Table of Contents

• Data in the Digital Ecosystem
  • Data Availability
  • Managing Data Access
  • Data Storage
  • Data Quality
• Data Analytics: Turning Raw Data into Gold
  • Data Mining and Predictive Analytics
  • SQL and Python – Key Skills
  • Tableau and Power BI for Visual Analysis 
    
• Further Education and Learning Opportunities
  • Recommended Resources
  • Finding Your Learning Path
• Your Next Step with Mr. 01 Analytics

Data in the Digital Ecosystem: The Soil on Which Innovation Grows

Today's businesses are sitting on a treasure: their data. But as with the Death Star, a treasure is worthless without proper handling. In this chapter, we'll examine four critical aspects: data availability, controlled access, appropriate data storage, and ensuring data quality.

Data Availability – Making Data Usable

Data availability means ensuring that required data is accessible reliably and at any time. Without rapid data availability, significant disadvantages arise in daily operations: inaccessible data can stall routine processes or even bring them completely to a halt. Imagine an e-commerce company suddenly lacking sales or inventory data during peak times. Decisions would then become guesswork.

Conversely, high data availability facilitates efficient processes. In retail, for example, real-time data helps optimize inventory management, monitor supply chains, and measure employee performance. Having the right information at the right time is often the cornerstone of innovation. According to a recent analysis, providing the right data, at the right time, and in the right context is essential for staying ahead in data-driven competition. Therefore, success lies not merely in having vast amounts of data but in making it timely and practically available.

Managing Data Access – Balancing Openness and Security

Who should have access to which data? Data access management is crucial for determining whether data becomes an asset or a liability. Good data governance ensures employees across an organization receive the data they need for informed decisions without compromising security. An overly restrictive approach ("Data access only for the IT department!") hinders data democratization and limits valuable insights from other departments. Conversely, too lax an approach ("Everyone can access everything") poses significant security and privacy risks.

Practical Example: In many organizations, access rights are assigned ad-hoc, without proper consideration of data sensitivity. As a result, sensitive data may inadvertently fall into the wrong hands, or conversely, crucial information might be hidden from people who need it, thereby hindering decision-making processes. Effective data access management involves striking a balance: as open as possible, yet as secure as necessary. Modern concepts like role-based access control (RBAC) or the Least Privilege Principle can help achieve this. Additionally, adhering to data protection regulations (such as GDPR) and implementing technical safeguards ensures that accessible data doesn't accidentally or intentionally leak out.

In short: Data access must be strategically managed to keep your data secure yet accessible. This forms the foundation for trust and efficient data utilization.

Data Storage: Data Warehouse, Data Lake, and Lakehouse

Effectively using data also means storing it properly. Several storage concepts have become established, each suited to different requirements:

• Data Warehouse: A classic Data Warehouse is a centralized database designed for structured and processed data. Companies store cleansed transactional and operational data here to facilitate efficient reporting and analysis. Data Warehouses provide built-in query and BI capabilities, delivering rapid SQL performance with consistent data. However, data must be transformed and modeled beforehand, which involves effort. Data Warehouses excel at Business Intelligence and standardized reporting from consolidated data (financial KPIs, sales reports, etc.).
• Data Lake: A Data Lake follows a different approach, storing raw data in its native format—structured tables, unstructured logs, text files, images, or sensor data. This makes Data Lakes highly flexible, cost-effective, and scalable. They can ingest virtually any data type without enforcing a strict schema. Advantages: Historical raw data can be used to answer unknown or future questions. Data scientists particularly value Data Lakes for Big Data and AI workloads that require large, diverse datasets. Disadvantages: Without suitable tools, Data Lakes can become infamous "data swamps"—chaotic, unorganized, and hard to navigate. Challenges in data governance and data quality are typical unless mechanisms for order and quality assurance are implemented. Nevertheless, Data Lakes are invaluable for initial data storage, including backups, archived data, and rapidly growing new data sources.
• Data Lakehouse: The newer Lakehouse approach seeks to combine the best of both worlds. A Data Lakehouse can store data of all formats inexpensively like a Lake, while simultaneously enabling fast queries and analyses similar to a Warehouse. Technologically, this is achieved by adding layers for metadata management, indexing, and governance on top of a Data Lake. Lakehouses can enforce schemas, support ACID transactions, and maintain data quality controls—features traditionally difficult in pure Lakes. Many modern cloud data platforms (such as Databricks with Delta Lake) follow this concept. Example: A financial service provider could use a Lakehouse to store structured customer data for dashboards alongside unstructured social media feeds or log data for data mining. Thus, Lakehouses reduce redundancies and data silos and simplify IT architectures and landscapes.

For your company's data strategy, consider which storage approach best fits your needs. A Data Warehouse is often ideal for standardized reports and KPIs. If you're aiming to collect and use versatile raw data exploratively (keyword: Data Science), a Data Lake is essential. To combine both structured reporting and flexible data exploration, explore modern Lakehouse platforms. Ultimately, it's crucial to design your data platform for scalability and future-proofing to truly extract value from your data.

Data Quality – Garbage in, Garbage out

All available data has little value if its quality is poor. The phrase "garbage in, garbage out" remains as relevant as ever: processing incorrect, outdated, or duplicate data leads to unreliable results. Poor data quality directly impacts business performance, skewing analyses, forecasts, and decisions—the greater the amount of erroneous data, the worse the outcomes.

In everyday business, data errors often remain undetected for a long time. Ensuring data quality is not merely nice-to-have; it’s essential. Effective measures include regular data cleansing (removing duplicates, correcting errors), implementing validation rules within systems, assigning data stewardship responsibilities, and establishing systematic Data Quality Management (DQM). In short, quality over quantity, as reliable, consistent data forms the basis for sound analyses and business decisions.

Tip: Foster awareness in your organization that data quality matters at all times. It's better to continuously fix small data errors than to eventually be surprised by a "data Death Star" destroying your decision-making foundations.

Data Analysis: The Art of Turning Raw Data into Gold

Data alone only reveals its true value through proper operational use and strategic analysis. In this section, we explore two key questions: which analytical methods should you know, and what skills does your team need to successfully perform data analysis?

Data Mining and Predictive Analytics – Recognizing Patterns, Predicting the Future

In the age of Big Data, companies no longer want just to describe past developments; they aim to anticipate future trends. This is where data mining and predictive analytics come into play. Data mining involves systematically analyzing large data sets to uncover hidden patterns, relationships, and anomalies. These insights often form the foundation for predictive analytics—forward-looking analyses using statistical models and machine learning to forecast future events. Simply put: data mining digs out the nuggets, while predictive analytics turns them into gold bars.

Why is this important? Companies that proactively act, rather than reactively respond, gain substantial competitive advantages. Predictive analytics utilizes statistical modeling, forecasting, and machine learning to derive predictions from descriptive analysis outcomes. Application fields are diverse: businesses use predictive analytics to enhance service efficiency, develop new products, anticipate risks early, optimize machine maintenance, and even save lives.

A notable industry example: Rolls-Royce employs predictive analytics to reduce CO₂ emissions from aircraft engines and to schedule proactive maintenance. Rolls-Royce's Intelligent Engine platform monitors in real-time how engines are used and their current condition, applying machine learning models to generate customized maintenance schedules for each engine. The result: engines run more smoothly with fewer unplanned outages—clearly adding significant value.

Another example comes from the utilities sector: DC Water in Washington D.C. uses AI-supported analytics to automatically inspect video recordings of sewer pipes for defects and target maintenance accordingly. Their goal is to reduce water losses by 2–5%, since every percentage point of water recovered saves approximately $4 million.

Read more: Predictive Analytics: Four Success Stories from Rolls-Royce, DC Water, Ellie Mae, and Kaiser Permanente

These examples illustrate a shift from reactive to proactive analytics. Data mining provides the insights that predictive analytics turns into actionable strategies. Predictive analytics enables companies to enhance processes (predictive maintenance at Rolls-Royce), forecast customer churn (and proactively counteract it), detect fraud patterns (before damage occurs), and anticipate market trends early enough to adjust strategies.

Crucially, these analytics must always be combined with domain expertise—algorithms provide probabilities, but people make decisions. One thing is certain: companies that merely collect data without analyzing it waste tremendous potential.

SQL and Python – Key Competencies for Data Analysts

What skills do your employees need to execute these tasks? Alongside domain knowledge, technical analytics skills are essential—two of these particularly stand out: SQL and Python.

SQL (Structured Query Language) is the language of databases. Almost no larger enterprise can operate without relational databases, thus making SQL indispensable. With SQL, structured data can be efficiently queried, filtered, and modified. Whether retrieving sales figures from a data warehouse, defining customer segments, or performing ad-hoc aggregations, data analysts proficient in SQL can independently extract information from databases without waiting on IT specialists. Most analytics tools—from Python Pandas to Tableau and Power BI—support SQL or similar query languages, adding to its versatility. It's no surprise that SQL consistently ranks among the top skills required in analyst and data scientist job listings.

Python has established itself as the Swiss Army knife of data analysis. This programming language is indispensable for data manipulation, statistical analysis, and even developing machine learning models. Python's strength derives largely from its vast ecosystem of libraries: for nearly every data use-case, there's a dedicated package—like Pandas for data preparation, NumPy for numerical computations, Matplotlib and Seaborn for visualizations, or scikit-learn for machine learning. Analysts proficient in Python can integrate data from diverse sources, automate complex data transformations, and generate new insights through statistical analyses or machine learning. No wonder Python is among the most in-demand languages in the data world.

Together, SQL and Python form an unbeatable duo: SQL retrieves data from systems, and Python turns that data into meaningful information.

Conclusion: Invest in training your team in SQL and Python. These two skills are akin to reading and writing in the data world. They empower your team to fluently speak the language of data and create tangible value from it. Numerous learning resources—many free (see recommendations below)—make getting started easy. Team members proficient in these skills can seamlessly move between roles, ensuring your organization truly lives and breathes data. In short: SQL and Python are the lightsaber and the Force for data analysts—essential tools that belong in every data professional's toolkit.

Tableau and Power BI – The sunlight that helps ideas grow from data

Just as a Jedi cannot function without their lightsaber, analysts require appropriate tools to extract valuable insights from raw data and present them clearly. In the fields of Business Intelligence (BI) and Visual Analytics, Tableau and Microsoft Power BI are currently the leading solutions, turning data into valuable ideas and serving companies like sunlight that enables innovation and growth.

Tableau, around since 2003, is particularly renowned for high-quality, interactive visualizations and compelling data storytelling. Users intuitively create complex dashboards, detailed maps, and insightful charts using drag-and-drop functionality. Tableau's flexibility and aesthetic quality make it especially attractive to analysts focused on effectively communicating their results.

Power BI is a younger competitor (launched in 2015) within the Microsoft family. Its strength lies in seamless integration with existing Microsoft products such as Excel, Azure, and Teams. Furthermore, Power BI offers an accessible entry through its free desktop version, making it particularly appealing to small and medium-sized businesses. Additionally, Power BI stands out with intuitive usability and ease of collaboration.

Both tools have unique strengths and are widely adopted by data-driven companies. Ultimately, the right choice depends on your existing infrastructure, specific needs, and organizational culture.

Takeaway: Modern BI tools like Tableau and Power BI are essential for clearly presenting raw data and deriving actionable insights for informed decision-making. Choosing the right tool significantly impacts how effectively organizations translate their data into practical actions.

Professional development: The key to mastering the power of data

The world of data is evolving rapidly—what’s cutting-edge today may be outdated tomorrow. Continuous professional development is therefore essential. Fortunately, numerous high-quality and free resources are available:

• Microsoft Learn: Free, interactive online courses covering Power BI, Azure Data Services, and data analytics, ideal for preparing for certifications such as PL-300 (Power BI Data Analyst).
• openHPI: German-language MOOC platform from the Hasso Plattner Institute, offering free courses on Data Science, Big Data, and AI, often with certificates. Example: "Data Science Bootcamp".
  • Overview of various learning content on openHPI
  • Specific Python courses:
    • Python – fast and intensive programming
    • Learn programming with Python – school edition
    • Learn programming with Python
• DataCamp: Interactive introductory chapters of many courses in Python, R, SQL, and Machine Learning are free. Additional free tutorials and community resources available.
• Other resources:
  • YouTube channels like freeCodeCamp, StatQuest, Edureka
  • University courses on Coursera and edX (audit mode free), e.g. edX Computer Science Courses from Harvard University
  • Competitions and micro-courses on Kaggle
  • Official documentation and examples from providers (e.g. Tableau, Power BI)

Important: Actively schedule time for professional development—both individually and within your team. Data literacy isn't a one-time acquisition, but a continuous process. The resources mentioned above help you keep pace with the latest developments, adopt new trends (such as AI-driven analytics), and practically apply tools and techniques. Often, just a few hours per week significantly advance your expertise. Use the freely available resources—the only investment is your time, and the return can be immense in the form of new insights and capabilities.

Editorial note: While embracing the opportunities of data & analytics, we must not overlook data ethics and data governance. Responsible data usage, privacy protection, and compliance are critical to maintain customer and partner trust. Issues like algorithmic fairness, transparency, bias avoidance, and adherence to regulations (e.g., GDPR) form the foundation of any data strategy. These topics exceed the scope of this article but will be explored in future blog posts. Stay tuned for upcoming episodes focused on the final defenders—ethics in IT.

How to find your personal learning path

1. Clarify your tasks and goals: Do you want to make decisions, build dashboards, detect fraud, or monitor machine data in real-time?
2. Assess your prior knowledge: A quick skill-check identifies if you should focus on fundamentals (like table structures) or advanced topics (like model monitoring).
3. Select your learning format: Self-paced modules, team workshops, or coaching accompanying projects—depending on your time budget and learning style.
4. Set small milestones: Celebrate weekly mini-achievements: performing a SQL query, creating a data model, validating data, conducting analyses, training a model, etc.

Your next step with Mr. 01 Analytics

The true power of data and analytics determines whether you merely collect information or actively use and shape it. By learning today to securely store, connect, and effectively analyze data, you can create innovative business models, precise forecasts, and data-driven decisions tomorrow.

Just as Luke Skywalker first learned the fundamentals of the Force before saving the galaxy, mastering the essential building blocks of data & analytics allows you to fully leverage digital transformation opportunities. Continuous learning and practical experience lay the foundation to confidently tackle complex challenges.

At Mr. 01 Analytics, we guide you through customized “Coaching on the Job”, tailored learning programs, and practical toolkits—supporting your long-term development into data experts, no matter your current level.

Interested?

• Complete our contact form and outline your goals. We'll respond with a proposal.
• Subscribe to our newsletter for monthly learning insights and practical tool-tips.

Together, we’ll find your ideal learning path tailored to your tasks, pace, and business.

May the force of data and analytics be with you!

