We often overlook criminology when combating insider threats, fraud and sabotage

Posted on May 20, 2025 by Paul Curwell

Paul Curwell

5–7 minutes

Key Takeaways:

You can’t fix insider fraud or sabotage with firewalls alone—these are people problems, not just process problems, so you need to consider perpetrator motive in your control design.
Behavioural science and criminological theory offer practical ways to design smarter, cheaper, and more effective controls.
Mapping threat types to motivations is the secret sauce to stopping expensive mistakes—before they hit your bottom line.

Why this matters to your business

If you think trade secrets theft, sabotage, or internal fraud is something that happens to “other companies,” let me burst that bubble. These threats are not random—they’re often deeply personal. And they’re expensive. The Association of Certified Fraud Examiners (ACFE) estimates that internal fraud alone costs businesses 5% of annual revenue. For a $100M business, that’s a $5M hole—every year.

And that’s just the financial side. The reputational cost? The loss of trust with investors or research partners? The delay to your product launch because someone leaked your IP to a competitor? That stuff doesn’t show up on a balance sheet… until it does.

So how do we stop it?

Let’s talk motive (yes, like in crime dramas)

We often forget security and fraud actors have different motivations. Some actors are in it for profit. Others want revenge, power, or validation. If you treat all threats the same—say, by rolling out the same boring training module to every department—you’re wasting money and creating a false sense of security.

This first table helps you step back and align your controls to the actual psychology of your adversary.

Table 1: Motivation-Based Threat Profiling

Threat Type	Key Motivations	Relevant Theory	Considerations for Control Design
Organised Crime	Profit, group objectives	Routine Activity Theory	Target hardening, threat intel, supply chain vetting
Insider Threats	Revenge, stress, entitlement	Control Theory	Strengthen social bonds, build fair culture, early intervention
Nation-State Actors	Money, Ideology, Coercion, Ego (MICE)	MICE Theory	Access controls, vetting, protective security

man sitting on snowy park bench in winter — Photo by Amirhossein Bolourian on Pexels.com

How to use this:
When assessing security risks, we often fail to ask “What is the likely motive”. If your AI is being stolen by an employee, that’s an insider threat, not a problem with cyber criminals. The control response (culture, access rights, change monitoring) needs to reflect that nuance.

Behavioural theory helps at every risk stage

Here’s the bit I wish someone had told me 10 years ago: criminological theories don’t just help you after something goes wrong—they help you design better systems from the start. I use these theories for risk indentification, design risk treatments, and frame executive dialogue.

Table 2: How Behavioural Theory Supercharges Risk Management

Risk Stage	How Theories Help
Risk Identification	Reveal root causes and hidden risk signals
Control Design	Tailor controls to motivations (not just compliance)
Risk Assessment	Improve likelihood and impact estimates
Monitoring & Review	Spot early warning signs and behavioural red flags
Training & Awareness	Shift from checkbox compliance to ethical behaviour reinforcement

Applying the critical-path approach to insider risk management

How to use this:
When you’re building your next fraud control or insider risk program, don’t start with a control library—start with questions. What kinds of pressures might lead someone to rationalise stealing research data? Where are the opportunities? Who might feel disengaged or unfairly treated? These insights help you focus resources where they’ll have the most impact—without overengineering.

Choosing the right theory for the job

Criminological theory might sound academic, but it’s just a lens—a way to make better sense of why risks materialise. I often get asked, “Which theory should I use?”. The answer is: it depends, which is helpful-unhelpful. Here’s a guide I use in consulting to help organisations focus their resources.

Table 3: Best-Fit Theories for Common Security Risks

Risk Area	Relevant Theories	Why It Matters
Espionage	MICE (Money, Ideology, Compromise or Coercion, Ego), Routine Activity, Swiss Cheese	Explains varied motives, layered failures, and access points
Trade Secrets / IP Theft	Routine Activity, Crime Opportunity, MICE	Focuses on access, motivation, and weak controls
Internal Fraud / Corruption	Fraud Triangle, Routine Activity, Control Theory	Addresses personal pressure, weak oversight, and cultural cues
Sabotage	Opportunity Theory, Strain Theory	Tied to frustration, injustice, and lack of guardianship
Workplace Violence	Strain, Social Learning, Routine Activity	Driven by grievance, modeled behaviour, and opportunity
Supply Chain Diversion	Crime Pattern Theory, Opportunity Theory	Helps pinpoint vulnerable choke points and recurring loss patterns

HUMINT cycle and the recruitment of insiders

How to use this:
Say your business is about to enter a new research partnership with a university or foreign lab. You’re worried about losing your IP or trade secrets. Start by applying MICE Theory to understand potential risks on the other side: Are their staff well-paid? Are there ideological risks? How vulnerable is your business partner or their employees to coercion or bribery? Then combine that with Crime Opportunity Theory to assess access and controls.

