The Association of Certified Fraud Examiners estimates that crime costs companies $3.5 trillion each year. These crimes take at least eight major forms: white collar crime; organized crime; internal pilferage and embezzlement; computer related crime; external attack including robbery, hijacking, and shoplifting; vandalism; terrorism and industrial espionage.
[1] Publicly traded companies under the Sarbanes-Oxley Act (SOX) are required to have anti-fraud programs within their organizations. By and large, these programs are detective in nature as opposed to being proactive or preventative. Why is this? The answer lies in the culture of businesses in contrast to governmental entities. In the United States, governmental entities such as the National Security Agency, Federal Bureau of Investigation, and the Central Intelligence Agency use proactive approaches to detect potential security breaches that could be harmful to the country. This task is accomplished in many ways including but not limited to: data analysis, surveillance, interrogation, and managing operatives.
Business can employ similar techniques to produce a more proactive process that can potentially head-off many costly and embarrassing events. For the process to work there are basic organizational requirements: Executive support (tone-at-the-top); coordination among security personnel, internal audit personnel, and operating personnel. This level of interaction can be very beneficial to an organization. This process can be subdivided into two segments: administrative security and operational security.
Administrative security includes: personnel, communications policies and procedures, document controls, access to physical areas, employee identification (ID), trash disposal, travel security, and physical facility security.
Operational security activities are divided into security surveys, crisis response management, executive protection, information processing, and briefing and debriefing programs. These are designed to anticipate and protect against possible or probable security related contingencies.
Most everyone has heard of crisis response management and executive protection processes. What is more than likely to appear strange to the reader are the briefing and debriefing processes. We want to look at only one portion of this process today.
We'll take a dive into these processes. In the briefing process, management is presented with the current trends in developments that could negatively impact the business. For example, nationalization of business enterprises by foreign governments, terrorist activities in proximity of company locations, etc. On the debriefing side this is maybe not so obvious. Done consistently, this program can provide a wealth of information ranging from commercial data of importance to the company for planning to information, which if tracked over time can indicate the targeting of company officials or assets. This targeting can have objectives ranging from economic intelligence to physical threats. The following is a hypothetical example of how an organization can be assessed for the potential of having a productive intelligence gathering program put into place and become operational.
Click to see example
[1]
Information source - ASIS International