Table of Contents

• Episode III – Revenge of the Sith
• Cybersecurity and Risk Management
• Organizational and Technical Protective Measures
• Data Backup as the Last Line of Defense
• Preventive, Detective, Reactive – The Three Pillars of Security
• Practical Examples – When the Dark Side Strikes
• Employee Awareness: Guiding People to the Light Side
• Your Next Step with Mr. 01 Analytics

Episode III – Revenge of the Sith

In Episode III, we see how the promising Jedi Anakin becomes a tool of evil. What could have prevented this tragedy? Likely more discipline, knowledge, and caution. Exactly this is required of IT professionals to resist temptations of convenience and ignorance. In IT, the light side of the Force corresponds to a proactive security culture: intelligent preventive measures, regular backups, trained employees—all of these keep us on the good side of the Force. The dark side, on the other hand, is reflected in outdated systems, sloppy handling of passwords, or a “that’ll probably be fine” mentality. In this article, we'll examine the lessons we must learn in IT training to avoid being overwhelmed by the dark side.

Cybersecurity and Risk Management

Cybersecurity is risk management. Every new technology, every digital connection brings immense opportunities, but also carries inherent risks. There's a well-known saying: "There are two types of companies: those who have already been hacked, and those who don’t know it yet." This somewhat dark joke holds a kernel of truth. Today, we must assume an incident can happen at any time. Therefore, systematic risk management is essential: What threats exist? Where are our vulnerabilities? And what potential impacts must we prepare for? Effective risk management identifies these factors and prioritizes measures based on how likely and severe these risks are. For instance, a financial company might prioritize phishing and trojan attacks, while a manufacturing business focuses on sabotage or system outages. Important to note: There is no such thing as 100% security. However, smart risk management significantly reduces the likelihood of successful attacks and mitigates potential damages.

Concrete support comes from recognized standards and frameworks such as ISO/IEC 27001 or the German BSI IT-Grundschutz. These provide guidelines to systematically identify risks and implement appropriate security processes. For example, the Allianz Risk Barometer 2023 ranked cyber incidents as the number one global business risk for the first time, ahead of traditional risks like natural disasters. This underscores that cybersecurity has become a matter for top management. From executives to server-room admins, everyone must understand: Security is teamwork. It begins with awareness ("Increase risk awareness, recognize danger, you must!" as Yoda might say) and ends with technical implementation. In the next section, we will look at how organizational and technical protective measures must be combined to create a comprehensive security concept.

Organizational and Technical Protective Measures

Organizational measures form the foundation of IT security. These include clear security policies, processes, and responsibilities. Imagine there's a "Jedi Council" in your company setting rules: password policies (e.g., regular changes, complexity), access rights following the need-to-know principle, an incident response plan, and regular employee training. Without these basics, even the best technology will not help much—because if employees stick passwords on post-it notes or open attachments from unknown emails, even the most advanced virus scanner becomes useless. A robust organizational framework ensures that everyone in the company thinks about security. It creates a culture where people prefer to ask before plugging in unknown USB sticks, and where security incidents are openly reported rather than covered up.

Technical measures: Besides processes, technical vulnerabilities naturally play a major role. Technical risks in IT security primarily arise from the absence of suitable security standards and measures:

• Unpatched vulnerabilities: Hardly anything is exploited as ruthlessly by attackers as known security gaps. If critical updates are missing or outdated software is in use, it’s like leaving an open gate. For example, the WannaCry attack in 2017 exploited a Windows vulnerability for which a patch already existed—many organizations simply had not installed it. Hence, patch and update management must be a top priority. Effective risk management maintains an inventory: Which systems have what risks, for instance, due to expiring support? Then, priorities can be set on what urgently needs replacement or patching.
  
• Misconfigurations: Not only software vulnerabilities but also incorrectly configured systems pose significant risks. Examples include cloud storage accidentally made publicly accessible or a firewall mistakenly configured to allow "Any Any" (total open access). Such errors occur frequently, partly due to ignorance and partly due to haste. Standards and automation help here, for example by providing secure configuration templates, principles such as "Secure by Default," and tools that identify deviations.
  
• Network security: Corporate networks must be secured, for instance, through segmentation. Otherwise, a single intrusion can spread rapidly, much like a Sith infiltrating the Jedi Temple. Network security (firewalls, intrusion detection systems, etc.) is essential but becomes risky if neglected. An IDS that nobody evaluates is useless. Technical risk management also involves continuous monitoring: Who checks the logs? Are there alerts for anomalies?
  
• Access protection & permissions: Without technical access control measures, virtually anyone could access anything—a nightmare scenario! Implement principles such as Least Privilege (only grant users the minimum access necessary) and multi-factor authentication. A commonly overlooked technical risk is default passwords on devices or databases. Good system administration checklists always include: "Changed default credentials? Disabled unnecessary services?" and so forth.
  

Data Backup – The Last Bastion

The combination of organizational and technical measures ultimately defines a comprehensive security profile. Let's take phishing as an example: Organizationally, clear guidelines ("We never ask for passwords via email") and employee training help identify malicious emails. Technically, these measures are complemented with email filters and attachment sandboxing. Only together do they provide comprehensive protection. Equally important is the regular review of these measures through audits, penetration tests, or routine checks to verify whether backup and emergency plans are still current. Security measures are not something you "set up once and forget"; they must remain active, adapting to new threats and evolving business processes. Just as a Jedi trains daily to stay fit, our security infrastructure must be continually maintained and improved.

The German Federal Office for Information Security (BSI) explicitly emphasizes the importance of backups in its situation reports and recommendations, especially in light of recent ransomware waves. Currently, ransomware is considered the greatest threat to businesses of all sizes, according to the BSI. Without backups, victims of such attacks are often forced to pay ransom or face ruin. 

Important: Backups themselves must be secure. Modern ransomware specifically targets backup copies for encryption. Therefore, offline backups or backups disconnected from the network are extremely valuable. The industry recommends the 3-2-1 principle: 3 copies of data, on 2 different media, with 1 copy stored off-site (and offline). Only then can infected systems be wiped clean and data restored from the secure "time capsule." Without functioning backups, organizations often must resort to emergency operations, resulting in significant time and costs—not to mention the potential total loss of data.

Practical tip: Test your backups! An untested backup is nearly as bad as no backup at all. Many organizations have a false sense of security until they discover backups are incomplete or unusable. Regular restore drills should be scheduled (e.g., monthly test restorations of critical systems). This builds routine and confidence that everything will work in a real emergency. There's nothing worse than discovering during a crisis that the backup file is corrupt or the documentation for restoration is missing. Just as in Star Wars the maintenance crew continuously checks the Millennium Falcon, we must also regularly test our "Data Falcons" to ensure they don't get stranded in hyperspace.

Preventive, Detective, Reactive – The Three Pillars of Security

Finally, it should be mentioned that security measures can generally be classified into three categories: preventive, detective, and reactive. Every organization should be active in all three areas:

• Preventive: Everything aimed at stopping attacks beforehand. This includes firewalls, access restrictions, security awareness training, secure software development, regular updates, etc.—essentially all "Jedi Master" measures designed to keep the dark side from ever emerging.
  
• Detective: Since not all attacks can be prevented, mechanisms are needed to quickly identify incidents. Examples include Intrusion Detection Systems, SIEM tools for log analysis, and vigilant employees reporting suspicious emails. It is crucial that such reports don’t fall by the wayside but are supported by a clear process.
  
• Reactive: When a security incident occurs, it must be contained, and damages minimized. Reactive measures include Incident Response Plans, forensic teams, backup restoration (here’s where backups become critical!), and communication plans (e.g., notifying customers if data has been compromised).
  

These three pillars interlock. A proactively managed organization with well-trained staff (the "Jedis") will have fewer incidents and detect them quicker. Nevertheless, it regularly practices emergency responses (reactive) so that it is not caught off-guard. Just as the Jedi Order practiced combat alongside meditation—hoping never to use it but ready if necessary.

Real-World Examples – When the Dark Side Strikes

Let's now look at some real-world cases illustrating what can happen—and what lessons we can learn. Unfortunately, there are ample examples of devastating cyberattacks:

• University Hospital Düsseldorf 2020: A ransomware attack encrypted 30 of the hospital's servers. Tragically, the hospital temporarily could not admit emergency patients, resulting in the death of a patient who had to be redirected to a distant hospital. This brutally demonstrates that cyberattacks now impact human lives, especially when critical infrastructures like hospitals are targeted. The lesson: Whether in healthcare, manufacturing, or administration, emergency plans must exist, and systems must be secured as effectively as possible to prevent total disruption.
  
• Norsk Hydro 2019: The Norwegian aluminum producer fell victim to LockerGoga ransomware. Large portions of production halted, forcing the company to resort to Facebook for communication because email and websites were down. However, instead of paying the ransom, Norsk Hydro remained resolute: Thanks to solid backups and incident response plans, they gradually restored their systems themselves. Today, this case serves as a positive example of how a prepared company can withstand a cyberattack. Although damage was significant, they had an action plan ready and did not succumb to the demands of the attackers.
  
• CrowdStrike Incident 2024: CrowdStrike is a leading software company providing IT security solutions across industries, aimed at minimizing downtime and protecting systems. However, a faulty update to their security software "CrowdStrike Falcon" resulted in millions of computers worldwide crashing. The update caused a "Blue Screen of Death" (BSOD) on numerous Windows systems, leading to significant disruptions in companies, including critical infrastructure like airports and hospitals. Affected systems had to be manually reset to resume operation. Companies without current backups were forced to use time-consuming workarounds, severely delaying the resumption of normal operations. The financial and reputational damages were enormous.
  
• Microsoft Exchange Outage 2021: A faulty patch caused massive outages in email systems worldwide. Organizations that were well-prepared and had up-to-date backups could quickly restore their systems, minimizing downtime. This incident again underscores the critical importance of backup and disaster recovery plans to maintain operations.
  
• SolarWinds Hack 2020: A cyberattack delivered through an update of SolarWinds software led to widespread security breaches. Many companies and government agencies were affected, showing that even trusted software vendors pose risks. Again, backups were often the last line of defense for system recovery and damage mitigation.
  
• GitLab Data Loss 2017: GitLab suffered massive data loss, exacerbated by a failed backup procedure. This incident illustrates that even professional providers can make mistakes, further emphasizing the importance of carefully planned and regularly tested backup strategies.
  

These examples clearly show: the dark side strikes in reality, often exactly when least expected. But they also show two sides of the coin: Without preparation, an attack leads to chaos; with prevention and emergency planning, it can at least be contained.

This is not meant to scare you but serve as a wake-up call. Administrators, executives, owners, and all employees can contribute to ensuring our "Death Star" has no exploitable vulnerability.

Recommended Reading:

• Lessons from the CrowdStrike Incident 
  
• Further details on incidents, preventive measures, disaster recovery plans, data backup strategies, tools, and templates can be found in our book: 
  

Backup as a Part of IT and Cybersecurity

➛

Read More

Employee Awareness: Leading People to the Light Side

In the fight against the dark side of IT security, there's an often underestimated secret weapon: informed and vigilant employees. Even the best technology won’t help much if someone obtains the master key through social engineering. Humans are often labeled the “weakest link” in the security chain, but we can also transform them into the strongest line of defense! This requires awareness and training.

What exactly does that mean? Security awareness means ensuring everyone in the organization, from apprentices to executives, knows the threats and how to respond correctly. Starting with simple issues like: How do I recognize a phishing email? What do I do when someone calls, pretending to be IT support, asking for my password? Such scenarios can be explained, but they're best experienced in a safe environment. Here, further training and gamification come into play.

Unfortunately, traditional security training is often dry and tedious, causing the brain to quickly switch off. However, gamification approaches provide a better alternative. Gamification involves integrating playful elements into otherwise dry training to boost motivation and learning effectiveness. SAP, for example, has achieved excellent results using immersive game environments such as digital escape rooms or horror labyrinths where employees solve security puzzles. Employees have great fun and almost forget they're learning. The result: knowledge retention improves dramatically. Studies estimate that gamified learning can achieve retention rates of up to 75%, compared to just 5% with passive learning methods. 75% vs. 5%(!), that's almost like a Jedi training with a lightsaber instead of just reading combat manuals. Read more: SAP | Gamification helps our employees learn cybersecurity.

Even smaller companies can benefit from gamification. Specialized providers like Fabula Games now offer interactive security training games. In Cyber Security Game Events, employees experience simulated, playful hacker attacks. They work individually or in teams, solving tasks under time pressure and getting first-hand experience of handling emergencies—without real risks. These events combine specialist knowledge with a dose of adrenaline and competition. Maybe there's even a small reward for the winning team. Important: Participants also receive an evaluation and compact knowledge to take away, reinforcing learning outcomes. It's like a Jedi trial—afterwards, you know exactly your strengths and weaknesses. Read more: Cybersecurity – How to truly sensitize employees to risks through gamification (Part I) and (Part II).

Of course, awareness is not just about games. A comprehensive program relies on diverse methods: Regular brief e-learnings (microlearning), security tip posters in the office, phishing email tests, internal newsletters highlighting current threats, and perhaps even live hacking demos by experts showing how easily an insecure Wi-Fi network can be breached. The key is not to nag employees with warnings but to engage them positively. Explain why security is everyone’s responsibility: A successful attack could threaten business success (and thus jobs), or put personal data at risk. Employees are particularly motivated if parallels are drawn to private life: for example, recognizing phishing attempts impersonating their bank could save their vacation funds and prevent ruining their holiday.

Another aspect: involve management. When executives take security seriously and actively participate in training, this attitude spreads throughout the organization. Nothing undermines a security culture more than leadership ignoring rules ("Oh, just send me the login via WhatsApp, it’s okay."). Therefore, awareness programs must always be supported and communicated by top management.

In summary: The brightest candle against the dark side is education. Invest in your employees. They are the ones who must make critical decisions in crucial moments (like not clicking "Enable Content" when an Office macro warning pops up!). And with modern, creative training methods, security can even be enjoyable. The era of boring PowerPoint presentations is over; learning organizations rely on interactive, continuous education. As Yoda might say: "Childish the exercises may seem, yes. But master them you must if saving the galaxy you seek."

Your Next Step with Mr. 01 Analytics

Cybersecurity is not a one-time project but a continuous learning and development journey. Just as Jedi Knights constantly train to enhance their skills, IT professionals and organizations benefit from regularly engaging with new security methods and risk management strategies. However, there's no universal security strategy; every company, team, and individual starts from different goals, requirements, and risk levels.

At Mr. 01 Analytics, we understand that successful cybersecurity must always be tailored specifically to your needs. While some companies already have comprehensive IT security strategies and employ complex protective mechanisms, others are just beginning their cybersecurity journey. Whether you're looking to develop initial security guidelines, enhance your backup strategy, or launch a comprehensive awareness campaign, our strength lies in meeting you precisely where you currently are.

With customized learning plans, hands-on "coaching on the job," and security toolkits specifically adapted to your needs, we support you and your team in making your organization safer and consistently staying one step ahead of threats.

Interested?

• Fill out our contact form and outline your goals. We'll get back to you with a proposal.
  
