Investigation Of Electronic Crime: Disaster Or Opportunity?
By Bill Gillespie, President, Risk Analysis Group
The Current Landscape
Over the past twenty years there has been a consistent trend by law enforcement throughout the United States to put more officers on the streets by eliminating investigative positions. In many agencies, misdemeanor crimes are investigated by non-sworn personnel or referred to the local offices of the district or city attorney. Felony incidents are designated as violent felonies or property crimes. Necessarily, property crimes are assigned investigators as resources allow, and in many instances, these crimes are reported and filed without investigation.
As grim as this scenario may be, it is significantly exacerbated by the appearance on the investigator's plate of a multi-billion dollar criminal industry known as electronic crime (e-crime), a whole new ball game for which law enforcement lacks the tools, training or personnel to address. The Los Angeles County Sheriff's Department is a very progressive agency that has attempted to apply resources to this ever-growing pervasive criminal enterprise. Their voice mail message to its citizenry reporting e-crime activity informs the victim that there will be a minimum delay of eight months before the crime will be addressed. A recent radio interview by the investigative coordinator of the e-crime group informed the listening audience that the delay will most likely be two years.
Could it be worse? Identity theft is the "flavor of the month" for well-intentioned legislators drafting and passing legislation to mandate the reporting of identity theft. Two California senators are attempting to pass federal legislation similar to California's SB 1386, also known as the Simitian Bill which mandates the reporting of a breach of a database to every person within that database if that breach is reported to law enforcement (who will not have time to investigate). One can imagine the impact to the company's market share, reputation and survival potential if the mandated report is distributed. Is this a potential disaster for the Chief Executive Officer or an opportunity for the Chief Security Officer?
The answer is yes, to both questions.
Chief Executive Officer
Is there any doubt that all the recent ethics-based and identity theft legislation puts American businesses at risk of failure if they do not change the way business is conducted?
Common sense suggests that the existing organizational structure must be changed in a variety of ways. There is little doubt that, given the constraints of law enforcement, American companies must institute some changes to combat historic reliance on the police to conduct property crime investigations. Property crimes like fraud and theft impact the financial bottom line of an organization, as they always have, but historically the perpetrators were typically in-house and easy to find. If the police could not or would not assist, the perpetrator could be fired, eliminating the problem as an ongoing risk.
The Internet, a necessary evil, has increased businesses' exposure to external agents who will continue to be a problem until they are identified and the operation dismantled. If the CEO can report that the activity is under investigation by law enforcement, there is an opportunity to avoid or delay public disclosure of the problem. Under California law, it is the only shield. The implication is compelling: build an investigative component that meets the standards of local law enforcement and the office of the District Attorney and potentially spare the business the adverse effects of reporting the security breach.
Chief Security Officer
Is it appropriate to assign this new investigative responsibility to the Chief Information Officer and designate that person the CSO, as has been the trend? Was the CIO in place when the problem was discovered? Would he or she be objective in developing and examining the evidence and validating an executive oversight that created the problem? As part of the existing corporate culture, is this the person who would assist the CEO in changing it?
My advice to any CEO is to insist that the CSO report directly to him or her. In addition to the investigative responsibilities that will fall under the CSO's purview, this critical position must be tasked to assist the CEO in compliance with the many corporate governance mandates already in place and those on the business horizon. It is the CEO who is being targeted by legislation, not the C-level member of the corporate team, and he or she needs information and facts without the C-level "spin" that has been become the trademark of corporate culture.
Whether President Bush is successful in his efforts to continue as President or he is replaced by Mr. Kerry, the statutes will remain. Mr. Kerry has been frequently quoted as being in favor of the prosecution of dishonest executives, an indication that the hunt will continue regardless of who resides in the White House.
The current business climate, therefore, is an opportunity for the Chief Security Officer, if the CSO commits to get to the next level. This can only be achieved through education and training that qualifies the candidate to take his or her place in the board room. While individuals with all of these qualifications are limited, they are out there, and there are many more with the intellect and talent who can be trained.
Perhaps the greatest challenge to the American CEO is to engage in the introspection that will help him or her recognize the need to recruit and train CSOs. They must remember that it is he or she who will be prosecuted for maintaining the status quo, not the spin masters and yes-men and -women who created the organization and maintain the culture that is the source of the misconduct being prosecuted by federal attorneys.
Discuss this article! Post your thoughts to RAG's message boards. If you have not used the RAG website before, you will be asked to create a user profile. The message boards are currently free for all users.
|
