Financial Activities

 

 

Book Review - Business Theft and Fraud: Detection and Prevention
https://sm.asisonline.org/Pages/Business-Theft-and-Fraud--Detection-and-Prevention.aspx
2017-07-17
James R. Youngblood, CPP. Reviewed by Paul Barnard, CPP
Category: Cybersecurity

Business Theft and Fraud: Detection and Prevention. CRC Press; crcpress.com; 338 pages; $79.95.

More than two-thirds of employee theft cases occur in small business operations, and more than half of victimized businesses have fewer than 25 employees. These statistics, from Business Theft and Fraud: Detection and Prevention, help explain why even the smallest organizations need to know how to detect and prevent fraud and theft.

With experience in the military, law enforcement, and the private sector, and degrees in financial management and criminal justice, author James Youngblood, CPP, has the appropriate credentials to write a definitive book on the subject. He understands the differences between the operations of small and large businesses, and he offers techniques to thwart theft in all types of organizations.

For instance, background investigations for potential employees are important for all organizations. Small companies may be hindered from conducting adequate background investigations due to budgetary restrictions, time constraints, and reduced applicant pools. Large organizations have greater monetary resources for background checks, are able to distribute the workload until replacement help is acquired, and usually attract more applicants for various reasons.

In any case, the insider threat is a primary concern of the text. Other timely topics include the protection of brand integrity and brandjacking, the sale of bogus or counterfeit brand name merchandise, cybersecurity, technology-based fraud, data breaches, and ransomware. Encompassing a breadth of information for those concerned with theft and fraud, this book explains such important concepts as how to identify sales underreporting, track sales by shifts, and educate employees to be aware of computer scams. Throughout the work the thread of internal theft and shrinkage is prevalent.

Some suggestions to enhance the utility and flow of the book include using a linear presentation of information for easier understanding. Chapters of few pages could be consolidated with other relevant chapters, and many sub-topics could be combined. For example, both chapters 4 and 5 deal with financial statements: consolidation of these might be more effective. While some sub-headings are presented as questions, others are statements, possibly creating some confusion. The explanatory endnotes might better be incorporated into the text, while a bibliography would help readers find further resources in some subject areas.

The overall visual presentation is professional with quality materials and clear typeset. Two appendixes list organized retail crime associations and examples of phishing emails, and there is an extensive index. This book is recommended for security and business management professionals as well as loss prevention practitioners desiring a roadmap for the detection and prevention of business theft and fraud. It could also be used as a primary or supplemental textbook in college courses focusing on internal and external theft and fraud, as well as cyber issues.

Reviewer: Paul D. Barnard, CPP, CISM (Certified Information Security Manager), SFPC (Security Fundamentals Professional Certification), is an adjunct professor in loss prevention and security management programs. He has been a member of ASIS International since 1975.

Book Review - Business Theft and Fraud: Detection and Prevention (2017-07-17): https://sm.asisonline.org/Pages/Business-Theft-and-Fraud--Detection-and-Prevention.aspx
Accesos bajo Control (2017-06-01): https://sm.asisonline.org/Pages/Accesos-Bajo-Control.aspx
Teller Trouble (2017-03-01): https://sm.asisonline.org/Pages/Teller-Trouble.aspx
Access to Bank On (2017-01-01): https://sm.asisonline.org/Pages/Access-to-Bank-On.aspx
Access Under Control (2015-08-10): https://sm.asisonline.org/Pages/Access-Under-Control.aspx
Diebold’s Responsive Banking Concept Enhances ATM Security and Service (2014-12-02): https://sm.asisonline.org/Pages/Diebold’s-Responsive-Banking-Concept-Enhances-ATM-Security-and-Service.aspx
FinCEN Releases 'Culture of Compliance' Guidance for Financial Institution Leaders (2014-08-14): https://sm.asisonline.org/Pages/fincen-releases-culture-compliance-guidance-financial-institution-leaders-0013620.aspx
FinCEN Releases 'Culture of Compliance' Guidance for Financial Institution Leaders (2014-08-14): https://sm.asisonline.org/migration/Pages/fincen-releases-culture-compliance-guidance-financial-institution-leaders-0013620.aspx
Banking on a Security Upgrade (2014-02-01): https://sm.asisonline.org/Pages/Banking-on-a-Security-Upgrade.aspx
Cybersecurity, Money Laundering Are Top Threats Facing the Financial Industry in 2014 (2014-01-07): https://sm.asisonline.org/Pages/cybersecurity-money-laundering-are-top-threats-facing-financial-industry-2014-0013072.aspx
Virtual Money, Real Crime (2014-01-01): https://sm.asisonline.org/Pages/Virtual-Money-Real-Crime.aspx
Using Economics to Fight Terrorists (2013-12-13): https://sm.asisonline.org/Pages/using-economics-fight-terrorists-0013004.aspx
Visa Discusses Efforts to Prevent Fraudulent Transactions (2013-10-17): https://sm.asisonline.org/Pages/visa-discusses-efforts-prevent-fraudulent-transactions-0012832.aspx
FTC Warns Data Brokers (2013-08-01): https://sm.asisonline.org/Pages/data-brokers-0012627.aspx
Dunbar Digital Armor Announces Partnership with NASDAQ (2013-06-13): https://sm.asisonline.org/migration/Pages/dunbar-digital-armor-announces-partnership-with-nasdaq-0012531.aspx
Top 10 Performing Security Industry Stocks for February (2013-05-01): https://sm.asisonline.org/Pages/top-10-performing-security-industry-stocks-february-0012386.aspx
Top 10 Performing Security Industry Stocks for January (2013-04-01): https://sm.asisonline.org/Pages/top-10-performing-security-industry-stocks-january-0012327.aspx
Banking on Security (2013-03-01): https://sm.asisonline.org/Pages/Banking-on-Security.aspx
Top 10 Performing Security Industry Stocks for December (2013-03-01): https://sm.asisonline.org/Pages/top-10-performing-security-industry-stocks-december-0012009.aspx
Presidio Combats Fraud with IronKey (2013-01-01): https://sm.asisonline.org/Pages/presidio-combats-fraud-with-ironkey-0011372.aspx