• Subscribe to our newsletter to receive monthly learning insights and tool tips.
  

Together, we'll find the cybersecurity learning path perfectly aligned with your requirements, your business, and your current situation.

May the force of cybersecurity be with you!

Table of Contents

• Episode II – Attack of the Clones
• Automation as the Key to Efficiency
• Important Automation Technologies
  • Robotic Process Automation – The Digital Clone Troopers
  • Business Process Management and Workflow Automation
  • Process Mining – Transparency as a Prerequisite
  • Low-Code and No-Code Platforms – Empowering Business Users
  • Artificial Intelligence and Intelligent Automation
• Successful Automation Projects in Practice
• Tips for Further Training: Become an Automation Jedi
• Your Next Step with Mr. 01 Analytics

Episode II – Attack of the Clones

An army that disrupts the galaxy. Thousands of identical clone troopers fight side by side, perfectly coordinated and efficient under the leadership of the Jedi. This science-fiction metaphor translates surprisingly well to today's IT world: through automation, companies can create a digital "army" of helpers—software robots, scripts, and AI assistants—that, like clone troopers, execute tasks rapidly and at scale. The result? Significant efficiency gains and space for human employees to focus on strategic and creative tasks.

In the first part of this blog series (Episode I: The Beginning – The Power of IT Fundamentals), we discussed the importance of fundamentals—akin to Jedi training before heading into battle. Now, in Episode II, automation takes center stage. We explore how automation is practically implemented in companies, the technologies behind it, and the benefits it provides. Echoing “May the Force be with you,” here we say, “May efficiency be with you!”

Automation as the Key to Efficiency

Modern companies are under constant pressure to operate faster, more cost-effectively, and error-free. This is where automation comes into play. Similar to clone troopers handling repetitive tasks to relieve Jedi, digital automation can take over monotonous workloads from humans. Routine processes run automatically in the background, 24/7, with consistent quality and often significantly faster than manual processing.

The efficiency gains are tangible in numerous areas: tasks that once took hours or days are now completed in minutes or seconds. Error rates decrease since automated workflows strictly adhere to predefined rules. Employees can dedicate more time to valuable activities, such as solving complex problems, serving customers, or innovating new products. Instead of manually copying data from A to B (a task suited for droids), professionals can use their energy where human creativity and decision-making skills are needed.

Additionally, automation enhances company scalability. When workloads grow or peak periods arise, a digital workforce of software bots can be scaled almost indefinitely—as if ordering additional clone troopers from the Kamino factory. Another practical benefit is improved traceability and consistency. Every step is logged, and processes are uniformly executed, providing compliance advantages in regulated industries.

Important Automation Technologies

Automation isn't a single tool but a comprehensive arsenal of technologies, as diverse as the equipment of a Jedi temple. The market offers numerous general and specialized tools. Below, I provide a general overview of key approaches and tools companies use to automate their processes.

Robotic Process Automation – The Digital Clone Troopers

Robotic Process Automation (RPA) refers to the use of software robots that mimic human user actions. RPA bots click, type, and navigate through applications as if they were virtual employees. They are ideal for repetitive, rule-based tasks such as data entry, table reconciliation, or transferring information from emails into ERP systems. Popular RPA tools include UiPath, Blue Prism, and Automation Anywhere, enabling companies to configure bots with minimal programming effort.

Once created, automation tasks can be repeated and even run in parallel. Imagine having a personal army of clone troopers in the office tirelessly handling tasks 24/7. Additionally, manual errors common in repetitive tasks are reduced, provided the automation is correctly and sustainably implemented.

Therefore, it's crucial to understand the differences between "click bots" and "programmed bots," as they vary significantly in their programming and operational approaches.

• Click bots are typical RPA bots that imitate user actions like mouse movements, clicks, and keyboard inputs directly on the screen. They can interact with applications even without specific interfaces (APIs).
• Programmed bots, on the other hand, operate through direct programming, using scripts or API integrations. They perform tasks in the background, offering greater stability and flexibility as they use official interfaces and are less susceptible to changes in the user interface. However, developing such bots requires more technical expertise.

My personal conclusion: Both approaches have their place and can effectively automate frequently recurring tasks. The best option depends on the specific requirements and resources available. Here are two straightforward examples:

• If a one-time review and update of a master data list containing one million entries is needed, a click bot is a helpful choice. It can be created quickly and easily, and the likelihood of interface, parameters, or other conditions changing during the short period of use is virtually zero.
• If a service request process is being revised long-term, including automation that monitors the corresponding email inbox continuously and gathers additional information from various systems upon receiving a request, programmed bots are recommended due to their longevity and system integrations.

Business Process Management and Workflow Automation

Where RPA focuses on individual clicks and actions, Business Process Management (BPM) or workflow automation considers the broader process flow. This involves digitally mapping and controlling entire business processes—from handling vacation requests to approving purchase orders. Modern BPM suites (such as WebMethods, Camunda, Pega, or Appian) enable modeling processes, setting automatic rules, and coordinating interactions between people and software. A defined workflow system ensures the "ball" is automatically passed from one step to the next: forms are forwarded automatically, approvals obtained digitally, and any bottlenecks are instantly visible. Such end-to-end automation significantly boosts efficiency by eliminating media disruptions and manual handovers.

Process Mining – Transparency as a Prerequisite

Before automating processes, it's crucial to fully understand them—not just the defined target (TO-BE) processes, but the actual current (AS-IS) variants in practice. This is exactly where Process Mining comes into play, a technology that, much like a Jedi Master, visualizes the "flow of the Force" within processes. Tools like Celonis (market leader from Germany), Fluxicon Disco, SAP Signavio, or Microsoft Process Advisor analyze digital footprints (such as log files from IT systems). They reconstruct who performed what action, when, and at which process step. The result is an objective, visual representation of real processes, including loops, waiting times, and bottlenecks.

This allows for the identification of inefficient paths or bottlenecks—perfect starting points for automation. Therefore, Process Mining is often combined with RPA: it identifies the best automation candidates and measures subsequent success. For example, Deutsche Telekom discovered optimization potentials in procurement through Process Mining, achieving savings of over €66 million by preventing double payments and better utilizing discount opportunities. Such results highlight that transparency is the first step toward efficiency.

Recommended reading: 12+ case studies that drive home the power of process mining

Low-Code and No-Code Platforms – Empowering Business Users

Not every automation requires advanced programming skills. Low-Code and No-Code platforms empower even less technically skilled users to build automated solutions. With modular designs and graphical interfaces, business experts (so-called "Citizen Developers") can create apps or workflows without writing a single line of code. Examples of these platforms include Microsoft Power Automate, OutSystems, and Mendix.

For instance, HR staff can digitize the vacation request process: a form automatically triggers approvals, updates all relevant systems upon approval, and notifies the concerned employees via email—all without manual intervention.

Low-Code tools significantly speed up automation implementation and broaden the range of users who can develop digital solutions. It’s as if not only Jedi Masters but every capable Padawan could now use their own automation Jedi tricks.

Artificial Intelligence and Intelligent Automation

The ultimate discipline is the combination of Artificial Intelligence (AI) with automation, often termed Intelligent Automation or Hyperautomation. Here, the boundaries of rule-based systems are transcended: AI can recognize patterns, understand natural language, and make predictions.

In practice, this means, for example, an AI module can automatically read invoices or contracts (e.g., OCR and Document Understanding tools like ABBYY or UiPath Document Understanding), extract relevant information, and an RPA bot directly enters this data into the system. Alternatively, a chatbot (such as IBM Watson Assistant or Rasa) automatically answers customer queries via chat, forwarding only complex issues to human employees.

These intelligent assistants act like particularly smart clone troopers, learning from data, making simple decisions, and expanding the scope of automation to include unstructured tasks and data. Companies, for instance, equipping a call center with AI-driven bots can handle most standard inquiries 24/7, allowing human agents to focus on more complex issues.

Successful Automation Projects in Practice

Theory is good, but practice is better. Let's look at some case studies demonstrating how automation's power has driven significant business successes:

• Groundbreaking Efficiency at Danish Railways: Denmark's national railway significantly accelerated its service processes with RPA. For example, renewing youth railcards previously took up to two weeks; now, a software robot completes the process in just four days without hiring additional staff. In customer service, DSB now handles tens of thousands of inquiries automatically. In 2019 alone, software bots managed over 180,000 cases, saving about 12 person-years of work, now allocated to more value-adding tasks. Customer satisfaction also rose due to faster issue resolution. Recommended reading: DSB on Track to RPA Success with UiPath Center
• Order-to-Cash Automation at a Fortune-500 Company: A global leader in data storage faced fluctuating order volumes, particularly overwhelming at quarter-ends. Intelligent document processing combined with RPA provided the solution. Using Automation Anywhere’s Document Automation, the company structured chaotic order data and automated about 20% of its order-to-cash process within five weeks. Achieving a 75% straight-through processing rate, eight full-time employees were reassigned to more valuable tasks, saving USD 350,000 within three months. The system is also scalable, easily adding more "bot clone troopers" during demand spikes. Recommended reading: Cognitive Automation - Fortune-500 Company Brings Structure to Unstructured Data
• Intelligent Assistance in Customer Service: Automation success also appears in banking. Bank of America implemented the Erica chatbot, a virtual AI assistant assisting customers with transfers, balance inquiries, or financial questions. Millions of customers used Erica, successfully conducting over 100 million interactions within a few years (according to internal reports). The bank not only reduced support costs but also enhanced service quality—customers now receive instant responses 24/7, similar to asking R2-D2 for advice anytime. Erica’s success inspired many financial institutions to invest in "Conversational AI" to enhance their customer service capabilities. Recommended reading: AI Adoption by BofA’s Global Workforce Improves Productivity, Client Service

Unlike Star Wars, these examples are not science fiction but reality. They illustrate that automation leads to significant improvements across various sectors, from transportation and high-tech to finance. The key is always selecting the right processes (Process Mining helps identify real process understanding!) and applying the appropriate technologies. This unleashes full potential, allowing human and software teams to collaborate harmoniously.

Tips for Further Training: Become an Automation Jedi

Automation offers enormous opportunities, and those who master these technologies become highly sought-after specialists. Fortunately, numerous options exist today for acquiring the necessary skills, often even free of charge:

• Utilize Vendor Academies: Many leading providers offer comprehensive online training. For example, UiPath provides the world's first free RPA learning platform, the UiPath Academy, offering courses from basic to advanced modules. Similarly, there's the Automation Anywhere University, Blue Prism University, and Celonis Academy for Process Mining. These platforms are ideal for gaining practical skills in specific tools.
  
• Online Courses and MOOCs: Platforms like Coursera, Udemy, or LinkedIn Learning offer numerous automation-related courses, ranging from introductory RPA courses to specializations. For instance, Coursera provides a multi-part Robotic Process Automation Specialization in collaboration with UiPath. Such courses enable learners to study basics at their own pace and gain practical experience through projects. Universities also increasingly offer open online courses in areas such as Process Mining and AI.
  
• Additionally, there are various industry-specific training programs (usually not free) tailored to specific professional use-cases. For instance, the Frankfurt School of Finance & Management offers specialized modules in Business Process Mining and Artificial Intelligence within their Audit Data Scientist program, catering to compliance, auditing, and risk management professionals.
  
• Pursue Certifications: Certificates officially validate automation expertise (the personal "Force"). Leading providers offer internationally recognized certification programs (often not free). Examples include the Microsoft Certified Power Platform Fundamentals exam, confirming foundational knowledge in Power Automate, Power Apps, and Power BI. UiPath offers the multi-level UiPath Certified Professional program, including the "Advanced RPA Developer (UiARD)." Automation Anywhere and Blue Prism also offer tiered certifications for developers. Such certifications indicate professional-level automation expertise, promoting quality and stability in enterprise automation projects.
  
• Community & Practical Experience: Beyond formal courses, newcomers learn significantly through practice. Many tool providers offer free trial or community editions. It’s beneficial to experiment with small automation projects within your work environment or as practice: learning by doing! Additionally, active communities and forums (e.g., the UiPath Forum, Stack Overflow for scripting queries) exist for asking questions and learning from others' experiences. Common beginner questions and typical errors are often already resolved in these forums, enabling quick solutions.
  

Your Next Step with Mr. 01 Analytics

Automation is not a one-time project, but a continuous learning and development process. Just as Jedi regularly train to enhance their skills, IT professionals benefit from consistently familiarizing themselves with new automation technologies and methods. However, there is no universal curriculum for this journey—every company, team, and individual begins from a unique starting point, with different goals and prerequisites.

At Mr. 01 Analytics, we understand from experience that successful automation must always be customized. While some companies already utilize complex AI and RPA solutions, others are just beginning their automation journey. Whether your goal is anomaly detection, report automation, or establishing a self-service platform, our strength is meeting you exactly where you are.

With personalized learning plans, practical "coaching on the job," and tailored toolkits, we support you and your team in fully harnessing the power of automation.

Interested?

• Fill out our contact form and outline your goals. We’ll get back to you with a proposal.
  
• Subscribe to our newsletter to receive monthly learning insights and tool tips.
  

Together, we'll find the ideal learning and automation path tailored to your tasks, pace, and business model.

May the Force of Automation be with you!

“A long time ago, in a galaxy far, far away…”

This is not only how the epic Star Wars saga begins but also marks my personal journey back to writing. After dedicating myself to other topics for some time, I recently rediscovered the joy of writing. It helps me organize my thoughts and explore topics more deeply.

In the coming days, I'll be exploring the "Power of Learning." In anticipation of the upcoming Star Wars Day on May 4th ("May the force/4th be with you"), I'm participating in a countdown, starting with this post focusing on the "Power of Fundamentals."

On these pages, you will find additional downloadable checklists as well as instructions for configuring data backups on Microsoft Windows, Windows Server, and Apple macOS. In addition to detailed step-by-step explanations for setting up secure backup processes, you will also receive practical tips for the long-term maintenance of your backup strategies. The content is regularly supplemented and updated so that you always stay informed about the latest developments in the field of data backup and IT security. As a result, you can not only deepen the fundamentals described in the book but also put them directly into practice.

Work Aids and Templates

In the book, we provide illustrative work aids and templates in Chapter 8. These examples not only serve as demonstrations but can also be used as a reference when creating your own checklists and guidelines.

You can download these sample guidelines here as a PDF. We have also included references to the relevant sections in the book.

(see Sec. 8.1; for more details: Sec. 5.9)

(see Sec. 8.2; for more details: Sec. 4.1.1)

(see Sec. 8.3; for more details: Sec. 4.1.2)

(see Sec. 8.4; for more details: Sec. 4.1.3)

(see Sec. 8.5; for more details: Sec. 4.2.1)

(see Sec. 8.6; for more details: Sec. 4.2.2)

(see Sec. 8.7; for more details: Sec. 4.2.3)

(see Sec. 8.8; for more details: Sec. 4.3)

(see Sec. 8.9; for more details: Sec. 4.4)

Bibliography and Sources

Since we refer to online sources with lengthy hyperlinks in this book, we would like to offer you the possibility to click these links via a collection rather than having to type them out. You can download this link collection here: Bibliography and Sources

Step-by-Step Instructions for Setting Up Backup Processes

After learning from our book about the purpose and importance of data backup, how diverse the associated risks can be, and how to develop a solid backup concept, we now want to focus specifically on implementing these backups. To help you with that, we are providing an earlier guide Data Backup Made Easy.

