Investigations
To manage risk effectively, an organisation should develop an incident management framework, and part of that framework should be a robust investigative capability. The ability to respond to incidents and to investigate them fully allows the organisation to mitigate risk and demonstrate compliance using its own resources. The examples below are typical of the types of investigation that POC Management has conducted on behalf of clients:
- Fraud
- Counterfeiting
- Asset loss or theft
- Breach of policy or failure of security controls
- Email and Internet misuse
- Systems abuse
- Harassment
- Staff Performance
In the modern business environment the emphasis in asset security and fraud prevention is usually placed on the technical aspects of the problem. Whilst technical controls are crucially important in protecting assets, it is equally important to have documented processes and procedures, and fully trained personnel, in place to prevent and investigate incidents such as fraud and misuse of systems.
As well as providing investigative support, POC Management strongly recommends developing incident management processes and internal controls as a framework within which to investigate incidents and manage risks arising from people, processes, technology and external dependencies.
SOCIAL ENGINEERING SERVICES
Social engineering is best described as the acquisition of sensitive information or inappropriate access privileges by an outsider, based upon the building of an inappropriate trust relationship with insiders. The goal of social engineering is to manipulate someone into providing valuable information, or access to that information, using non-technical means. The mark of a truly successful social engineer is that they obtain the information without raising any suspicion about what they are doing, so the organisation never learns it was targeted.
The business consequences of data loss are both well defined and significant. They include substantial fines for legal breaches, reputational damage and consequential financial impact. In the majority of cases the root of the problem is staff failing to adhere fully to policy and process, combined with a lack of structured approaches to data management.
Many organisations believe they have resilient infrastructures, and that belief can give rise to a false level of assurance. In 2008 European organisations invested €2.6 billion (Source: Gartner) to protect confidential information from cybercriminals attempting to hack into their IT systems. That investment, however, addresses only one of the three main areas of information security: technology. The other two, people and processes, remain vulnerable, and the three areas are intrinsically interlinked. Spending heavily on IT security while neglecting physical security and staff awareness leaves an organisation as exposed as an electronic attack would.
As technical controls against unauthorised logical intrusion into corporate systems and networks improve, attackers will increasingly turn to social engineering to obtain confidential information and personal data.
POC Management consultants have extensive experience in conducting physical and telephone-based social engineering attacks against many environments, in both the private sector and government organisations, as part of an agreed client penetration testing strategy with a defined scope and rules of engagement.
Additional POC Management services are available for more challenging environments.
