A Quick Guide to Anti-Corruption and Bribery

Bribery and corruption are significant risks that entrepreneurs and businesses may encounter anywhere in the world. Violators of anti-corruption laws and regulations face financial sanctions, crippling fines, and massive reputational damage. When a company is caught in corruption or bribery, the matter rarely ends in a quiet settlement; instead, its story becomes a cautionary tale for everyone else.

The United States has shown renewed commitment to enforcing the Foreign Corrupt Practices Act (FCPA). Although the Act has been on the books since 1977, enforcement only became a top priority more recently, notably after the SEC created its Office of Market Intelligence in 2010. This team is responsible for collecting, analyzing, and monitoring the tips, complaints, and referrals the SEC receives each year. With the new structure and resources, the ability to root out corruption expanded, and the number of anti-corruption actions brought by the Department of Justice and the SEC quadrupled over the course of a decade.

Besides the FCPA, companies in the United States must abide by the sanctions administered by OFAC, and they must also comply with the anti-corruption laws of the other countries in which they operate. An American company that operates in China may face charges if it does not comply with China’s regulations, so it is important to understand the laws of the destination country.

The United Kingdom’s Bribery Act 2010 is more or less the gold standard for the world, and its scope is considerably broader than the FCPA’s. It applies to any person, so private individuals, not just business entities, are subject to its offences, whereas the FCPA’s anti-bribery provisions are aimed at issuers, US companies and nationals, and those acting on their behalf. Furthermore, any corporate body that “carries on business” in the UK is subject to the Act’s corporate offence of failing to prevent bribery, whether or not it is formally registered in the UK. Another difference is that the FCPA prohibits only paying bribes, and only to foreign officials, whereas the UK Act also criminalises receiving them and covers bribery of private parties as well as public officials.

Reducing exposure to bribery and corruption starts with implementing and regularly updating anti-corruption policies. Most multinational corporations have these today, but a significant number of small and medium-sized enterprises (SMEs) do not. In 2015, a UK Government survey found that only 33% of UK SMEs had assessed their bribery and corruption risk; the rest were aware of the risks and of their potential liability, but had put no protective measures in place.

Good anti-corruption programs usually follow these guidelines:

  1. Prevent unethical conduct with clearly communicated standards of conduct and procedures.
  2. Assign accountability and provide oversight for the implementation of the program.
  3. Conduct due diligence so that individuals with a history of unethical conduct are not placed in positions of authority.
  4. Make sure every member of the organization knows what the compliance and ethics program is and what it requires of them.
  5. Regularly re-evaluate the program to make sure it is a) up to date and b) effective.
  6. Provide a way for people to report misconduct anonymously, which protects them from retaliation by the individuals they report.
  7. Enforce the program consistently and discipline violations. A program means nothing if there are no consequences for unethical behaviour.
  8. When misconduct has occurred, respond to it and assess it to prevent further problems, and, where it points to a systemic weakness, change operations so that it cannot recur.

With an effective program in place, organizations and individuals can protect themselves from exposure to bribery and corruption and avoid the fines, sanctions and reputational damage that follow from negligent or malicious behaviour.

This article was written by Kristina Weber, Content Supervisor of Centry. 


Be Proactive in Risk Management!

Part of running an organization efficiently is understanding and protecting its vital information, its ‘crown jewels.’ The crown jewels of an organization may be concrete information such as customer lists, billing records, bank account details, processes and trade secrets, or intangibles such as reputation and business relationships.

As royalty guards its crown jewels, so too must businesses. In 2017 alone, we have seen a great many data breaches that affected businesses worldwide.

So, how do we protect our assets?

Two words: Risk Management.

Take the Target data breach of 2013, in which customer payment card data was stolen from point-of-sale systems: the company learned an $18.5 million lesson (its 2017 settlement with US state attorneys general, on top of the breach’s other costs) in the importance of data security.

Now, you might say that that is data security and this is risk management. But by properly evaluating risk, a company can take steps to protect valuable information and have a response plan ready in case of disaster. Just as businesses have procedures for fires and natural disasters, so too should they prepare for information-security incidents.

Mitigating risk starts with identifying your ‘crown jewels’ and what could happen to them. This analysis needs to cover both the likelihood of a compromising event occurring and the severity of the impact if it does.

Multiplying likelihood by impact gives you a rough measure of risk. Once you have identified all the risks, you can score each one and decide how it should be managed.

Different methods of Risk Management can be easily kept in mind if you remember the 4 T’s: Treat, Terminate, Transfer, and Tolerate!

Treating a risk means adapting your process to reduce the impact or the likelihood of a risky event (or both); each such measure is called a “control”. For a retail example, suppose there is a risk that customers’ card details are captured by a skimmer secretly fitted to a point-of-sale terminal. Your company can reduce this risk by accepting chip (EMV) transactions only, rather than magnetic-stripe swipes. Additionally, you might institute a process in which terminals are physically inspected for skimmers at the start and end of every shift. The risk has not gone away entirely, since something may still slip past, but it is far less likely with these controls in place.

To terminate a risk, your company would have to change its process significantly enough to eliminate the possibility altogether, for instance by no longer collecting or storing the information at all.

Transferring a risk essentially means making it somebody else’s problem. The everyday example is insurance: you transfer the financial risk of damage to your home or car to an insurer by paying a premium. Note that insurance transfers the financial loss, not the reputational damage or your duty to protect the data.

Finally, you can simply tolerate the risk. If you have decided that you have done all you reasonably can to protect your crown jewels and minimize the risk to them, you can accept what remains and the gamble that comes with it. This should be a deliberate, documented decision made with a true understanding of the full situation, never a default, and for any risk of significance it is the last resort.
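To make the scoring and the 4 T’s concrete, here is a small risk register in Python, added here as a worked example (it is not code from the article or from Centry). It scores each risk as likelihood × impact on an assumed 1-to-5 scale, applies the treatment the risk owner chose (controls reduce an axis for Treat, insurance reduces impact for Transfer, Terminate removes the exposure, Tolerate leaves it as is) to get a residual score, ranks the register, and flags anything still above an assumed risk appetite. The sample risks, the effect assigned to each control and the appetite are constructed for illustration, not figures from the article.

```python
"""Toy risk register for 'likelihood x impact' scoring and the 4 T's.

Added worked example, not code from the article or from Centry. The 1-5
scales, the effect assigned to each control, the sample risks and the
risk appetite are illustrative assumptions."""
from dataclasses import dataclass, field

SCALE = range(1, 6)                 # assumed 1 (low) .. 5 (high) for both axes
TREATMENTS = ("Treat", "Terminate", "Transfer", "Tolerate")


@dataclass(frozen=True)
class Control:
    """A measure used to Treat (or, for insurance, Transfer) a risk. The
    reductions are the assumed number of points it takes off each axis."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    asset: str                      # the crown jewel at stake
    event: str                      # what could happen to it
    likelihood: int                 # inherent likelihood, 1-5
    impact: int                     # inherent impact, 1-5
    treatment: str = "Treat"        # one of the 4 T's, chosen by the risk owner
    controls: list = field(default_factory=list)

    def __post_init__(self):
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be on the 1-5 scale")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment {self.treatment!r}")

    @property
    def inherent_score(self) -> int:
        """Risk before any treatment: likelihood x impact."""
        return self.likelihood * self.impact

    def residual(self) -> tuple:
        """(likelihood, impact) after treatment. Terminate removes the
        exposure entirely; controls never push an axis below 1, because a
        control reduces a risk rather than eliminating it."""
        if self.treatment == "Terminate":
            return 0, 0
        like = self.likelihood - sum(c.likelihood_reduction for c in self.controls)
        imp = self.impact - sum(c.impact_reduction for c in self.controls)
        return max(like, 1), max(imp, 1)

    @property
    def residual_score(self) -> int:
        like, imp = self.residual()
        return like * imp


def rank(register):
    """Highest residual risk first, so the team works from the top."""
    return sorted(register, key=lambda r: r.residual_score, reverse=True)


def above_appetite(register, appetite):
    """Events whose residual score still exceeds the appetite. A Tolerate
    decision on one of these is a default, not a defensible acceptance."""
    return [r.event for r in rank(register) if r.residual_score > appetite]


def sample_register():
    """Constructed retail examples, starting from the article's skimmer case."""
    chip_only = Control("Chip (EMV) transactions only, no swipe", likelihood_reduction=2)
    shift_check = Control("Skimmer inspection at start and end of shift", likelihood_reduction=1)
    fde = Control("Full-disk encryption on laptops", impact_reduction=3)
    insurance = Control("Cyber insurance covering breach costs", impact_reduction=2)
    return [
        Risk("Customer card data", "Skimmer fitted to a POS terminal", 4, 5,
             "Treat", [chip_only, shift_check]),
        Risk("Customer list", "Laptop holding the customer list is stolen", 3, 4,
             "Treat", [fde]),
        Risk("Customer card data", "Card numbers kept in a shared spreadsheet", 3, 5,
             "Terminate"),              # stop storing them at all
        Risk("Billing records", "Ransomware on the billing server", 2, 5,
             "Transfer", [insurance]),
        Risk("Reputation", "Negative review goes viral", 3, 2,
             "Tolerate"),
    ]


if __name__ == "__main__":
    register = sample_register()
    print("resid  inher  treatment  event")
    for r in rank(register):
        print(f"{r.residual_score:>5}  {r.inherent_score:>5}  {r.treatment:<9}  {r.event}")
    print("Still above appetite of 5:", above_appetite(register, appetite=5))
```

The point of carrying both scores is that the register shows what each T actually bought: the skimmer risk drops from 20 to 5 through two Treat controls, the spreadsheet exposure goes to 0 only because the activity was terminated, and the tolerated and transferred risks sit at 6, so with an appetite of 5 they are flagged and the owner has to either add a control or record why accepting them is defensible.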

That said, your company does not have to invent its own process for risk management. Several formal frameworks in common use can help you create a plan for this kind of issue:

  1. NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments (US Government)
  2. NIST SP 800-39, Managing Information Security Risk (US Government)
  3. OCTAVE, Operationally Critical Threat, Asset, and Vulnerability Evaluation (Carnegie Mellon University’s Software Engineering Institute)

Remember that your business is only as secure as the steps you take to protect it!

For more content like this, follow @CentryCyber and @CentryLtd on Twitter.

This article was written by Kristina Weber and Dave Ehman of Centry Global.


Hook, Line, and Sinker: Phishing on Social Media

As social media has diversified in the content it offers and the ways it can be consumed, scammers have adapted their methods to target people across the various platforms.

Phishing encompasses any fraudulent communication, whether by email, social media or another channel, whose goal is to trick the recipient into handing over sensitive information such as passwords, credit card numbers, or social security numbers.

Maintaining personal security in the face of these threats requires people to be mindful of whom they interact with online and to recognize a phishing attempt when they see one. To help our readers with this, we have outlined common schemes that take place on social media so that you can recognize them.

The “Check Out My Blog” Bot on Tumblr

On Tumblr, you may receive messages from someone you don’t follow asking you to take a look at their blog, website, game, etc. Usually this is not a real person but a fake profile generated by a bot that sends out mass messages to lure people into phishing schemes, drive traffic to a page, or otherwise make money. Sometimes these fake profiles look somewhat well put together, with a profile picture, a handful of posts, and a name that almost seems real.

Figure 1. Phishing in direct messages on Tumblr

Most of the time you can tell these bots from real people simply on the basis of normal social cues. It is extremely unlikely that a real person would message a stranger out of the blue asking them to look at their blog; follower ties on Tumblr usually form through mutual followers or shared content.

The “Duplicated Friend” on Facebook

The Duplicated Friend attempt is when an attacker or bot creates a fake profile using the identity of someone already connected to you. The fake then sends you a friend request, hoping you will accept because it presents as a trusted individual. Since most people’s settings let Facebook friends see a lot of personal detail (birthday, sometimes phone number, and so on), accepting the duplicate’s request hands that information to the attacker.

A quick message to the real person whose identity has been copied, sent through a channel you already trust rather than to the new profile, will confirm whether the request is genuine. The best way to prevent these scams is to go into your Facebook privacy settings and restrict who can send you friend requests (for example, to friends of friends). Beyond that, it is up to you to be mindful about whom you add as a friend.

The “I Just Won a Lottery!” Scam on Instagram

Figure 2. Examples of fake profiles on Instagram. Photo credit: Softpedia

These scams use fake profiles that impersonate lottery winners. Usually the profile has some personal detail, such as a username that sounds like a real name, a profile picture, and a description. The goal is to trick people into providing their email address or other personal information in order to benefit from a “giveaway.” Sometimes this includes a post asking people to click a link and donate 99 cents (supposedly to cover postage), which exposes their credit card details to the scammer. Softpedia makes a good point: even if only 10% of the followers of a 111k-follower account donate, the scammer still nets more than $10,000.

The “Check Out This Link” on Twitter

Figure 3. Example of phishing via DMs on Twitter. Photo credit: ZDNet

In this scam a bot or fraudster targets a Twitter user through direct messages. Using a hijacked account, they send DMs containing links to fake login pages that capture the victim’s credentials. The effect cascades: once the scammer compromises one account, they use it to target that user’s contacts, and each wave of fake links compromises more accounts to send the next.

Common Themes Between All Platforms

The listed scams have two things in common across all platforms: a) they send or advertise suspicious links, and b) they arrive as unsolicited friend requests or messages. The easiest way to protect yourself is to keep the security settings on your social media profiles up to date, avoid clicking unsolicited links (and never enter your password on a page you reached from one), and report phishing activity when you see it.

This article was written by Kristina Weber, Content Supervisor at Centry Global.


4 Ways to Secure Your Email

Continuing our smart internet use series, this article offers some pointers for keeping your email secure. It comes as the Intercept article detailing how Russian attackers used phishing emails to break into an American election software company circulates across news platforms.

Our Centry CTO, Dave Ehman, offers some insight into best practices for protecting yourself over email:

1. Password Security

Use a strong password that only you know. As we said in our Smart Social Media post, a good password has both length and complexity and avoids dictionary words and sequential letters or numbers; a long passphrase kept in a password manager meets both requirements with far less effort.

Never reuse a password that you use on other websites. Reuse removes a security barrier between you and an attacker: it takes only one of those websites being breached for the attacker to try the same password against your email, and it will work. From there, they can use the “send password reset to my email” option on your other accounts and take those over as well.

2. Enable Two-Factor Authentication

Use two-factor authentication (2FA) for your email sign-in. Most email systems and websites, including Google, offer 2FA, and you can enable it for social media services such as Facebook, LinkedIn, Twitter and Instagram as well. All you have to do is turn it on in your account settings; where you have the choice, prefer an authenticator app or a hardware security key over codes sent by SMS. It may seem inconvenient to set up, but in the long run protecting yourself is worth it, especially where money or sensitive information is at stake.

3. Disable Automated Messages

Do not send automated “out of office” replies to senders outside your organization. An auto-reply confirms to a spammer that the address is live and read, and it tells an attacker that you are away, for how long, and often whom to contact instead, which is ideal raw material for a targeted spear-phishing message to your colleagues. If you must use one, restrict it to internal senders and keep the detail to a minimum.

4. Be Mindful of Email Content

Finally, never write anything in an email that you are not prepared to be held fully accountable for. If you would not want it read back to you in a deposition or in open court, don’t write it: email is not private.

Ultimately, what you get out of cyber security is what you put into it. Attackers depend on people being lax about protecting themselves; it makes their job that much easier. If you put in the effort to secure your information online, you help deter attacks not only on yourself but on your organization. As the Intercept article shows, all it takes is for a few unsuspecting people to click on a link for their entire organization to be compromised, with effects that ripple out across the nation and the world.

For more news and tips on managing your security online, follow @CentryCyber on Twitter!

This article was written by Kristina Weber, Content Supervisor of Centry and Dave Ehman, CTO of Centry.