About the Authors

	Vanessa Chamera earned her Master’s degree in Economic Policy Consulting (M.Sc.) at Ruhr University Bochum, then gained professional experience in the field of IT security. In addition to her work in digital forensics, she specialized in analyzing information security measures for risk prevention.
	Martin Bodenstein holds a degree in Computer Science (univ.), an MBA, and has a military background, making him an expert in high-security requirements. Building on many years of forensic expertise, he focuses on the continuous further development and professional hardening of security profiles to achieve “Forensic Readiness.”
	Patrick Müller, who holds a degree in Business Information Systems, is an expert in forensic data analysis and has made significant contributions to optimizing analysis methods in leading consulting and industrial companies. As a lecturer, he focuses on forensic data analysis, audit data science, and visual analytics. His ethos, shaped by forensic precision, aims to provide companies with transformative insights while preventing damage. His credo in this regard: “No Data, No Party.”

Further Reading Recommendation

Lessons from the CrowdStrike Incident – A Commentary

➛

Read More

In the current Information Age, data is far more than just neutral carriers of information for companies. They form the heart of strategic decision-making processes, represent a crucial competitive advantage, and often form the core of an entire business model. It is an irony of our time that despite their central importance, data loss—whether due to technical mishaps, human error, or malicious attacks—remains a real and often underestimated threat. The consequences can be devastating, ranging from loss of reputation to significant financial damage.

With this book, you will gain a profound and comprehensive introduction to the multifaceted field of data backup. It not only sheds light on the diverse categories of risks to which data is exposed daily but also underscores the fundamental importance of data backup in the overall context of IT security. It demonstrates that protective measures must go far beyond reactive backup solutions. This includes protection against technical failures, safeguarding against unauthorized access, and implementing robust security protocols.

Effective data backup extends far beyond mere precautionary measures. The book conveys that a strategic approach is necessary, combining preventive, detective, and reactive safeguards. These strategies must be tailored to the specific risks and requirements of a company. The importance of correct implementations and regular verification of backup systems is particularly emphasized, as many issues originate precisely in these areas.

This well-founded work is rounded out by a collection of practical tools, including helpful resources and templates, which are also available online. Thus, this book is not merely a reference work but a comprehensive guide—indispensable for any company that not only recognizes the value of its data in a digital world but also knows how to protect it. 

Overview of the Contents

In this book, we guide you through the essential areas of data backup, from threats to practical protection strategies. With concrete practical examples, tips, and guidelines, we support you in effectively protecting your data. Whether you are a beginner or already an expert, this book serves as your guide in the world of data backup. We also provide insight into IT security as a complement to data backup.
Let’s get started!

Data Diversity, Loss Costs, and Retention Obligations:
In Chapter 2, we focus on data diversity, loss costs, and potential retention requirements. In the digital era, data forms the backbone of companies. They can be categorized in various ways and must be recognized and protected. Data loss can lead to financial setbacks and damage a company’s reputation. In addition, depending on location, industry, and type of data, there are legal retention requirements. Therefore, solid data handling and backup are indispensable for every company.

Causes of Data Loss:
In Chapter 3, we delve into the causes of data loss. These can arise from various risk categories, including technical, spatial, and operational hazards. Mobile devices, in particular, are vulnerable to physical damage and theft. A lack of technological knowledge can lead to misunderstandings about data storage. Internet crime, a growing threat, exploits both technical vulnerabilities and operational shortcomings for its attacks. In this chapter, we examine these threats in detail and illustrate them with practical examples.

IT Security as a Complement to Data Backup:
To avoid creating a false impression, we would like to emphasize at this point that although data backup is essential, other measures are required to prevent data loss. In Chapter 4, we focus on IT security as a complementary element to data backup. In this section, we examine the organizational and technological points of vulnerability in IT security and present the various categories of protective measures. IT security aims to safeguard digital data, encompassing all measures designed to protect IT systems from failures and unauthorized access. Consequently, it also plays a pivotal role in protecting backup data. Given the importance of unaltered data, especially in forensic investigations, the significance of information security within a comprehensive security approach is also discussed. The chapter concludes with practical case studies.

Developing a Data Backup Strategy:
In today’s digital era, data backup is essential for ensuring data integrity and avoiding data loss. To create a data backup strategy, Chapter 5 starts by contrasting reactive and preventive backup procedures. A well-thought-out strategy requires categorizing data, selecting suitable backup methods, and choosing the right storage location. The 3-2-1 principle, in which three versions of data are stored on two different media and one copy is kept off-site, takes center stage. Both contemporary solutions such as cloud backups and traditional procedures are explored. A well-developed contingency plan completes this approach. The chapter concludes by highlighting the importance of regular reviews and adjustments of the backup strategy and introduces a comprehensive guide to strategy development.

Implementing a Data Backup Strategy:
Chapter 3 discusses the threats to data, including cybercrime, while Chapter 5 demonstrates how to counter these threats with a carefully developed data backup plan. In Chapter 6, we link theoretical considerations with hands-on solutions for implementing the developed data backup strategy and establishing a solid backup concept. We highlight that difficulties often arise from incomplete strategies or inadequate implementations. Therefore, special emphasis is placed on the technical design of the backup infrastructure and the organizational framework of the backup concept.

Implementing the Backup Concept:
In Chapter 7, the implementation of the backup concept takes center stage. The chapter begins by discussing configuration, focusing on the correct setup of backups. The “control” section emphasizes the importance of regularly checking backups. After a data loss, restoring data or systems is possible by rolling back to backups. The reliability of backups is confirmed through repeated recovery tests. In cases of larger-scale failures, a complete system restart may be considered. The closing section of this chapter delves into the built-in tools of various operating systems and cloud services.

Work Aids and Templates:
In Chapter 8, we provide you with work aids and templates. These exemplary checklists and guidelines can also be downloaded as a PDF. Because we reference online sources with longer hyperlinks in this book, we want to give you the opportunity to click on these links from a link collection rather than having to manually type them in. This link collection can also be downloaded.

Chapter and Topic Overview:

About the Authors

	Vanessa Chamera completed her Master’s degree in Economic Policy Consulting (M.Sc.) at Ruhr University Bochum and subsequently gained professional experience in the field of IT security. In addition to her work in Digital Forensics, she specialized in analyzing information security measures for risk prevention.
	Martin Bodenstein is a graduate computer scientist (univ.), MBA with a military background, and an expert in high-security requirements. Building on many years of forensic expertise, he focuses on the continuous further development and professional hardening of security profiles to achieve “Forensic Readiness.”
	Patrick Müller, a graduate in Business Information Systems, is an expert in forensic data analysis and has significantly contributed to optimizing analysis methods in leading consulting and industrial companies. As a lecturer, he specializes in Forensic Data Analysis, Audit Data Science, and Visual Analytics. Guided by forensic precision, his aim is to provide companies with transformative insights while preventing potential damage. His credo in this context: “No Data, No Party.”

Interested?

Our book offers a comprehensive introduction to the world of data backup, covering the essential areas—from threats to practical protection strategies. In the digital era, data form the backbone and competitive advantage of companies, and data losses can cause significant damage. There are various risk categories for data loss, including technical and operational hazards. Our book addresses measures that protect IT systems from failures and unauthorized access and demonstrates the importance of data backup. It takes into account preventive, detective, and reactive safeguards and presents an individualized, risk-based strategy. The book provides practical guidance, including checklists and templates available online. It serves as a guide for businesses to effectively and efficiently protect their data, enhance IT and cybersecurity, and acknowledge the value of their data from a risk-based perspective.

➡️ Visit Springer (free access from corporate networks with Springer corporate licenses). 
➡️ Visit Amazon.

Further Reading Recommendation:

When the Cloud Starts Burning

➛

Read More

Despite the digital boom, there is still a lack of budget for enhanced IT security

➛

Read More

Backups as the Last Bastion

On July 19, 2024, businesses worldwide were brought to a standstill due to a faulty update from the software company CrowdStrike.

Although companies today implement comprehensive IT security measures, even the best firewalls and antivirus programs, along with organizational processes in the background, are not infallible. Human error and technical failures can never be completely ruled out. In such cases, a well-planned backup strategy can be the last line of defense.

The incident on July 19, 2024, when a faulty update from CrowdStrike caused widespread outages, painfully reminded us of the importance of a solid backup strategy. Companies with reliable backups were able to restore their systems to the state before the update and quickly resume operations. However, many companies still underestimate the importance of regular backups and effective disaster recovery plans.

A Security Update with Catastrophic Consequences

CrowdStrike is a leading software company that provides IT security solutions across industries, aiming to minimize the risk of outages and protect IT systems from threats. However, a faulty update to their protection software "CrowdStrike Falcon"[1] led to millions of computers worldwide being incapacitated. The update caused a “Blue Screen of Death” (BSOD) on numerous Windows systems, resulting in temporary shutdowns for many businesses, including critical infrastructures such as airports and hospitals.

A faulty file, released in the early morning hours of July 19, 2024, and deployed into IT systems, was responsible for the chaos. Affected systems had to be manually reset to resume operations. Companies without current backups were forced to resort to time-consuming workarounds, significantly delaying the restoration of normal operations. The financial and reputational damage was immense.

Similar Incidents from the Past

The CrowdStrike incident is not the first of its kind where IT systems were massively affected by software issues or cyberattacks. A look at similar incidents underscores the importance of being prepared for such eventualities:

• Microsoft Exchange Outage (March 2021): A faulty patch[2] led to massive outages in email systems worldwide. Companies that were well-prepared and had up-to-date backups were able to restore their systems quickly and minimize downtime. This incident again highlights how critical backup and recovery plans are to maintain operations.
  
• SolarWinds Hack (December 2020): A cyberattack delivered via a SolarWinds software update led to widespread security incidents. Many companies and government agencies were affected, showing that even trusted software providers can pose risks. Once again, backups were often the last line of defense to restore systems and prevent further damage.
  
• GitLab Data Loss (2017): GitLab suffered a massive data loss, exacerbated by a failed backup. This event illustrates that even professional providers can make mistakes, underscoring the importance of carefully planned and regularly tested backup strategies.
  

Backups as an Essential Security Measure

The CrowdStrike incident clearly shows that regular updates and professional patch management are important, but not enough. Even the best measures can fail, and in such cases, backups are the last line of defense. A comprehensive disaster recovery plan that includes regular and tested backups is essential to quickly restore operations after an incident.

Disaster Recovery Plans: Quick Response in Crisis Situations

Disaster recovery plans are crucial to minimize the impact of an IT outage. These plans describe the processes and responsibilities for restoring critical systems and data. A key component of these plans is regular simulated crisis exercises to ensure that all stakeholders know how to act in an emergency.

A well-maintained backup is the simplest way to recover lost data or restore broken systems. Depending on a company's risk assessment and resources, a backup strategy can range from simple data backups to redundant IT infrastructures that can be quickly activated in the event of an emergency. Companies should choose between "cold," "warm," and "hot" backup environments according to the criticality and availability requirements.

A cold environment covers the basic infrastructure to resume operations, but recovery time may be longer. A warm environment includes pre-installed systems, while a hot environment offers nearly everything needed to quickly resume business operations. When deciding which environment makes sense, risks and costs must be weighed.

Prevention through the Right Backup Strategy

In today's dynamic cyber world, it is crucial that companies regularly review and adjust their backup strategies. A thoughtful backup strategy begins with identifying critical data and selecting appropriate storage media. It is equally important to align the backup cycle with system changes and ensure that backups themselves are protected by IT security measures. Regular tests of backup routines are essential to ensure they function smoothly in an emergency.

The CrowdStrike incident shows that even with carefully planned updates, unforeseen problems can arise. Therefore, every backup strategy should be designed to allow a quick rollback to a functional previous version in case an update fails.

Lessons Learned and Recommendations

In Germany and Europe, this incident has fueled the discussion on cybersecurity and corporate responsibility, especially regarding new EU regulations like the NIS2 Directive, which will significantly tighten IT security requirements. Companies must now ensure that their systems are robust and that security measures are regularly reviewed and adjusted.

CrowdStrike has learned from the incident and announced that future updates will be rolled out in phases to improve error control and minimize the scope of such outages. The German Federal Office for Information Security (BSI) has also called on software providers to ensure that systems can start in a safe mode in the event of critical errors.

The following recommendations can be derived for companies:

• Test Environment: Updates should be tested in a protected, isolated offline environment ("sandbox") to detect potential issues early.
  
• Avoid Automated Updates: Instead of allowing automated updates, they should be manually reviewed and applied under controlled conditions.
  
• Rollback Strategies: It is important to test prepared rollback strategies and quickly implement them in case of problems.
  
• Staggered Updates: Updates should be staggered across different systems to minimize the risk of widespread outages.
  

In conclusion, backups encompass far more than just data storage. They are an essential part of a comprehensive IT security concept that includes disaster recovery plans, IT security measures following recognized standards, and, in some cases, even redundant IT infrastructures.

Sources and Further Reading:

[1] CrowdStrike Falcon is an Endpoint Detection and Response (EDR) software used to defend against cyber threats on endpoints (PCs, laptops, tablets, smartphones, servers). This EDR software monitors and analyzes endpoint behavior to detect potentially suspicious activities. In the event of anomalies, automated responses such as isolating the affected device can be triggered.

[2] A "patch" is a software update that fixes bugs or closes security gaps, making the software more secure and stable.

More details on prevention strategies, disaster recovery plans, data backup strategies, work aids, and templates can be found in our book: 

Data Backup as Part of IT and Cybersecurity

➛

Read More

About the Co-Authors

Vanessa Chamera completed her Master's in Economic Policy Consulting (M.Sc.) at Ruhr University Bochum and gained professional experience in IT security. In addition to her work in Digital Forensics, she specialized in analyzing information security measures for risk prevention.
➡️LinkedIn

Martin Bodenstein holds a degree in Computer Science (Dipl.-Inf.) and an MBA, with professional experience in IT service, security, and project management. With forensic expertise as a foundation, the core of his knowledge lies in the continuous development and professional hardening of information security measures.
➡️LinkedIn

The Trap: A German Account to Pretend Security.

Advancing digitalization brings us not only comfort and efficiency but also unfortunately opens the doors for cybercriminals who are constantly improving their tactics. Bank accounts can be opened online, and a sophisticated online video identification process ensures that it is indeed the person and not a so-called deep fake.

To trick this system, fraudsters have devised a devious method: they post fake job offers. The task is to go through the account opening process and then provide feedback.

