Corruption and Cybercrimes: Bribery, Fraud, Extortion Considerations
Shermin Kruse
It is imperative for cross-border and global businesspeople to understand bribery, fraud, extortion laws, and related red flags. This applies to private transactions as well as public deals. For example: in private transactions, United States laws such as the Foreign Corrupt Practices Act can pose pre-closing due diligence disclosure issues or post-closing compliance obstacles for non-United States entities in many regions—particularly outside of the EU. Another example is a foreign target’s historical business activities that do not comply with United States export and sanctions laws. In cross-border public deals, compliance regulations also play a key role, and it is important to be aware of Securities and Exchange Commission rules, the Sarbanes-Oxley Act, and stock exchange requirements during the deal. Before a deal can close, it must be ensured that the non-United States target is able to comply with all these standards.
For example, in order to satisfy listing requirements in the United States, or even to secure the protection of the Business Judgment Rule, the international entity must comply with rules relating to director independence, internal control reports, and loans to officers and directors. The chapter begins with a review of corporate fiduciary duties, summarizes the requirements for anti-money laundering and anti-terrorist financing compliance, sets forth the key aspects of the Foreign Corrupt Practices Act, and lays out the legal, ethical, and business basics of corruption and cybercrimes, including bribery and extortion.
Fiduciary Duties
A fiduciary duty is a type of obligation and legal doctrine applied to individuals who act on behalf of and in the best interests of another person or entity. In summary, it is an obligation of trust from the person acting on behalf of another (aka “fiduciary”) to the one for whom they are acting. Typically, a fiduciary duty simply translates into an obligation to act with the care of a reasonable person, in good faith and with the belief that the fiduciary’s decisions are in the best interests of the entity and its shareholders.
A fiduciary is a person who has either a legal or ethical relationship of trust to someone else. Owing fiduciary duties means conducting oneself in a manner that benefits the entity and not oneself.
The fiduciary responsibility requires officers and directors to make good-faith decisions that put the best interests of the institution in alignment with its charitable or public mission. This must be kept independent from undue influence by any person or any other financial interest. So, in this way, one of the most important fiduciary duties is the obligation to act for the beneficiary’s benefit rather than out of self-interest. Note that, in a partnership, the owners (partners) carry the bulk of this duty. In addition, fiduciaries owe duties to the organization, but in many cases they also owe duties to each other.
Remember, however, the Business Judgment Rule. There are always risks involved on the path to success. Calculating the risk to turn a profit is what maintaining a profitable business is all about. Some of the calculated risks may not turn out as they were intended. The business judgment rule is a presumption that directors and corporate officers make their decisions in good faith and honestly believe their actions are in the corporation’s and shareholders’ best interests.
If a corporate officer or director is accused of violating at least one fiduciary duty, the plaintiff must prove that the respondent was self-dealing, disloyal, or grossly negligent under the business judgment rule. Without the business judgment rule in place to protect corporations and their directors and corporate officers, it may be difficult to fill executive positions because the executive staff could be blamed for everything that ever goes wrong with the company.
Anti-Money Laundering/Anti-Terrorist Financing (AML/ATF) Compliance
The global anti-money laundering landscape is diverse, and institutions must keep pace with developing rules and regulations to meet their obligations. Wherever business is done, achieving AML compliance requires dealing with financial regulators and understanding legislation imposed at a national and international level.
Money laundering is typically defined as “the concealment of the origins of illegally obtained money, typically by means of transfers involving foreign banks or legitimate businesses.” Money laundering, therefore, is the illegal process of making large amounts of money generated by criminal activity, such as drug trafficking or terrorist funding, appear to have come from a legitimate source, such as car wash or restaurant revenues. The money from criminal activity is considered dirty, and the process “launders” it to make it look clean. Most of this happens through financial institutions.
The processes by which money is laundered vary extensively.
For instance, a weapons trafficker might buy a car wash and mix the profits from the illegal enterprise with the legitimate profits of the car wash. Thus, the profits of the illegal weapons sales are “laundered” through the car wash to make the income appear as though it was lawfully earned. Without money laundering, criminal conduct is easily discovered once the proceeds enter the legal financial system, for example, by being deposited into a bank.
Traditionally, money laundering is a three-stage process: Placement, Layering, and Integration.
Placement
Placement is the stage of money laundering where illegally derived funds enter the financial system, thus removing the funds from direct association with the crime. This stage represents the initial entry of the money proceeds of the criminal activity into the financial system. By putting the money into the system, the criminals are relieved of holding large amounts of the cash they obtained through their criminal activity, and they are also inserting that money into the legitimate financial system. This is actually the stage where most money laundering is vulnerable to being discovered by the authorities because the criminals are placing large amounts of cash into the legitimate financial system, which could trigger all kinds of alarms.
Layering
Layering is the substantive stage of the process where the money is ‘washed’ and its ownership and source are disguised, obscuring the trail to throw off any pursuit. Also sometimes called “structuring,” this stage is the most complicated stage of money laundering. The goal here is to separate the money from its source by moving it around domestically or internationally while hiding the trail.
Integration
Integration is the final stage of money laundering. Here, the ‘laundered’ property re-enters the legitimate economy as if from legitimate sources, making it available to the criminal to spend or invest in legal markets. In other words, criminals want not just to “clean” but also to spend and invest their illicitly earned money. This is the stage for that. The money is fully integrated into the legitimate financial system and returned to the criminals from an apparently legitimate source.
While money laundering is often described in these three oversimplified stages, the stages frequently overlap. In some cases, such as certain financial crimes, there is no placement requirement for the act to still constitute money laundering under the law.
What entities are at risk?
Who needs to worry about money laundering? Obviously, the financial services industries. The nature of the services and products offered by the financial services industry (namely managing, controlling, and possessing money and property belonging to others) means that it is especially vulnerable to abuse by money launderers. But what if an entity is engaged in a business that is not a financial institution (such as a bank, an investment bank, or even a currency exchange)? What if the entity is just a small business? What money laundering and terrorism financing risks do these entities face? Any at all?
Yes. Remember the example above of a trafficker who buys a restaurant or car wash to disguise illegal profits? What if the target entity (or its executives) is approached to be a partner in that restaurant, or that restaurant ends up investing in a small business (the target), with terms that seem almost too good to pass up?
In April 2020, numerous laundering scams popped up in a variety of settings and contexts. Among the most despicable was a Covid relief and cure fundraising scam. The so-called fraudulent “fundraising” company hired individuals and contracted with partner organizations to collect the “donations” that were coming in and transfer them to Bitcoin (the individuals and third-party organizations were told they could keep a portion of the donations, like a commission). Most likely, these donations were stolen from various bank accounts, and those intermediaries accepting them and then re-routing them were helping criminals launder the money into cryptocurrency.
It can be a lot simpler than this as well. Perhaps someone just places a large deposit on an order, then cancels the order. Now the refund is being given in clean dollars. It seems legitimate, but if it was not, the seller of the product who took the deposit and gave the refund has now cleaned a criminal’s illegally gotten gains for them.
Another common money laundering scam is done through online auction sites. The criminal lists an item, and then a fellow criminal overpays for it, which defeats all competitive bids; the seller then receives the money. The entire transaction is phony, and the auction site has been drawn into the scheme.
There are some businesses that can be especially vulnerable to these types of schemes because they do not generate a lot of paperwork: art galleries, for instance, casinos, or restaurants. Car washes! Yes, Breaking Bad, the TV series, offered a classic example of how a car wash can be used to launder money. And, pun intended, laundromats are very frequently used to launder money. Small businesses are often at risk for money laundering scams precisely because they do not consider themselves vulnerable and do not have policies in place to protect themselves.
So how can businesses protect themselves from a potential money laundering scheme? Here are some tools to make use of:
First – due diligence!
Entities should ask a lot of questions when approached with a business proposition. Ask specifically about the amount of money involved. Ask who the other investors are. They should not accept vague answers but demand detailed answers. They should always conduct background checks to make sure the entity is registered with the appropriate state entity, a due diligence task easily accomplished online.
Using common sense is often helpful as well. If something seems too good to be true, it usually is. This does not mean an entity is required to pass up great opportunities. It simply means to invest in a business, it is essential to conduct due diligence and investigative work, such as reviewing financial statements and making sure the source of income is clear.
Second – entities should learn what money laundering is and keep abreast of recent scams and tactics.
Criminals can be quite clever and innovative. They keep producing new techniques. Keep up to date with the scams that are out there right now.
Third, entities should establish a formal anti-money laundering policy and implement technology tools to prevent money laundering.
It may seem as though this is overkill, but it is not. Even a very small business can have a formal policy, including instructions on how to avoid scams. Not only can this help protect a business from getting caught up in the laundering, but if a business is scammed, a formal policy can save the entity from prosecution.
It is worth noting that in the modern world, it is easier to engage in money laundering because of cybercash, e-banking, and anonymous wire transfer options. In addition, these transactions take place at such a high volume that it is often hard for the regulators to keep up. By staying vigilant, small and midsize businesses do their part to help curb this crime.
The Foreign Corrupt Practices Act
The Foreign Corrupt Practices Act (FCPA) is a 1977 law that Congress passed to punish bribery intended to influence the decisions of foreign officials. It is punishable by criminal and civil penalties that can be applied against both companies and individuals. Compliance for a non-United States entity can be challenging during the deal-making and due diligence process, as well as during post-closing integration, in both public and private transactions.
Criminal penalties for violations of the anti-bribery provisions of the FCPA include fines of up to $2,000,000 for corporations and other business entities and up to $100,000 for officers, directors, stockholders, employees, and agents of such entities. Individuals held criminally liable can be subject to imprisonment for up to five years. The statutory fines can be significantly increased under the Alternative Fines Act, up to twice the benefit that the defendant sought to obtain by making the corrupt payment. In addition, fines imposed on individuals may not be paid by their employer or principal.
The FCPA: An Overview
The Foreign Corrupt Practices Act of 1977, as amended, 15 U.S.C. §§ 78dd-1, et seq. (“FCPA”), was enacted for the purpose of making it unlawful for certain classes of persons and entities to make payments to foreign government officials to assist in obtaining or retaining business. Specifically, the anti-bribery provisions of the FCPA prohibit the willful use of the mail or any means or instrumentality of interstate commerce corruptly in furtherance of any offer, payment, promise to pay, or authorization of the payment of money or anything of value to any person, while knowing that all or a portion of such money or thing of value will be offered, given, or promised, directly or indirectly, to a foreign official to influence the foreign official in his or her official capacity, induce the foreign official to do or omit to do an act in violation of his or her lawful duty, or to secure any improper advantage in order to assist in obtaining or retaining business for or with, or directing business to, any person.
Since 1977, the anti-bribery provisions of the FCPA have applied to all United States persons and certain foreign issuers of securities. With the enactment of certain amendments in 1998, the anti-bribery provisions of the FCPA now also apply to foreign firms and persons who cause, directly or through agents, an act in furtherance of such a corrupt payment to take place within the territory of the United States.
The FCPA also requires companies whose securities are listed in the United States to meet its accounting provisions. See 15 U.S.C. § 78m. These accounting provisions, which were designed to operate in tandem with the anti-bribery provisions of the FCPA, require corporations covered by the provisions to (a) make and keep books and records that accurately and fairly reflect the transactions of the corporation and (b) devise and maintain an adequate system of internal accounting controls.
Corruption in international business is common and frequently ignored.
Many ethical executives believe they are employed with a clean, ethical organization, and therefore ignore potential corruption pitfalls. The ins and outs of the FCPA and its requirements are significant to every person and entity engaged in business internationally. In order to avoid falling prey to violations, businesses should maintain vigilance. Certainly, corrupt activity also exists in the United States, but businesses are more likely to have difficulty spotting and stopping it in foreign nations, if for no other reason than that it is more difficult to understand what is going on in foreign countries, because of the different language, cultural, and political context.
Note that investigation, prosecution, and punishment under the FCPA are not rare; actually, they are quite commonplace. This is a sharp departure from what was happening in this area even just ten years ago, when prosecutions were rare. In today’s world, cases are far more common and tend to be split half against the companies and half against the individual managers and employees themselves. The Department of Justice, the Securities and Exchange Commission, and the Federal Bureau of Investigation all have well-staffed units dedicated to FCPA investigations.
Understanding a company’s risk of being involved in international bribery
The best way for an entity to understand its risks is to evaluate each element of the FCPA.
The First Element: “Make a Payment of … directly or indirectly”
The first element of the FCPA is to “make a payment of, offer or promise to pay, or authorize a payment of money or anything of value, directly or indirectly.”
The FCPA makes illegal a “payment of, offer or promise to pay … anything of value.” Note that those last three words, “anything of value,” reach far beyond just cash. The phrase has been construed to include, among other things, discounts; gifts; use of materials, facilities, or equipment; training and education; entertainment; meals and drinks; transportation; lodging; insurance benefits; promises of future employment; and forgiveness (or cancellation) of debt.
There are definitely circumstances during which companies can cover reasonable and bona fide expenditures of foreign officials, such as travel, lodging, and entertainment — but they have to be directly related to the promotion, demonstration, or explanation of the company’s products or services, or to the negotiation, execution, or performance of a contract. On the other hand, political contributions will always be extremely high risk.
Besides that, there is no de minimis threshold. That means there is no violation too small. Rather, the perception of the recipient and the subjective valuation of the thing conveyed is often a key factor in determining whether “anything of value” has been given to a foreign official. For example, if the corporate entity has a preferred or discounted arrangement with a luxury or first-class hotel, the determining factor is not the actual cost to the company for the hotel room, but rather the value of the room to the person who received it: the foreign official’s perception of that hotel room and its subjective value (which will be higher than the actual cost).
Turn to the “directly or indirectly” language. This is vitally important. Many people assume that as long as they are not the ones bribing government officials, and as long as an agent or someone on the ground they work with is the one who does it, they are in the clear. The reality is that, under the FCPA, a company and its executives are equally guilty of a violation whether it was the entity’s own executive or an agent, including a foreign resident living in a different country, who engaged in the wrongful conduct. As long as the agent is working with the company or for it in some capacity and has engaged in illegal activity, the company and its executives are responsible.
The Second Element: “Any foreign official …”
What constitutes a public official for purposes of the FCPA?
The FCPA’s definition of “Government Official” is extremely broad, including low-level employees of government-owned businesses. It includes all employees of non-United States national, state, provincial, and local governments and all their departments and agencies, from high-level officials to low-level employees. But the term also covers employees of state-owned or state-controlled entities (SOEs), that is, employees of companies and organizations that may not explicitly be a part of the government but that are owned or controlled by the government. Examples of SOE employees who were deemed to be “foreign officials” in recent enforcement actions include pharmacists, doctors, administrators at public hospitals, and university officials, as well as employees of telecommunications companies, electric utilities, and state-supported oil firms.
It is important to understand every way a business has contact with these individuals. Consider:
- What kind of business does the company do outside the US?
- Does the business conduct foreign business through its own employees, through agents, distributors and intermediaries, through joint ventures, or all of the above?
- Does the business need to get permits or qualify products for sale in foreign countries? Obtaining permits can involve working with government officials.
- Does the business ship through freight forwarders and use customs agents? Customs agents are government officials.
- Does the business deal with universities, use professors in an advisory capacity, or deal with doctors or hospitals? In many countries, education and healthcare are government-run and all employees, including doctors and professors, are government officials under the FCPA.
- Is the business involved in litigation? In some countries, lawyers routinely bribe court officials and judges.
The Final Three Elements: “corrupt intent” to influence “official acts” in order to “assist in obtaining or retaining business.”
“Corrupt intent” and influencing “official acts” are easy to understand, but “assist in obtaining or retaining business” requires further discussion.
Similar to the other FCPA elements, “obtain or retain business” is interpreted broadly, and includes payments related to the renewal of contracts, the execution or performance of contracts, the retention of existing business, and the ability to continue operating. Recent examples from FCPA enforcement actions include winning a contract, influencing the procurement process, circumventing import rules, gaining access to non-public bid tenders, evading or minimizing taxes or penalties, influencing enforcement actions or litigation, obtaining exceptions to regulations, and avoiding contract termination.
This is significant to understand because prosecutions under the FCPA have become quite commonplace. While businesses are not expected to become experts in FCPA practice, they can generally make themselves aware of the issues that are of concern to them, then hire outside firms to do risk assessment and control.
What are simple things companies can do to protect themselves against FCPA violations? How much control do companies really even have over independent agents in other countries? Here are 7 steps entities can take to protect themselves.
Policies.
Companies require a standalone international anti-corruption compliance policy and an executive who is accountable for the “tone at the top.”
Yes, enacting a policy can really help protect companies against liability if someone who works for or with them violates that policy. Companies should not rely on a few paragraphs. Instead, they should really enact a compliance policy. In addition, to make sure it is taken seriously, designate a member of the senior management team for FCPA compliance. While it does consume some financial resources to operate in this manner, this is the cost of doing business.
Training
Companies should train their board, management, employees and third parties who distribute their products. At a minimum, they should train the board, managers, and employees. Most of them may have no experience with “on-the-ground” international business or may be out of date with FCPA compliance. Even online training is better than no training. Something more robust, however, is often recommended. Remember the significance of training third parties who facilitate the company’s international distribution – they in fact present a higher FCPA risk.
Due Diligence
The third strategy companies can implement to protect themselves against FCPA violations is to know all the third parties a company uses in business outside the United States and conduct due diligence.
As previously outlined, third parties who work and/or contract with an entity create vulnerabilities. In FCPA language, an “intermediary” is an external third party who assists the company in some aspect of its foreign business. The government assumes the entity has conducted reasonable due diligence background investigations on its intermediaries and has determined they are not involved in corruption.
To repeat: intermediaries do not shield a company from liability – they create liability. In fact, 90% of FCPA cases brought by the United States government involve conduct by third parties.
Internal Controls
Establishing a set of internal controls over company expenditures and assets will help protect the company against FCPA violations and prosecutions.
Many United States businesses are scarcely familiar with the FCPA, and their existing processes are not tuned to FCPA issues. It is incumbent upon the business leaders to ensure their organization’s leadership understands the FCPA and compliance with the FCPA.
In doing so, it is worth reiterating that there is no concept of materiality in the FCPA. Any violation can result in extreme penalties. Companies have been prosecuted for very small bribes and for inaccurate books and records, or failures to set up systems of controls – which arguably have no monetary value. Remember that the FCPA is a criminal statute. Criminal activity by employees that impacts a company should always be seen as material.
No Facilitating Payments
Amazingly, the FCPA contains an exception for “facilitating payments” (i.e., grease payments), small bribes to secure the performance of routine government action. Some companies rely on this provision to excuse what would otherwise appear to be FCPA violations.
First, facilitating payments are actually bribes and are always illegal in the country where employees pay them. So even if an entity is not violating the FCPA here in the United States, it is likely violating the laws of the other country it is operating in.
Second, the definition of a facilitating payment under the FCPA is technical. Therefore, delegating the payment does not negate the violation.
Third, facilitating payments are transactions that have to be recorded accurately in the company’s books. That record is written proof the company intentionally violated the law of the country where the payment was made. Not recording it would also be a violation!
Last and most importantly, the facilitating payment exception has never been used successfully in a reported case.
Therefore, entities should not rely on that exception.
Internal Investigations
What is the next thing businesses can do to protect themselves against FCPA violations? Plan for the likelihood of high-quality international internal investigations.
Most small to midsize companies have very little experience conducting international internal investigations. In addition, it is most likely a business’s own employees and business associates would be involved if a violation occurred.
Therefore, the best thing to do is to have experienced outside counsel lined up to conduct this work. They will be independent and competent. It will cost money, but it will cost the company a lot less than a prosecuted FCPA violation.
Contract FCPA Terms
Last but not least, the seventh tip for protecting a company against FCPA violations is to include clear FCPA terms in every international contract.
This is a very inexpensive way to reinforce the company’s message to employees and all contractors as well. Entities should make sure to have a clearly worded audit clause that requires the partner to provide documents and assistance in an investigation. In addition, they should ensure the clause includes the ability to terminate the contract if the partner is in violation.
Corruption and Cybercrime
Basic issues pertaining to corruption and cybercrime will be essential to operating a business in today’s global climate. We will spend some time discussing bribery and extortion, as well as cybersecurity.
Bribery versus Extortion
There are federal laws and international treaties that render corruption-related activity illegal.
The legal distinction between bribery and extortion is not straightforward; it varies between jurisdictions, the concepts overlap, and a person can be guilty of both in many instances. Both crimes involve the exchange of money, property, or services, but the manner in which the exchange occurs and the parties involved vary depending on the nature of the crime.
In extortion, the extorter is threatening to perform a certain action that will harm the extorted party unless the extorted party gives the extorter whatever is requested. Bribery, in contrast, involves the bribed party doing something in favor of the bribing party, in exchange for the bribe.
Thus, bribery involves an illegal benefit given or received to influence official action, resulting in better-than-fair treatment. Both the person giving and the person receiving are equally guilty of bribery. On the other hand, coercive extortion is seeking or receiving a corrupt benefit paid under a threat to give the extorted party (the victim payor) less than fair treatment.
Figure: Characteristics of Bribery and Extortion
The line between bribery and extortion is rather blurred when a public official expects a bribe for an action they are paid to carry out. Surveys in different countries have found that businesses and citizens often feel as if they have little choice but to pay what is asked (UNODC, 2013; UNODC, 2017). This situation makes it difficult to assess the true voluntariness of the exchange.
It also presents significant challenges to our compliance obligations as they pertain to the Foreign Corrupt Practices Act.
Cybercrime
An introduction to a discussion about cybercrime is best divided into three categories:
Assets.
Vulnerabilities.
Threats.
Assets.
Cybersecurity measures are implemented to protect assets, which are defined as anything of value or significance. Thus, assets can include people (such as employees), property (bank accounts and the cash inside of them), information (data – for most organizations this is the most valuable asset), systems (corporate processes and computer software), and equipment (such as computers or other digital devices).
Vulnerabilities.
These assets have vulnerabilities – some of those vulnerabilities are intrinsic to the assets themselves (for example, when it comes to technology and information or data, intrinsic vulnerabilities exist within the system design itself, its security settings, or its hardware and software, etc.). A good example of an intrinsic vulnerability is a software virus.
Indeed, cyber-attacks cost as much as $385 billion a year, if we include the time lost by companies trying to recover from the attacks. And it is not just massive multinational enterprises that are vulnerable. Actually, about 28% of the breach victims are smaller organizations, that is, companies with fewer than 500 employees. These companies spend on average $7.8 million per cyber incident. This varies depending on the size of the organization and the scope of the attack, but that is the average per incident. About 48% of businesses of this size lack any type of cybersecurity defense plan, which explains why so many of them are victims.
Other vulnerabilities are extrinsic to the assets, such as, say, the user of the information technology. Intrinsic and extrinsic properties make assets vulnerable to threats, the third item in our introduction.
Threats.
What is a threat? Well, a cyber threat is anything that could potentially cause an adverse cyber-related effect.
These threats can cause both intentional and unintentional harm. For instance, the hardware of a digital device can malfunction accidentally or be purposely damaged as a result of someone exploiting its vulnerabilities.
The Computer Fraud and Abuse Act
The Computer Fraud and Abuse Act (CFAA) is a civil and criminal cyber security law that outlaws victimizing computer systems. It protects federal computers, bank computers, and computers connected to the Internet, shielding them from various threats, espionage, trespassing, and being used as instruments of fraud.
18 United States Code § 1030 – Fraud and related activity in connection with computers
(a) Whoever—
(1) having knowingly accessed a computer without authorization or exceeding authorized access and by means of such conduct having obtained information that has been determined by the United States Government pursuant to Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—
(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United States; or
(C) information from any protected computer;
(3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;
(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;
(5) (A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.
(6) knowingly and with intent to defraud traffic (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if—
(A) such trafficking affects interstate or foreign commerce; or
(B) such computer is used by or for the Government of the United States;
(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any—
(A) threat to cause damage to a protected computer;
(B) threat to obtain information from a protected computer without authorization or in excess of authorization or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or
(C) demand or request for money or other things of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion.
shall be punished as provided in subsection (c) of this section.
(b) Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided in subsection (c) of this section.
(c) The punishment for an offense under subsection (a) or (b) of this section is—
(1) (A) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(1) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and
(B) a fine under this title or imprisonment for not more than twenty years, or both, in the case of an offense under subsection (a)(1) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(2) (A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than one year, or both, in the case of an offense under subsection (a)(2), (a)(3), or (a)(6) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(B) a fine under this title or imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(2), or an attempt to commit an offense punishable under this subparagraph, if—
(i) the offense was committed for purposes of commercial advantage or private financial gain;
(ii) the offense was committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State; or
(iii) the value of the information obtained exceeds $5,000; and
(C) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(2), (a)(3) or (a)(6) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(3) (A) a fine under this title or imprisonment for not more than five years, or both, in the case of an offense under subsection (a)(4) or (a)(7) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and
(B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(4), or (a)(7) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(4) (A) except as provided in subparagraphs (E) and (F), a fine under this title, imprisonment for not more than 5 years, or both, in the case of—
(i) an offense under subsection (a)(5)(B), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused)—
(I) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers), aggregating at least $5,000 in value;
(II) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(III) physical injury to any person;
(IV) a threat to public health or safety;
(V) damage affecting a computer used by or for an entity of the United States Government in furtherance of the administration of justice, national defense, or national security; or
(VI) damage affecting 10 or more protected computers during any 1-year period; or
(ii) an attempt to commit an offense punishable under this subparagraph;
(B) except as provided in subparagraphs (E) and (F), a fine under this title, imprisonment for not more than 10 years, or both, in the case of—
(i) an offense under subsection (a)(5)(A), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused) a harm provided in subclauses (I) through (VI) of subparagraph (A)(i); or
(ii) an attempt to commit an offense punishable under this subparagraph;
(C) except as provided in subparagraphs (E) and (F), a fine under this title, imprisonment for not more than 20 years, or both, in the case of—
(i) an offense or an attempt to commit an offense under subparagraphs (A) or (B) of subsection (a)(5) that occurs after a conviction for another offense under this section; or
(ii) an attempt to commit an offense punishable under this subparagraph;
(D) a fine under this title, imprisonment for not more than 10 years, or both, in the case of—
(i) an offense or an attempt to commit an offense under subsection (a)(5)(C) that occurs after a conviction for another offense under this section; or
(ii) an attempt to commit an offense punishable under this subparagraph;
(E) if the offender attempts to cause or knowingly or recklessly causes serious bodily injury from conduct in violation of subsection (a)(5)(A), a fine under this title, imprisonment for not more than 20 years, or both;
(F) if the offender attempts to cause or knowingly or recklessly causes death from conduct in violation of subsection (a)(5)(A), a fine under this title, imprisonment for any term of years or for life, or both; or
(G) a fine under this title, imprisonment for not more than 1 year, or both, for—
(i) any other offense under subsection (a)(5); or
(ii) an attempt to commit an offense punishable under this subparagraph.
(d) (1) The United States Secret Service shall, in addition to any other agency having such authority, have the authority to investigate offenses under this section.
(2) The Federal Bureau of Investigation shall have primary authority to investigate offenses under subsection (a)(1) for any cases involving espionage, foreign counterintelligence, information protected against unauthorized disclosure for reasons of national defense or foreign relations, or Restricted Data (as that term is defined in section 11y of the Atomic Energy Act of 1954 (42 U.S.C. 2014(y)), except for offenses affecting the duties of the United States Secret Service pursuant to section 3056(a) of this title.
(3) Such authority shall be exercised in accordance with an agreement which shall be entered into by the Secretary of the Treasury and the Attorney General.
(e) As used in this section—
(1) the term “computer” means an electronic, magnetic, optical, electrochemical, or other high-speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable handheld calculator, or other similar devices;
(2) the term “protected computer” means a computer—
(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government;
(B) which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States; or
(C) that—
(i) is part of a voting system; and
(ii) (I) is used for the management, support, or administration of a Federal election; or
(II) has moved in or otherwise affects interstate or foreign commerce;
(3) the term “State” includes the District of Columbia, the Commonwealth of Puerto Rico, and any other commonwealth, possession, or territory of the United States;
(4) the term “financial institution” means—
(A) an institution, with deposits insured by the Federal Deposit Insurance Corporation;
(B) the Federal Reserve or a member of the Federal Reserve including any Federal Reserve Bank;
(C) a credit union with accounts insured by the National Credit Union Administration;
(D) a member of the Federal home loan bank system and any home loan bank;
(E) any institution of the Farm Credit System under the Farm Credit Act of 1971;
(F) a broker-dealer registered with the Securities and Exchange Commission pursuant to section 15 of the Securities Exchange Act of 1934;
(G) the Securities Investor Protection Corporation;
(H) a branch or agency of a foreign bank (as such terms are defined in paragraphs (1) and (3) of section 1(b) of the International Banking Act of 1978); and
(I) an organization operating under section 25 or section 25(a) of the Federal Reserve Act;
(5) the term “financial record” means information derived from any record held by a financial institution pertaining to a customer’s relationship with the financial institution;
(6) the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter;
(7) the term “department of the United States” means the legislative or judicial branch of the Government or one of the executive departments enumerated in section 101 of title 5;
(8) the term “damage” means any impairment to the integrity or availability of data, a program, a system, or information;
(9) the term “government entity” includes the Government of the United States, any State or political subdivision of the United States, any foreign country, and any state, province, municipality, or other political subdivision of a foreign country;
(10) the term “conviction” shall include a conviction under the law of any State for a crime punishable by imprisonment for more than 1 year, an element of which is unauthorized access, or exceeding authorized access, to a computer;
(11) the term “loss” means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service;
(12) the term “person” means any individual, firm, corporation, educational institution, financial institution, governmental entity, or legal or other entity;
(13) the term “Federal election” means any election (as defined in section 301(1) of the Federal Election Campaign Act of 1971 (52 U.S.C. 30101(1))) for Federal office (as defined in section 301(3) of the Federal Election Campaign Act of 1971 (52 U.S.C. 30101(3))); and
(14) the term “voting system” has the meaning given the term in section 301(b) of the Help America Vote Act of 2002 (52 U.S.C. 21081(b)).
(f) This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.
(g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i). Damages for a violation involving only conduct described in subsection (c)(4)(A)(i)(I) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.
(h) The Attorney General and the Secretary of the Treasury shall report to Congress annually, during the first 3 years following the date of the enactment of this subsection, concerning investigations and prosecutions under subsection (a)(5).
(i) (1) The court, in imposing a sentence on any person convicted of a violation of this section, or convicted of conspiracy to violate this section, shall order, in addition to any other sentence imposed and irrespective of any provision of State law, that such person forfeit to the United States—
(A) such person’s interest in any personal property that was used or intended to be used to commit or to facilitate the commission of such violation; and
(B) any property, real or personal, constituting or derived from, any proceeds that such person obtained, directly or indirectly, as a result of such violation.
(2) The criminal forfeiture of property under this subsection, any seizure and disposition thereof, and any judicial proceeding in relation thereto shall be governed by the provisions of section 413 of the Comprehensive Drug Abuse Prevention and Control Act of 1970 (21 U.S.C. 853), except subsection (d) of that section.
(j) For purposes of subsection (i), the following shall be subject to forfeiture to the United States and no property right shall exist in them:
(1) Any personal property used or intended to be used to commit or to facilitate the commission of any violation of this section, or a conspiracy to violate this section.
(2) Any property, real or personal, which constitutes or is derived from proceeds traceable to any violation of this section, or a conspiracy to violate this section.
(Added Pub. L. 98–473, title II, § 2102(a), Oct. 12, 1984, 98 Stat. 2190; amended Pub. L. 99–474, § 2, Oct. 16, 1986, 100 Stat. 1213; Pub. L. 100–690, title VII, § 7065, Nov. 18, 1988, 102 Stat. 4404; Pub. L. 101–73, title IX, § 962(a)(5), Aug. 9, 1989, 103 Stat. 502; Pub. L. 101–647, title XII, § 1205(e), title XXV, § 2597(j), title XXXV, § 3533, Nov. 29, 1990, 104 Stat. 4831, 4910, 4925; Pub. L. 103–322, title XXIX, § 290001(b)–(f), Sept. 13, 1994, 108 Stat. 2097–2099; Pub. L. 104–294, title II, § 201, title VI, § 604(b)(36), Oct. 11, 1996, 110 Stat. 3491, 3508; Pub. L. 107–56, title V, § 506(a), title VIII, § 814(a)–(e), Oct. 26, 2001, 115 Stat. 366, 382–384; Pub. L. 107–273, div. B, title IV, §§ 4002(b)(1), (12), 4005(a)(3), (d)(3), Nov. 2, 2002, 116 Stat. 1807, 1808, 1812, 1813; Pub. L. 107–296, title XXII, § 2207(g), formerly title II, § 225(g), Nov. 25, 2002, 116 Stat. 2158, renumbered § 2207(g), Pub. L. 115–278, § 2(g)(2)(I), Nov. 16, 2018, 132 Stat. 4178; Pub. L. 110–326, title II, §§ 203, 204(a), 205–208, Sept. 26, 2008, 122 Stat. 3561, 3563; Pub. L. 116–179, § 2, Oct. 20, 2020, 134 Stat. 855.)
For additional information, see the Congressional Research Service September 21, 2020 report on Cybercrime and the Law: Computer Fraud and Abuse Act (CFAA) and the 116th Congress: https://fas.org/sgp/crs/misc/R46536.pdf
What should organizations and their leaders be doing to protect their assets?
It is a challenge, because decisions regarding risk are made without really knowing exactly what threats might be out there. So, an organization needs to engage in a risk assessment that is based on gathering information about potential vulnerabilities and the likelihood of various types of threats, together with an understanding of the potential adverse impact of each such threat.
Figure: Security risk assessment process
Risk assessment processes and procedures, such as the one in the figure, identify vulnerabilities in assets; identify internal and external threats, or are informed of them by the media, public-private partnerships, or others in the public and private sectors; and identify the impact and the likelihood of each threat. Once an organization has assessed the risks, of course, it needs to respond to them. In the cybersecurity context, this is often called “risk treatment.” The “treatment,” of course, is not free: it costs money and time. So whatever response is chosen, it needs to factor in the resources the organization has available for the response.
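To make the assess-then-treat cycle concrete, here is an added example that is not part of the chapter or its figure: a small risk register in which each risk is scored as likelihood times impact and a treatment plan is chosen under a fixed budget, so the resource constraint described above is explicit. All asset names, scores and costs are constructed for illustration.

```python
"""Added example (not from the chapter): a small risk register. Each risk is
scored as likelihood x impact, and a treatment plan is chosen under a budget,
so that the "risk treatment" step is explicit about the resources it consumes.
All names, scores and costs below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)

    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Treatment:
    risk: str                 # name of the Risk this control treats
    control: str
    cost: int                 # constructed cost units (e.g. thousands of dollars)
    residual_likelihood: int  # estimated values once the control is in place
    residual_impact: int

    def reduction(self, risk: Risk) -> int:
        return risk.score() - self.residual_likelihood * self.residual_impact


def rank_risks(risks):
    """Highest score first; at equal score the higher impact comes first."""
    return sorted(risks, key=lambda r: (r.score(), r.impact), reverse=True)


def plan_treatment(risks, treatments, budget):
    """Greedy treatment: repeatedly take the affordable control with the best
    risk reduction per unit cost, one control per risk. Risks left without a
    control are reported as accepted, ranked by score."""
    by_name = {r.name: r for r in risks}
    chosen, treated, remaining = [], set(), budget
    while True:
        best, best_ratio = None, 0.0
        for t in treatments:
            if t.risk in treated or t.cost > remaining:
                continue
            ratio = t.reduction(by_name[t.risk]) / t.cost
            if ratio > best_ratio:        # controls that reduce nothing are skipped
                best, best_ratio = t, ratio
        if best is None:
            break
        chosen.append(best)
        treated.add(best.risk)
        remaining -= best.cost
    accepted = [r for r in rank_risks(risks) if r.name not in treated]
    return {"controls": chosen, "accepted": accepted, "budget_left": remaining}


# Constructed register for a mid-sized firm (illustrative values only)
RISKS = [
    Risk("ransomware", "file servers", likelihood=4, impact=5),
    Risk("phishing", "employee mailboxes", likelihood=5, impact=3),
    Risk("lost laptop", "unencrypted laptops", likelihood=3, impact=4),
    Risk("web defacement", "marketing site", likelihood=2, impact=2),
]
TREATMENTS = [
    Treatment("ransomware", "offline backups + segmentation", 40, 4, 2),
    Treatment("ransomware", "EDR on all endpoints", 60, 2, 4),
    Treatment("phishing", "mail filtering + MFA", 25, 3, 1),
    Treatment("lost laptop", "full-disk encryption", 10, 3, 1),
    Treatment("web defacement", "web application firewall", 15, 1, 2),
]

if __name__ == "__main__":
    plan = plan_treatment(RISKS, TREATMENTS, budget=80)
    for t in plan["controls"]:
        print(f"treat {t.risk}: {t.control} (cost {t.cost})")
    for r in plan["accepted"]:
        print(f"accept {r.name} (score {r.score()})")
    print("budget left:", plan["budget_left"])
```

With a budget of 80, the plan funds disk encryption, mail filtering with MFA, and backups with segmentation, and leaves the low-scoring defacement risk accepted with 5 units unspent.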
There are, of course, lots of ways to keep corporate information secure. Which one the company chooses depends on the nature of the industry in which it operates (whether it’s regulated or non-regulated), and of course, available financial and human resources in the particular organization.
Whatever method the company chooses, humans are viewed as the weakest link in the cybersecurity chain.
Indeed, several studies have shown that cybersecurity incidents, such as breaches or attacks on networks, systems, services, and data, are the result of human error and failure to implement security measures. While much attention is placed on the role of human error in cybersecurity breaches, cybersecurity measures in place at the time of the incident play a role in the incident as well. The reality is that what cybersecurity measures can actually accomplish and users’ expectations of the performance of these security measures often do not match.
What does this mean? It means that whatever security measures a company puts into place should keep users in mind, or more specifically, should keep user error in mind. Surprisingly, this is not common practice. Typically, organizations do the opposite: they build the security system and then expect their employees to modify their behaviors to meet the needs of those systems. This just is not as effective.
In addition, responses to risks should be designed to protect the confidentiality, integrity, and availability of systems, networks, services, and data, while also ensuring the usability of these measures. In fact, sometimes the usability of corporate devices might even take priority over their security; the devices are completely useless, after all, if they cannot be used. The two are not, of course, always mutually exclusive. So, while it is a fallacy to assume cybersecurity measures cannot be both secure and usable, the practical, common-sense advice is to keep usability in mind when making decisions.
The Fifth Amendment of the United States Constitution and Cyber Security
The Fifth Amendment in the United States Constitution’s Bill of Rights states:
“No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury, except in cases arising in the land or naval forces, or in the Militia, when in actual service in time of War or public danger; nor shall any person be subject for the same offence to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.”
The Fifth Amendment provides, among other rights, the privilege against self-incrimination, otherwise known as the right against forced self-incrimination. By contrast, the Fifth Amendment to the United States Constitution offers no protection against being compelled to submit to fingerprinting or photography. In other words, courts can compel defendants to submit blood samples, saliva samples, voice samples, and of course, fingerprints.
How is this relevant to cybersecurity measures? It essentially means, as far as government-compelled disclosures are concerned, passwords receive greater protection under the law than biometrics.
Under the law, “what you know” generally cannot be compelled, but fingerprints, and even DNA, can.
This is not limited to the United States, either. Other countries, such as Australia, New Zealand, and India, and a variety of human rights courts (e.g., the European Court of Human Rights) would agree that compelling the production of face scans, fingerprints, and other biometrics is permissible.
What are some cybersecurity measures organizations can undertake across a company’s IT infrastructure? Here are a few to implement, even if the entity is only a mid-sized business:
- Authentication measures, such as passwords and biometrics. Encourage users to use complex and unique passwords for each account. There has been much discussion recently regarding the security of biometrics versus passwords. It is worth noting here that, as far as the access of the United States government to corporate information technology is concerned, passwords are a more secure measure of authentication.
- Access control. Essentially, this is determining who does and does not have authorized access, and taking measures to prevent unauthorized access, such as authentication measures that protect passwords and logins. This applies not just to systems and applications, but also to particular websites or even social media. For example, companies can limit the number of allowed attempts to enter a password on a computer, or limit the websites to which users can have access.
- Firewalls and antivirus software. A firewall scans incoming and outgoing network traffic. Properly configured firewalls prevent malicious traffic from reaching the network and possibly damaging it. As employees download external files from a flash drive or the internet, antivirus software scans those files for virus signatures. In this way, each time ransomware, Trojan horses, viruses, and other malware attempt to reach an entity’s internal network, antivirus software will raise the alarm.
- Network segmentation is another strategy. It involves essentially the division of the corporate entity’s internal networks into separate fragments. This way, if hackers reach a computer in one segment, they are walled off from accessing the computers in the other network segments; the infected segment is thus quarantined. Entities can therefore reduce the risk of corporate data theft by blocking cyberattacks from moving between the network segments and damaging them.
- Email security techniques can be very simple strategies, such as filtering spam and applying password rotations. Email security solutions are designed to make sure that only verified messages reach their recipients when parties communicate. They aim to keep corporate data secure from malware, spoofing attacks, and other cyber threats in communication happening both inside and outside the company’s network.
- Intrusion detection systems (IDS) and intrusion prevention systems (IPS) analyze incoming and outgoing network traffic. An IDS identifies possible cybersecurity threats using pattern matching that detects anomalies, while an IPS blocks identified information security attacks and prevents them from turning into major threats and spreading across the entire network.
Advanced information security measures
If a company is operating in a regulated industry, such as healthcare or banking, it needs to strengthen its security measures, because it has to comply with a whole host of federal and state regulatory regimes that require this further protection. Here are some examples of protections companies need if they are operating in a stricter regulatory regime:
- Endpoint security defends each entry point connected to the network, such as each cell phone or desktop, from attacks before harmful activity spreads all over the network. Companies install this software both on the corporate network management server and on end users’ devices; the endpoint security software then gives the company’s system administrators visibility into actions that could potentially damage the network.
- Data loss prevention (DLP) reduces the loss of confidential data, such as bank account details. DLP systems scan the data passing through a network so no sensitive information slips into the hands of cyber criminals.
- Security information and event management (SIEM) software is essentially a reporting and information-gathering program. It collects the logs from the sources located in the network, analyzes them and provides the corporation with a suspicious activity report. Then, corporations use these reporting results to determine whether their systems need special attention and curative measures.
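The SIEM item above, together with the earlier points on limiting password attempts and on IDS pattern matching, can be shown in one place. The following is an added example, not code from the chapter: a small correlation routine that parses constructed SSH authentication log lines, counts failed logins per source address in a sliding window, and produces the kind of suspicious activity report a SIEM would hand to administrators. The log format, hostnames and addresses are constructed.

```python
"""Added example (not from the chapter): a tiny SIEM-style correlation over
constructed SSH authentication log lines. A sliding window counts failed
logins per source address; reaching the threshold raises a brute-force alert,
and a later success from the same source inside the window raises a higher
severity alert. The log format, users and addresses are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (syslog-like, ISO timestamps); not real data.
SAMPLE_LOG = """\
2024-03-01T09:00:01 auth sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:03 auth sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:05 auth sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:06 auth sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:08 auth sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:10 auth sshd: Accepted password for alice from 203.0.113.7
2024-03-01T09:15:00 auth sshd: Failed password for bob from 198.51.100.4
2024-03-01T09:20:00 auth cron: session opened for user root
2024-03-01T09:30:00 auth sshd: Accepted password for bob from 198.51.100.4
2024-03-01T10:00:00 auth sshd: Accepted password for carol from 192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Return a normalized event dict, or None for lines the rules ignore."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "success": m["result"] == "Accepted",
        "user": m["user"],
        "src": m["src"],
    }


def correlate(log_text, threshold=5, window=timedelta(minutes=1)):
    """Run both rules over the log and return alerts in time order."""
    alerts = []
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    targets = defaultdict(set)      # src -> usernames tried while failing
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        q = failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:   # drop failures outside window
            q.popleft()
        if ev["success"]:
            if len(q) >= threshold:             # success right after a burst
                alerts.append({
                    "rule": "success_after_brute_force", "severity": "high",
                    "src": ev["src"], "user": ev["user"], "at": ev["ts"],
                    "failed_attempts": len(q),
                    "users_tried": sorted(targets[ev["src"]]),
                })
            q.clear()                           # a success resets the counter
            targets[ev["src"]].clear()
            continue
        q.append(ev["ts"])
        targets[ev["src"]].add(ev["user"])
        if len(q) == threshold:                 # fire once per burst
            alerts.append({
                "rule": "brute_force", "severity": "medium",
                "src": ev["src"], "user": ev["user"], "at": ev["ts"],
                "failed_attempts": len(q),
                "users_tried": sorted(targets[ev["src"]]),
            })
    return alerts


def report(alerts):
    """Summarise alerts as text lines, highest severity first."""
    rank = {"high": 0, "medium": 1}
    lines = []
    for a in sorted(alerts, key=lambda a: (rank[a["severity"]], a["at"])):
        lines.append(f"[{a['severity'].upper()}] {a['rule']} src={a['src']} "
                     f"user={a['user']} failures={a['failed_attempts']} "
                     f"tried={','.join(a['users_tried'])} at={a['at'].isoformat()}")
    return lines


if __name__ == "__main__":
    for line in report(correlate(SAMPLE_LOG)):
        print(line)
```

On the sample log the first source trips both rules, while the single failure from the second source, followed by a success fifteen minutes later, falls outside the window and stays quiet.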
No matter what set of measures corporations apply to protect their information technology, they should ensure they have systems and processes that assess their functionality and effectiveness on an ongoing basis, as well as constant monitoring of potential threats. Companies should put together an incident response plan in their organization that identifies any attacks and immediately responds to them using corporate strategies.