigation and resolution of incidents.


Who are SOCI Act Critical Workers?

A recap on Australia’s SOCI Act

In 2022, Australia’s 2018 Security of Critical Infrastructure Act (SOCI Act or SOCI) was amended to strengthen the security and resilience of critical infrastructure. The number of industry sectors and asset classes deemed critical was expanded to eleven, and new legislative obligations were introduced for all Responsible Entities under SOCI.

Responsible Entities for a critical infrastructure asset are the bodies with ultimate operational responsibility for an asset.

A CIRMP is a Critical Infrastructure Risk Management Plan, as set out in the CIRMP Rules.

SOCI is a large, complex piece of legislation comprising the Act plus 5 Legislative Instruments (Rules). The CIRMP Rules, which became law on 17 February 2023, also require compliance with one of 5 accepted information security frameworks (although further time has been granted for organisations to complete these cybersecurity uplifts). To comply, Responsible Entities have 6 months to develop a CIRMP (i.e., by 18 August 2023).

In my opinion the focus of SOCI on uplifting national resilience is much needed in Australia and should be applauded, although it is noted that interpreting SOCI requires careful reading and research. Implementation is complicated by changes to the legislation during the parliamentary process, which affect the relevance of the guidance material.

How is a ‘critical worker’ defined?

Part 1, Divn 2, Section 5 of the SOCI Act

The term ‘Critical Worker’ means an individual, where the following conditions are satisfied:

(a) the individual is an employee, intern, contractor or subcontractor of the responsible entity for a critical infrastructure asset to which Part 2A applies (i.e., the asset is subject to a CIRMP);

(b) the absence or compromise of the individual:

(i) would prevent the proper function of the asset; or

(ii) could cause significant damage to the asset; as assessed by the responsible entity for the asset;

(c) the individual has access to, or control and management of, a critical component of the asset

Meeting all elements of the above test is required to be deemed a ‘Critical Worker’. Note that Element (b) applies both an insider threat and business continuity lens to identify those who could prevent the asset’s operation or cause significant damage.

Whilst the legislation does not link it to personnel, assessing how potential risk events could cause significant damage would ideally be done via a risk assessment, based on residual risk ratings determined by the Responsible Entity.

What steps do I need to take to manage ‘Personnel Hazards’ under the Rules?

Identifying Critical Workers is only the start of the Personnel risk management process. Appropriate security measures and access controls must be implemented to ensure only Critical Workers who have passed the AusCheck (or comparable) processes gain access. Responsible Entities must also take reasonable steps to minimise or eliminate trusted insider risks (insider threats), including during the offboarding process.

Section 9 Personnel hazards

(1) For paragraph 30AH(1)(c) of the Act, for personnel hazards, a responsible entity must establish and maintain a process or system in the entity’s CIRMP:

(a) to identify the entity’s critical workers; and

(b) to permit a critical worker access to critical components of the CI asset only where the critical worker has been assessed to be suitable to have such access; and

(c) as far as it is reasonably practicable to do so—to minimise or eliminate the following material risks:

(i) arising from malicious or negligent employees or contractors; and

(ii) arising from the off-boarding process for outgoing employees and contractors.

Conceptually, getting your head around the idea that some positions in an organisation pose higher risks than others can take time. Some months ago, I wrote this primer on understanding high risk roles which may assist.

The High Risk Role concept is only one element of what SOCI calls Personnel Hazards. Whilst not mentioned in SOCI, a Personnel Security Risk Assessment is a broader activity used by the UK’s National Protective Security Agency which provides the level of traceability and scrutiny needed to identify, assess and mitigate Personnel Hazards.

What are the implications for employers?

Employers of Critical Workers need to confront the fact that some employees or contractors (or those of their suppliers) may not pass the AusCheck process. Three options are likely for each individual:

  • Employees (or employees of a critical supplier) who meet the ‘critical worker’ test voluntarily submit to the AusCheck process, with no impacts to employee engagement or employment contracts
  • Employees (or employees of a critical supplier) with existing employment contracts object to participating in AusCheck along the grounds of ‘conscientious objections’ or the suspicion they may fail
  • Employees (or employees of a critical supplier) fail the AusCheck process

Conceivably, managing the legal, financial and workplace relations implications of people who object to, or fail, the AusCheck process could be onerous, especially for industries which have not historically employed rigorous workforce screening.

Real dilemmas are likely to be encountered by smaller Responsible Entities whose operations are not big enough to separate their critical and non-critical operations. This may mean those employers cannot move employees who fail or object to AusCheck into non-critical worker roles, as there may not be any available. One thing is clear: employers need to be proactive and focus on what this could mean for their workforce as early as possible. Every new employment contract issued before August that does not adequately address this issue may need future remediation.


Counterfeits can compromise your Supply Chain Integrity

How counterfeiting threatens Supply Chain Integrity

Counterfeiting has been prevalent throughout the global industrial era, and given its profitability and the low risk of conviction for offenders it is not going away anytime soon. Unfortunately, there have been numerous examples of public and private organisations which unknowingly procure counterfeit, fraudulent, substituted or substandard products in their supply chain – two such examples include:

  • June 2020: U.S. Air Force pilot 1st Lt. David Schmitz died when his parachute didn’t deploy from a malfunctioning ejection seat, which the US Air Force later found may have contained up to ten counterfeit and faulty resistors and semiconductor chips
  • March 2021: Police in China and South Africa seized thousands of fake doses of Covid-19 vaccine, with Interpol warning this represented only the “tip of the iceberg” globally. Police raided the manufacturing premises, arresting ~80 suspects and seizing over 3,000 fake vaccines

As the above examples show, it is all too easy for counterfeit materials to enter the supply chain of even the world’s largest organisations. Critical Infrastructure operators, such as those falling under the purview of Australia’s Security of Critical Infrastructure Act 2018, have a requirement to use high quality parts and components produced by reputable manufacturers to an engineer’s specifications, whilst in life sciences, fraudulent or substandard medicines frequently cause premature death or serious injury.