The deceived applicants are asked to provide their personal data for personnel purposes. With this data, the fraudsters open the accounts and send the supposed testers the validation links. Believing they are participating in a test run, the victim-employees unknowingly confirm their data, leading to a real account opening.

The worrying aspect of this method is that the victims do not even realize they have been scammed. Only when unexpected financial activities or even legal problems arise does the extent of the fraud become apparent.

These practices are extremely dangerous for the victims because, in many cases, the victims are liable for the fraudulent transactions made from their accounts. In some cases, it can even lead to criminal consequences.

It is important that we all remain vigilant and take precautions to protect ourselves and our companies from such scams. The benefits of digitalization should not be overshadowed by its rare downsides.

How can we prevent the above scenario?

• Companies should revise their training materials to highlight "foreign accounts" as a warning signal.
  
• As individuals, we must be alert when copies of our ID or passport are required/made. This could be by employers, insurance companies, hotels, for rental cars/mobile phones, etc.
  
• The BaFin should review the guidelines for online identification and, for example, include notes on the exclusion of test and quality purposes.
  
• What to do if deceived?
  
• Contact the police for further assistance.
  
• Request a self-disclosure from Schufa to see what reportable activities have been carried out in your name. This may also be advisable without any specific reason.
  

Further Reading Recommendation:

CEO Fraud Blog - Your guide in the fight against the sophisticated 'Grandparent Scam for Companies.'

➛

To the CEO Fraud Blog

Yesterday, I had the opportunity to switch roles from being a fraud fighter and gain insights at my bank's customer event.

The event provided insights into attack vectors and defense strategies in the banking sector. I learned that there is a significant overlap between the preventive measures against hacker attacks on banks and their clients, and the measures to prevent CEO Fraud, which is currently my main focus.

The core of the attacks in both cases revolves around identity theft, leading to similar preventive measures.

Some security tips for online banking:

For emails:

• Check the sender and links to detect fake sources.
  
• Don't be pressured by time. Urgency is a warning signal! Banks plan for customer vacations and absences when contacting them.
  
• Do not respond to emails or click links. Always access the relevant online portal through your known source. If any action is required, you will usually be prompted after logging in.
  

For websites:

URLs in phishing emails are often deceptively fake and checking them can be time-consuming. So:

• Bookmark URLs for online banking.
  
• Ensure the URL uses an encrypted HTTPS connection. Unencrypted HTTP without the 'S' is not enough.
  
• Always use your browser's bookmarked link for banking, not the link in the email.
  

For login credentials:

• Never reuse passwords.
  
• Use strong passwords. Length is more important than complexity.
  
• If using many long and complex passwords, consider a password manager like NordPass.
  
• Always enable two-factor authentication.
  

Trust is good, verification is better!

• Actively search for your data online.
  
• Password managers like NordPass can also scan stored data.
  
• Additionally, check data leak databases like Have I Been Pwned or Leakchecker by University of Bonn for your data.

My conclusion:

• Bank fraudsters are just as lazy as CEO fraudsters and won’t exert more effort than necessary!
  
• Simple measures address multiple attack vectors.
  
• The information from corporate IT security trainings can also be applied in personal life. The bank tips for individuals can also be transferred to your daily work in the company or other systems. -> Win-win!

Further reading:

Fraudsters only jump as high as they need to!

➛

Read More

CEO Fraud Blog - Your guide to combating the sophisticated "grandparent scam for businesses".

➛

Go to CEO Fraud Blog

I wonder, is it primarily about defining every incident perfectly when it comes to preventing these cases? In other words, is it essential for raising employee awareness whether the uncovered fraud case of Martin Meng at konfidal is identity theft or just the presentation of false information?

In my opinion, it’s much more important that employees are well-informed about the considerable criminal effort that goes into these deceptions and are educated on the scenarios currently circulating.

(Editorial note: Permission to reprint has been granted.)

But raising awareness of red flags alone is not enough.

The people who process hundreds of transactions daily also need support in verifying authenticity.

We know two-factor authentication (2FA) from passwords as a security method where two different and independent components are required to confirm a person’s identity.

In the Purchase to Pay procurement process, this can be easily applied to verifying the existence of suppliers, purchase orders, or recorded goods receipts during the invoice entry process.

But what about invoices without purchase orders?
Process guidelines often prohibit such transactions, but in reality, there are many reasons and exceptions. And it’s precisely these exceptions that fraudsters exploit.

Therefore, for such cases, similar to two-factor authentication, consideration should be given to what measures can be implemented to ensure the integrity of senders or payment recipients.

A relatively simple verification step: checking the bank account details.
For example, just look it up on the respective authority’s website or ask the known contact at the business partner’s office.

Is that enough? Certainly not!
What exactly is needed should be individually defined for each company or department. But it doesn’t always have to be complicated or elaborate; it should be practical.

Currently, I am deeply involved with CEO fraud, a scam that involves identity theft. While considering prevention measures, I keep noticing that these verification methods also protect against other types of fraud, regardless of whether the "boss" calls or the tax office writes.

Further reading recommendation:

If you're interested, feel free to check out the CEO Fraud Blog.

CEO Fraud Blog – Your guide in the fight against the sophisticated "Grandparent Scam for Companies".

➛

Go to CEO Fraud Blog

Yesterday, I had the exciting opportunity to participate in the AEB getConnected event and contribute to the TMS workshop. As a digital enthusiast, the opening keynote brought a smile to my face. Johannes Klingebiel answered the question, "What is a hype, and how do I recognize it?" Naturally, his talk focused on AI, blockchain, and other emerging technologies. His zine titled "Guide to Hype" is also worth a read in this context.

From Keynote to Workshop

The task in the workshop was to develop solution approaches for TMS and create a prototype for a control tower. This tower would serve as a central hub for organizing and managing transport processes. The phrase "No Data, No Party" emphasizes the need to improve access to relevant data to make transport management effective. A well-functioning control tower allows companies to integrate all data streams and receive real-time information on transport status, route planning, freight costs, and other details and parameters. Problems and bottlenecks become transparent, enabling us to intervene. Only with this information can we kick off the party of optimal transport management and ensure that all guests enjoy it.

My Pitch

In a brief pitch, I outlined a possible IT architecture. My suggestion was a decentralized service-oriented architecture (SOA). The idea behind this is to create the necessary data transparency that TMS and other departments, such as procurement, sales, warehouse management, and foreign trade, require.

Focus on Methods and Interaction

"Everyone kind of knew what a control tower for logistics processes is, but how to approach it?" This question occupied the 14 of us participants. We ultimately chose two methods:

• Troika for getting to know each other and working out the problem, and 
• Design Studio for visualizing the task and ultimately solving the problem. 
  

My Conclusion

It was inspiring to hear and learn from the experiences and strategies of logistics practitioners. The insights and exchanges with professionals from various companies broadened my horizons and helped me develop new perspectives. Regarding the much-needed data foundation for a control tower: No Data, No Party!

Takeaway

Inspiring conversations, new connections, and a self-printed pencil case. 

You will learn how typical attacks unfold, which variants exist, how to spot warning signs across email, phone and messenger, which public and internal information attackers exploit, and which processes, controls and trainings your company should implement now. Practical. Compact. Actionable.

I work at the intersection of forensic analytics, cybersecurity and prevention. The examples come from projects and trainings with Finance, Procurement, IT and Internal Audit. The goal is a clear plan that works in day-to-day operations without shortcuts. We also look at how data analytics and anomaly detection can help and where real-time approaches have limits.

CEO fraud is not a single scam

There are several similar schemes that aim to cause financial damage in a comparable way, e.g. advance-fee, invoice, order, investment or rental fraud.

In general these are forms of identity theft, where criminals steal the identity of a person or a company to prepare and execute fraudulent activities.

Related cybercrime offenses often appear alongside, such as social engineering and phishing.

Variants of CEO fraud

In practice several patterns recur. The most common variants at a glance:

• Internal fictitious deals: requests to transfer funds for alleged acquisitions, major contracts or purchases such as patents, real estate or machinery.
• Refunds of alleged overpayments: demands to reimburse a supposed duplicate or excessive customer payment.
• Urgent intercompany payments: references to emergencies or liquidity gaps within the group, often backed by plausible-looking documents.
• Abuse of external partners: names of real customers, suppliers or service providers are used to request goods, data or payments in ongoing or newly constructed processes.
• Deposits and prepayments: requests for upfront payments for supposed large orders or “expedite fees”.
• Fake orders: fictitious purchase orders with real contacts and convincing paperwork to obtain goods or money.
• Change of bank details: prompts to update account information for suppliers or customers to reroute payments to a new IBAN.
• Pretending to be an authority: letters demanding payment of taxes, fees or supposed fines.

In short: CEO fraud is identity theft in many guises and touches Finance, Procurement, master data, HR, IT and Management.

The typical CEO fraud flow

1. Research and preparation: attackers collect open information about the company, roles, processes and contact paths. Sources include website, social media, registers, press, out-of-office notes and visible email patterns.
2. Contact via email, phone or messenger: personalized messages to Finance, Procurement or management follow. Senders appear legitimate, often using look-alike domains or display names. Calls frequently support written communication.
3. Manipulation: urgency and secrecy are used to block questions. Fake documents, alleged contracts or PO numbers increase credibility. Requests aim at bypassing controls and forcing quick decisions.
4. Payment approval or master-data change: transfers to new accounts, splitting into partial payments or changing supplier IBANs are requested. Second-channel confirmations are actively avoided.
5. Cover-up: funds move to foreign or mule accounts, are forwarded and withdrawn. Traces are deleted, communication stops.

Prevention measures

Attackers only jump as high as they must. Raise the bar.

• Secure processes: four-eyes principle and out-of-band approval from defined thresholds. No exceptions without written documentation.
• Protect master data: change bank details only after a call-back using known numbers from the ERP. First payment after a new IBAN with a 24-hour hold and an extra approval.
• Enable email security: enforce SPF, DKIM and DMARC. Mark external senders. Show the full sender. Scan attachments in a safe environment.
• Limit public information: do not publicly announce executive absences. Publish direct dials, org charts and role profiles only where necessary.
• Detect anomalies: continuously monitor payments and master-data changes. Flag unusual amounts, new beneficiaries, payments shortly after IBAN changes and atypical times.
• Train and test: regular awareness training for Management, Finance, Procurement, IT and master-data teams. Quarterly phishing and social-engineering tests with feedback.
• Leadership by example: no shortcuts on approvals. If leaders bypass controls, identical behavior by attackers looks credible.
• Communication and playbook: inform internally about current scams. Clear steps on suspicion: stop payment, second-channel call, bank, preserve evidence, involve forensics.

Further resources: CEO Fraud Blog

CEO Fraud Blog – your guide in the fight against the sophisticated “grandparent scam for companies”.

➛

Go to the CEO Fraud Blog

The rapid increase in digital communication offers businesses new opportunities, but it also presents significant risks. One of the most dangerous threats is CEO fraud, where fraudsters pose as executives to obtain confidential information or money. At the recent security conference hosted by the Federal Office for Information Security (BSI), essential fraud prevention measures were discussed.

In the following, I would like to share my own work assignment after 2 days at the 2023 BSI Security Conference … along with my initial findings!

As we increasingly communicate digitally, we must rely on messages, links & files. However, the flood of messages opens the door to scams.

In terms of fraud prevention, I took three key points away from the event:

1. Two-Factor Authentication (2FA): An additional layer of security beyond the password, using one-time codes or biometric features to protect user accounts.
   
2. Digital Signatures: These verify the authenticity of emails and documents, minimize manipulation risks, and increase integrity and credibility.
   
3. Continuous Scanning for Stolen Credentials: Regular checks of public databases for your data to detect security breaches early and take appropriate action.
   

DEEP DIVES:

Two-Factor Authentication (2FA)

Two-factor authentication (2FA) is essential for increasing the security of online and user accounts. Alongside user IDs & passwords, a second channel is used, such as one-time codes or digital/biometric features.

"Time-Based One-Time Password" (TOTP) is a method used to generate time-limited one-time passwords and is commonly used in authentication apps.

My Findings:

• For some of my personal accounts, I can't activate 2FA or find the option. I've reached out to support… waiting for a response.
  
• For all business accounts, I was able to activate 2FA or define it as a company standard.
  
• Where 2FA is available, SMS/call & TOTP methods are offered. I prefer the latter.
  

Authentication Apps:

• Google Authenticator
  
• Microsoft Authenticator
  
• Authy
  
• LastPass Authenticator
  

Further Information:

• Explainer Video on "Time-Based One-Time Password"
• FIDO 2 Authentication Standard by the FIDO Alliance
• Explainer Video on "FIDO Enterprise"

Digital Signatures

Digital signatures on emails allow the authenticity of senders to be verified & manipulation to be detected. As a result, using them can increase integrity & credibility while reducing the risk of fraud, hacking, or phishing.

The same applies to PDFs, as digital signatures can confirm the content's authenticity.

However, this only works if digital signatures are always used, so their absence is unusual.

My Experience:

• During my studies and previous jobs, I used both as a user. It was easy and straightforward.
  
• Privately and in my own companies, I haven't yet used digital signatures. I currently lack a certificate provider.
  
• I'm now looking into it and will review the options in the coming days. My current shortlist of providers is below.

My Current Shortlist of Mail & PDF Certificate Providers for Further Review:

• GlobalSign
• DigiCert
• Sectigo
• Comodoca

Continuous Scanning for Stolen Credentials

A "breach scanner" searches for potential data or security breaches. Public databases and published information are checked for your data, helping to detect security issues early & take protective measures, such as changing passwords or email addresses.

My Usage:

• My email addresses are checked by my password manager NordPass.
• I’ve registered my domains for a full check with Have I Been Pwned.
  
• One system email address was flagged and has now been replaced.
• Another check option is offered by the Leakchecker by the University of Bonn.
  

Further Information on the 19th German IT Security Congress 2023 – "Digital Security in a Sustainable Future":

Further Reading Recommendation:

CEO Fraud Blog – Your Guide in the Fight Against the Sophisticated "Grandparent Scam for Companies."

➛

Go to CEO Fraud Blog

In my last ➡️ post on CEO Fraud, I discussed the various forms of identity theft and fraud within companies.

When fraudsters succeed, the transfer is made, and the money leaves the company. Now the question arises: what about tracking or reversing the transaction?

Let's look at the variations of the recipients

In the past, unsuspecting victims were typically instructed to transfer the money to foreign bank accounts. Due to existing reporting requirements and awareness, these attacks were often uncovered in time.

As a result, newer variations have emerged, where the money is to be transferred to a domestic or intra-EU bank account. For these accounts, different scenarios exist:

• The account was created with a fake identity.
  
• An account was opened in the name of a real person who is an unwitting or deceived victim of the fraud.
  
• The account belongs to a real person, and the fraudsters gained access to it through other fraudulent activities.
  
• The account belongs to a real person with no access by the fraudsters, who unknowingly acts as a money mule.
  

What do these variations have in common?