You don’t need to become a criminologist—but bringing these concepts into boardroom discussions will make your risk strategies more intelligent and effective.

What you should do next

Reassess your threat profiles – If your risk registers don’t account for behavioural motivations, rewrite them.
Train your teams on motive-driven threats – Stop relying on bland compliance modules. Teach managers how to spot early red flags.
Map controls to theories, not hunches – Don’t throw money at controls that don’t match the motive. Use behavioural theory to guide investment.
Get smarter about culture – Your culture is your first control. Build fairness, transparency, and connection before a bad day turns into a $10M incident.

One final (uncomfortable) truth

You can’t patch human vulnerability like you patch software. Your best firewall is a culture that understands why people do the wrong thing—and a strategy that uses that insight to get ahead of the next crisis.

So, if you’re ready to move beyond checkbox security and build a behavioural-led risk strategy, let’s talk. I’ve got frameworks, models, and a whole lot of lessons learned the hard way.

Combatting Adaptive Threats: Control Assurance Strategies

Posted on May 13, 2025 by Paul Curwell

Paul Curwell

7–10 minutes

3 Key Takeaways

Security and fraud controls decay over time—especially when facing smart, persistent human adversaries who adapt faster than your processes do.
Mapping the criminal business process helps build typologies, essential for designing detection logic to embed into your fraud, insider threat, and SIEM systems.
You must monitor control decay continuously using early indicators and adaptive analytics—not just wait for losses or incidents to show you’ve failed.

The Adversarial Evolution Challenge

Fraud and security controls face a unique challenge: they’re not defending against random failures or faulty processes—they’re up against people. Adaptive, intelligent, persistent people.

Think of it like this: you lock your doors. But if someone really wants in and watches you long enough, they’ll figure out where the spare key is. That’s what control decay looks like when your adversary is watching, learning, and evolving. Over time, even the best-designed controls wear thin against determined adversaries—especially when those adversaries have motivation, time, and community support.

This constant pressure creates a cycle where:

Controls lose effectiveness as attackers discover workarounds.
Fraudsters evolve their TTPs (tactics, techniques, and procedures) to sidestep your latest defences.
Control bypass techniques get shared in underground forums, speeding up the learning curve for others.
Every successful breach becomes a repeatable blueprint—one your analytics may not be trained to detect.

The Real Cost of Ignoring Control Decay

In 2023, reported global losses from fraud hit US$485 billion, with insider threat incidents costing an average of US$16.2 million each. And those figures only capture what’s been detected and disclosed.

Control decay is especially dangerous in environments that depend on digital platforms (e.g. eCommerce, online banking), protecting trade secrets, and product protection. Supply chains and distirbution are particularly vulnerable. Third parties may have weaker controls, creating backdoors into your systems. And when fraud or insider threats go unnoticed, they erode trust and value, fast.

Security and Fraud threats are carried out by people: Adaptive, intelligent, persistent adversaries.

From Static to Smart: Rethinking Controls

Many organisations treat security and fraud controls as one-time investments—set them, test them, and move on. That mindset doesn’t work against adaptive human threats.

Controls decay like milk, not wine. Even when controls are automated, humans are still involved—approving actions, ignoring alerts, or skipping procedures. Over time, fatigue and complacency creep in, creating gaps that adversaries can exploit. That’s why it’s essential to continuously reassess the effectiveness of your defences, a process known as ‘control assurance’.

Mapping the Criminal Business Process

Before you can improve detection, you need to understand the steps an adversary must take to succeed. That’s where mapping the criminal business process comes in.

This means reverse-engineering the steps an adversary would take to achieve their goal—whether that’s stealing research data, committing payment fraud, or accessing protected systems. By mapping out their “workflow,” you can identify where to disrupt them.

Key disruption opportunities include:

Reconnaissance – How do they learn about your systems, people, or gaps?
Access – What path do they use to gain entry (e.g., phishing, credential reuse)?
Evasion – How do they stay under the radar?
Monetisation – What do they do with what they’ve taken?
Exit strategy – How do they cover their tracks?

