Raising awareness – also when it comes to topics like biases – is where everything starts. Without being aware of something, no transformation can happen.
Therefore, I am convinced that protection already starts with your personal awareness of being biased.
And if you extend it to your team and your organisation, you have a powerful tool at hand that is understood and supported. That is what you need to secure your most precious assets.
When it comes to social engineering, there is a common myth that it belongs on the tech side and can be left there.
But it is anything but tech. It is just us. Our human nature!
Crisis shifts priorities
A shift in priorities during times of crisis is necessary. We all agree on that!
Reassessments must be made, and the focus is on the ability to act. While those responsible are organising themselves, the same is happening at the organisational level.
Especially in the area of fraud and cyber risk, adaptation to the new circumstances rarely happens quickly. In my opinion it often takes too long, and the reasons are manifold.
The attackers, on the contrary, do not pause. And that is the most important point for us when it comes to protecting our most precious assets.
The scheming of malicious social engineers does not stop at global crises; they discover them as an entry point to prey that was often not on their agenda before.
I mentioned at the very beginning: social engineers love crises! Especially, of course, the malicious ones.
The fact is, when a crisis hits: either prevention measures were already in place, or none will be put in place while the crisis is ongoing.
During a crisis, resources are allocated to Business Continuity Management, which means managing the impact of the crisis itself.
While those responsible – the Board of Directors included – focus on the duties mentioned above, the vulnerability to non-compliance, economic crime and cybercrime increases. Silently.
When it comes to fraud risk assessment, we have to keep in mind, and refresh our memory, that organisations can be at different stages in relation to a fraud risk assessment:
Either it is
You will now mention that a fourth category is missing, the one with a perfectly implemented fraud risk assessment in place. Yes, you are right.
Experience has taught me that in a crisis these “well matured” fraud risk assessments immediately shift to No. 3, and I will tell you more about that in a few minutes.
None of the three categories will succeed against fraudulent behaviour, but for different reasons.
Let me give you an overview, and especially more substance, on what these three categories mean:
Three Categories of Fraud Risk Assessment Status when we hit a crisis
The first one is obvious:
Category 1: A Fraud Risk Assessment is missing
Without a Fraud Risk Assessment in place, the potential risk is not identified at all. Those responsible may know about the circumstances, but they cannot rely on an existing assessment.
The vulnerability may be very high or low – we simply do not know. The impact and likelihood of fraud are neither assessed nor under control. They are not managed at all.
Category 2: The existing Fraud Risk Assessment was made more than 5...