As a licenced private investigator specialising in fraud, money laundering and corruption, qualified loss adjustor Paul Hurrell has developed a keen interest in how criminals use modern technology.
He has presented on cybercrime to some of the largest companies in South-East Asia and will be a speaker at the upcoming ANZIIF Cyber Risk Management Seminar in New Zealand.
The means to an end for a criminal
Hurrell has always recognised that criminals will use whatever methods they can to commit crimes — and if they can do so without risk of being caught and serving time in prison: even better.
His business, Hurrell Consulting Limited, is a boutique risk and investigations company specialising in business resilience and assurance around cybercrime and employee relations investigations.
‘My focus for Hurrell Consulting is the small-to medium-sized businesses, or individuals who cannot afford to staff full risk and IT departments,’ he says.
‘These are the types of businesses that are impacted the most when a cyber event takes place, which quite often puts them out of business, or their lax controls and systems allow criminals to use them as a way into larger companies.
‘Criminals know that corporations spend big money on their security, so they find other ways into the honey pot. Some of the biggest data breaches have been through suppliers and not direct attacks.’
Police investigations spark the journey
Hurrell’s interest in fraud started when he trained as a detective with the New Zealand Police in 1985.
‘I was dealing with all types of day-to-day and serious criminal incidents at various stations around New Zealand,’ he shares.
‘I think of one case I investigated in the police where a man and his mother committed tax fraud at the time GST had just come into New Zealand. They were signing contracts of sale and then claiming back the Goods and Services Tax content of the purchase.
‘They were from overseas and used to dealing with VAT [value-added tax] in the UK.’
After leaving the police in 1997, Hurrell seized an opportunity to work as an insurance investigator with State Insurance Limited (now IAG NZ).
When NZI and State merged, Hurrell took on and developed a role in fraud risk and security, for which he gained recognition with an Investigator of the Year award from IBANZ, as well as the ANZIIF Australia Risk Manager of the Year award.
How criminals use modern tech
Hurrell says his experience in insurance and internal investigations piqued his curiosity about the use of company systems to redirect funds and create false documents.
‘I think the natural evolution of my role in IAG NZ, along with trends around the world, saw me take a keen interest in systems and computers,’ he says.
‘We developed some very early data analytics, but the quality of useable information was a roadblock at that time. I wanted to learn more about the way that criminals were gravitating to modern technology.’
While Hurrell does not pretend to be an IT cybersecurity specialist, he says his training, study and experience affords him significant insight into how the criminal mind tends to work.
‘My risk management experience informs my ability to identify the types of crimes that may be perpetrated against an industry or business,’ he explains.
The risk of doing business
For Hurrell, cyber risk is simply the risk of doing business in the modern business environment.
‘The word "cyber" has been bandied around so much that some people see it as networks and systems, [and] others see it as computers or banks of data, when it is all those things and more,’ he says.
‘People have always wanted information, money or goods to keep or sell off. The processes have just become more remote and undertaken on a larger scale.
‘Businesses today have so many balls in the air, and with limited spend available, cyber is just one of the strategic and operational risks that they face.’
Hurrell says the key to managing cyber risk begins with understanding the data businesses have that others might want, how criminals or fraudsters might try to get that data and what they might do with it.
‘Businesses also need to understand who they are connected to in the cyber chain, given that as mentioned, attacks can come at them via their network.’
The mind of a hacker
Hurrell says the types of attacks businesses are likely to suffer depend on the outcome the attacker aims to generate — whether that is the acquisition of information, monetary gain or the creation of chaos to a system, business or city.
'Whether an attack is state sponsored [or] undertaken by a lone actor, current or former employees or cyber criminals will determine the level of sophistication and success,’ he says.
‘Direct attacks with the intention of penetrating the systems of companies, governments or individuals are still the most common.’
According to Hurrell, social engineering attacks — known as phishing, spear phishing, whaling and pharming — are still very common, and there are numerous examples of these being successful.
‘Ransomware continues to be a big concern, despite all the education and awareness programs run to prevent them.
'Even the basic Nigerian email-type scam can still prove effective given the right audience, especially as large numbers of inexperienced users gain access to the internet for the first time each year.
‘It’s also good point for employers to remember that employees are not necessarily on your side and may click on a link or reply to an email simply to see what will happen.’
Head above water
Hurrell says the constantly changing landscape is an ongoing challenge.
‘Cybercrime, like fraud or any other crime, really, is like a balloon full of water — you put pressure on one area to reduce the bulge and it simply pops out another.
‘Modern technologies to combat cyber security and crime are being developed all the time by some of the brightest young minds, although unfortunately, some of those young minds also work for the other side and follow the dollar, or cryptocurrency.’
Hurrell is interested to see how criminals begin to use the Internet of Things [IoT] and AI to their benefit.
‘We have already seen examples of smart houses being reprogrammed and the computer systems of cars getting hacked in order to steal them,’ he says.
‘There are also examples of driverless cars being hacked while driving along the road. Hospitals are now becoming more aware of their vulnerabilities around equipment such as MRI [scanners] that may not have robust security features included.’
A level playing field
When it comes to cybercrime, Hurrell asserts that it is now a globally level playing field, with organisations and individuals equally at risk.
‘With several New Zealand and Australian companies outsourcing functions in Asia, an area to watch will be how they manage being subject to the laws and regulations of those countries, especially around data breaches and compulsory notifications,’ he says.
‘The global nature of business means some companies may be headquartered in one country but carry out most of their business in another.
‘Understanding and dealing with the issues of cross-border attacks and investigations will be critical.’
Knowledge is power
Hurrell says that after ensuring companies have securities in place for essential systems, the key to mitigating the risk of cyber attacks will be ongoing training and awareness.
‘The cyber insurance industry in Australia and New Zealand is still maturing,’ he points out.
‘There is a lot more the industry needs to do to get a proper understanding of what cyber insurance is and how customers and clients can best be protected.
‘A simple risk assessment on a small to medium company not only provides it with the comfort of knowing where it’s at in the game, but will also help brokers and insurers to better understand their clients’ specific needs.’
So why should you sign up for the Cyber Risk Management Seminar?
Hurrell says participants will gain an overview of the cybercrime problem from a practitioner’s point of view and hear case studies detailing how cyber events can occur.
‘They will find out where their information goes and how it might be used by criminals or hackers,’ he says.
‘They will also learn how they can deal with breaches better as they happen and who their best friends will be at that time.'
Key messages of the Seminar:
Katherine (08) 7919 7019
2/46 Chardon St