An intermediary bank account is used between the company’s account and the fraudster’s account. By the time the company realizes the fraud, the money is no longer in the account of the additional victim but has already been forwarded, often in small amounts, to foreign accounts. Tracking or recovering the money is almost impossible.

New and future scenarios

New and future scenarios are expected, as fraudsters will continue to need bank accounts to carry out their schemes. Unfortunately, we are witnessing a form of fraud industrialization, with criminals specializing in providing bank accounts for fraudulent purposes.

In a particularly alarming variation, victims unknowingly do all the work themselves. They are tricked into believing that they are testing video identification services for banks as part of their new employment. In reality, they are unknowingly verifying numerous bank accounts in their own name.

Further Reading:

CEO Fraud Blog - Your Guide to Combating the Sophisticated 'Grandparent Scam for Businesses'.

➛

To the CEO Fraud Blog

What are the variants of CEO Fraud?
In general, CEO fraud involves a form of identity theft where criminals steal the identity of a person or company to execute or prepare for fraudulent activities.

When we generalize identity theft, it can also be described as "internal/external business partner fraud," leading to many fraud schemes that follow similar patterns and can be identified or prevented in similar ways.

Various fabricated stories are created based on detailed research, often tied to current issues, problems, vulnerabilities, or ongoing situations. Therefore, the identities of people or companies being impersonated can vary significantly.

Some Variants:

• Internal fictitious transactions: Requests for payment of acquisition amounts in corporate takeovers, business deals, or other lucrative purchases such as patents, real estate, or machinery.
  
• Urgent need for intercompany payments: Often combined with real emergency expenses or actual customer payment delays.
  
• Bank detail changes: Falsified requests to change company bank details before a real transaction takes place. Alternatively: Requests to create or correct supplier or customer bank details.
  
• Refunds from customer payments.
  
• Advance payments for ongoing large orders.
  
• Feigning official authority: Demands for payment of overdue taxes or other fees.
  
• External business partners: Existing customers, suppliers, or service providers can be fictitiously involved to request "things" related to existing or newly created business transactions.
  

‼️ Fraud schemes continue to evolve and adapt to circumstances and weaknesses. The examples above are known attack points from the past. In the future, new stories and variations will likely be invented.

New stories will sound convincing and believable again, as fraudsters carefully research and gather information about companies and executives to make the instructions as authentic as possible.

Further Reading:

CEO Fraud Blog - Your guide in the fight against the cunning 'Grandparent Scam for companies'.

➛

Go to the CEO Fraud Blog

Why are CEO Fraud cases increasing?
One of the main reasons for the rise in this fraud scheme is the increasing digitalization of businesses and their growing reliance on digital processes, a multitude of business transactions, faulty processes, and a variety of banking programs. This complexity is further compounded by numerous communication channels like email, MS Teams, SMS, WhatsApp, ticketing systems, Slack, etc.

Cracking the complexity: Criminals exploit the confusion caused by systems, tools, and procedures, as well as existing process weaknesses.

Another factor is the growing professionalism of cybercriminals who specialize in CEO fraud and are developing increasingly sophisticated methods to deceive companies. Additionally, many companies have yet to invest adequately in cybersecurity measures, making it easier for cybercriminals to exploit system vulnerabilities.

In recent years, fraud has also become more professionalized. This trend can be compared to the industrialization of the last century, where experts specialized in specific tasks. As a result, CEO fraudsters only need to orchestrate different fraud schemes or cyber services and do not necessarily need in-depth expertise in social engineering, hacking, or opening bank accounts under fictitious names.

Finally, the anonymity of the internet makes it difficult to prosecute fraudsters, which increases the attractiveness of CEO fraud as a type of crime.

Further reading:

CEO Fraud Blog - Your guide in the fight against the sophisticated "grandparent scam for companies".

➛

To the CEO Fraud Blog

In this episode, we discuss:

1. Data analysis
   
2. Vulnerability assessments in IT processes
   
3. Digital forensics to detect and document fraudulent activities.
   

We are on the hunt for fraudsters. And with analytics, we eventually catch the perpetrators. But we find so much more!
We also uncover errors within a company, as well as the hidden potential. And the amount of money involved is often much greater than in most fraud cases.

In fact, it’s a fascinating process because, in most cases, the proportion of people who commit fraud within a company is much lower than the proportion of employees whose mistakes cause the company to lose money. This is why it’s an even more exciting starting point. Nonetheless, I would still start with the fraudsters and put up a block there.

In the podcast interview above, I provided insights into how I approach routine audits and case-specific investigations.

Often overlooked: these (forensic) methods can also be adapted to other issues: analyzing errors and identifying business potential. Where can companies improve? Where are they unnecessarily losing money? The latter is money that companies can quickly recover and reinvest.

Further Listening Recommendation:

Further Reading Recommendation:

Supplementary Page for the Book "Accounting Fraud"

➛

Read More

Tracking Accounting Fraudsters with Modern Prevention

➛

Read More

Is this scam only about large sums?
The answer is clear: NO!

Recently, there was an incident in Langenhagen involving 18,000 euros, and in Kirchhorst, a forged order for 250,000 euros. Such smaller amounts rarely make front-page news or the national press, making these incidents less known, causing smaller companies to misjudge the risk. But these smaller frauds are no longer isolated cases; they have become a business model for fraudsters. For example, Europol identified and dismantled a network responsible for nearly 40 million euros in CEO fraud.

The ongoing trend toward smaller amounts in CEO fraud cases shows that no organization – regardless of size – is immune to such fraud attempts. Smaller companies, in particular, which often have less sophisticated IT infrastructure and automated processes, are increasingly vulnerable. They often rely on manual approvals and do not always have the technological means to effectively detect and prevent sophisticated fraud attempts.

The takeaway is that even smaller businesses need to engage in serious and proactive education within their organization. It is crucial that they inform their employees about the risks and signs of CEO fraud and conduct regular awareness training. They should also establish clear procedures for verifying and approving payment instructions to minimize the chances of fraudsters successfully stealing funds.

Additionally, even basic security measures such as two-factor authentication and regular checks of email addresses and request content can significantly improve security. It’s important that smaller companies also invest in training their employees and implementing adequate security tools to protect themselves from financial and reputational damage caused by CEO fraud.

Selected Recommendations for Prevention – Prevention, Not Reaction, Is Key

• Train, audit, adjust, and secure processes.
  
• Continuously detect and eliminate process deviations and exceptions with data analysis.
  
• Train risk management, internal audit, employees, and management on cybercrime & social engineering, especially those with sensitive access or high authority.
  
• Sensitize management and top executives that permitted process deviations can facilitate identity theft.
  
• Implement IT measures to easily identify external content for users.
  
• Verify external company information, employee availability, or absences.
  
• Establish regular attack training – creating an alarm routine like annual fire drills or test SPAM emails.
  

Further Reading Recommendation:

CEO Fraud Blog - Your Guide in the Fight Against the Clever 'Grandparent Scam for Businesses'.

➛

To the CEO Fraud Blog

Understanding CEO Fraud

Fraudsters use either real-looking, but fake emails, hack the executive team's email accounts, or make a corresponding phone call to contact the targets. Additionally, more complex attack scenarios are increasingly being constructed, where multiple employees unknowingly become victims or accomplices.

The Two Phases of CEO Fraud

The Long and Meticulous Preparation

• Publicly available company information is used.
• Details about ongoing projects, upcoming investments, restructurings, or current business partners are often incorporated into the "scenario story."
• Information about employees on social media (promotions, absences, roles in the company, special events, etc.) is used to expand scenarios or as an entry point for conversation.

The Short and Targeted Execution

• Contacting selected and previously targeted employees.
• Using a fake identity combined with a well-constructed scenario story and selecting an ideal time when key individuals are not available.
• Ordering one or more large payments with high urgency.
• Payments are often directed to foreign accounts, although hacked domestic accounts or unwitting intermediaries are also commonly used.

Planning and Execution of CEO Fraud

CEO Fraud is characterized by long and meticulous preparation, but the execution is rapid and highly targeted.

During the preparation phase, research is mainly conducted on who has authorization for the systems and bank accounts. Business social networks like Xing, LinkedIn, and Polywork are particularly valuable sources. Once the right target within the company is identified, the procedural or system-related aspect of the fraud is straightforward. The unwitting accomplices only need to be convinced to manually initiate a payout in the accounting or ERP system and start a special payment run, or enter the payment directly in online banking.

Early contact is often made with these individuals weeks in advance to build trust and familiarity. This can be achieved through simple questions about real business transactions or brief conversations with congratulations on birthdays, company anniversaries, or promotions.

Simultaneously, research is done on the interests and schedules of the executives whose identities will later be impersonated. The goal is to identify absences or unavailability, which will determine the timing of the attack. This poor availability and the reason for it are also incorporated into the scenario story that will be presented to the victims. Simple checks will then confirm the story, for instance: "Yes, XY is attending that conference or is on the mentioned long-haul flight." During the execution of the fraud, either calls are made or fake emails are sent to the targeted employees, with particular emphasis on confidentiality and discretion. Additionally, a fictitious sense of urgency is created to ensure minimal discussion with colleagues or superiors.

These fabricated scenario stories usually revolve around special transactions, such as (fictional) corporate acquisitions or other lucrative purchases, like acquiring patent rights, real estate, or machinery. In this context, reasons are presented as to why a large sum of money must be transferred to a foreign account. Increasingly, domestic accounts are also used, with fraudsters having gained access to these accounts through another scam, enabling them to transfer the money abroad from there.

Social Engineering and Hacking for Information Gathering

In addition to public sources like official registries, two more digital approaches are used: Social Engineering and Hacking. Social Engineering involves spying on employees' personal environments on social networks to identify details such as positions, professional interests, résumé information, conference participation, and contacts.

This information enables a targeted and trustworthy approach via phone or email to potential victims. Generous settings on communication software like Microsoft Teams, Skype, or Slack also contribute to information leaks, allowing external parties to see employees' availability or absence status.

Selected Recommendations for Prevention – Prevention is Key

• Train, review, adjust, and secure processes.
• Continuously detect and eliminate process deviations with data analysis.
• Provide cybersecurity and social engineering training for Risk Management, Internal Audit, employees, and management, particularly for individuals with sensitive access or high-level authority.
• Sensitize executives to the risks of process circumvention, which can facilitate identity theft.
• Activate IT measures to easily identify external content for users.
• Review external company information, as well as employees’ availability and absence.
• Establish regular attack simulations – create an emergency routine similar to annual fire drills or test phishing emails.

Conclusion

Preventing new fraud methods is becoming increasingly complex. To meet this complexity, an interdisciplinary approach to prevention is essential. In addition to traditional process controls, preventive (data) analyses, supportive IT configurations, and organizational changes, it is advisable to conduct preventive training for Risk Management or Internal Audit/Fraud Management. Participants gain expertise in data and information security, social engineering attacks, false identities and forgery detection, forensic data analysis, and are trained in a data-driven auditing approach.

Further Reading:

CEO Fraud Blog - Your Guide in the Fight Against the Sophisticated "Grandparent Scam for Businesses".

➛

Go to CEO Fraud Blog

In recent years, balance sheets have repeatedly been manipulated through fraudulent actions. This raises the question of how such activities are recorded in accounting. Expanding IT landscapes and complex processes allow these fraudulent transactions to be carried over into financial accounting through pre-systems and interfaces without the involvement of individual accounting staff.

In discussions about recent cases, the examination of how the actual manipulation was technically and operationally performed is often missing. Were the balances of general ledger accounts manually altered during consolidation and transfer into the balance sheet and income statement structure? Was manipulation carried out directly in the accounting system? Or were fraudulent transactions entered through processes such as procurement, sales, HR, or inventory management?

How does the money end up in the war chest?

Balance sheet manipulation becomes relevant when significant amounts are altered for the company. While large individual transactions are easy to identify and review, positions with many transactions provide an opportunity to conceal fraudulent activities within the mass of data. In practice, this is often compared to looking for a needle in a haystack. But it’s not that simple. We now associate fraud detection more with solving a puzzle since it’s not only about the individual transactions but also about understanding the connections between them and the overall picture that emerges.

Practical example: How invoices without purchase orders can be used to fill general ledger or bank accounts.

In practice, it sometimes happens that departments place orders by phone or email without involving the procurement department. When invoicing occurs, the department typically involves the accounting team and requests payment of the invoice. In this case, accounting records an invoice without a purchase order and automatically generates accounting records with the corresponding entries. This process is illustrated as Scenario 1 below. If the correct inventory or expense type is selected, Scenario 1 will not raise any issues from an accounting perspective. However, procurement decisions and control mechanisms are bypassed. This approach has been used in known fraud cases to obtain payouts on fraudulent bank accounts by using fictitious and self-created invoices, so we recommend minimizing such practices.

The situation becomes critical from an accounting perspective when a process is split (see Scenario 2). In the first procurement process, a goods receipt is recorded for an existing purchase order, automatically generating the accounting document with the inventory increase and posting it to the goods receipt/invoice receipt (GR/IR) clearing account. So far, so good, as this can be linked and documented as a real transaction. If the incoming invoice is not assigned to the already started process No. 1 but, as in Scenario 1, a creditor invoice without a purchase order is created as a second process, an additional inventory increase occurs. While process No. 2 is consistent and does not cause any accounting issues, the accounting entry generated by process No. 1 leads to a misrepresentation.

If Scenario 2 occurs by mistake, it can be classified as an operational error. However, if it happens intentionally, it can be considered balance sheet manipulation. The benefit of this manipulation and how the two manipulated accounts – inventory and GR/IR clearing – are handled remain open. At a later stage, this created account balance could be deliberately rebooked to manipulate selected balance sheet items or adjust other accounts under audit.

A look into the book: Invoices without purchase orders as established process deviations and their possible consequences

(Image source: Rinker, Carola; Müller, Patrick: Münker, Frank (2022): "Accounting Fraud – Understanding Balance Sheet Manipulation in Practice and Detecting, Investigating, and Preventing It Early Using Data Analysis"; page 70.)

Recommendations for analyzing complex relationships in business process and accounting data as preventive measures

Our primary focus is on substantive and technical control options. For example, this involves training, auditing, adjusting, and securing process workflows. Process deviations should be continuously detected and corrected using data analysis. It's essential to apply the correct analytical methods and verify a data foundation that matches the company’s complexity. For large companies, we believe it’s no longer sufficient to only audit financial accounting data. Instead, it’s necessary to trace individual transactions back to their originating processes and then audit them. We present various methods and audit steps in our recently published book.

Additionally, setting up a whistleblower system and conducting continuous monitoring or continuous auditing can be beneficial. Tips from employees and business partners can help detect early indications or suspicions of fraud. In practice, experience has shown that there are always people aware of manipulations, such as accounting staff who notice irregularities. If there is a whistleblower system in place, reporting becomes easier, and the long-term damage is reduced compared to situations where employees have no way to report.

