“Hackers are always one step ahead”: Corporate defences in an age of evolving threats
Criminal attacks are becoming more widespread, driven by the intensification of globalised flows of goods, people and information and by the development of artificial intelligence. The Criminal Risks Management Chair is a pioneer in the field and has been training EDHEC Business School students for twenty years in how to deal with the threats that businesses face. Read this article by Bertrand Monnet and Philippe Very (EDHEC), originally published in EDHEC Vox magazine, issue 17, and on ladn.eu (in French).
In Bertrand Monnet’s lectures, students occasionally communicate remotely with a hacker or analyse an interview filmed several weeks earlier with an international drug trafficker.
The professor, who has worked in partnership with companies on criminal risks for twenty years and regularly leads immersive field experiences in areas where crime thrives, has a number of contacts in the world of organised crime and invites them to speak anonymously and remotely. Students' eyes are fixated on the screen when the hacker appears. They suggest the names of major corporations and watch as dark-web forum listings appear of those companies' exposed vulnerabilities and of compromised accounts on sale for a given sum.
“Hackers are always one step ahead,” explains Bertrand Monnet. “The first time I heard the word ChatGPT, it was from one of them.” Inviting them to participate in his lectures allows him to “document the criminal economy through those who operate within it” — in other words, to teach students about the reality of criminal risks that businesses face, removed from what can be seen on popular television series and in mainstream culture.
Corporate vulnerability and proliferating threats
Threats have boomed since the Criminal Risks Management Chair was established in 2005, says Bertrand Monnet. Cybercrime is increasing and is projected to cost the world $10.5 trillion annually by 2025 (1), while criminal finance has developed swiftly. The substantial sums generated by criminal activities must be laundered, and this widespread money laundering directly threatens the emerging financial players to which many students gravitate upon graduation, whether fintech firms or cryptocurrency platforms.
Though criminal threats have always existed, the growth and intensification of physical flows of goods, people and information thanks to globalisation have made companies more vulnerable to trafficking. This is how the shipping company MSC, one of the giants of maritime transport, found itself infiltrated in 2019 by a gang of drug traffickers who, with several complicit crew members, managed to transport 20 tonnes of cocaine in a cargo vessel (2).
Digitalisation is the culmination of these connections, explains Philippe Very, a strategy professor who teaches within the Chair: "A company may try to protect itself, yet the criminal organisation can reach it through a link in its chain." Examples abound. In 2013, hackers reportedly entered the systems of American retail giant Target using network credentials stolen from a heating and air-conditioning contractor, with the goal of reaching customer payment card data (3). In Sweden, the Coop chain had to close most of its stores in 2021 when a ransomware attack on Kaseya's remote-management software, used by the provider of Coop's point-of-sale systems, left its checkouts unusable (4).
“The methods are always the same,” says Bertrand Monnet. “Hackers seek weak links, namely low-tech products, ones that are poorly secured and rarely updated, such as accounting software.” Philippe Very concludes with an adage attributed to Robert Mueller, the former FBI director: “There are two types of companies: those that have been hacked, and those that remain unaware they have been hacked.”
Other threats beyond cybercrime continue to be underestimated, says Bertrand Monnet. Given that maritime transport accounts for 90 per cent of global freight (5), piracy is a real danger, as is counterfeiting, which doesn’t just involve “a counterfeit Gucci bag manufactured in the suburbs of Naples,” but also counterfeit medicines and fraudulent mechanical components.
Risks reconfigured by AI
In recent years, artificial intelligence has transformed the landscape for criminal organisations, leading Bertrand Monnet to prefer using the term “digital crime” over “cybercrime.”
"Previously, you had to access dark web forums to purchase ransomware or hire a hacker," explains Bertrand Monnet. "Today, you can independently code something that is fully functional, simply by using ChatGPT." With regard to fraud, the two academics note that AI also lets people write nearly perfectly worded messages and create deepfakes that are exceedingly difficult to distinguish from authentic images. This is why we're witnessing a resurgence of "CEO fraud," in which an employee is persuaded that they are communicating with leadership when it is in fact a hacker.
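When the wording of a fraudulent message is flawless, spelling and grammar heuristics stop working and the useful signals move to the headers and the intent of the request. The following is an added example (not code from the article or from the Chair) of the checks a mail-security team would run on an incoming CEO-fraud message: display-name impersonation of a known executive, a Reply-To that diverts the conversation to another domain, a lookalike sender domain, and time pressure paired with a reason not to verify by phone. The organisation domain, the executive directory and both messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-corp.com"   # assumed legitimate domain of the organisation
# Constructed directory of executives whose names are worth impersonating.
KNOWN_EXECUTIVES = {"anna lindqvist": "anna.lindqvist@example-corp.com"}

# Constructed messages. The fraudulent one is flawlessly written; only its headers give it away.
FRAUD_MSG = """From: "Anna Lindqvist" <anna.lindqvist@example-corp.co>
Reply-To: anna.lindqvist.ceo@gmail.com
To: finance@example-corp.com
Subject: Supplier payment before the board meeting

Hi Marc, please release the attached supplier payment today. I am in a meeting all afternoon and cannot take calls, so confirm by e-mail only.
"""

LEGIT_MSG = """From: "Anna Lindqvist" <anna.lindqvist@example-corp.com>
To: finance@example-corp.com
Subject: Board meeting agenda

Hi Marc, please find the agenda for Thursday's board meeting attached.
"""


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains (example-corp.co vs example-corp.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def bec_signals(raw_message):
    """Return the list of header- and intent-based CEO-fraud indicators found in one message."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain, reply_domain = _domain(from_addr), _domain(reply_addr)
    body = msg.get_payload()
    signals = []

    # 1. A known executive's display name on an address that is not theirs.
    expected = KNOWN_EXECUTIVES.get(display.strip().lower())
    if expected and from_addr.lower() != expected:
        signals.append("display-name impersonation")
    # 2. Replies silently redirected to another domain.
    if reply_domain and reply_domain != from_domain:
        signals.append("reply-to domain mismatch")
    # 3. Sender domain within two edits of the real one.
    if from_domain and from_domain != ORG_DOMAIN and edit_distance(from_domain, ORG_DOMAIN) <= 2:
        signals.append("lookalike sender domain")
    # 4. Time pressure combined with a reason not to verify by voice.
    if re.search(r"\b(urgent|today|immediately)\b", body, re.I) and \
       re.search(r"cannot take calls|e-mail only|do not call", body, re.I):
        signals.append("urgency with verification avoidance")
    return signals


if __name__ == "__main__":
    print(bec_signals(FRAUD_MSG))   # four signals
    print(bec_signals(LEGIT_MSG))   # []
```

None of these checks depends on the quality of the prose, which is the point: a payment request that trips any of them should be confirmed through a channel the sender did not choose, such as a call to the executive's known number.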
At the same time, AI has strengthened companies' ability to defend themselves. Whereas an internal audit would previously have been needed to investigate potential fraudulent invoicing in the finance department, now AI-driven anti-fraud programmes operate continuously and automatically to detect the slightest anomaly. AI is also becoming more effective when it comes to cyberattacks: it is now "capable of rapidly breaking encryption keys on ransomware that would have been highly dangerous six months ago."
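To make the continuous anti-fraud monitoring described above concrete, here is an added example (not the Chair's or any vendor's code) of a streaming invoice-anomaly detector written with the standard library only. It applies four checks that an automated programme can run on every invoice as it arrives: a duplicate invoice number, a change of the vendor's bank account, an amount more than three standard deviations from that vendor's own history, and repeated amounts kept just under an approval threshold. The approval threshold, the vendors, the IBANs and the invoice feed are all constructed for the example; a production system would learn these baselines from the ledger rather than hard-code them.

```python
from collections import defaultdict
from statistics import mean, pstdev

APPROVAL_THRESHOLD = 10_000.0   # assumed single-signature approval limit
Z_LIMIT = 3.0                   # flag amounts more than 3 standard deviations from the vendor's history
MIN_HISTORY = 5                 # do not score a vendor until this many invoices are seen


def _invoice(inv_id, vendor, iban, amount):
    return {"id": inv_id, "vendor": vendor, "iban": iban, "amount": float(amount)}


# Constructed invoice feed in processing order (not real data; vendors and IBANs are made up).
INVOICES = [_invoice(f"INV-10{n:02d}", "Nordic Cabling AB", "SE11 0000 0001", a)
            for n, a in enumerate([4800, 5100, 4950, 5200, 4700, 5000, 4900, 5050, 4850, 5150], 1)]
INVOICES += [
    # bank details change and the amount jumps: the payment-diversion pattern
    _invoice("INV-1011", "Nordic Cabling AB", "LT99 0000 0002", 24900),
    # the same invoice number submitted a second time
    _invoice("INV-1011", "Nordic Cabling AB", "LT99 0000 0002", 24900),
    # three invoices kept just under the approval threshold
    _invoice("INV-2001", "Soft Consult SARL", "FR55 0000 0003", 9990),
    _invoice("INV-2002", "Soft Consult SARL", "FR55 0000 0003", 9950),
    _invoice("INV-2003", "Soft Consult SARL", "FR55 0000 0003", 9980),
]


def detect_invoice_anomalies(invoices):
    """Stream invoices in order and return (invoice id, reason) alerts."""
    alerts = []
    seen_ids = set()
    history = defaultdict(list)        # vendor -> amounts already processed
    last_iban = {}                     # vendor -> IBAN on the previous invoice
    near_threshold = defaultdict(int)  # vendor -> invoices within 5% under the limit

    for inv in invoices:
        vendor, amount = inv["vendor"], inv["amount"]

        if inv["id"] in seen_ids:
            alerts.append((inv["id"], "duplicate invoice number"))
            continue                   # a resubmission is not new history
        seen_ids.add(inv["id"])

        if vendor in last_iban and inv["iban"] != last_iban[vendor]:
            alerts.append((inv["id"], "bank account changed"))
        last_iban[vendor] = inv["iban"]

        hist = history[vendor]
        if len(hist) >= MIN_HISTORY:
            sd = pstdev(hist)
            if sd > 0 and abs(amount - mean(hist)) / sd > Z_LIMIT:
                alerts.append((inv["id"], "amount outlier for vendor"))

        if 0.95 * APPROVAL_THRESHOLD <= amount < APPROVAL_THRESHOLD:
            near_threshold[vendor] += 1
            if near_threshold[vendor] == 3:
                alerts.append((inv["id"], "repeated amounts just under approval threshold"))

        hist.append(amount)
    return alerts


if __name__ == "__main__":
    for inv_id, reason in detect_invoice_anomalies(INVOICES):
        print(inv_id, reason)
```

The bank-account change and the amount outlier fire on the same invoice, which is the combination a payment-diversion fraud produces; either alone is a reason to confirm the new details with the vendor through a contact already on file, never through the details printed on the invoice itself.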
Beyond that, AI has improved insurability against criminal risks. Insurers were previously unable to precisely assess certain risks, so they protected themselves by offering prohibitively high premiums. Predictive models now allow prices to be adjusted, which provides additional protection for businesses. “AI will not reduce the danger of risks,” Monnet concludes, “but it will transform the geography of a company’s external platforms.”
Identifying grey areas
People mainly think of companies as targets when it comes to criminal threats, but they can actually find themselves in more ambiguous areas. An aircraft manufacturer can become collateral damage in a counterfeiting scheme if its mechanical parts supplier buys fraudulent components; it could unwittingly incorporate a defective part that could cause accidents. Distributors can be instrumentalised by criminal organisations by unknowingly distributing or transporting counterfeit goods. This “horizontal connection between strictly criminal actors and legal actors with grey zone behaviours” requires leaders who have been trained in criminal risk issues, Monnet explains.
Lastly, companies occasionally underpin criminal economies themselves, knowingly or otherwise. For Bertrand Monnet, Purdue Pharma, the American pharmaceutical company that marketed OxyContin in the 1990s, represents an “absolute case.” The company pleaded guilty in 2007 to misleading the public about the addiction risk for OxyContin and paid one of the largest fines ever imposed on a pharmaceutical company. “They are behind the opioid crisis in the United States, which claims 130,000 lives annually, (7)” Monnet says, “and had they not engaged in illicit behaviour, we would not be in this situation.”
Training in doubt and ethics
For the two professors, students must be trained to never get to that point. In the courses taught by the Chair, says Philippe Very, students often underestimate how much violence these kinds of criminal threats can involve, ranging from physical violence when it comes to kidnapping to the psychological violence exerted on family members or economic violence when positions are eliminated after a company is destabilised.
Concrete case studies and discussions with practitioners who work in major corporations help the academics train students to detect criminal risks. Then — and this is the most important part for Bertrand Monnet — it involves “doubting and making judgements, relying on your conscience, and using the precise knowledge gained about what techniques criminals use.”
To instil how important doubt is in the minds of his students, many of whom will work in investment funds, Bertrand Monnet systematically shares the case of a trust which concealed the daughter of a Mexican drug trafficker. “Had the fund contracted with this trust,” explains the academic, “it would have found itself financing Mexican organised crime, with the cascade of legal and reputational consequences you can imagine.”
These criminal risks also raise questions about "leaders' ethical framework," explains the Saint-Cyr graduate, who designs the curriculum for the Criminal Risks Management Chair in close connection with the business ethics courses taught by Geert Demuijnck in order to strengthen synergies between the two disciplines. For him, this is what makes the courses offered by EDHEC unique, as the presence of over 130 nationalities on campus enriches the debates with varied cultural perspectives on the legal definition of counterfeiting or on brand protection strategies.
Making risk a core business concern
This approach to embracing doubt and ethics cannot rely solely on individuals: the entire organisation must be committed, too. For Philippe Very, this involves conducting regular crisis exercises but also positioning the security department closer to executive management.
“Companies must develop a holistic, horizontal, interconnected approach to criminal risk,” says Bertrand Monnet. To achieve this, human resources must be involved. In his view, they are a “key entity”: “the people who staff the company can serve either as bulwarks against risk or vectors for it.” This is why it’s necessary to make training and supervising employees on these matters mandatory.
This also involves changing practices for selecting suppliers, so as not to automatically exclude small companies that may have modest turnovers or be recently established but which are considerably more secure than certain legacy behemoths that Monnet characterises as "hoovers for viruses." Sales teams need to be trained to suspect counterfeiting when they see the company selling 20 per cent less despite no new entrants in the market.
Finally, this means putting the subject "on the board's agenda" to make sure it becomes an integral part of company culture. Bertrand Monnet's discussions with hackers confirm this: "when hackers conduct a phishing campaign and only three individuals respond, they conclude that the door is closed and seek opportunities elsewhere."
References
(1) Cybercrime To Cost The World $10.5 Trillion Annually By 2025 (2020), Cybercrime Magazine - https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/
(2) Le géant maritime MSC aurait été infiltré par un gang de trafiquants de drogue [Maritime giant MSC allegedly infiltrated by a drug-trafficking gang] (2022), RTS - https://www.rts.ch/info/economie/13644414-le-geant-maritime-msc-aurait-ete-infiltre-par-un-gang-de-trafiquants-de-drogue.html
(3) U.S. HVAC Firm Reportedly Linked To Target's Data Security Breach (2014), NPR - https://www.npr.org/sections/thetwo-way/2014/02/05/272101928/u-s-hvac-firm-reportedly-linked-to-target-s-data-security-breach
(4) Swedish Coop supermarkets shut due to US ransomware cyber-attack (2021), BBC - https://www.bbc.com/news/technology-57707530
(5) Maritime Transport, WTO - https://www.wto.org/english/tratop_e/serv_e/transport_e/transport_maritime_e.htm
(6) L'OxyContin, l'antidouleur de Purdue Pharma par lequel la crise des opiacés est arrivée [OxyContin, the Purdue Pharma painkiller through which the opioid crisis arrived] (2019), Le Temps - https://www.letemps.ch/monde/ameriques/loxycontin-lantidouleur-purdue-pharma-lequel-crise-opiaces-arrivee
(7) What is OxyContin, the drug behind America's opioid crisis? (2017), The New Statesman - https://www.newstatesman.com/world/2017/11/what-oxycontin-drug-behind-america-s-opioid-crisis