Idea Watch: New Thinking, Research in Progress
What Business Can Learn From Organized Crime
by Marc Goodman
When 10 men attacked the Taj Mahal Palace hotel in Mumbai, in November 2008, they executed one of the best-orchestrated, most technologically advanced terrorist strikes in history. Before the assault they had used Google Earth to explore 3-D models of the target and determine optimal entry and exit routes, defensive positions, and security posts. During the melee they used BlackBerrys, satellite phones, and GSM handsets to coordinate with their Pakistan-based command center, which monitored broadcast news and the internet to provide real-time information and tactical direction. When a bystander tweeted a photo of commandos rappelling from a helicopter onto the roof of one of the buildings, the center alerted the attackers, who set up an ambush in a stairwell. It took three days for authorities to kill nine of the terrorists and arrest the tenth; his confession provided details of the operation, which had resulted in 163 deaths and hundreds of injuries.
Atrocities like this one are an extreme example, but the fact remains that technology is increasingly put to nefarious uses. Consumers and businesses must deal with the results, from small-bore, almost laughable “I’m stranded in England please send money” e-mail scams to large-scale appropriations of credit card data. During the 25 years I’ve spent in law enforcement—as a police officer, a counterterrorism consultant, and, for the past decade, a cyberrisk and intelligence specialist—the most striking trend I’ve seen is the growing sophistication of global crime syndicates and terrorists (the former are now believed to bring in $2 trillion a year).
Some of this isn’t new: Colombian drug cartels, for instance, have been technologically advanced since the days of Miami Vice. But more-recent international crime groups, including the Russian Business Network, South America’s Superzonda, and the worldwide ShadowCrew, have become especially adept at expropriating legitimate business tactics to create highly efficient global teams and set new best practices in adaptive strategy, supply chain management, the use of incentives, global collaboration, and other disciplines. Here are five lessons companies can learn from the activities of such groups:
Use the news to create opportunity. Criminal groups have made an art of scanning the environment and quickly deploying technology to capitalize on what they find. Within hours of the 2010 Haiti earthquake, for example, scammers were circulating e-mails urging people to use Western Union to wire money to the British Red Cross. The cause sounded noble—but the British Red Cross doesn’t accept donations by way of Western Union. Ever-adaptive criminals are also creating “Text this number to donate $10” scams after disasters.
Thieves are exploiting long-term technology trends as well. While corporations struggled to monetize their social media followers, criminals quickly figured out that tweets and Facebook updates were invaluable tools for planning home burglaries and that social media data could facilitate identity theft. The lesson: Watch the headlines, move quickly, and try to get out in front of developing trends.
Cybercrime’s Wide Reach
- 47%: share of U.S. small businesses that provide no cybersecurity training to employees
- 1 in 6: proportion of U.S. companies in which employees recently fell for a simulated phishing e-mail scam
- $5.9m: median annual cost of cybercrime per U.S. Company
- £27b: overall annual cost of cybercrime to the UK economy
Sources (top to bottom): National Cyber Security Alliance; Help Net Security; Ponemon Institute; Detica
Outsource to specialists. Modern organized crime has abandoned the top-heavy structure of dons, capos, and lieutenants made famous in The Godfather. Most of today’s gangs, along with Al Qaeda and other terrorist groups, are loosely affiliated cooperative networks—and are as likely to recruit website designers and hackers as they are thugs and enforcers. They routinely turn to niche markets for specific expertise. (For instance, Dubai offers the best talent for laundering money.) They are constantly networking to develop sources with the specialized skills they need, much as Hollywood studios scout for talent to cast a given film. For example, identity theft specialists know where to find artists who can replicate the holograms on ID and credit cards, and they routinely utilize a call center in Russia whose multilingual employees work 24/7 and are accomplished at making fraudulent calls to banks during which they might impersonate anyone from a rich Italian housewife to a Brazilian doctor. The lesson: Don’t limit yourself by overreliance on in-house talent. Cultivate e-lancers and other contractors who can provide the precise skills your project demands.
Cash isn’t the only incentive. Criminal organizations pay well, both to compensate for the legal risks involved and because their high profit margins allow them to. But they realize that team members usually aren’t in it just for the money. Most enjoy the thrill of breaking the law. Many, particularly hackers, are also motivated by the challenges of sophisticated security systems and the bragging rights they gain when they foil them. Although criminal organizations still employ a fair share of thugs, they’re increasingly attracting highly educated people who seek autonomy and intellectual stimulation—not unlike the people who are drawn to the risky, demanding work environment of a start-up. The lesson: Socially oriented businesses aren’t the only ones that can use workers’ desire for meaning as a motivating force. Find a way to tap into employees’ needs for recognition, challenge, and belonging.