This process forms the backbone for building targeted detection strategies.

Typologies: Turning Adversary Tactics into Detection Models

Once you understand the criminal business process, you can develop typologies. These are structured descriptions of how specific threats play out in your context—complete with behavioural indicators, red flags, and contextual cues.

Typologies aren’t just lists of “bad behaviours.” They are comprehensive models that describe how specific threats manifest within a particular context. A typology outlines the sequence of actions, behavioural indicators, contextual factors, and potential red flags associated with a particular threat scenario:

They aggregate indicators, sequences, and behaviours that point to fraud or compromise.
They include the context—industry, access levels, timing—that makes them relevant.
They support prioritised detection by translating threats into models your systems can monitor.

Developing typologies involves analyzing real-world cases to identify common patterns and methods used by adversaries. One effective approach is Comparative Case Analysis (CCA), which compares multiple incidents to extract shared characteristics and inform the development of robust typologies.

Comparative Case Analysis: A powerful tool for typology development

Click to find out more about Comparative Case Analysis

From Typologies to Detection: Using Analytics to Catch Adaptation

Once established, these typologies serve as the foundation for designing analytics-based detection models. By translating the insights from typologies into detection logic, organizations can proactively monitor for activities that align with known threat patterns, enabling earlier identification and response to potential incidents.

“Typologies” Sound Boring – But They Could Save Your Business Millions

Click to find out more about typologies

Data analytics helps you identify these early signs of attacker adaptation—well before a control fails outright. By building detection around these patterns, you shift from reactive incident response to proactive defence.

Anomaly Detection – Spot subtle changes in normal activity before a bypass is successful.
Clustering & Pattern Discovery – Uncover organised campaigns or repeated techniques across cases.
Temporal & Spatial Analysis – Track when and where new threats emerge or evolve.
Simulations & Wargaming – Test how your controls stand up to evolving TTPs (modus operandi) in different organisational contexts or business processes (inclusive of internal control points).
Threat Intelligence Integration – Correlate public vulnerabilities or attack trends with what’s happening in your own data.

Measuring and Monitoring Control Decay

You can’t improve what you’re not measuring. Most businesses track breaches and incidents—but that’s too late. Control decay needs earlier signals.

The goal is to monitor signs that controls are being weakened, tested, or circumvented—even if the attacker hasn’t succeeded yet. These metrics give you early warning that your system is becoming vulnerable.

Bypass Detection Rate – How often are adversaries getting around your controls?
Control Learning Curve – How fast are attackers adapting after implementation?
Adaptation Indicators – Are there new methods or patterns in failed attempts?
Control Evasion Techniques – What are the latest tricks being used to slip past detection?
TTP Evolution Tracking – How are known techniques changing over time?
Reconnaissance Patterns – Is someone repeatedly probing or testing your systems?
“Low and Slow” Attacks – Are there stealthy signs of gradual testing or exploitation?
Correlation with Vulnerability Disclosures – Do public CVEs line up with spikes in suspicious activity?

Fraud and security controls decay over time in the face of threats

Countering Control Decay with Adaptive Analytics

Now that you’re watching for decay, you need to build controls that respond to it. Static rules can’t keep up with adversaries that are constantly learning and evolving.

This is where adaptive analytics come in. By layering behavioural insights, detection flexibility, and external intelligence, you can keep your controls sharp and responsive.

Control Variation – Don’t apply identical rules across environments—vary thresholds and triggers to make it harder to game the system.
Adaptive Rule Sets – Let your system adjust thresholds when probing is detected.
Behavioural Baselines – Define “normal” for each user or system, and refresh those profiles regularly.
Interdependent Control Effectiveness – Evaluate how your layers of control interact—do they actually reinforce each other?
Simulate Responses – Use testing and wargames to anticipate how controls would respond to emerging tactics.
Threat Intelligence Integration – Don’t just collect external threat data—use it to shape detection models and control tuning in real time.

Alert management and insider risk continuous monitoring systems

Click to find out more about how to build insider threat detection capability

TL;DR: The Threat Is Human, and So Is the Weakness

Your adversaries are human, which means they’re persistent, curious, and adaptive. They’ll keep pushing until they find a way through.

But the people inside your organisation—who operate, review, and respond to controls—are also human. And humans get bored, distracted, and desensitised. That’s how control decay happens, both technically and culturally.