 You May Also Like...

 

 

Drafting a Blueprint for Security
https://sm.asisonline.org/Pages/Drafting-a-Blueprint-for-Security.aspx
Category: Physical Security

Immediately upon concluding the construction of a secure-asset facility 10 years ago, project management hit a major setback: the security manager. Instead of working with the design team and project manager in the initial phases of the project, the security manager waited until the new facility was already erected to determine where security cameras needed to be placed.

“All of a sudden, we’re moving cameras and changing openings and sleeves in the wall for wiring because [the security manager] had difficulty reading blueprints,” says Rick Lavelle, PSP, principal architect and owner of Creador Architecture, of the experience. Instead of admitting that he had this difficulty, the security manager waited until he could see the facility three-dimensionally, causing delays and increasing project costs.

“Then he’d step in and really do his job that would have been helpful to have earlier in the process,” Lavelle explains.

To help prevent security professionals from becoming similar setbacks in construction projects, Security Management sat down with Lavelle; Mark Schreiber, CPP, principal consultant for Safeguards Consulting and chair of the ASIS International Security Architecture and Engineering Council; Rene Rieder, Jr., CPP, PSP, associate principal at Ove Arup & Partners; and J. Kelly Stewart, managing director and CEO of Newcastle Consulting, for their tips on navigating the document and project management process.

1. Know Your Team

Like almost any project that involves numerous people, it’s crucial to understand that a construction project is a team effort that requires team members to understand the process and communicate with each other.

“We emphasize...know who your team is, align with your team, and communicate with your team as much as possible because that will support a central project,” Schreiber explains.

And this team can be quite large, including top executives at the company, the project manager, the facility operations manager, the facility engineer, the security manager, security consultants, architects and designers, engineers, and general consultants—just to name a few. The council encourages team members to construct a simple diagram to help keep track of everyone.

While it may take a while, identifying the team and communicating with them helps ensure that security is included in construction project discussions from the very beginning—something that doesn’t always happen automatically.

“I was fairly surprised to learn early on in one of [the first classes I taught] that most of the project is completed—and sometimes is built—when the security manager gets a roll of drawings and they say, ‘Give us a security plan,’” Lavelle says.

To change this, he explains that security needs to “know the relationships within their own companies that they need to develop so that doesn’t happen to them, [and that they make sure] they’re brought in earlier in the process. That leads to a much more successful implementation of anybody’s security plan.”

Lavelle also recommends that security leads work with the IT department during the project. “Getting IT, security, and the facilities people together on one team and having them all have the same direction, you’ll probably have the most effective security program that’s possible,” he explains.

2. Know Your Goals

A construction project is rarely initiated just to meet a security need. It’s typically instigated to meet some other operational need, such as to increase manufacturing capacity. So the security department must ensure that its goals for the project—whether it’s introducing a new CCTV system or implementing its existing access control system—align with the overarching goals for the new facility.

“Just because they now have been given the green light to do an improvement for their facility doesn’t mean that they can go in and put every possible technology, every possible countermeasure that they’ve been dreaming about for years in,” Schreiber says. “They have to work within the goals of that project.”

