Scam Alert!

A friend I have known since my university days recently came dangerously close to falling for a phone scam. Nothing unusual there, you might think. However, this victim was a hard-headed businessman, the last person you would expect to be caught out by scammers. I began to think about the number of people I knew who had been targeted in this way.

Generally, the victims of these scams are NOT poor decision-makers. They may, like my friend, have successful business or professional careers, but something makes them unduly open to persuasion. Modern life is increasingly complicated and the information overload seems to get greater every day. We navigate through it using all sorts of shortcuts and rules-of-thumb. Scammers take advantage of these processes to catch their targets off-guard, which means that no one is immune to being scammed. We need to be on our guard: if something sounds like a scam, it probably is one.

The subconscious mind can be exploited in different ways. Scammers know about many of the techniques that can lead people to take irrational decisions. These include getting them to visualise future outcomes and pressing them into over-hasty decisions, among many other methods. Many scams target people who do not have enough technical knowledge to understand how some things work. When a person knows less about something, it becomes much easier for a plausible scammer to drag them into the trap.

Wikipedia defines Emotional intelligence (EI) as: “the capability of individuals to recognize their own, and other people’s emotions, to discern between different feelings and label them appropriately, to use emotional information to guide thinking and behaviour, and to manage and/or adjust emotions to adapt environments or achieve one’s goal(s).” That is a long-winded way of saying that, when dealing with strangers (particularly on the telephone), you need a very strong empathetic sense of what is going on in the current transaction. Scammers also use emotional intelligence to make us comply and to “feel safe”. Perhaps this explains why so many technically-oriented professionals fall into the trap.

Saddest thing of all, it is good people who make the easiest targets. Some people assume that all people are “good”; usually the ones who really are “good” think that way. By believing that everyone out there is like them, they respond to scammers without suspicion. I would put my friend in this category, although he had enough life-experience to smell a rat when his caller told him that he was due a credit from BT Openreach for which they would need bank details.

Forgive me if I am preaching to the converted, but I treat all cold calls, whether by telephone, email or any other method, with deep-rooted suspicion. That might be because I am a tight-fisted Yorkshireman, a cynical bastard, or probably both. Whichever it is, I have learned to respond to cold calls by telephone in one of two ways: either I tell the caller that, when I want the goods or services they are purporting to sell, I will go looking for them myself; or, if I am interested, I tell them that I am too busy to talk at the moment and ask for their telephone number so that I can ring them back when I am free. It is amazing how many callers hang up at this point.

If you are targeted by phone, including texts, or by email or are the victim of any kind of cybercrime, please report it immediately to Action Fraud any time of the day or night using their online fraud reporting tool: www.actionfraud.police.uk/report_fraud, or by calling 0300 123 2040. Your local police might also have their own cybercrime unit. The more information the police receive the more likely they are to put a stop to the scammer.

As an object lesson:

  • This was a BT Openreach scam, masquerading as a cold call about broadband speed.
  • The caller installed TeamViewer on my friend’s PC, ostensibly to check broadband speed.
  • He did ask for ID and the credentials offered were very plausible. For example: everything that was shown was branded as “BT Openreach”.
  • The scammer asked my friend to type values into a terminal.
  • The calling telephone number was within the UK.

Carefully prepared and expertly executed. Unlike a scam that was visited on a friend in the USA who got an email from “Smith & Weson”! We cannot rely on scammers to make obvious mistakes these days; they have learned.

One lesson we can learn is not to let anybody take control of your computer unless you have contacted them and asked them to – for example – run diagnostics. Otherwise nobody has any legitimate reason to take over control of your computer and you do not have to type in any values if you are uncomfortable doing so.

A suggested immediate action drill on finding yourself in this situation:

  1. Break the Internet connection at once, and I mean physically. Pull out the cable or switch off the router.
  2. Put your virus protection and related security software on a deep scan.
  3. Phone your bank to have them monitor your account(s).
  4. Phone your payment card providers (there is usually an emergency number printed on the back of each card) so that they can block any suspect transactions.
  5. Contact your dealer, tech support number or any other support you have available to you, tell them what has happened and follow their instructions. Most suppliers and manufacturers have a help line. This may involve taking your machine in or calling out an engineer to thoroughly diagnose the extent of the damage done.
  6. Lodge an incident with the police (see above).
  7. When you are back online, send an email to everyone in your contact book to tell them to report any unusual messages they receive from you. Do not be embarrassed to admit that there has been an attempt to scam your account; you are acting decisively to clear up after it.

One last word: I keep the emergency numbers (tech support, BT, police, bank etc.) on a card that goes everywhere with my laptop. I have never had to use it but I am easier in my mind knowing that I have everything in one place if I do fall victim.

Outsourcing IT in the Third Sector

Information security in the 3rd Sector: does outsourcing IT represent a benefit or a risk?

While most of AMDS Consultants Ltd’s clients operate in the defence, security, transport and generic business process transformation markets some of our recent information security work has been with the 3rd Sector. Our 3rd Sector practice includes: charitable endeavours, the arts and civic organisations.

We recently concluded a major information security audit for an arts organisation, the main purpose of which was to assess their position against the PCI DSS framework for the management of debit and credit card transactions. Like many organisations in the 3rd Sector, this particular community had chosen to outsource their information technology function to a third party provider; this is a common approach across the entire market segment.