The big mistake is waiting for a loss to act. Losses are lagging indicators—they tell you your controls already failed. The real win is spotting decay before the breach. That means checking your data constantly for signs that someone’s testing your system or that your team has stopped paying attention.

Wondering what to do next? Start by looking at your risks and controls, and doing some data analytics on key processes, products or information against historical incidents and near misses to understand what’s going on. Then identify indicators of control decay, and build dashboards to monitor the. And don’t forget to look at them regularly!

Unlocking New Uses for your SIEM: Beyond Cybersecurity

Posted on May 6, 2025 by Paul Curwell

Paul Curwell

7–11 minutes

3 key takeaways:

Most companies are sitting on powerful analytics platforms like SIEMs—but rarely use them beyond cyber.
There’s untapped potential to apply these tools to fraud, insider threat, IP protection, and compliance monitoring.
With the right strategy, businesses can reduce compliance costs, improve visibility, and make better investment decisions.

Why this matters

Today’s risk environment demands more from businesses than ever before. Whether you’re protecting sensitive R&D, complying with complex regulations, or trying to prevent fraud, the traditional playbook is falling short. Organisations invest millions in security analytics. Frequently though, use of these tools happens in a silo, begging the question “can’t they do more?”. That’s a missed opportunity.

Many organisations already own high-powered Security Information and Event Management (SIEM) and observability platforms to give rich, real-time operational insights. In most businesses, there is no use of these tools outside of cybersecurity. That’s where this story begins.

The landscape: SIEMs, observability tools, and everything in between

The tooling landscape in most medium-to-large enterprises is complex, but it’s also full of hidden potential. From security teams running SIEMs to engineers monitoring application performance, there are multiple systems collecting, storing, and analysing valuable data. The challenge is most businesses don’t fully understand how these platforms differ—or how they complement one another.

Let’s unpack the main types of platforms:

Security Information and Event Management (SIEM) – These platforms are the backbone of many security operations centres. SIEMs like Splunk, Sentinel, and Elastic collect and correlate security events to find and respond to threats in real time. They’re also critical for compliance reporting, audit trails, and forensic investigations.
Observability platforms – Tools like Datadog, New Relic, and OpenTelemetry provide deep insights into how systems are operating. Used by DevOps and Site Reliability Engineers, they collect metrics and logs to monitor system health, performance, and prevent outages.
Data lakes and warehouses – These centralised platforms are great for long-term storage and complex data queries. However, they often lack the speed or alerting capability needed for real-time risk response.
BI dashboards and analytics tools – Platforms like Power BI and Tableau provide strong visualisation for decision-making. They focus on historical data, not real-time detection.
Log management platforms – Tools like ELK store data for troubleshooting, but don’t get integrated into business processes.
Application Performance Monitoring (APM) tools – Focus on user experience and technical metrics but often miss the business context needed for enterprise insights.
Custom threat intelligence platforms – Powerful in capable hands, but often resource-intensive to maintain and inaccessible to non-technical teams.

Understanding how these tools work—and where they overlap—opens up new opportunities for extending their use into fraud, compliance, and continuous monitoring.

Non-cyber use cases hiding in plain sight

What became clear through my research is that many businesses are unknowingly sitting on a goldmine of data. This data can improve resilience, situational awareness and decision quality, resulting in reduced losses. Many tools already have access to the underlying telemetry. The gap is that organisations don’t translate their use cases into language or workflows these systems can use to solve business or compliance problems.

Here are a few real-world examples of how some organisations are using their existing telemetry platforms to solve non-security problems:

Fraud detection – One financial services firm used their SIEM to detect behavioural anomalies in user logins and transaction data. This helped identify fraudulent activity faster and reduce false positives in fraud alerts.
IP protection – A biotech set up observability pipeline alerts to detect unusual access patterns to protected research environments. This gave them a chance to intervene before valuable data walked out the door.
Insider threat monitoring – A large enterprise integrated HR systems with SIEM logs to flag when high-risk employees (e.g. those about to exit the company) accessed sensitive files, enabling pre-emptive action.
Physical security integration – A logistics company ingested building access logs into their SIEM to monitor for suspicious after-hours activity. This provided near real-time visibilty of threats in zones containing high-value or regulated assets.
Regulatory compliance – A US health services provider configured automated alerts to detect improper access to patient records. This streamlining HIPAA compliance and reporting, easing the burden on their audit teams.

