Duty of Disclosure — what secrets are in your organisational closet?

Matt Tett

Matt Tett is the Managing Director of Enex TestLab, an independent testing laboratory with over 22 years' history and a heritage stemming from RMIT University. Matt holds the following security certifications in good standing: CISSP, CISM, CSEPS and CISA. He is a long-standing committee member of the Australian Information Security Association (AISA), Melbourne branch, and is also a member of the Information Systems Audit and Control Association (ISACA). Enex TestLab can be found at http://www.testlab.com.au, its blog at http://enextestlab.blogspot.com, and on Twitter as @enextestlab.

A recent spate of incidents involving a fraudulent trucking company has led me to consider its parallels with the information industry.

Electronic fraud and computer crime are consistently treated by the media as white collar crime—it has little victim impact (no one dies) and really only affects organisations that, it is claimed or believed, can weather the storm or have contingencies to deal with such losses.

Interestingly, some organisations assume it’s inevitable and, weighing the costs to prevent it against the losses, just draw a line under the incident and move on, evaluating this policy periodically.

In effect, as with most crimes, it is society that foots the bill via higher insurance costs or higher sticker prices on goods and services. The organisation needs revenue to survive; whether it is the dollar cost of compliance or the dollar cost of crime, it is an expense the company must add to its costs and ultimately pass on to the customer.

Remember the urban legend around the Ford Pinto in the late 70s? It was alleged that Ford knew there was a design fault with the fuel tank and that it could cause the car to burst into flames, even in relatively minor traffic incidents. Instead of recalling cars and repairing the fault, bean counters allegedly decided it would be more cost effective to pay compensation to victims rather than recall and rectify the issue. The myth goes, in the first litigation brought against Ford, they were ordered to pay a significant compensation bill (blowing the bean counters’ logic away).

The saga turned out to be less dramatic with the benefit of hindsight. The Pinto was shown to be no more prone to bursting into flames than any other car of that era (lucky for Ford). But it remains a good example of how organisations could favour commercial over ethical considerations, and of how much a myth can affect a corporation’s brand. It’s easy to presume that for every public case there are many more closeted by corporations.

There is a lot at stake, and it’s not always a straightforward profit-based decision made by an evil corporation. There are middle managers who fear the loss of a career. People who may be aware of the risks but don’t want to make the wrath-bringing decision to commit funds to what may be a more expensive, time-consuming, but perhaps morally correct course of action. And those who are aware of the regulations and compliance requirements but are happy to skirt or outright breach them in favour of “productivity”.

Further up the chain there are those who risk being the face pinned with the issue should the risk be realised and made public. Then there are those at the very top who, representing shareholders, prefer to avoid any blemish to their record.

From the outside, electronic criminals are often portrayed as modern day Robin Hoods, as likeable, non-conformist rogues who shun authority. They’re presented as opportunistic, only preying on evil corporations that are able to absorb any losses.

Unfortunately, this is not the way it plays out. Electronic crime costs everyone.

It hides behind anonymity and cross-jurisdictional legality. What is illegal in one place can be unregulated in another, and not every nation can afford to manage sufficient enforcement.

When an incident as big as the recent trucking example gets reported, people begin to question where the line is drawn and why regulators failed.

For those not familiar with the matter, a B-double truck driver was detected by police travelling at 133 km/h, exceeding the speed limit. He was duly issued an infringement and allowed to go on his way.

The following day, allegedly speeding again, the same driver crossed the median strip and collided with a vehicle travelling in the opposite direction; three people in that vehicle died. With the regulators and media demanding answers, it was discovered that the operator had intentionally bypassed the speed limiters and logging systems on not just this vehicle, but a number of its vehicles.

Who failed?

Was it the controls themselves, or the failure of compliance testing and checking? On their own they are merely words on paper. Indeed, what are these checks? Was it the police who fined the driver on the first day but failed to take the vehicle off the road or investigate why a vehicle limited to 100km/h was exceeding that speed? Or was it the driver, the directors and managers of the company, or the technicians who modified the vehicle to bypass the controls? And in all reality, if this is the only operator in that industry willing to accept those risks, I would be extremely surprised.

The same questions can be raised in the online world, and they remain a problem in addressing electronic crime. There are safeguards and checks, but corporate blind eyes, anonymity, regulatory issues and jurisdictional challenges remain a hot-potato issue that is still being addressed.

What would happen if electronic criminals decided to take down a communications network in a distributed denial of service attack as part of attempts to blackmail a wagering operator? As a result, the telco’s VoIP network is also taken down, causing emergency services to be unavailable to someone desperately seeking help.

Or what if computer criminals “play” with critical national infrastructure and inadvertently cause two trains to collide, or sewage to back up into potable water supplies, or damage to electricity infrastructure that takes days to repair?

Modern day electronic highwaymen are undoubtedly still getting away with it, and the cost to the rest of us as individuals is only starting to be acknowledged. It’s just a matter of time before the consequences become more tangible, those with their heads in the sand might want to reconsider their attitude, and the depth of the “hiding” or denial becomes apparent.


Tags: duty of disclosure, fraud
