A few months ago, I received a phone call from someone at a giant Israeli corporation that owns 120 companies. He relayed the story of a COO in one of the corporation’s companies who had stolen a few million dollars over a two-year period. Financial and technological monitoring systems did not register the theft. The COO claimed that he had been blackmailed and had no other choice. He said that the blackmail had come from an aggressive foreign company. This COO had broken the trust of the major corporation whose umbrella his company was under, abused his authority and betrayed friends and colleagues. The company had been acquired five years prior and had been an important part of the Israeli corporation.
The company was completely unaware of the situation until it was discovered that there was something suspicious on a certain row in the balance sheet. This led to inquiries to discover the perpetrator, which is when we were hired. The first people to greet me were the lawyers. The company called the lawyers as soon as they discovered the fraud, but lawyers do not necessarily know how to deal with these situations.
The following was discovered about the case:
- The COO in question had refused a polygraph test to clear his name (a common practice in this country).
- The VP Marketing failed a polygraph test, turning him into a second suspect in the scandal.
- Two legal practitioners spent two weeks manually collecting relevant information in order to create a map of related entities (people, bank accounts, etc.) to follow the money trail and create a snapshot of what happened and how. An experienced intelligence analyst using the right OSINT system would have been able to achieve the same goal in moments.
- No one ever visited the purported physical address of the foreign company allegedly involved, nor interviewed the European bank teller who was accused of possibly cooperating with the COO. There was no one who could, therefore, corroborate or deny the COO’s story with 100% clarity.
While interviewing the CEO of the local company, it was discovered that when it was acquired by the large corporation five years ago, background checks were never conducted for local employees, nor were their computer systems ever assessed for cyber protection in either the Internet Protocol (IP) department or the management offices. The only thing that changed when the company was acquired was the company logo on the sign outside the office. Nothing else.
In this case, it was discovered directly from the COO, once he had been convinced to talk, that he had failed a polygraph test from his previous employer. This was something that the current company (i.e. the daughter company of the large Israeli corporation) did not discover because their external HR provider was focused purely on professional, rather than personal, information.
It was discovered that within the entire Israeli corporation, with 120 daughter companies across dozens of countries, there is only one IT professional.
While an incident such as this could cause shares to collapse, the corporation seemed to view this as a small bump in the road.
This is disproportionate, given that the large mother corporation has the highest of standards: its recruitment process is extremely thorough, and it has physical protection technologies in place. Its cyber arena and commercial intelligence sectors are both highly protected. These high standards must now trickle down to all the smaller companies which it has acquired and will acquire in future. This must be done with a deep understanding of cultural differences, language barriers, and the often suspicious, local-patriotic approach exhibited by local employees.
To begin with, there must be operational due diligence. Just as most companies review the legal and financial aspects of potential acquisitions, they must also check the personnel of the company. Exploring the background of the company heads, including personality, attitude, and track record, using psychological due diligence and designated background checks, is an essential step. But this is not enough. Web-based digital questionnaires with smart algorithms should be used to confirm the loyalty of the acquired company’s personnel. Computerized systems, security awareness, technologies, and processes should be brought in line with the larger corporation’s standards. Analysis of the local company’s history, to spot weak links and tailor suitable solutions, is essential.
Seventy per cent of mergers and acquisitions fail. Part of this is, as we have seen, due to security challenges. Confronting corporate business security challenges with an integrated solution that accounts for the human, physical, commercial, and cyber dimensions combined is by far a better method than confronting challenges one-dimensionally.