These examples aren’t outliers. They represent what’s possible when organisations look beyond the traditional cyber perimeter and align technology with broader business risks.

Alert management and insider risk continuous monitoring systems

Trade-offs and tricky bits

Of course, extending the use of SIEMs and observability platforms isn’t without its challenges. These are powerful tools, but were built with specific users and functions in mind. Repurposing them for broader use requires careful planning, stakeholder alignment, and a realistic view of limitations.

Metric	Considerations
Cost vs return	SIEM platforms, in particular, can become prohibitively expensive as more data sources are added. Every additional log source or telemetry stream can drive up ingestion costs, licensing fees, and infrastructure requirements. Businesses need to balance the value of added insights against escalating costs.
Expertise and resourcing	Many of these platforms are complex and require specialist skills to configure and manage. Cyber teams are often already overstretched, they don’t have capacity. Asking them to support fraud, compliance, or operational use cases often requires cross-skilling or additional resources.
Data governance and privacy	Aggregating sensitive business data—such as HR records, payroll, or personnel movements—can raise privacy concerns. Any use needs to be aligned with data protection laws such as Australia’s Privacy Act, or the GDPR in Europe.
Tool mismatch and workflow gaps	Observability platforms are fast, lightweight, and built for performance. But they’re not designed for legal defensibility, long-term retention, or audit-ready compliance reporting. SIEMs, on the other hand, are great for that. But, they can lack the ease of use or responsiveness that observability tools provide.
Redundancy and duplication	Without coordination, multiple teams end up collecting and analysing the same data using different tools. This can lead to inefficiency and potential confusion around ownership and accountability. Worst case for regulatory compliance, you generate contradictory records which is a red flag to an inspector.

Table: Benefits and Challenges

Yes, there are challenges, but the opportunities are too great to ignore. Now’s the time for risk and compliance leaders seeking smarter, scalable approaches to assurance to speak to the CIO.

Crafting Security Business Cases for Executive Buy-in

Real compliance benefits—if you play it right

Compliance is a growing cost centre for many organisations. Increasingly, fraud and protective security is becoming a regulated compliance program. Take Australia’s Privacy Act, Scams Protection Framework Act and Security of Critical Infrastructure Act as two examples. Teams are under pressure to meet complex compliance obligations, conduct audits, investigate incidents, and coordinate a response. Given most responses increasingly relate to compliance obligations, there’s a regulatory imperative to get this right. They’re often using manual processes and disconnected systems to do this, taking time, effort and higher chance of errors.

This is where SIEM and observability platforms can play a much bigger role. By automating key controls organisations can reduce the manual workload on compliance and audit teams. Examples include detecting access to sensitive data, validating privileged user activity, or monitoring export-controlled environments. The result? Improved productivity, cost control, and compliance. Dashboards and real-time alerts eliminate the need for manual reviews, reduce investigation time, and improve coordination across the business.

These platforms also provide strong evidence for legal and regulatory inquiries. For example, access logs and alert histories makes it easier to prove data segregation or show controls were in place. This supports compliance SOX, the Privacy Act, or Australia’s Security of Critical Infrastructure Act (SOCI).

These tools allow compliance teams to shift from reactive policing to proactive risk reduction. In turn, this makes them more efficient, more strategic, and more valuable to the business.

Developing an compliance obligation register for your business

What business leaders need to do next

This isn’t just a technology issue—it’s a business opportunity. Executives should be asking how they can leverage their existing technology investments to solve new problems.

Here’s a five-step path to get started:

Audit your existing tools – Inventory the telemetry and analytics platforms already in use. Identify whether you have a SIEM, an observability platform, or both. Are you using these to good effect?
Map broader risks – Work with fraud, HR, IP, and compliance stakeholders to identify high-impact, high-cost business risks. Identify use cases that benefit from automation and real-time monitoring.
Engage privacy and legal early – Involving these teams from the outset. This helps prevent delays later and ensures any solution aligns with data protection laws and internal governance frameworks.
Pilot a use case – Choose one low-risk, high-impact use case (e.g. unusual access to critical systems) and configure alerts or dashboards using existing tools. Track the cost, value, and effort involved.
Build the business case – Quantify what value these solution will save in hours, cost or loss reduction, or productivity. Present this in a way that links directly to business strategy and financial performance.