Another early detection method, triggered by data, comes from the continuous audits performed by risk management or internal audit. Each system on its own is an asset. Furthermore, applying the 'sharing is caring' principle by exchanging insights and suspicions between the second and third lines of defense in a trust-based and appropriate manner allows for new preventive and data-focused analyses or controls to be derived and carried out fully automatically and in real-time.

We personally believe that teams conducting audits should have strong data analysis skills and that management should have basic knowledge of data and analytics. Often, experts from other areas are brought in for data analysis or programming. With this 'Analytics as a Service' approach, we see the risk that relevant information, domain knowledge, risk areas, analysis selection, findings, and insights could be overlooked or misinterpreted. While outsourcing analytics competence may be efficient, we don’t believe it’s the best approach.

In addition to training in accounting and (digital) auditing, we recommend that risk management and internal audit staff also experience what it’s like to be on the 'wrong side' of things – in other words, see how some of the more absurd scenarios play out in real life. This shift in perspective from audit to intentional fraud helps when assessing processes and permissions and simulating where, how, and how much damage can be done. We also present several examples in our recently published book.

A look into the book: Chapter and topic overview

(Image source: Rinker, Carola; Müller, Patrick: Münker, Frank (2022): "Accounting Fraud – Understanding Balance Sheet Manipulation in Practice and Detecting, Investigating, and Preventing It Early Using Data Analysis"; page 4.)

Further Reading Recommendation:

Supplementary Page for the Book "Accounting Fraud"

➛

Read More

Podcast: How Do I Detect Accounting Fraud in IT Systems?

➛

Read More

My co-author, Dr. Carola Rinker, and I explored this question in our latest book, "Accounting Fraud." In an in-depth conversation with Sylvia Meier, we also shed light on the fine line between legal balance sheet cosmetics and illegal manipulation, the role of IT systems in financial accounting, and discuss preventive measures to uncover such practices. These insights are particularly relevant given the recent scandals involving Wirecard and Greensill.

Happy reading!

Dear Dr. Rinker, Mr. Müller, you have written the book "Accounting Fraud" to prevent balance sheet manipulation. Many companies take advantage of accounting structuring options, but when do we start talking about manipulation? Where is the line?
Dr. Carola Rinker: "The line between legal balance sheet cosmetics and illegal manipulation is not always easy to define. If, for example, a non-existent patent is listed on the balance sheet, it's clear to everyone that this is a violation of accounting regulations. However, when it comes to overvaluation in the balance sheet, this can sometimes be a gray area. There is no single 'correct' value in valuations. But if, for instance, project reports are falsified to manipulate the completion status of an ongoing construction project, the line of legality has been crossed."

The topic of balance sheet manipulation has gained public attention due to high-profile cases like Wirecard and Greensill. The question is often asked: Why weren’t the manipulations discovered earlier? What’s your take?
Dr. Carola Rinker: "An analysis of the balance sheets in these prominent cases often shows that there were already some red flags. For instance, Greensill’s balance sheet exploded from one year to the next. This certainly raises the question of how that was possible. In the case of Wirecard, their margins were much higher compared to competitors, which was never explained plausibly by the former DAX company.
I regularly come across balance sheets that show irregularities. But when, for example, an international company’s headquarters is abroad and the German financial regulator (BaFin) is not responsible, even though the discrepancies occur in Germany, it can become quite complicated."

Investors generally trust the accuracy of financial statements. Are there specific balance sheet items that signal early warning signs?
Dr. Carola Rinker: "It’s hard to give a blanket answer because the structure of the balance sheet depends, among other things, on the company’s industry. A research-intensive company, for example, may have a high amount of intangible assets relative to the total balance sheet. This item is prone to manipulation. Intangible assets are more difficult to value than, say, a machine, making them more vulnerable to manipulation in today’s context."
Patrick Müller: "I agree. The risks and opportunities for manipulation depend on the industry and business models. Theoretically, every balance sheet and income statement item can be manipulated to record non-existent transactions. The reverse case, where existing transactions are not recorded, is also possible. Then there are real transactions, as Carola Rinker mentioned, where valuations are not properly accounted for. That’s why all positions should be reviewed, and it should be clarified whether they involve individual transactions or large volumes of transactions.
Balance sheet manipulation becomes relevant when significant amounts are altered for the company. While large individual amounts are easily identified and checked, positions with numerous transactions offer opportunities to conceal fraudulent activity. In practice, this is often compared to finding a needle in a haystack. However, it’s not that simple. I now think of fraud detection more like a puzzle. It’s not just about the individual events but also about understanding the connections between them and the overall picture."

A Look Inside the Book: Established process deviations or recurring errors as a cover for manipulation

(Image source: Rinker, Carola; Müller, Patrick: Münker, Frank (2022): "Accounting Fraud – Understanding Balance Sheet Manipulation in Practice and Detecting, Investigating, and Preventing It Early Using Data Analysis"; page 68.)

What impact does balance sheet manipulation have on controlling?
Dr. Carola Rinker: "By reporting overly high profits, the results from controlling are also distorted, leading to misinterpretations and potentially poor decision-making. For example, controlling may incorrectly suggest that a new product has a high margin. If, without manipulation, the new product is actually losing money, this becomes a major problem."

What motivates balance sheet manipulation – and who is responsible? Is it always senior management?
Dr. Carola Rinker: "There are many reasons why balance sheets are manipulated. It’s not always top management that is behind the manipulation. But there also needs to be a conducive environment for manipulation to occur. The saying 'opportunity makes the thief' is very fitting here: A weak internal control system makes manipulation easier. In addition to opportunity, motivation and rationalization play a role in the fraud triangle.
Balance sheets are sometimes manipulated for personal financial gain. It’s also common for manipulation to be used to hide a negative business development, with the hope that, for example, overstated revenues will be made up in the following year. If that doesn’t happen, the problem grows worse. To cover up the deception, more manipulations, like document forgery, are often carried out."
Patrick Müller: "The motivation behind fraud can vary from case to case. Manipulation may occur due to the company’s economic situation or the personal financial situation of individuals. Public or shareholder expectations can also play a role. As Carola Rinker mentioned, motivation is just one of several factors that contribute to fraud. Opportunity is particularly crucial, and it’s this corporate opportunity that we address in the book."

A Look Inside the Book: Chapter and Topic Overview

(Image source: Rinker, Carola; Müller, Patrick: Münker, Frank (2022): "Accounting Fraud – Understanding Balance Sheet Manipulation in Practice and Detecting, Investigating, and Preventing It Early Using Data Analysis"; page 4.)

The government has responded to accounting scandals by reforming financial oversight. Do you think this reduces the risk of further large accounting scandals?
Dr. Carola Rinker: "I advocated for the abolition of the two-tier financial oversight system during a hearing before the Bundestag Finance Committee. As the Wirecard case showed, the two-tier system was ineffective in responding quickly. But legal reforms alone aren’t enough to reduce the risk of accounting scandals. A corporate culture that counters these issues is also needed. However, such a culture can’t be legally mandated; it must be lived within the company."
Patrick Müller: "I agree, especially given the technological developments of recent years. As large companies continue to grow, automate their business processes, and add purely digital business models, the audit approaches of internal and external auditors are still very manual and sample-based. This has led to a growing gap between the number and complexity of transactions and the human resources in audit teams. While recent updates to audit standards mention analytics and automation more frequently, specific and up-to-date IT requirements are still limited."

What preventive measures would you recommend to companies?
Patrick Müller: "I like a quote from Roger Odenthal, who works in the field of employee crime. He interprets economic crime, after removing all the side stories, as essentially a control offense. In other words, controls can be used as preventive and detective measures. When it comes to controls, the question is often asked, 'Who controls what?' The responsibility for such controls should be clarified using the so-called 'Three Lines of Defense' model. In our book, we don’t go into the division of responsibilities between operational management, risk management, and internal audit. Our focus is on the substantive and technical control options, which can also be used by external auditors and regulatory authorities.
For example, it's about training, auditing, potentially adjusting, and securing process workflows. Process deviations should be continuously detected and corrected using data analysis. It’s essential to apply the right analytical methods and ensure that the data foundation matches the company’s complexity. In large companies, it’s no longer enough to just audit financial accounting data. Instead, it’s about assigning individual transactions to their originating processes and auditing them. We present various methods and audit steps in the book.
Setting up a whistleblower system and conducting continuous monitoring or continuous auditing can also be helpful.
Personally, I believe that teams conducting audits should have strong data analysis skills and that the respective management should have basic knowledge of data and analytics. Experts from other areas are often brought in for data analysis. In this 'Analytics as a Service' approach, I see the risk that relevant information, domain knowledge, risk areas, analysis selection, findings, and insights could be overlooked or misjudged. Outsourcing the analytics function may be efficient, but I don’t believe it’s the right way forward."

A Look Inside the Book: Real-Time Analytics as Part of Continuous Monitoring and Auditing

(Image source: Rinker, Carola; Müller, Patrick: Münker, Frank (2022): "Accounting Fraud – Understanding Balance Sheet Manipulation in Practice and Detecting, Investigating, and Preventing It Early Using Data Analysis"; page 136.)

Further Reading Recommendation:

Supplementary Page for the Book "Accounting Fraud"

➛

Read More

Podcast: How Do I Detect Accounting Fraud in IT Systems?

➛

Read More

Enjoy reading!

Dear Mr. Müller, together with Dr. Carola Rinker and Frank Münker, you wrote the book "Accounting Fraud" to prevent balance sheet manipulation. What motivated you?
The past few years have shown that balance sheets have repeatedly been manipulated through fraudulent actions. This raises the question of how such activities are recorded in accounting. Evolving IT landscapes and complex processes allow these fraudulent transactions to be carried over into financial accounting through pre-systems and interfaces without the involvement of individual accounting staff.
In my opinion, discussions around current cases have failed to address how the actual manipulation was technically and operationally executed. Were general ledger balances manually modified during consolidation and transfer into the balance sheet and income statement structure? Was the manipulation already carried out in the accounting system? Or were the fraudulent activities entered through processes like procurement, sales, HR, or inventory management?
Several publications address accounting fraud from an economic and legal perspective. With our book, we aim to introduce the IT-systematic possibilities for manipulation in a simplified manner — simplified because we do not want to provide a guide to fraud — while also offering various warning signs and auditing possibilities. In doing so, we aim to close the technical gap and trace the origins of widely used Red Flag analyses.

The issue of balance sheet manipulation has gained new relevance through recent cases like the Wirecard scandal. What motivates perpetrators? And how is fraud facilitated?
The motivation of perpetrators varies from case to case. Manipulation can occur due to the company’s financial situation or the personal financial circumstances of individuals. Public or shareholder expectations can also play a role. However, motivation is just one of several factors that facilitate fraud. The so-called "Fraud Triangle" also highlights the internal justification of perpetrators and the opportunity they have. It’s these corporate opportunities that we address in the book.

A Look Inside the Book: Chapter and Topic Overview

(Image source: Rinker, Carola; Müller, Patrick: Münker, Frank (2022): "Accounting Fraud – Understanding Balance Sheet Manipulation in Practice and Detecting, Investigating, and Preventing It Early with Data Analysis"; page 4.)

What are the key warning signs of balance sheet manipulation that should be noted?
In addition to the classic analysis of balance sheet items and key financial figures over the course of the year, we recommend paying attention to warning signs that may arise from the company’s environment, IT systems, or transaction data.
For example, red flags can emerge from the industry-specific environment or through observation of internal organizational conditions.
Alarm bells should also ring when examining IT systems and their configurations. This could include manual interventions in automated processes or inactive organizational units.
Transaction-based warning signs can also arise when looking at digital business transactions. These red flags can appear in an imbalanced customer or product portfolio, missing attachments, or overly perfect data.

Are there specific balance sheet items particularly vulnerable to manipulation?
That depends on the company’s industry and its specific business models. In general, every item has the potential to record non-existent transactions or, vice versa, not record existing transactions. Additionally, real transactions may be recorded with incorrect valuations. For this reason, all balance sheet and income statement items should be reviewed, and it should be clarified whether each item includes individual transactions or a large volume of transactions.
Balance sheet manipulation becomes relevant when significant amounts are modified for the company. While large individual amounts on an item are easy to identify and review, items with a high volume of transactions provide opportunities to conceal fraudulent activities. In practice, this is often compared to finding a needle in a haystack. But it’s not that simple. I now think of fraud detection more like solving a puzzle because it’s not only about individual transactions but also about the connections between them and the overall picture.

A Look Inside the Book: Established process deviations or recurring operational errors as a cover for manipulation

(Image source: Rinker, Carola; Müller, Patrick: Münker, Frank (2022): "Accounting Fraud – Understanding Balance Sheet Manipulation in Practice and Detecting, Investigating, and Preventing It Early with Data Analysis"; page 70.)

A magnet to pull the needle out of the haystack isn’t enough. What should be done to identify such activities and prevent balance sheet manipulation?
I like a statement by Roger Odenthal, who works in the field of employee crime. According to his interpretation, economic crime, after removing all the side stories, is essentially a control offense. That means controls can be used as preventive and detective measures. When it comes to controls, the question often arises, "who controls what?" The responsibility for such controls should be clarified using the so-called "Three Lines of Defense" model. In our book, we do not focus on the division of responsibilities between operational management, risk management, and internal audit. Instead, we focus on the substantive and technical control options that can also be applied by external auditors and regulatory authorities.

For example, this involves training, auditing, adjusting, and securing process workflows. Process deviations should be continuously detected and corrected using data analysis. It is essential to apply the correct analytical methods and verify a data foundation that matches the company’s complexity.
For large companies, it is no longer sufficient to audit only financial accounting data. Instead, it is necessary to trace individual transactions back to their originating processes and then audit them. We present various methods and audit steps in the book.
Setting up a whistleblower system and conducting continuous monitoring or continuous auditing is also helpful.

Personally, I believe it’s important that the teams conducting audits possess strong data analysis skills and that management has a basic understanding of data and analytics. Often, experts from other areas are brought in for data analysis. With this "Analytics as a Service" approach, I see the risk that relevant information, domain knowledge, risk areas, analysis selection, findings, and insights could be overlooked or misjudged. While outsourcing analytics capabilities may be efficient, I do not believe it’s the right way forward.

A Look Inside the Book: Real-time Analytics as Part of Continuous Monitoring and Auditing

(Image source: Rinker, Carola; Müller, Patrick: Münker, Frank (2022): "Accounting Fraud – Understanding Balance Sheet Manipulation in Practice and Detecting, Investigating, and Preventing It Early with Data Analysis"; page 136.)

Further Reading Recommendation:

Supplementary Page for the Book "Accounting Fraud"

➛

Read More

Podcast: How Do I Detect Accounting Fraud in IT Systems?

➛

Read More

For companies, the key question is how to detect early signs of systematic misappropriation and prevent them from happening, or how to identify embezzlement beyond scheduled inventory audits.

According to a recent fraud study by the Association of Certified Fraud Examiners (ACFE), the average time to detect fraud cases is between 12 and 18 months. Even in larger, publicly known theft cases, it took some time before they were discovered. Considering the current economic situation due to the pandemic, war, and supply chain issues, the question arises of what impact this will have on employee crime and how companies can enhance or begin using known prevention measures.