This means that once the goals for the facility are outlined, the security department needs to specify its own project goals, providing a way to measure those goals, ensuring that goals are attainable and relevant to the overall project, identifying the starting functional requirements, and making sure they meet time and budgetary constraints. In the case of a new manufacturing plant, for example, CCTV might be attractive to other departments as well, such as quality management or logistics, creating a stronger case for the technology and getting these departments to share the expense.

By going through this process, security professionals can make sure that their goals are aligned with the overall project goals, enabling them to have success, Schreiber adds. “Whereas the more they stray away, they’re going to essentially be spinning their wheels, wasting effort, and possibly jeopardizing credibility.”

3. Know Your Documents

For most security professionals, being part of a construction project is not routine. Nor is the process of reading project manuals, floor plans, elevations, and other drawing plans. But understanding what these documents are and how they come together to represent a construction project is key to the success of the project “because if the documents are correct, then you have a sound project for development,” Stewart says.

That’s because the documents work together as a guide detailing the design of the project, the technology that will be installed, and where exactly those installations will take place in the final construction.

And while discussing changes or where technology should be installed in the final project, security directors can communicate with design professionals and architects—regardless of their drawing skills, Lavelle adds. A quick visual representation of the camera and access control location can be helpful.

While these discussions are taking place, it’s important to document changes throughout the process and review them with the project team after each step is completed. “It’s arduous, but it’s a necessary evil because if you skip a step, you’ll forget something or something will fall through the cracks,” Stewart explains.

After the construction project is completed, it’s important to continue to keep track of its documentation and make sure it’s up to date so it reflects the current facility. In one case, Stewart took over as a director of security for a company that hadn’t documented the many changes to its system over the years.

“I actually had to bring in a security consultant and architect to figure out where all the stuff was,” he says. “There were drawings that were going back 20 years, which had nothing to do with the current system.”

4. Know Your Chain of Command

In an ideal world, once the initial security goals for the project are outlined and plans are designed to implement them, nothing would change. “But truthfully, it never works that way,” Lavelle says. And when changes or problems occur, it’s critical to know who in the project team you need to talk to about implementing a solution.

As the project goes further along, you spend less time with the design team and more time with the general contractor, Lavelle explains. This means that security directors need to understand the roles and responsibilities of those involved in the project, and who they need to speak to about changes throughout the process.

For instance, some construction projects can take more than 18 months to complete, and during that time technology may change or new company policies may be implemented. The security needs for the project may shift, but it might not be appropriate to seek executive approval for the change.

“Going back to the CEO or the CFO who approved the project costs in the beginning may not be appropriate if you’re halfway through construction,” Lavelle says. Instead, security directors will likely need to go to the facility or project manager, or even their direct supervisor, to have the changes approved.

Most security professionals have never been involved in a construction project. For them, this is a “once in their career” experience, Rieder says. Following the steps outlined above can help smooth the way. However, if a project seems overwhelming, security professionals need to reach out to peers or experts for help and advice.

The Security Architecture and Engineering Council is sponsoring an educational session on the security document and project management process (https://www.asisonline.org/Education-Events/Education-Programs/Classroom/Pages/Security-Document-and-Project-Management-Process.aspx) in October.

How to Protect PII
https://sm.asisonline.org/Pages/How-to-Protect-PII.aspx
Category: Cybersecurity

If you are an employee, a student, a patient, or a client, your personally identifiable information (PII) is out there—and prime for hacking. In October, the U.S. Government Accountability Office (GAO) added protecting the privacy of PII to its list of high-risk issues affecting organizations across the country. All organizations, from large federal agencies to universities, hospitals, and small businesses, store PII about their employees, clients, members, or contractors. And, as seen in recent large-scale cyberattacks, PII is a hot commodity for malicious attackers.

According to the U.S. Office of Management and Budget, PII is any information that can be used alone or with other sources to uniquely identify, contact, or locate an individual. However, the definition of PII can depend on the context in which the information is used, according to Angel Hueca, information systems security officer with IT consulting company VariQ. For example, a name by itself is innocuous, but that name combined with a personal e-mail address, a Social Security number, or an online screenname or alias could give bad actors all they need to wreak havoc on a person or company.

And it appears that no one is immune to the risk of compromised PII. According to research by the GAO, 87 percent of Americans can be uniquely identified using only three common types of information: gender, date of birth, and ZIP code.