If you’re already paying for the Ferrari, why are you only using it for trips to the supermarket? With a little tuning and creativity, you can unlock value across new use cases without buying yet another tool.

The Hidden Threat to Your Bottom Line: How Sales Fraud is Bleeding Your Business Dry

Posted on April 8, 2025 by Paul Curwell

Paul Curwell

5–8 minutes

Key Takeaways:

Fraud costs companies 5% of annual revenue, with economic downturns increasing fraud risks
Sales teams present unique fraud vulnerabilities through returns schemes, revenue manipulation, and commission fraud
Implementing targeted controls like commission clawbacks and automated monitoring can protect your revenue and reputation

Introduction

Let’s face it – while you’re busy watching your supply chain for external threats, your sales team might be quietly bleeding your company dry. As someone who’s spent years investigating corporate fraud cases, I’ve seen firsthand how sales fraud schemes can fly under the radar while causing massive financial damage. In today’s shaky economic climate (thanks, tariffs), fraud is on the rise, and your sales department is particularly vulnerable.

The Costly Reality of Sales Fraud

Did you know that companies lose a whopping 5% of annual revenue to fraud? That’s billions collectively wasted across industries. What’s more alarming is that according to fraud experts, 55% observed increased fraud during economic downturns – precisely the environment we’re navigating now.

For business leaders and finance chiefs, this isn’t just a financial headache—it’s a direct attack on your business strategy and profitability. While you’re focused on protecting your trade secrets and IP protection from outside threats, your greatest insider threat might be sitting in your sales department.

Six Common Sales Fraud Schemes Killing Your Profits

1. Returns Fraud with Kickbacks

This scheme is particularly sneaky. A salesperson encourages customers to purchase excess inventory (often with unauthorized discounts) to inflate sales figures. Later, the customer returns the excess inventory, but the salesperson keeps their commission. Meanwhile, your inventory numbers and forecasting are completely thrown off.

Red Flags to Watch For:

Large sales orders followed by significant returns
Sales spikes near reporting periods (quarter-end) that reverse shortly after
High return rates for specific salespeople compared to others
Unusual relationships between sales staff and certain customers

In 2022, a global electronics distributor discovered a senior salesperson colluding with a key customer on bulk orders at steep discounts. After commissions were paid, the customer returned over 60% of the inventory. Pretty clever scam, right?

2. Revenue Recognition Fraud

This scheme involves manipulating revenue figures or pocketing unrecorded revenue. For example, an employee might issue a credit note and split the refund with a customer. For technology companies especially, recording revenue too early can artificially inflate performance metrics.

Red Flags to Watch For:

Customer receipts missing for completed sales
Same person handling both invoicing and payment collection
Unusual timing of revenue recording (especially at quarter-end)
Differences between contract terms and recorded revenue

Channel stuffing fraud – a distribution problem

3. Credit Note Manipulation

Your sales team might be issuing unauthorized credit notes to steal funds or hide theft. Without proper oversight, this fraud can continue for months or even years before anyone notices.

Red Flags to Watch For:

Credit notes issued without proper approval
Unusual patterns or increased frequency in credit note issuance
Credit notes that lack supporting documentation
Certain employees processing a disproportionate number of credit notes

4. Inventory Fraud

This classic scheme involves stealing stock via false sales or diverting goods in transit. In 2022, an employee at an Australian parts supply company altered supplier bank details to divert payments while covering up inventory theft through falsified invoices. Their research showed this could be prevented with better automated fraud detection tools.

Red Flags to Watch For:

Negative inventory entries or unexplained stock differences
Frequent cancellations of sales transactions
Differences between physical inventory counts and system records
Unusual shipping or delivery patterns

inventory in a warehouse — Photo by Tiger Lily on Pexels.com

5. Discount and Pricing Manipulation

In Asia, employees were caught receiving kickbacks for granting unauthorized discounts. This not only hurts your profits but can disrupt your entire pricing strategy and market positioning.

Red Flags to Watch For:

Discounts disproportionately benefiting specific customers
Patterns of excessive discounts tied to one salesperson
Discounts offered without proper approval or documentation
Unusual changes in profit margins across similar sales

6. Commission Fraud

Consider this simple example: if a salesperson fraudulently changes their commission rate from 10% to 20% on $1,000,000 in sales, that’s $100,000 straight out of your pocket. Multiply that across your sales team and years of operation, and you’re looking at potentially huge losses.