Are companies to blame if they get robbed?
The ACFE's study covers all types of fraud, including embezzlement of assets, which can be either cash or inventory and other assets. Such embezzlement cases are not rare. For example, a fraud involving €1.6 million worth of shopping vouchers occurred at the measuring instrument manufacturer Testo between 2010 and 2015. In the 1980s, unauthorized cash withdrawals at Metro AG amounted to around €18 million, and at Hewlett-Packard (HP), server components worth around €31 million were stolen.

What’s intriguing about these older cases is that the perpetrators often become more open about their actions after serving their sentences, providing insight into their methods and motivations. This openness helps improve prevention strategies. Stephan Brannys, for instance, mentioned his daily 25-kg thefts at HP: "Companies are to blame if they get robbed. I did it back then because I could. No other reason." Günter Schotte-Natscheff, on the other hand, had disagreements over Metro's payment system security and regularly complained about his supervisor: "(...) he has no idea, and I'd love to show him up." Shortly thereafter, he committed the fraud to prove his point.

If we categorize these statements within the Fraud Triangle, we can see that the opportunity and self-justification are closer aligned than in other fraud cases. Taking the current economic situation into account, we can assume that the incentive within the Fraud Triangle framework has significantly increased due to the pandemic, supply chain issues, and the effects of the Ukraine war.

In my opinion, the blame cannot entirely be placed on the companies. However, in various fraud and damage cases, there might be assessments to determine whether the internal control system (ICS) was appropriate, whether the risk assessment was accurate, and whether the resulting controls were targeted. Depending on the assessment outcome, this could lead to shared liability for the management or the board. For this reason, companies should assess their business processes and data for systematic misappropriation possibilities and address such issues in risk workshops.

Stages of Misappropriation
When examining various fraud scenarios related to asset misappropriation, we can generally identify four key stages: appropriation, concealment or cover-up, liquidation of the stolen goods, and use of the loot. These stages mostly apply to the theft of physical goods. In cases of cash misappropriation, the concealment may begin before the appropriation, and liquidation may not be necessary.

Comparing the misappropriation of cash with the misappropriation of physical goods, the advantage of cash is that it doesn’t need to be sold. The downside of cash (compared to physical goods) is that access to business processes, particularly accounting, is restricted to relatively few employees. On the other hand, the misappropriation of physical goods can be enjoyed by a wider group of employees. As a result, different scenarios require different monitoring and control measures.

Misappropriation of Financial Assets
When it comes to the misappropriation of financial assets, there are several ways to do it. Some examples are provided below. It becomes clear that the embezzlement of financial assets is not limited to employees in accounting departments.

Fraudulent purchase orders with fictitious suppliers are often used to extract large sums of money from a company. This money is then used for private purposes or further fraudulent activities, such as bribery. The primary activity here involves concealing the fictitious supplier and pretending that a real business transaction has taken place. A special form of concealment is the temporary manipulation of the bank details of current or former suppliers, instead of creating a new fictitious supplier. Depending on the perpetrator’s profile, the amounts may also remain below a certain threshold to bypass necessary approval processes. If such activities go undetected, the number of small transactions will determine the extent of the damage. Fraudsters typically try to process these fraudulent transactions just like legitimate ones, allowing them to blend into the overall volume of transactions.

To detect such fraudulent activities, it is advisable to closely examine supplier bank account details and ordering behavior. Start by checking if there have been any changes from an original bank account to a new one, which was later changed back to the original. If you identify such a pattern, the next step is to review the transactions that occurred when the changed bank account was active.

Another way to detect concealed supplier manipulation is to look for simple bank account changes from X to Y. Once you identify a pattern, which is likely, compare the order behavior before and after the change. Check whether the same materials, products, or services were supplied, if the volumes and frequencies are similar, if the deliveries were sent to the same locations, and if the same departments placed the orders.

To identify fictitious suppliers, focus on suppliers who only receive orders from one or a few cost centers and don’t supply goods but instead provide services. In your review, exclude orders where goods deliveries can be technically identified and physically verified. Avoid solely focusing on specific units of measurement, like services, as you might miss important quantities. For the remaining orders, examine whether the suppliers delivered only to one or a few business units. If such suppliers are found, it is advisable to first verify the legitimacy of the supplier. If the supplier is legitimate, then verify the bank details and have at least one transaction confirmed by the supplier's accounting department.

While fraudulent orders usually occur through normal ordering processes, there is also the possibility of manually initiating payments outside these processes in accounting, with a commonly used expense account used to cover it up. This is a hypothetical scenario because such transactions are usually validated and questioned by the ICS, internal audit, and external auditors during year-end audits.

To identify such transactions, you can start by logging the use of payment programs and identifying payments that didn’t originate from standard purchasing or payment processes. These can be identified from payment run data, as well as accounting data. You can also perform an analysis of offsetting accounts in the accounting data. Normally, the offsetting accounts for bank accounts should be general ledger accounts managed by ERP systems and not directly accessible by individuals. If you come across other accounts, you should investigate these transactions further and trace their origin.

Another method of misappropriating cash is through a "man in the middle" attack during the sales process, where funds owed to the company are partially siphoned off. In this scenario, a salesperson might use an intermediary company to divert a portion of the sales price. Alternatively, several sales can be bundled together to secure a volume-based bonus at the end of the year.

To detect such schemes, you can look at customers with drop shipments, where the billing and shipping addresses differ significantly. For such customers, first verify their legitimacy. Once confirmed, have a sample transaction verified by the customer’s accounting department.

In general, regardless of the misappropriation method, accounting involvement and the recording of the transaction are usually closely tied to the fraud scenario. In the following section, we will explore the misappropriation of physical goods, highlighting the distinction between appropriation and the accounting or IT system-based concealment of the crime.

Misappropriation of Physical Goods
Unlike the misappropriation of financial assets, physical goods cannot simply be transferred. They must first be appropriated and then removed from the company’s premises. In theory, personal and vehicle checks could easily prevent this, but in practice, these checks are costly and sometimes face legal challenges, which is why comprehensive checks are often avoided or conducted randomly. Despite security measures, systematic misappropriations still occur, exploiting loopholes. Similar to fraudulent business transactions, perpetrators try to blend in with normal activity, and with around 220 working days a year, they have ample opportunities to test weaknesses in the system when leaving the premises without actually taking anything. If they are caught, the consequences are often minimal.

There’s also a saying, "Opportunity makes thieves," which applies to the case of Stephan Brannys at HP, where he initially discovered a weakness unintentionally and without intent, only to exploit it later.

To identify such weaknesses, companies often hire external security consultants, but rarely involve their engaged employees. This additional input should not be underestimated, as employees are often well aware of the problems with processes and systems.

Concealment of Physical Goods Misappropriation
In addition to measures against the misappropriation of physical goods, it’s useful to analyze concealment methods used after the theft. Unlike the misappropriation of financial assets through fictitious business transactions, significant goods will be missing from inventories after their theft. To avoid detection and continue misappropriating, perpetrators use methods to adjust the inventory to the fraudulent, reduced reality. This often involves pretending the goods were of poor quality, scrapped, or given away as free samples, or intentionally bypassing inventory management to create opacity, allowing mid-year inventory discrepancies to be written off as adjustments.

To detect concealment entries in inventory management, examine the combinations of movement types (essentially reasons for inventory changes) for the respective materials and compare them with the programs, functions, and user types involved in the booking. This comparison is recommended because inventory systems often use terminal stations without individual user credentials.

After creating these combinations, it is advisable to first review rare combinations with high monetary impacts and then question materials involved in special processes such as scrapping and inventory discrepancy bookings, assessing their resale potential.

As mentioned earlier, physical goods must usually be liquidated. For this reason, goods with high resale value are particularly vulnerable. These typically include finished consumer products or raw materials. Regarding the HP thefts, it's worth noting that with a bit of entrepreneurial criminality, server components intended for business customers were modified to work in standard consumer computers, making them easy to sell to end consumers. For this reason, inventories of such goods should be closely monitored.

To detect suspicious inventory changes, it’s advisable to conduct trend analyses. If thefts are not covered up by adjustment entries, unusually high inventories will build up. With mass data analysis, you can calculate inventories per day, per material, and per location. While higher fluctuations are expected and not necessarily suspicious, focus on materials with consistently high inventories or those whose long-term trends show a sharp increase, deviating from the norm.

Transport items such as Euro pallets and mesh boxes, which are easily resold in secondary markets, are also particularly vulnerable. Due to their frequent turnover and trading between companies and shipping firms, these transport items are often not recorded in inventory or are tracked without a book value. Actual inventory levels are usually determined during the year-end audit, and any theft is included in these adjustments.

It is worth noting that in early April 2022, Tagesschau.de reported a shortage of steel wires, leading to a potential shortage of pallets. This would add another challenge to already strained supply chains and could boost the black market for transport materials. Therefore, it is advisable to keep a close eye on these items, both physically and in the system.

To combat such misappropriations, companies should reassess their established inventory management and possibly adjust the dates of inventory checks, securing the inventories of these goods with trend analyses.

Special Case: Procurement without Genuine Need for Direct Misappropriation
In the fraud case at Testo, there was a particularly sophisticated form of misappropriation. Here, vouchers were stolen and used personally, even though they were supposed to be distributed by sales to potential new customers or to maintain relationships with existing customers. Since there is rarely full traceability of the voucher recipients, and the redemption is linked to the perpetrator through a third-party company, such cases are often only identified through time-consuming contact with the supposed voucher recipients.

This case can be generalized as procurement without genuine need for direct misappropriation. Similar to financial assets, such purchases are usually made by a limited number of employees, meaning additional procedures and controls can be implemented to address these transactions.

The challenge often lies in timely detection. To identify such cases, you can use a similar approach as described earlier for financial misappropriations. This time, however, you analyze orders for expected goods deliveries where the quantities, for example, are in units but there are no inventory entries, and the goods receipt is confirmed differently. You’ll likely receive many results, so you should now analyze these orders regarding the referenced or described products or product classes. It is also helpful to link the orders to the corresponding expense accounts in the accounting system. This allows you to identify outliers through descriptive statistics for each expense account and to identify high-value, high-risk uses based on the general ledger account names.

As previously mentioned, follow-up on these cases often requires a disproportionate amount of effort, so it’s advisable to perform such analyses regularly to identify recurring or high-value transactions early, allowing for an individual risk assessment. For instance, a four-eye principle can be implemented when sending such vouchers.

Summary Recommendations:

1. Review business processes and data for systematic misappropriation risks and secure them.
2. Secure especially critical processes, such as manual payouts in accounting, with follow-up controls and mass data analyses.
3. Ensure that rare stock movements, such as scrapping, are traceable and conducted by individual users.
4. Analyze unusual inventories and trends regularly using data analyses.
5. Continuously detect and address process bypasses and deviations using data analyses.
6. In risk workshops, specifically address misappropriation risks and ask employees about potential scenarios.
7. Allow risk management and internal audit employees to gain hands-on experience with potential misappropriation scenarios.
8. Engage external consultants for training on possible misappropriations and to help detect loopholes.

Sources and Further Reading:

➡️ Association of Certified Fraud Examiners, Occupational Fraud 2022: A Report to the Nations

➡️ Badische Zeitung, Employee accused of defrauding Testo of €1.6 million

➡️ WDR documentary "The Million Thieves of Metro – A Spectacular Heist"

➡️ Tagesschau.de, Steel shortage: What if the pallets run out?

➡️ Welt.de, "Companies are to blame if they get robbed"

📘 Odenthal, Corruption and Employee Crime, Wiesbaden, 2009

The collapse of Wirecard in the summer of 2020, one of the biggest accounting scandals in post-war Germany, brought the issue of accounting fraud into the spotlight. This book was created in response to the growing demand for practical, up-to-date literature on the early detection and analysis of balance sheet manipulation. It is aimed at professionals in financial accounting, auditing, risk management, and compliance who are seeking effective methods to uncover such manipulations.

This work offers insights into forensic data analysis and explains how early warning signals can be identified and assessed without disclosing specific manipulation techniques in detail. The authors aim to share knowledge that supports the prevention and detection of fraud while promoting the development of auditing standards.

Overview of Contents

Chapter 2: Fraud and Balance Sheet Manipulation
This chapter defines various forms of fraud, explains their impact on financial statements, and differentiates them from simple errors. Special attention is given to the "Fraud Triangle," which highlights the risk factors for balance sheet manipulation. Typical examples and patterns of such manipulations from real cases are presented.

Chapter 3: Key Figures in Financial Statement Analysis
This chapter examines the impact of balance sheet manipulation on key financial figures, including assets, liabilities, and earnings. It explains how anomalies in these figures can be identified and analyzed to uncover potential manipulations.

Chapter 4: Business Processes and System Inputs
This chapter explores how manipulations often occur within accounting and business systems, disguised as regular transactions. It discusses how accounting systems in complex IT landscapes can be used to support and conceal manipulations.

Chapter 5: Warning Signs and Analytical Approaches
Various warning signs of balance sheet manipulation from the environment, IT systems, or transaction data are presented. The chapter explains how these warning signs should be examined using forensic data analysis to determine whether manipulation has occurred.

Chapter 6: Data Analysis Tools
This chapter highlights the importance of modern technologies and data analysis methods, including artificial neural networks, to detect inconsistencies and irregularities in financial statements. The focus is on using digitally recorded and rapidly processed datasets to detect fraud cases.

Chapter 7: Detection, Response, and Prevention
The implementation of whistleblower systems and real-time data analysis for early detection of violations is discussed. The increased protection for whistleblowers, provided by the new EU directive, aims to encourage employees to report suspected cases.

Chapter 8: Recent Cases
The cases of Wirecard, Greensill, and Grenke are examined to show how warning signs could have been recognized in the past and the consequences of these scandals. The Grenke case illustrates that not every anomaly leads to confirmed allegations.

Chapter 9: How to Get Started?
This chapter provides guidance on how companies can develop specific approaches to uncover balance sheet manipulations depending on their industry and IT architecture. It emphasizes the need for both business and technical knowledge to effectively address the challenges of digital and automated business processes.

Chapter and Topic Overview:

Interested?

Our book offers comprehensive information and practical guides on how to effectively detect and combat balance sheet manipulation. From theoretical foundations to current case studies and modern analysis methods – this work is an indispensable resource for professionals in financial accounting, auditing, compliance, and anyone committed to the integrity of corporate finances.

You can easily purchase your copy from Springer or Amazon. Visit the respective websites using the direct links below to learn more and secure your copy. Take the first step in safeguarding your company against balance sheet manipulation!

➡️ Visit Springer with free access from corporate networks with Springer corporate licenses. 
➡️ Visit Amazon.

Further Reading Recommendation:

Podcast: How Do I Detect Accounting Fraud in IT Systems?

➛

Read More

Fraud detection is more like solving a puzzle than searching for a needle in a haystack

➛

Read More