Important elements of such an approach are shown below:

a. Retaining sufficient expertise in-house, to be an intelligent IT service buyer

b. Ensuring that requisite SLAs (Service Level Agreements) are in place

c. Negotiating robust and effective contracts

d. Clearly articulating the third party’s place in your supply chain, and their responsibilities

e. Most importantly, ensuring that the third party will fully support you in information security

With these elements in place any information security assessment should go smoothly, provide significant benefit and present limited risk.

If, however, the IT provider chooses a different philosophy, as they did in our most recent 3rd Sector contract, then the possibility of a breach of the PCI DSS regulations becomes real, as do the concomitant fines. In particular, we found it remarkable that any third party paid to provide comprehensive IT support to an organisation in the 3rd Sector would see an information security audit as an opportunity to make a profit. By refusing to supply responses to questions about their approach to information security without receipt of a fee, they not only raised concerns over the robustness of their information management systems but also placed one of their most high profile customers at increased risk of a breach. If the level of PCI DSS fines being discussed were implemented, then our client would face financial ruin.

The question that exercises us now is how typical of 3rd Sector IT providers this behaviour is. Does the generic IT service company see this market segment as easy pickings, dependent as it often is on a mixture of employed officers, administrative staff and willing volunteers? Perhaps the IT providers consider that the 3rd Sector lacks the commercial nous to properly manage the services these providers supply, and so use the 3rd Sector as a highly profitable dupe. Alternatively, we may merely have encountered a “bad” company and the broader base of IT service providers are committed to comprehensive support for 3rd Sector clients.

Whichever scenario represents a true reflection of these relationships, before choosing to follow this route, the 3rd Sector must consider how much of a risk their provider presents.

In an information security context, risk is vested with the owning organisation, i.e. the buyer of the service, not the outsourced IT provider. It is the responsibility of the buyer to ensure that sufficient precautions are applied by their IT providers to protect personal data in both storage and transmission. The buyer should also make sure that the supplier adheres to the appropriate information security standards as well as established best practice in their industry.

In the worst case scenario, where there has been a breach in data protection, any investigation would look first at the information security arrangements put in place by the buying organisation. If it is apparent that the buyer has not set appropriate information security standards and targets or has failed in their due diligence of the supplier then they will receive any penalty.

However, if it is clear that the buyer has done everything that is reasonably practical and the failure to protect information lies with their supplier then it will be the IT provider who will incur any fines deemed necessary.

Returning to the question posed at the outset: the ability of the 3rd Sector to successfully outsource IT services, in a world where the fines for information security breaches could cause financial ruin, is no longer just dependent on making a well-founded choice of supplier. Successful supplier selection is not merely a combination of running a competition, setting generic performance standards, and placing the contract. In an increasingly connected world, where all IT service buyers carry data security responsibilities, the following additional essentials must be considered:

a. Buying intelligently

b. Addressing information security and data protection from the outset

c. Setting genuine information security performance targets

d. Clearly delineating responsibilities

e. Creating and managing a robust but collaborative relationship with the IT provider

The absence of any of these factors in the provision of IT supply increases risk and limits benefits.

What do people want from their leaders and managers?

In my experience, there are four things that people in the workplace – including myself – want from their leaders and managers. Inspiring leaders and good managers all have these four qualities and market-leading organisations actively seek them when recruiting or promoting.

Trustworthiness

You cannot be a good leader or manager if you cannot win the trust of your people and sustain it over time. Trust binds commitment and promotes action. Without it, you cannot win. From the employee’s point of view, if they cannot see signs of your competence then you are not going to gain their confidence. Openness is another aspect of trust and good leaders and managers encourage openness and manage dissent. You will know when you have got it right when you do not have to reprimand staff who transgress; it will be enough that they know that you know.

Optimism

Oddly enough, this is linked with trustworthiness. Working as a project and programme manager I have often been told that I am “positive” or “optimistic”. It is always good to hear, because there is not a big market for negative and pessimistic project and programme managers; we need to be purveyors of hope. Optimism can be pervasive and powerful. However, it has to be built on trust and not on delusions; it cannot be an act. If you get hung up on your mistakes, problems, wrong turns or mishaps (we all make them) and do not treat them as opportunities to learn and change, do not become a leader or manager! Optimism stems from a clear vision of the future, a commitment to get there and the determination to bring everyone on the team along for the ride.

Purpose, direction and meaning

Which brings me to determination. I cannot over-emphasise the significance of determination to achieve a goal, together with the conviction, passion and unique point of view that establish the energy and direction of the leader and manager. If you are a leader then you are helping to define the purpose of the job. Without a sense of alignment behind the purpose there can be no direction: how do you know which way to face? It must also be a purpose that energizes and engages people, that has meaning and resonance. That is why it is easier to achieve when leading a project than when managing Business As Usual (BAU). However, the purpose belongs to everyone in the organization. The leader and manager must communicate it in such a way that ownership is created on every level of the operation.

Acts and gets results

Ultimately, of course, you are there to deliver results so you must have the capacity to convert purpose and vision into action. Having developed a great vision you have to use it to inspire people. It has to become “real” in some material way to produce results. Most leaders and managers are pragmatic dreamers and practical idealists, which is not an easy balance to maintain.