
SECURITY

Security & Fraud Awareness

As our reliance on the internet and digital devices for business and personal use increases, so do opportunities for criminals seeking to steal information for financial gain. Cyber criminals and fraudsters are also becoming more savvy in their attempts to lure people into clicking suspicious links, downloading email attachments, or “connecting” on social media, which are often gateways to stealing sensitive information. Fraudsters may pose as legitimate organizations, like Aura Solution Company Limited, and create fraudulent websites, send emails, or make phone calls to solicit monetary payments. These scams are complex, as the perpetrators often use genuine employee names and replicate proprietary documentation.

Aura Solution Company Limited places great importance on cybersecurity and fraud prevention and has programs and technical controls in place to protect client accounts and information. To help improve your personal cybersecurity posture, we offer the following information about cyber threats and guidance to help protect you, your family, and your employer from falling victim to a cyber-attack or fraud scam.

Understanding Cybersecurity Threats

Any organization or individual can be a target of cyber criminals. Here are some of the most common tactics and types of attacks employed by these actors:

 

Malicious Emails and Websites
A seemingly innocent e-mail from your bank or favorite retailer may secretly be an attempt to steal your identity or personal information. “Phishing” is a common tactic of cyber criminals that relies on “spoofed” e-mails or fraudulent websites (that look and feel like a well-known website) to collect personal and financial information or infect your machine with malware and viruses. Criminals use this stolen information to commit identity theft, credit card fraud and other crimes. Phishing can also occur by telephone and is becoming increasingly prevalent on social media and professional networking sites.

When you click a malicious link, you may unknowingly install malware on your device. Malware refers to software that is intentionally designed to cause damage to a digital device. The most common form of malware is a virus, which is typically designed to give the criminals who create it some sort of access to the infected devices. 

 

Ransomware is another type of malware that is becoming increasingly prevalent. Ransomware accesses a victim’s files, locks and encrypts them, and then demands that the victim pay a ransom to get them back. Ransomware is like the “digital kidnapping” of valuable data – from personal photos and memories to client information, financial records and intellectual property. Any individual or organization could be a potential ransomware target.

 

Credential-based Attacks
If you use the same username and password combination across different websites or services, you are particularly susceptible to this cybercrime technique where stolen account credentials are used to gain unauthorized access to a user’s various other online accounts. Credential stuffing attacks can often go unnoticed until funds are transferred. 

Social Media Impersonation
Criminals are increasingly using social media to build relationships with victims and ultimately steal data. Typically, these actors create fake accounts that appear (and claim) to be official accounts for an individual or organization. Social media impersonation can also refer to the takeover of real accounts. These accounts can be used for phishing activities or causing an individual or a company reputational damage.

NOTE: Aura does not use Facebook, Twitter, LinkedIn or any other social media for any sort of marketing.

 

Aura is available only through its website, www.aura.co.th, the official email address info@aura.co.th, and the official numbers +66 8241 88 111 and +66 80 421 2345. Both numbers can be reached by WhatsApp, direct call or text message.

How You Can Protect Yourself

  • Establish Secure Email Protocols: Email continues to be a common entry point for hackers committing online fraud. Do not click on links or open attachments from suspicious-looking emails. Expand your communication protocol to verify sensitive information, such as wire instructions, in person or by telephone. Generally, Aura Solution Company Limited will never send wiring instructions via email.

  • Employ Password Management: Use lengthy, unique, and complex passwords, a great first step toward stopping bad actors. In fact, cybersecurity best practices suggest utilizing long, memorable, and hard-to-guess passwords such as a favorite song lyric. Avoid reusing passwords. Consider using a password application, such as LastPass, Password or Dashlane to help manage multiple complex passwords.

  • Enable 2-Step Authentication Measures: Where available, use two-factor authentication (2FA) for account login, also known as two-step verification or multi-factor authentication. It is commonly done via a PIN sent over text message or email, and is most secure when a hardware token or phone application is used. At a minimum, enable this capability for your email, cellular provider, financial websites, password manager, cloud file storage and social media.

  • Lock Down Social Media: Periodically review and adjust social media account settings to better control who can view the content posted. Hackers and social engineers frequently obtain critical information about a target from social media sources. When posting, always consider how that information can be used against you.

  • Reduce Your Public Online Footprint: Periodically review all your online accounts. Reduce and/or obfuscate personal information on the internet, remove unnecessary data, delete unused accounts, and avoid sharing or reusing passwords across accounts to minimize exposure.

  • Protect Critical Data:  Know where all your sensitive personal information is stored. Ensure that your sensitive data is always stored encrypted, to prevent someone from viewing it if your device gets lost or stolen. Also consider having a second encrypted backup of your sensitive data, whether on a flash drive stored in a safety deposit box or in the cloud using a reputable service such as Dropbox, iCloud, or Google Drive.

  • Protect Your Personal Devices: Configure devices securely, considering what your risks would be if your device were stolen. Use a difficult to guess passcode as a backup to biometric security such as a thumb print or Face ID, and be sure your device is encrypted. Ensure that sensitive data, such as email, does not display on the lock screen.

  • Update Your Software: Keep all of your software up to date. Apply software updates as soon as possible once they become available. Consider enabling automatic updates where available.

  • Secure Wi-Fi Access: Be aware that using public Wi-Fi can expose your communications and devices to risk. If you must use public Wi-Fi, consider a virtual private network (VPN) solution to protect your communications — particularly when traveling and using public Wi-Fi at the airport or hotel. Alternatively, consider using a mobile hotspot, to protect sensitive information. At home, use a guest network for visitors.

  • Freeze Credit Lines: Thwart identity theft and minimize fraud risk with a call to major credit-reporting bureaus Experian, TransUnion and Equifax, as well as Innovis, the unofficial fourth credit bureau, to set a security freeze on your credit reports. Consider signing up for an identity theft protection service such as LifeLock, Kroll, or Experian, which also offers credit monitoring. These suggestions apply to all family members.

  • In the last 42 years, not a single case has been reported to us of anyone, anywhere in the world, daring to tamper with an Aura client or Aura’s reputation, so there is nothing to worry about, but it is always advisable to be safe. If anything does go wrong, feel free to contact us at info@aura.co.th or on the official numbers +66 8241 88 111 and +66 80 421 2345. Both numbers can be reached by WhatsApp, direct call or text message.

 

Understanding Financial Fraud

Financial fraud occurs when someone takes money or other assets from you through deception or criminal activity. Here are some common examples of financial fraud:

Investment Scams
Investment scams involve getting you or your business to agree to a financial transaction on the promise of a questionable financial opportunity. To perpetrate these scams, fraudsters typically make contact and present the opportunity by email, through a website, or by phone. These offers are typically low-risk, high-reward investments that sound “too good to be true” because they are! To evaluate whether you are the target of an investment scam, you should consider:

  • How were you contacted? Any contact with Aura Solution Company Limited will come from an @aura.co.th e-mail address (not from a free email account such as Yahoo, Gmail or any other domain outside of “@aura.co.th”) and/or be found on the www.aura.co.th website.

  • Did I find the investment opportunity through a website not associated with Aura Solution Company Limited (e.g. a comparison website)?

  • Have I provided my personal information on a website not associated with Aura Solution Company Limited?

  • Have I been contacted by cold call or e-mail offering a low risk – high return investment opportunity?

  • Does the e-mail or documentation contain numerous spelling errors or misprints?

  • Have I provided photo ID or proof of address documentation? If you have, consider notifying the organisation that issued them and contacting your regional fraud prevention service

  • Was I pressured into making a money transfer to avoid missing an opportunity?

 

Identity Theft
Identity theft occurs when someone steals your personal information and uses it without your permission. Examples of how your information could be used include opening bank accounts, taking out credit cards and loans or applying for government benefits and documents in your name.

There is no definite rule on how to protect yourself from identity theft. However, in addition to the cybersecurity good practices listed above, you can protect yourself by:

  • Not sharing your personal data with anyone/any site you’re not familiar with

  • Safely disposing of unwanted documents such as utility bills or bank statements

 

Business Email Compromise
Business Email Compromise (BEC) scams are carried out when a cybercriminal compromises legitimate business or personal email accounts to intercept the communication between the victim and their business partner or to conduct unauthorized transfers of funds. Fraudsters commonly intercept emailed wire instructions from investment firms, real estate agencies, and art dealers and then impersonate a trusted source.

In addition to the cybersecurity good practices listed above, protect yourself by:

  • Confirming the payment instructions with the recipient verbally, not by email

  • Watching for irregularities when receiving transfer instructions or sudden change of payment information via email

 

If you receive a cold call or e-mail from Aura Solution Company Limited that you are uncertain about, or which you believe to be fraudulent, please forward it to info@aura.co.th. Aura Solution Company Limited will investigate the e-mail and respond to you. If you are a client of the firm, please notify your sales representative or investment professional as well.

For further information on staying safe, the following resources provide helpful information:

How does Aura protect you?

What we do to protect you

Nothing is more important to us than protecting your personal information and your savings – here are some of the things we do to help keep you safe.

 

Last logged in

When you log into your account, we show you the last date and time you logged in on your dashboard. If something doesn’t look right, call us as soon as possible.

Recent transactions

You can check your recent transactions by logging into your Aura Solution Company Limited account and selecting ‘view’. You can also download and print a copy of your transaction history for your records.

Linked account

You can only withdraw money from your Aura Solution Company Limited account to one external bank account – we call this your linked account. This stops money being transferred from your Aura Solution Company Limited account to anywhere but the linked account you’ve chosen and verified with us.

It’s still important that you take every care to keep your account and money safe. For example, if you transfer money from your Aura Solution Company Limited account to your linked account to pay for something, make sure that you’re confident you know who it is you’re paying.

Data encryption

Your data is encrypted and transferred between our systems securely, and we monitor our systems 24 hours a day, seven days a week.

Recognised devices

When you try to log in from a device we don’t recognise, we’ll send a verification code to your mobile phone to help us check that it’s you. This helps us stop someone that isn’t you logging into your account. 

 

Contact us

If you suspect you’ve been a victim of fraud or if you have any other questions about how to keep your account secure, please contact our Customer Care Team at info@aura.co.th or on the official numbers +66 8241 88 111 and +66 80 42 12345. Both numbers can be reached by WhatsApp, direct call or text message. Our lines are open from 8am to 8pm, Monday to Friday (excluding bank holidays).

If you receive an unsolicited call from Aura Solution Company Limited and you have concerns about the call, we encourage you to call us back using a number from our contact page, so you can be sure you’re speaking with Aura Solution Company Limited.

If you receive an email claiming to be from us, but that seems suspicious, forward it to info@aura.co.th

Out of hours advice

If you suspect you’ve been a victim of fraud:

  • Change your Aura Solution Company Limited password immediately by clicking the ‘reset password’ link from the login page. 

  • Contact your linked account provider as soon as you can and tell them what’s happened.

  • Contact us at info@aura.co.th or on the official numbers +66 8241 88 111 and +66 80 421 2345. Both numbers can be reached by WhatsApp, direct call or text message.

 

Staying safe online

Make sure you know who you’re talking to before giving out any personal information

Before you give out any personal information, stop and think about why the person asking for it needs it. Question uninvited approaches, and contact the company directly using an email address or phone number you know is theirs. 

 

Don’t click on links in emails or texts from senders you don't recognise

You shouldn’t assume an unexpected email or text message is authentic. Clicking on a link in an email or text from a sender you don't know can give fraudsters access to your personal or financial details.

 

Don’t let anyone rush or pressure you into making a decision

Stop and take time to consider what you want to do and if you are comfortable with what you are being asked by the caller. No trusted organisation would force you to make a transaction on the spot, or ask you to transfer money into another account.

 

Trust your instincts

If something doesn’t feel right, question it and don’t give out any information until you have made sure who you’re speaking to. Fraudsters can lull you into a false sense of security, making themselves seem trustworthy when they aren’t.

 

Don’t panic

Have the confidence to refuse unusual requests for personal or financial information. Criminals may try to intimidate you by starting complex conversations – stop the discussion if you feel out of control.

 

Stay safe online

Scammers often use malware – which means malicious software – to attempt to steal your personal or financial details, or to take control of your device. There are a few things you can do to help keep yourself safe online.

Check that you’re using a secure HTTPS connection

Always check that the URL is spelt correctly. And if the website is secure, you should see a padlock symbol before the URL.

You can click on the padlock to check that the connection is secure and for more information, or you can click into the URL field to see whether or not it starts with https://. If it doesn’t, don’t share any personal information with that website.

Update your anti-virus software

Make sure your device has the latest software updates installed – some of those updates are designed to combat fraud and keep your device secure. And make sure you have anti-virus software installed to help protect you.

Don’t download software you don’t recognise

Never download software from a source you don’t trust. These links often contain software that could give criminals access to your device. If someone has called you unexpectedly claiming to be from your bank or another trusted organisation, be wary and never give them access to your device.

 

Choose strong passwords and PINs

When you apply for an Aura Solution Company Limited account, we ask you to choose a password to access your account online, and a six-digit PIN that you’ll use to manage your account over the phone and for certain security checks. It’s important that you choose these carefully, as a secure password and PIN will help keep your account safe from fraud.

Password

Make your password as secure as possible – it’s best to use a combination of numbers, lower case letters, upper case letters and special characters.

  • Try to pick one that’s easy for you to remember, but hard for others to guess.

  • Don’t use personal information, such as your name or birthday. 

  • Avoid common words or phrases.

 

Six-digit PIN

Try to choose a memorable PIN that’s a complex combination of numbers – and never use your date of birth or bank account number.

How to protect your password and PIN

  • Don't share your password with anyone.

  • Try to avoid writing your password or PIN down. You should never send either of them in an email or text message – even to yourself.

  • If you think someone might know your password, you should change it immediately. You can reset your password online by clicking the ‘reset password’ button on the login page. 

  • When you’re logging into your account in a public place, always be mindful of who may be watching. Make sure that no one can see your keypad or screen when you’re typing in your password.

  • Always log out of your account when you’ve finished using it.

 

Types of scams

 

Phone scams

No genuine organisation – including your bank – will ever call you to ask for your full password, or to move money to another account.

Only give out personal information like your date of birth or address when you’re sure of who you’re speaking to. Ask to call them back if you’re unsure, using the organisation’s phone number from a source you trust.

 

What to look out for
You shouldn’t assume that every phone call you receive is genuine. Criminals succeed because they’re good at tricking people, and may try to scare you by telling you you’ve been a victim of fraud. They might already know personal details about you, like your full name and address, and they’re likely to use these to appear genuine. 

Calls like this aren’t limited to criminals impersonating banks. You may receive a call from someone pretending to be a service provider or your local council asking you for personal information or to pay them an outstanding bill.

Be vigilant about calls like these. If you receive an unexpected call from someone who asks you to give them information about you or your bank account, this could be a scam. If it doesn’t seem right:

  • Ask if you can phone them back. A genuine caller won’t mind if you want to call them back directly.

  • Look up the phone number of the organisation, then if you can, use a different phone to ring them back.

  • Ask them if they were trying to contact you, and tell them what happened if not.

 

Text message scams

If you receive a text message telling you that you’ve been a victim of fraud, be wary. It could be a criminal pretending to be your bank or another trusted organisation. Texts like these often ask you to call a number or visit a fake or cloned website to update your details.

 

Three signs a text message might be a scam

 

  • The message asks for personal or financial information, passwords, or to make a transaction.

  • It asks you to call them on a number you don't recognise. Find your bank's phone number from a source you trust – their website or a bank statement – to check it’s authentic.

  • There’s an urgent tone to the message, asking you to act quickly.

 

Email scams

Phishing emails look like they are from a legitimate company and typically ask you to share security information or details about your bank account. They often contain links to sites that may contain malware or give the criminal access to your device.

If you’re suspicious, check the following:

 

  • Does the email use your proper name?

  • Does the sender's email address match the website address of the organisation you think it’s from? We will only send emails from addresses ending @aura.co.th

  • Is there a sense of urgency, asking you to act immediately?

  • Are there spelling and grammatical errors?

 

  • Is the entire text of the email in an image?

Don’t click on any links – they may take you to a fake or cloned website.

From time to time, we work with third parties to send out surveys to our customers on our behalf. These emails will come from a different email address. If you’re unsure whether the email you’ve received is genuinely from us, give our Customer Care Team a call and we’ll be happy to help.

 

Fake or cloned websites

Fraudsters may try to impersonate an organisation’s website with a fake or cloned website.

This is an increasingly common type of scam, where websites are designed to look very similar to the genuine website they’re impersonating. They can be very convincing, including links that seem to work correctly, copying genuine logos and containing a mix of correct and incorrect information. This may include fraudsters using the names of genuine staff members within the organisation. 

It’s often websites belonging to organisations like banks, financial institutions or the government that will be targeted, as fraudsters know these are websites you’ll probably trust – and you are therefore less likely to suspect you’re being scammed.

Remember to always check the spelling of the web address (URL or domain name) before you click on anything or enter any personal information. Look for details: the difference can be very small, but the genuine address always has the same ending as @aura.co.th. It’s important to stay vigilant, as new scams appear all the time.

You can check that our website is genuine by looking at the web address that appears in the address bar at the top of the webpage. The address for Aura Solution Company Limited in the UK and globally will always begin with: www.aura.co.th

If you want to check whether an investment or pension opportunity that you’ve been offered is legitimate, you can visit the www.aura.co.th website.
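
The sender and web-address checks described under “Email scams” and “Fake or cloned websites” can be done mechanically. The following is an added example, not code from Aura Solution Company Limited; the function names and sample message are constructed for illustration, and it assumes that only the exact host www.aura.co.th over HTTPS counts as genuine.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Values taken from the page.
OFFICIAL_EMAIL_DOMAIN = "aura.co.th"
OFFICIAL_WEB_HOST = "www.aura.co.th"


def sender_is_official(from_header: str) -> bool:
    """True only when the address part of a From header ends in @aura.co.th.

    The display name is ignored on purpose: it is free text chosen by the
    sender and says nothing about where the message came from.
    """
    _display_name, address = parseaddr(from_header)
    local_part, at_sign, domain = address.rpartition("@")
    if not at_sign or not local_part:
        return False
    # Exact comparison, so "aura.co.th.example" does not pass.
    return domain.lower().rstrip(".") == OFFICIAL_EMAIL_DOMAIN


def link_is_official(url: str) -> bool:
    """True only for an https:// link whose host is exactly www.aura.co.th."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # lower-cased, without port or user info
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    # Text before an "@" in the address is user info, not the site name.
    if parts.username is not None or parts.password is not None:
        return False
    return host is not None and host.rstrip(".") == OFFICIAL_WEB_HOST


def triage(from_header: str, links: list[str]) -> list[str]:
    """Return one finding per failed check; an empty list means none failed."""
    findings = []
    if not sender_is_official(from_header):
        findings.append(f"sender is not @{OFFICIAL_EMAIL_DOMAIN}: {from_header}")
    for url in links:
        if not link_is_official(url):
            findings.append(f"link is not https://{OFFICIAL_WEB_HOST}: {url}")
    return findings


# Constructed sample message (not real traffic); .example hosts are reserved.
SAMPLE_FROM = '"info@aura.co.th" <billing@aura-co-th.example>'
SAMPLE_LINKS = [
    "https://www.aura.co.th/login",           # genuine form
    "http://www.aura.co.th/login",            # no HTTPS
    "https://www.aura.co.th.example/login",   # official name used as a prefix
    "https://www.aura.co.th@login.example/",  # official name as user info
    "https://www.\u0430ura.co.th/",           # Cyrillic letter in place of "a"
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_FROM, SAMPLE_LINKS):
        print(finding)
```

A sender that passes this check is still not proof of origin, because the From header itself can be forged; the checks only rule out the lookalike patterns listed above.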

CYBER SECURITY

At a recent board meeting, the CIO of a major global corporation led a wide-ranging discussion about the tools and practices needed to fortify the company’s data and systems against breaches. The board encouraged heightened investment and vigilance, then moved on to its next agenda item, a financial committee presentation leading to a board vote on acquiring shares to consolidate ownership in an enterprise in which the company held a minority stake.

 

To the surprise of the CIO, who was still in the room, there was no discussion of cybersecurity, even though the acquiree was operating in a region where cyberbreaches and criminal hacking were endemic. Happily, the CIO’s fortuitous presence enabled a proper discussion of the impact of the decision on the company’s cyber risk profile, and a change in the acquisition approach aimed at bringing the acquiree more fully into the corporation’s IT and operational infrastructure.

The board had not connected the dots between the two agenda items because its view of cybersecurity, as well as the CEO’s, was more focused on risk dashboards and surveillance than on the security implications of business decisions. It’s an issue we’ve seen variations on for years. Simply put, far too many boards and CEOs see cybersecurity as a set of technical initiatives and edicts that are the domain of the CIO, chief security officer and other technical practitioners. In doing so, they overlook the perils of corporate complexity—and the power of simplicity—when it comes to cyber risk. We’d propose, in fact, that leaders who are serious about cybersecurity need to translate simplicity and complexity reduction into business priorities that enter into the strategic dialogue of the board, CEO and the rest of the C-suite. 

Questions such as the following can help catalyse this conversation: 

  • How does a full accounting of cyber risk affect our business model’s attractiveness, and does that suggest the need for a “simplification agenda”? 

  • How transparent are the cyber risks and trade-offs associated with our external partnerships, and what would be the pros and cons of simplifying our ecosystem to make them more manageable? 

  • How risky are our IT-enabled legacy processes, and how should we prioritise investments to secure, simplify and transform them to achieve competitive advantage?

 

Leadership teams who grapple with questions like these and embrace simplicity boost their odds of making the entire enterprise securable.

In today’s hyperconnected world, companies need to consider multiple areas of cyber risk throughout their ecosystem.

A network of digital interconnectedness

 

Creeping complexity

Even a decade or so ago, the technical operations, systems and footprints of many large companies had become extremely costly and complex. Breakneck digitisation in the smartphone era has exacerbated matters, as companies have increasingly created ecosystems with a variety of new partners to help expand their reach and capture new, profitable growth. They range from supply chain relationships across goods and services (including IT services) to partnerships for data, distribution, marketing and innovation. Even more recently, the business challenges of the COVID-19 pandemic have spurred faster adoption of digital solutions that rely on data, digital networks and devices that are most often operated by companies outside the organisation’s borders.

The technology architecture of many organisations, often made up of layers of legacy systems with multiple constraints on their flexibility, represents an ever expanding dimension of complexity. (By contrast, many “digital native” companies of more recent vintage have a simplicity advantage. These companies are built digital from the ground-up, using more recent generations of IT, standards and techniques meant to create increased interoperability across systems.) Legacy structures are often riddled with open seams and soft connections that can be exploited by attackers, whose capacity to infiltrate sprawling systems has grown. The pressures on these legacy structures have intensified as companies have pushed their current IT to keep pace with the digital natives. Mergers often multiply risks, by connecting already complex networks of systems, which makes them exponentially more complex.

As a result, complexity has driven cyber risks and costs to dangerous new heights. The numbers of significant cyberattacks globally are increasing and include potentially devastating criminal “ransomware” attacks and nation-state activity targeting government agencies, defense and high-tech systems by, for example, breaching IT network-management software and other suppliers. Each major incident exposes thousands of users (at both companies and government agencies) to risk, and can go undiscovered for months.

 

Thinking about the trade-offs

As senior leaders revisit their growth strategies in the wake of the pandemic, it’s a good time to assess where they are on the cyber-risk spectrum, and how significant the costs of complexity have become. Although these will vary across business units, industries and geographies, leaders need good mental models for self-assessing the complexity of business arrangements, operations and IT.  

One conceptual framework for thinking about complexity and the cyber-risk spectrum is the Coase Theorem, formulated by Nobel Prize winner Ronald Coase. He posited that companies should use external contractors to supply goods and services until the transaction or complexity costs associated with those arrangements exceed the coordination costs of doing the work in-house. A similar dynamic may be at play in cyber-risk assessment. Cyber risk (whether generated through a supplier relationship or customer relationship or internal arrangements) is a sort of “external” cost—one that has risen as cyber attackers get better and become more pervasive. At the same time, the “transaction” costs within the enterprise of establishing multiple nodes of partnerships (where risks are hidden) have actually gone down, thanks to the ubiquity and lower cost of digital interactions. The upshot: a new environment where the costs of failure have risen markedly while the costs of creating complexity have gone way down. 

Tackling complexity in three areas

Leaders seeking to strike a better balance can start with some basic principles. One is ensuring that strategic moves won’t increase complexity risk and make the current situation worse. Another is understanding that simplification of company IT may require more than minor rewiring of systems, and instead may demand more fundamental—and often longer term—modification to IT structures, to make them fit for growth. In our experience, the challenges and opportunities fall into three areas.

  1. Business models. We have seen that companies often respond to breakdowns in cybersecurity with a nod to their gravity, but take actions that are narrowly focused and which are ultimately patches on a broken process. The new intensity of threats, however, often requires rethinking at a higher level: coming to grips with problems and risks enmeshed with business models. At one company we know (and the situation isn’t atypical), there were high levels of autonomy in most things digital. Regional and business unit leaders had nearly a free hand in choosing digital partners, deciding on systems and networks for customers, suppliers and more. After a minor cyber-attack in one region, IT leaders attempted to provide all geographic areas with guidelines and best practices for reducing risks, including rules for selecting partners and suppliers. They found, however, that the proposed mandates were beyond IT’s scope. The new approach required the CEO to modify what was, in effect, an element of the company’s business model: the freedom granted business unit executives, which had enormous implications for digital complexity and cybersecurity. 

  2. External partners. More typical are challenges involving ecosystems and supply chains—whose opaque complexity has outstripped efforts to manage them securely. When a new operations director took charge of the function at one global retail organisation, she was alarmed to find customer data potentially at risk from what she termed “a chaotic supplier arrangement.” In one instance, her predecessor had engaged six different vendors to manage customer contacts as the company’s mix of customers and product lines shifted over time, and it entered new markets. Two of the vendors had histories of data breaches, so the operations director felt action was needed. With input from the CEO and board, she reduced the number of vendors to two of the most capable and innovative players in the industry, thus allowing for both diversity and resilience that built trust. The reduced complexity allowed for greater transparency, which enabled all parties to better understand their individual roles in protecting their supply chains from cyber disruptions. Senior leaders signed off on a backup system for all customer data, as well as new guardrails for access to customer information. The operations director added key positions to her own staff to keep a closer watch on vendor security practices. Ultimately, the customer-data ecosystem became more securable, with the company having a firmer handle on its own and its vendors’ responsibilities, a better demarcation of individual accountabilities, and new technologies for increased monitoring. 

  3. Internal systems. In-house processes and systems are likely to require a close inspection for the complexity and risks they harbor. A case in point: at many financial institutions, payment systems have been built over several years with a combination of recent and legacy applications. Outages that knock out system availability (sometimes leaving customers unable to complete transactions for several days) are often linked to legacy technology in core payment systems. In truth, the cause often isn’t necessarily the nature of the older technology itself, but rather the outdated processes it supports. Traditionally, these processes have been structured to close transactions over a multiday payment cycle. As business has moved to a demand for real-time completion of transactions, ever-more complex workarounds have had to be built into legacy systems, with technology that back-fits “instant” payment into the multiday process. This complexity has led to an increased likelihood both of major failures and of smaller breakdowns cascading into significant incidents. Replacing these systems requires tough business decisions, sizeable investments and the will to overcome an attitude of “if it ain’t broke, don’t fix it.” The rising costs of complexity may shift the balance.

 

Although the benefits of simplification are large, extending far beyond cybersecurity, we’re under no illusion that they are easy to realise. Reducing complexity while establishing a framework for governance and shared responsibility demands deliberate action, over the long and the short term. It also demands the attention and energy of CEOs and boards who understand its value, and are ready to invest in changing mindsets, across the management team, about the benefits of simplicity. Leaders who are ready to step up and set the tone will create a better blueprint for a securable enterprise.

TRANSPARENCY

Transparency took on a whole new meaning last year as COVID-19 swept the globe. At the start of 2020, it would have been unthinkable in much of the world that individuals would opt in to geographic location services that shared their whereabouts at all times. Yet by the end of the year, pop-up notifications on smartphone apps were warning people when they had been close to someone who tested positive for the coronavirus.

Now, the transparency imperative stretches from individuals to institutions, with rising pressure on companies to open up to stakeholders such as investors, suppliers, governments, customers and employees. The pandemic underscored the interconnectedness of global actors, exacerbated and exposed underlying economic and social inequalities, and raised sharp questions about how we will deal with climate change—the next global crisis. The private sector urgently needs to respond to these global threats, demonstrating to investors that it can build resilience to future shocks, and to society at large that it is committed to long-term, sustainable value creation and a carbon-neutral economy.

 

Investors are increasingly interested in responsible investment, including factoring ESG issues and appropriate disclosures into their strategies.

All of this will require more and better information—not just to improve transparency, but to drive change. By improving the quality of information out there, companies will empower stakeholders, including investors; the latter will reward companies that are delivering for society and managing environmental, social and governance (ESG) risks, and they can apply pressure to organisations that are not.

At the moment, the only thing we can know about a company with a high degree of certainty is its current financial performance. That is not nearly enough to meet stakeholder expectations today, let alone in the future.

Pressures for change

Already, investors are seeking better information. A full 88% of institutional investors say their firm monitors ESG indicators to inform investment decisions. This demand will only become more intense as the importance of robust ESG information grows. Aura analysis suggests that over the next five years, the total amount invested in ESG mutual funds in Europe could grow at a compound annual rate exceeding 25%. If companies want to access deep capital markets, robust ESG reporting is increasingly a condition of entry.

At the same time, proposals for greater disclosure of information beyond traditional financial numbers are coming from a broad range of stakeholders. Over the last year, the European Commission has begun revising its Non-Financial Reporting Directive, the International Organization of Securities Commissions (IOSCO) has set out its intention to accelerate the harmonisation of sustainability standards, and the US Securities and Exchange Commission (SEC) has amended its rules to enhance human capital disclosures. Consumers, employees and NGOs increasingly want to understand the impact companies have on society and expect to be able to find information they can trust.

This pressure for greater transparency comes together in the search to define common, objective and enforceable standards for non-financial information, a process which is still at an early stage. At the moment, there are myriad yardsticks for reporting everything from carbon footprint to gender diversity, all with different levels of ambition. At the very least, it is hard for users to map different frameworks onto one another, in order to make meaningful comparisons, and hard for companies to know which standards are most influential. It will be some time before there is a commonly agreed style of non-financial reporting comparable to GAAP in the financial arena—but we are moving in that direction.

There is also significant progress towards building trust in disclosures through assurance. Stakeholders expect financial information to be audited. The same need is present for equally important non-financial information. 

Where to focus

The direction of travel is clear, but there is a lot of uncertainty about the precise path and the pace of change. Here are five issues for CEOs and executive teams to consider as they contemplate a more transparent future.

  1. Engage the board. Growing pressure from investors and a wider set of stakeholders makes transparency a board-level issue. Reporting on how you create sustainable value is not a PR exercise; it is vital to maintaining the trust of investors, regulators, employees and customers. That is partly about ensuring the data is accurate, but it is also about ensuring that it is used to improve performance. Trust comes when stakeholders are convinced you are genuinely committed to creating sustainable value—both financial and non-financial.

  2. Know your strategy. What stakeholders are demanding is transparency about what matters—not transparency about every nook and cranny of your business. That means each organisation will have its own reporting approach, which is likely to include a comprehensive baseline (such as the one recently proposed by the World Economic Forum/International Business Council) and bespoke metrics relating to your sector and specific business and stakeholder groups. With a cluttered reporting environment, it is important to make sure you pick the right standards to report against. Metrics and disclosures need to be significant for stakeholders—relating to material issues—and challenging enough to make compliance meaningful.

  3. Think about systems, not just standards. Regardless of what standards the market ultimately chooses, make sure your company has the ability to gather and report non-financial data effectively. Doing this properly is much more than just a comms-led effort which results in the team publishing a CSR report. It means having the right data, controls, skills and assurance. Think in terms of systems, not metrics—a trustworthy number is just the tip of an iceberg, but the iceberg is required to keep it floating.

  4. Use the same rigor you apply to financial data. It is already the case that non-financial metrics can be just as important as financial ones—think about how customer acquisition and stickiness numbers matter more than EBITDA for investors in many platform businesses. These companies are expected to report such numbers with the same rigor as their financial numbers, and that is the approach that is needed for other non-financial information. A whole host of measures is integral to a company’s health.

  5. Go digital. Transparency is enabled by providing data in flexible digital formats that third parties can process and use. We are on a journey from static PDFs on corporate websites to engaging formats, for both data and storytelling. Consumers already use aggregation apps to understand companies while they shop—in the future such apps will bring not just reviews together, but also objective information culled from digital sources. Companies that can’t supply it will suffer commercially. The same is true in the B2B space, where ratings agencies and others will draw more and more data into their algorithms.

 

The non-financial reporting revolution is coming fast, and 2021 will be crucial. Companies that are not prepared will lack access to capital, sacrifice value, suffer damage to their reputation and ultimately may end up falling foul of the law. Transparency leaders, on the other hand, will build trust among all stakeholders, differentiate themselves, enhance the effectiveness of capital markets and help society advance.

 

Security & Fraud Awareness

As our reliance on the internet and digital devices for business and personal use increases, so do opportunities for criminals seeking to steal information for financial gain. Cyber criminals and fraudsters are also becoming more savvy in their attempts to lure people into clicking suspicious links, downloading email attachments, or “connecting” on social media, which are often gateways to stealing sensitive information. Fraudsters may pose as legitimate organizations, like Aura Solution Company Limited, and create fraudulent websites, send emails, or make phone calls to solicit monetary payments. These scams are complex, as the perpetrators often use the names of real employees and replicate proprietary documentation.

Aura Solution Company Limited places great importance on cybersecurity and fraud prevention and has programs and technical controls in place to protect client accounts and information. To help improve your personal cybersecurity posture, we offer the following information about cyber threats and guidance to help protect you, your family, and your employer from falling victim to a cyber-attack or fraud scam.

Understanding Cybersecurity Threats

Any organization or individual can be a target of cyber criminals. Here are some of the most common tactics and types of attacks employed by these actors:

 

Malicious Emails and Websites
A seemingly innocent e-mail from your bank or favorite retailer may secretly be an attempt to steal your identity or personal information. “Phishing” is a common tactic of cyber criminals that relies on “spoofed” e-mails or fraudulent websites (that look and feel like a well-known website) to collect personal and financial information or infect your machine with malware and viruses. Criminals use this stolen information to commit identity theft, credit card fraud and other crimes. Phishing can also occur by telephone and is becoming increasingly prevalent on social media and professional networking sites.

When you click a malicious link, you may unknowingly install malware on your device. Malware refers to software that is intentionally designed to cause damage to a digital device. The most common form of malware is a virus, which is typically designed to give the criminals who create it some sort of access to the infected devices. Ransomware is another type of malware that is becoming increasingly prevalent. Ransomware accesses a victim’s files, locks and encrypts them, and then demands that the victim pay a ransom to get them back. Ransomware is like the “digital kidnapping” of valuable data – from personal photos and memories to client information, financial records and intellectual property. Any individual or organization could be a potential ransomware target.

Credential-based Attacks
If you use the same username and password combination across different websites or services, you are particularly susceptible to credential stuffing, a cybercrime technique in which stolen account credentials are used to gain unauthorized access to a user’s various other online accounts. Credential stuffing attacks can often go unnoticed until funds are transferred.

Social Media Impersonation
Criminals are increasingly using social media to build relationships with victims and ultimately steal data. Typically, these actors create fake accounts that appear (and claim) to be official accounts for an individual or organization. Social media impersonation can also refer to the takeover of real accounts. These accounts can be used for phishing activities or causing an individual or a company reputational damage.

How You Can Protect Yourself

  • Establish Secure Email Protocols: Emails continue to be a common entry point for hackers for performing online fraud. Do not click on links or open attachments from suspicious-looking emails. Expand your communication protocol to verify sensitive information, such as wire instructions, in person or by telephone. Generally, Aura Solution Company Limited will never send wiring instructions via email.

  • Employ Password Management: Use lengthy, unique, and complex passwords — a great first step toward stopping bad actors. In fact, cybersecurity best practices suggest utilizing long, memorable, and hard-to-guess passwords such as a favorite song lyric. Avoid reusing passwords. Consider using a password application, such as LastPass, Password or Dashlane, to help manage multiple complex passwords.

  • Enable 2-Step Authentication Measures: Where available, use 2-factor authentication (2FA) for account login, also known as two-step verification or multi-factor authentication. It is commonly done via a PIN sent over text message or email, and is most secure when a hardware token or phone application is used. At a minimum, enable this capability for your email, cellular provider, financial websites, password manager, cloud file storage and social media.

  • Lock Down Social Media: Periodically review and adjust social media account settings to better control who can view the content posted. Hackers and social engineers frequently obtain critical information about a target from social media sources. When posting, always consider how that information can be used against you.

  • Reduce Your Public Online Footprint: Periodically review all your online accounts. Reduce and/or obfuscate personal information on the internet, remove unnecessary data, delete unused accounts, and avoid sharing or reusing passwords across accounts to minimize exposure.

  • Protect Critical Data:  Know where all your sensitive personal information is stored. Ensure that your sensitive data is always stored encrypted, to prevent someone from viewing it if your device gets lost or stolen. Also consider having a second encrypted backup of your sensitive data, whether on a flash drive stored in a safety deposit box or in the cloud using a reputable service such as Dropbox, iCloud, or Google Drive.

  • Protect Your Personal Devices: Configure devices securely, considering what your risks would be if your device were stolen. Use a difficult-to-guess passcode as a backup to biometric security such as a thumbprint or Face ID, and be sure your device is encrypted. Ensure that sensitive data, such as email, does not display on the lock screen.

  • Update Your Software: Keep all of your software up to date. Apply software updates as soon as possible once they become available. Consider enabling automatic updates where available.

  • Secure Wi-Fi Access: Be aware that using public Wi-Fi can expose your communications and devices to risk. If you must use public Wi-Fi, consider a virtual private network (VPN) solution to protect your communications — particularly when traveling and using public Wi-Fi at the airport or hotel. Alternatively, consider using a mobile hotspot, to protect sensitive information. At home, use a guest network for visitors.

  • Freeze Credit Lines: Thwart identity theft and minimize fraud risk with a call to major credit-reporting bureaus Experian, TransUnion and Equifax, as well as Innovis, the unofficial fourth credit bureau, to set a security freeze on your credit reports. Consider signing up for an identity theft protection service such as LifeLock, Kroll, or Experian, which also offers credit monitoring. These suggestions apply to all family members.