Written only 3 years ago, the International Cyber Security Protection Alliance's Project 2020 Report forecasted an array of cyber-related activities that are to become more apparent in a truly converged 2020. Unfortunately, many of these have already come to bear. There are 3 of note for reputation risk management and brand protection practitioners.
No one could argue with the maturity of the illicit market for virtual items, both stolen and counterfeit, with the pharmaceutical industry being the hardest hit. TheInternational Anti-Counterfeit Coalition reports that the estimated value of cross-border trade in counterfeit and pirated physical goods was to account for more than USD 1.77 Trillion in 2015. This now drives enormous investment by companies to put in place resources, technologies or enhance their programs for global brand protection.
Global Brand Protection Managers today are responsible for developing and implementing secure supply chain and online best practices designed to counter the risk to consumer safety and business value from counterfeit and illicit trade worldwide. In contrast, the Anti-Counterfeit Packaging Market alone was estimated at USD 85 B in 2015 and is estimated to grow to almost twice the size by 2020 - USD153.95 Billion.
When I asked a senior South East Asian Government official what was the greatest threat to national security, they stated counterfeit and piracy, as the impact on a small countries GDP and employment is considerable. Take this against a backdrop of the US who estimated in 2013 that 55M jobs supported by IP-intensive industries were at risk.
2. Reputation Manipulation Markets
In their horizon scanning, Project 2020 forecasted that we would move to a reputation economy where reputation underpins the stability of governments, businesses and citizens alike. The term ‘reputation economy’ coined by the Reputation Institute in 2011, suggests a marketplace where businesses and brands are rated, commented on, and judged based on reputation (rather than financial performance). It implies that power has shifted to a company's stakeholders. The new role of the company and institutions is to be at the service of their stakeholders.
Today against this context we see 3 examples of sophisticated reputation manipulation.
On TaoBao and Amazon for example, we are seeing "seller-reputation-escalation" (SRE) markets operate in a crowdsourcing mode, connecting insincere online sellers who desire a high online reputation with people who want to earn extra money. The only task: conducting fake transactions on the specified stores, where they go through the entire purchase of a product, but nothing is delivered.
We are increasingly seeing commercial scenarios of reputation manipulation through online libel and defamation for profit purposes targeting key drivers of reputation and sensitive topic pressure points: corporate governance, child labor, taxation and others.
Take the short attacks of a US hedge fund on Olam back in 2012 where the short-seller published a 133-page report detailing "shocking" accounting gaffes at the trading firm, prompting Olam to respond with a 45-page rebuttal. This attack was made on a reputation driver "governance". This has been proven in portfolio management to have significant immediate/short term negative impact on a company's reputation and economic performance. These libel attacks are increasingly vicious, where damage can be instantaneous and increasingly difficult to repair.
Since the Hedge Fund's CEO comments at the Ira Sohn conference in London on 28 November 2012, shares of Olam hit a low of USD 1.465, a level unseen since 2008, wiping out nearly half a billion dollars off its market capitalisation.
Olam described the accusations as "false and misleading" and stood by its practices. They asserted that the report's accusations were motivated to distract and create panic amongst its continuing shareholders, bond holders and creditors. Hear the SGX's reponse to the affairs here.
Today Olam trades at 2.0, nowhere near its highs of 3.29 earlier that same year.
While in the United States, there are no criminal defamation, libel or insult laws on the federal level, libel is deemed as a civil offense, where a person or entity suing for libel may only collect monetary damages from the person who published or posted libelous materials. This is meant to remind people or entity not to abuse press freedom or freedom of expression. Freedom of Speech is deemed a civil liberty.
However, in Singapore there certainly are protections in place for this. Defamation is a criminal offense under section 499 of the Penal Code. This means that the police can take action and arrest the perpetrator of defamation if there is sufficient evidence of such transgression. For the prosecution of criminal defamation, it must be shown that the defamer intended, or knew, or had reason to believe his words would harm the reputation of the victim.
Olam Custodians are rumored to have taken legal action, however, the company architecture of the hedge fund allegedly appears to have been specifically designed with shelf companies in various jurisdictions to limit any major lawsuits against them.