How do sub-standard parts enter a supply chain?

Before we explore this further, we need to remember there are two perspectives here: (1) what a manufacturer can do to ensure their products are not counterfeited or compromised between the factory and the end user, and (2) what end users can do to ensure they do not introduce compromised product into their inventory or operations. The second perspective is the focus of this post.

Sub-standard, counterfeit or fraudulent parts / components / products (also referred to as ‘non-conforming’ materials) can enter the supply chain in at least four ways, including:

  • Supplier intentionally introduces non-conforming material, perhaps for profit or because they are unable to obtain the conforming item and do not want to risk their relationship with the buyer
  • Supplier unintentionally introduces non-conforming material as a result of inadequate or complacent internal practices and procedures
  • Corrupt or malicious insider compromises the supply chain for gain or profit; or
  • As a result of foreign interference by a nation state actor against an adversary

Given these vectors for introducing non-conforming materials, how can organisations protect their supply chain integrity? The answer is to develop an Anti-Counterfeit Management Plan, also known as a Material Authenticity Assurance Plan (MAAP), which, based on AS6174 published by SAE International, can be developed in five main steps.


Step 1 – Assess the risk posed by sourcing counterfeit product

I have previously written about the concept of security risk management and the fact that we can’t treat all problems to the same standard: Risk management decisions must be based on risk appetite and focused on using a business’s limited resources to protect the most critical assets.

For a buyer, the risk of counterfeit parts is largely a quality control issue as long as there are multiple qualified suppliers in a given market. However, for products requiring specific know-how or capability, or where Intellectual Property licensing applies, different sourcing considerations are required.

The first step in managing supply chain integrity issues arising from counterfeits involves identifying those areas where the business impact of compromise is greatest. This allows sourcing managers to modify their approach and policies to compensate for potential risks. One example of criticality tiering by product can be found below:

Impact / Criticality   Type of product
HIGH                   Life dependent applications
                       Safety critical applications
                       Mission critical applications
                       Applications where field work / repair is impossible
MEDIUM                 Reclaimed / refurbished parts
                       Application critical
                       Product is accessible for field repair
                       Short product life expectancy
LOW                    Non-critical applications
Source: AS6174 – SAE International

Step 2 – Identify which sources provide the greatest assurance

Budget is always finite in any organisation, and it is not always possible (or necessary) to buy the best of everything. Where multiple suppliers exist, it makes good business sense to buy the highest quality items (typically the most expensive) for those areas which are most critical, either to your business’s operations or to life and safety.

So how do you determine this? SAE International provides useful guidance here, ranking the main types of ‘source’ in order of those which provide the greatest level of confidence that their materials will be of high quality (and therefore the lowest risk of non-conformance):

Confidence level (non-conformance risk)   Product / component source
HIGH (LOW risk)                           OEM or certified manufacturer
                                          Authorised distributor
                                          Original manufacturer or contract manufacturer
MEDIUM                                    Vetted or pre-qualified independent distributor (e.g. quality and reputation verified)
                                          Unknown independent distributor (e.g. quality and reputation not assessed)
                                          Unknown source
LOW (VERY HIGH risk)                      Vendor is subject to adverse reporting from industry participants (i.e. other buyers have reported purchasing non-conforming product from this seller)
Source: AS6174 – SAE International

Step 3 – Develop your organisation’s product assurance processes

The risk of sourcing non-conforming material is omnipresent for any critical industry or life sciences organisation, so undertaking assurance on your suppliers and any parts / components / software purchased from them is an ongoing activity for the life of your operations.

For physical products, there are four ways to obtain this assurance which can be used in isolation or in combination depending on the risk profile:

  • Document and packaging inspection – before opening the package, inspect for obvious tampering, spelling errors, typographic issues, missing or damaged holograms, peeling labels, amended dates, etc.
  • Visual Inspection – remove the product / part / component from the packaging. Does it match the expected style, form and quality of what was ordered?
  • Non-Destructive Testing – involves radiological, acoustic, thermographic and optical techniques to verify conformance without damaging the component / part / product.
  • Destructive Testing – usually used as a last resort, these options involve analytical chemistry, deformation and metallurgical tests, exposure tests, and functional tests, all of which will likely damage the component / part / product.

Further information can be found here. Irrespective of whether it is fraudulent, substandard or counterfeit, any non-conforming material identified should always be removed from circulation within the organisation’s inventory or operations, and either retained as evidence for legal and associated purposes, securely destroyed, or returned to the supplier (depending on your policies and obligations).


Step 4 – Plan for contingencies

It is a fact of life that manufacturers stop producing products / components due to factors such as shortages in raw materials, financial insolvency, or simply product strategy decisions. Buyers who require parts or components to support an extended operational life of, say, two to three decades need to implement plans to mitigate these risks.

Contingencies include purchasing additional inventory, regular engagement with manufacturers to obtain advanced notice of production changes, finding contract manufacturers, or sourcing alternative components.

Step 5 – Document your Product Assurance Framework

To ensure consistency and proper governance, some form of framework is required to set out your organisation’s policies, risk appetite, roles and responsibilities, regulatory compliance obligations, key risks and controls, staff awareness training and product assurance program.

A documented framework provides a mechanism to ensure consistent implementation throughout the organisation, as well as a mechanism to continuously improve and to benchmark against historical performance.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.