Red Flags to Watch For:

Cash skimming from sales that go unrecorded
Creating fake sales to inflate commission numbers
Differences between sales data and bank deposits
One salesperson consistently outperforming peers by unusual margins

Software vs. Physical Products: Different Risks

The selling of software brings its own unique fraud risks. While physical product fraud often involves inventory theft and returns, software sales fraud typically involves revenue manipulation and more complex schemes.

For software subscription companies, a common scheme involves selling discounted multi-year subscriptions to partners who later cancel most licenses after commissions are paid. One company discovered a regional manager had colluded with a reseller to inflate sales figures and split the commission.

For physical products, fraud detection may be easier due to inventory checks you can see and touch. Software fraud, however, can be harder to detect since the product isn’t physical. For instance, in 2021, a software company found that a sales manager sold discounted multi-year subscriptions to a partner who later canceled over 70% of the licenses within six months. The manager received commissions based on gross sales but wasn’t penalized for cancellations.

Returns Fraud – a risk for eCommerce companies

Protect Your Bottom Line: Four Action Steps

Implement Commission Clawbacks: Tie commissions to net sales (gross sales minus returns) and implement penalties for canceled subscriptions or returned goods. This single control can eliminate much of the motivation for fraud.
Create Stricter Approval Processes: Require manager approval for large discounts, bulk orders, or unusual contract terms. This creates accountability and transparency. For credit notes, implement a two-person approval system that prevents a single employee from handling the entire process.
Leverage Data Analysis: Monitor return rates by salesperson, product line, and customer using tracking tools. Look for patterns of excessive discounts followed by high return rates. Modern analysis can flag unusual activities long before traditional audits would catch them.
Conduct Regular Internal Audits: Focus on high-risk areas such as discounts, bulk orders, refunds, and return transactions. Surprise audits are particularly effective at catching ongoing fraud schemes.

Call to Action

Stop leaving your revenue vulnerable to insider threats. Review your sales controls today and implement these four steps to protect your bottom line. The economic landscape is already challenging enough without letting sales fraud drain your profitability. In my experience, most companies discover fraud only after significant damage has been done. Don’t wait for your technology investments and research efforts to be undermined by preventable financial losses. As business leaders, we can’t afford to overlook this hidden danger in our sales departments. Take action now before your next earnings report reveals the damage.

Crafting Security Business Cases for Executive Buy-in

Posted on March 25, 2025 by Paul Curwell

Paul Curwell

6–9 minutes

Key Takeaways:

Here’s the bottom line: Executives don’t fund security initiatives; they fund outcomes. A strong business case is essential to get their support.
Focus on Impact, Not Activity: Executives care about how your proposal boosts business outcomes, not your list of security tasks.
Show Value Beyond Compliance: Prove that security investments enable growth, reduce risk, and give your company a competitive edge.
Quantify Risks and Benefits: Use statistics and real-world examples to demonstrate how security measures can save money or prevent significant losses.

What’s the Real Deal with Business Cases for Security?

Let’s be real: writing a business case for security, fraud, or IP protection can feel like trying to convince your dog to do your taxes—it’s tough and often gets ignored. Unlike departments that directly generate revenue, these functions are often viewed as “cost centers.” But the truth is, they’re vital for preventing catastrophic losses. Think about it: how much would a major data breach, insider threat, or IP theft cost your company? Exactly. That’s where your business case comes in.

If you want executives to take your proposal seriously (and fund it), you need more than just a list of security threats or the need for more budget. You need to speak their language. Executives want to know how your proposal will reduce risk, drive growth, and improve profitability. If your business case doesn’t hit those marks, expect a polite nod and zero budget. So how do you get the green light? You need to answer these seven crucial questions in your security business case.

an exhausted woman reading documents — Photo by Mikhail Nilov on Pexels.com

7 Key questions executives care about – linking security to strategic outcomes

The challenge is proving that security isn’t just about checking boxes or avoiding fines—it’s about tangible business outcomes: protecting revenue, improving customer trust, and enabling expansion into new markets. If you can’t connect security investments to these results, your proposal won’t make it past the trash can. So, let’s dive into the key questions executives are really asking when reviewing your case.

Question 1: What’s the Impact?

Executives want to know how your security investment will improve business resilience, customer trust, or revenue. Security isn’t just about defending against threats; it’s about keeping the lights on, ensuring smooth operations, and even opening new markets. Can your proposal do that? If not, it’s not going to get approved.