Today national authorities are working to overcome jurisdictional restrictions through regional coordination (e.g. Interpol) or with agencies with similar levels of capability/capacity, to better understand and respond to Internet-facilitated crime.
The 2020 Report forecasted that the widespread use of multiple identities with varying levels of verification, pseudonymity and anonymity were likely to give rise to new identity management services and tools, especially as cyber criminals increasingly jurisdiction shopped to source the lowest location risk of enforcement for their activities.
Today Corporates and Governments working to combat these risks are heavily investing in identity management and access control solutions. In 2015, the Identity and Access Management market was valued at USD 7.20 Billion and is now expected to grow to USD 12.78 Billion by 2020.
3. High impact and targeted identity theft and avatar hijack
Avatar hijacking and targeted identity theft on social networks are becoming increasingly common. We are all no strangers to phishing scam messages on LinkedIn, from an apparent "reputable" corporate citizen that we know, who has had their online identity stolen.
Corporates are also no stranger to Twitter Hacks. In June 2016, hackers put millions of twitter credentials up for sale. To demonstrate the poor security of its network, in July 2016, Twitter CEO Jack Dorsey had his own account hacked by the hacking group OurMine. They quoted "Hey, its OurMine, we are testing your security," with a link to their website to sell their services. They are alleged to have previously defaced social media accounts belonging to Facebook CEO, Mark Zuckerberg, and Google CEO, Sundar Pichai. While its root cause was found not to be a Twitter hack, but rather it was accessed via Vine, which was integrated into its feed. Alas, Vine are also owned by Twitter.
Reputation practitioners should ensure that :
1. All IP assets that exist across their key Executives including corporate spokespersons social media ecosystem are registered in the asset register and are part of the companies enterprise risk management program.
2. All digital IP Assets should be constantly monitored, regularly penetration tested and ideally, registered with a digital certificate that is only issued after compliance with a minimum set of Digital Standards for "digital governance'.
3. Each asset is locked down with minimum two-factor authentication and secure passwords. This should include any sites that are integrated to feed to them.
Project 2020 forecasted that an outsourced corporate online reputation management was a new market that would emerge from the expanding array of social and online risks. Today, the market in online-reputation management is estimated to be worth nearly USD 5 Billion.
These are only 3 of the challenges for reputation risk practitioners and global brand protection managers on the ICSPA's list.
In a truly converged 2020, their extensive list of cyber-related activities to watch out for also includes: highly distributed denial of service attacks using Cloud processing, a move from device-based to Cloud-based botnets, hijacking distributed processing power, physical attacks against data centres and Internet exchanges, electronic attacks on critical infrastructure, including power supply, transport and data services, micro-criminality, including theft and fraudulent generation of micro payments, bio-hacks for multi-factor authentication components, criminal intelligence gathering, including exploitation of big and intelligent data and more...
Their extensive list certainly begs the question of who exactly will be empowered and have the capabilities to resource, investigate and combat such threats.
If you enjoyed reading this post check out "How to Survive a Hack" from the Cyber Breach Simulation held at the Thomson Reuters ASEAN Regulatory Summit. We will continue the discussion on cyber crime and data privacy at the Pan-Asian Regulatory Summit that is taking place on the 8th & 9th of November, 2016 at the Grand Hyatt in Hong Kong. For the full agenda and details on how to register, please visit the website.
I appreciate that you are reading my post. Here, and on LinkedIn, I write about board related issues - corporate strategy, human capital, reputation risk, technology and innovation, corporate governance and risk management trends.
If you learned something from reading this post, please click the thumbs up icon above and let me know. If you would like to read my regular posts then please click 'Follow' (at the top of the page). If we have met, do send me a LinkedIN invite. And, of course, feel free to also connect via Twitter.
If you are interested in more effective reputation risk management, improving corporate governance, using the Reputation Institute's RepTrak model to benchmark your company's reputation, or developing your digital, communications, responsible investment or sustainability strategies, do connect with us at RL Expert Group.
We just sent you an email. Please click the link in the email to confirm your subscription!