Exploit the long tail. Until the internet came along, many criminals pursued a “blockbuster” approach: They were always on the lookout for a single heist—say, a bank robbery—that could provide a huge payoff. Terrorists still strive for spectacular attacks, seeking to maximize the societal shock and disruption. But global criminals have learned that they can reap big profits by executing smaller operations over and over again—a strategy that allows for efficiency gains, continual improvement, and reduced risk.If you’ve ever been the victim of credit card fraud, you probably noticed a flurry of midsize purchases, usually made online; these can be received and forwarded by a “mule” who may not even realize he’s part of an illegal scheme.(Syndicates often tell such mules they’re part of an import-export operation.) The purchases on any one card might not exceed $1,000. Multiply that amount by thousands of transactions, though, and the payoff becomes huge. The perpetrators of small but high-volume frauds also constantly conduct experiments aimed at improving results. They may use different subject lines in the same e-mail scam, comparing the response rates and then fine-tuning the language in the next round. The lesson: A business model that aims for many small transactions instead of a single big hit can result in larger long-term profits and provide numerous opportunities to improve efficiency along the way.
Collaborate across borders. Various radical Islamic splinter groups now work alongside Al Qaeda, even though the entities remain distinct. So, too, with organized crime: The Hong Kong–based triads and the Japanese Yakuza have joined forces to market synthetic drugs, and Colombia’s cartels cooperate with Russian and Eastern European mafias to expand the reach of their products. Although “going global” has been an important way for businesses to extend market opportunities, the strategy delivers an additional benefit to organized crime: It can create legal obstacles for law enforcement officials, who often aren’t as adept at cross-border collaboration as the criminals they’re tracking. The lesson: Don’t look at competitors simply as rivals. Consider the mutual benefits of partnerships.
Protecting Your Business from Information Theft
Your security system needn’t be perfect—it just has to be better than most. Routine maintenance can make a big difference. Cybercriminals continually do the digital equivalent of testing your doors and windows. Simply upgrading the locks—and actually using them—can cause criminals to move on to the next house. Here are four additional steps worth taking:
Know where your information is and who can access it.This used to be simple: Employees came to the office each day and turned on their computers. Now people often work remotely, using laptops, smartphones, and tablets. And a vast amount of data is stored in the cloud, on servers whose location may be unknown. Though mobile and cloud computing drive big savings, they greatly complicate the task of securing data.
Collaborate with your competitors on security matters.As unnatural and unnerving as this may seem, it could be your single best defense against orchestrated attacks. Take a page from the book of criminal organizations, which regularly swap intelligence with one another (and use that intelligence to perpetrate new crimes). A united front on security, even though it means sharing ideas with your rivals, can make your company stronger.
Attack your own IT network.It might strike you as logical to set up a wide array of protective systems and wait until the alarm goes off, but purely reactive measures are doomed to fail. If you don’t explore whether you can penetrate your own defenses, how can you know they’re secure? Red teaming—simulating all the ways in which your adversaries might try to breach your security—can uncover serious gaps.
Think beyond hacking: Physical security and personnel are important, too.If your IT network is bulletproof but anybody can walk into your building and take documents the old-fashioned way, you’ve failed. And if your network and physical plant are safe but your background checks are lax and you inadvertently hire a hacker or someone with ties to organized crime, you’ve got an even bigger problem. Your approach to security must be comprehensive.
Comparing the practices of criminal and terrorist organizations with those of corporations is by definition an imperfect exercise. Despite their sophistication and managerial prowess, crime groups are unconcerned with the human and social costs of their acts; they will remain ruthless no matter how many computer scientists they employ. But it’s also true that as organized crime has come to rely more on technology for competitive advantage, its craft has developed a greater resemblance to the activities of law-abiding businesses. In some cases, criminal enterprises are now the ones pushing the frontiers of knowledge and innovation. Given the high profitability of global cybercrime networks and the limited threat they face from legal authorities, legitimate businesses will undoubtedly become targets more frequently. Managers need to pay close attention to the tactics being used against them—and perhaps even learn to profit from some of the global gangsters’ insights.