If PII is leaked, the consequences for both affected individuals and organizations can be damaging, says Hueca. Companies may face large fines or legal action if the PII they hold is breached, especially if the organization didn’t comply with outlined customer agreements or federal regulations, or if the breach violates the Health Insurance Portability and Accountability Act. A breach can also be reputation-damaging and cost the company employees and clients, Hueca notes.

Hueca stresses the importance of educating all employees, regardless of whether they have access to the company’s PII, about cybersecurity awareness and online behavior. Even using a personal e-mail at work or posting an image of their workspace on their social media account could lead to the leak of PII—there may be confidential information inadvertently documented in the photo, Hueca points out.

A more common occurrence is someone with access to an organization’s PII database inadvertently forwarding an e-mail with sensitive information, such as a client’s case number or an employee’s personal contact information. For example, in 2014, a Goldman Sachs contractor accidentally sent an e-mail with confidential brokerage account information to a Google e-mail address instead of to the contractor’s personal e-mail. Goldman Sachs went to the New York State Supreme Court to ask Google to block the recipient from accessing the e-mail to prevent a “needless and massive” data breach. The court didn’t rule on the case, because Google voluntarily blocked access to the e-mail.

Hueca says that segregating duties and tightly controlling who has access to certain information can help with this issue. Often, HR or administrative employees may need access to some PII, but not all of it—isolating potentially sensitive information can prevent harmful leaks.

How an organization’s network is set up can help prevent the accidental or malicious transfer of PII. Hueca suggests keeping sensitive information segregated from the rest of the network environment—if there is a breach, hackers will have to break through a second firewall to access the information. Organizations should also take advantage of standard content tracking software to spot suspicious activity.

“Fortunately, many organizations have something called content filtering, which are tools that are able to filter information as it comes in and out of the organization,” Hueca explains. “If there’s something that looks like a Social Security number, with nine digits, being sent out, the tool will alert an administrator that this activity is happening, which could be accidental or malicious.”

The U.S. Department of Homeland Security’s (DHS) handbook for safeguarding PII says only secure, organization-issued electronic devices should be used to view sensitive information. If an employee must access PII on a portable device, such as a laptop, USB, or external hard drive, the data should be encrypted. And if PII must be e-mailed within the office, DHS strongly recommends password-protecting the data within the e-mail.

Lastly, Hueca recommends that all companies have an incident response plan in place specifically for the malicious theft of PII.

“This is something that most organizations don’t think about, having an incident response plan specifically for a PII breach,” Hueca says. “What happens if you do get breached? What are the steps? Talk about what-ifs. Once you have a notification in place, you get alerted, what do you do? Try to segregate it from other sensitive data and figure out what happened.”

Diebold’s Responsive Banking Concept Enhances ATM Security and Service
https://sm.asisonline.org/Pages/Diebold’s-Responsive-Banking-Concept-Enhances-ATM-Security-and-Service.aspx
Category: Security by Industry

Diebold has fielded an array of new technologies and capabilities in what the company describes as a branch transformation solution. The solution, unveiled at last month's Money 20/20 conference in Las Vegas, consists of an ATM that weaves innovations in security, design, technology, user experience research, and feedback from financial institutions. Diebold describes the result as four distinct "experience zones" designed to blur the lines between face-to-face, online, and mobile banking. Security technologies such as IP video, privacy glass, and directional audio are key factors in the solution.

Customers are initially greeted with video tower walls designed to attract passersby with dynamic content management. The kiosks use near-field communication, proximity sensors, and motion detection to securely identify customers. Cardless transactions are authenticated by smart phones that then become the primary user interface for the banking transaction. Those without smart phones can still use 19-inch touch monitors that protect sensitive information with a privacy filter that limits visibility of sensitive information. A smaller secondary touch screen on a lower work service provides an even greater degree of privacy and accommodates customers with accessibility requirements.

Customers unfamiliar with the service or who have more complex transactions are able to bring up additional assistance in the form of an "intelligent" avatar that uses natural language recognition to interact with the customer and handle more advanced tasks. Customers are also able to connect through two-way video with remote financial advisors who can provide the personal consulting previously only available in a branch location.

The responsive banking concept is intended for high-traffic areas such as transportation hubs, shopping centers, and retail locations. Another use case in the financial sector is branch lobbies, affording customers more accustomed to banking in a branch an opportunity to have bank staff assist as needed and facilitate the transition.

"All of our customers are engaged in branch transformation projects aimed at transforming their branch networks to be more cost effective while better promoting their products and services," says Devon Watson, Vice President of New Business & Solution Incubation for Diebold. For such in-lobby uses, Diebold offers an app from which bank staff can monitor operations such as cash levels and assist customers whose transactions are taking longer than average.