Open Source Intelligence (OSINT) services have become an integral part of business in the modern world. Having information on clients and counterparties is critical to ensuring the security and uninterrupted nature of operations.

The open sources available reveal vast amounts of data about anyone who has ever left a digital footprint, allowing companies or interested parties to gather intelligence on individuals or companies without surpassing the boundaries of the law or any regulations on the use of personal information.

Given that social network and internet users freely and voluntarily share information on their behavior habits and statuses, having access to such data can allow businesses to reveal critical weaknesses in their structures, potentially harmful behavior among employees, or detect fraud or misconduct on the part of clients and counterparties. The benefits of using OSINT are numerous.

Refraining from using such services in daily operations has a downside. Companies that do not use OSINT face multiple risks, regardless of their area of business.

Examples of neglecting OSINT and allowing bad reputations to destroy or significantly harm a company's image are numerous. In 2016, Facebook defamed itself during the highly controversial US presidential elections and started looking like a disseminator of toxic misinformation. In 2018, Facebook's brand image was tarnished by a massive personal data breach that released millions of personal account details to the open public. In 2019, the company's image suffered another blow when employees started complaining about appalling working conditions.

Boeing is another shining example of lousy reputation management and OSINT neglect. In 2019, the company suffered heavy reputational damages when it was revealed that after a series of plane disasters, the company had been neglecting open claims about poor engineering and aircraft servicing and did not correctly screen its contractors for quality conduct. The result is hundreds of deaths in aircraft crashes and the loss of multi-billion contracts on the ill-fated Boeing 737-Max model.

This material examines the risks that are affected by information breaches, as OSINT is all about searching for information in open sources.

In addition to the aforementioned, risks can also be divided into two types by the nature of their emergence.

The first type of risk is internal. Such risks are caused by the company's operations based on its management and specific indicators, such as productivity, marketing strategy, equipment used, and others.

The second type of risk is external and is not directly related to the company's production processes. The given risks are formed by economic, political, and geographical reasons and other external factors.

Market Risks

Market risks incurred by companies include the risk of losses due to changes in the value of the business' portfolio. The given assets include products and manufactured goods that bear market value and were purchased for further resale. Market risks are characterized by their macroeconomic nature and rely on the financial system's indicators, such as market indices. All market risks are divided into:

  • Interest rate based
  • Currency exchange rate based
  • Stock price based

OSINT services are best applied for negating stock price-based risks, as negative information in social media can rapidly deteriorate the value of a company's shares.

A vivid example is that of Elon Musk's Twitter posts, which have historically had a detrimental effect on the share price of Tesla stocks.

By refraining from using OSINT services, a company bears the risk of being the last to know about data theft and its subsequent sale on Darknet channels. The company will also not have access to information about counterparties in M&A transactions and will not conduct background checks and cross-checks to screen candidates for employment.

Credit Risk

Managing credit risks is the main task of banks and other credit organizations. Credit risk management consists of many steps needed to determine the cost of borrowed funds, formulate principles for working with a loan portfolio, and outline a credit policy's main provisions. Subsequent monitoring and in-depth analysis of creditworthiness and dealing with problematic debtors is the routine of banks. Analysis of the effectiveness of the measures undertaken is the final stage of the process.

Credit risk assessment involves analyzing the maximum losses that a bank can incur over a certain period with a pre-calculated probability fraction. Among the common causes of failure is a decrease in the loan portfolio’s value, which occurs due to the complete or partial loss of solvency of a large number of borrowers. The qualitative assessment concept involves collecting detailed information about borrowers and its analysis for determining the financial stability of a potential client, the liquidity of collateral, their business activities, and other similar indicators.

If a bank does not resort to OSINT, it risks missing out on an immense stratum of information about its borrowers. The digital footprint that people leave in social media networks is sometimes a more reliable indicator of their lifestyle than what they show in business relations. Most importantly, it is easier to seek out information in social networks, and banks do not even need to conduct in-depth investigations to reveal important details about their clients. In addition, OSINT should be applied to monitor clients during the loan period to keep track of their status.

Liquidity Risks

Asymmetric information in microeconomics is the uneven distribution of information between parties to a contract. In a situation of asymmetric distribution of information, one of the parties knows more than the other about the subject of the agreement, the conditions for its conclusion, or its behavior in the process of execution. Kenneth Arrow was the first to draw attention to the presence of information asymmetry, in a 1963 article, “Uncertainty and the Economics of Welfare in Health Care,” in the American Economic Review.

Not using OSINT means aggravating information asymmetry, as open-source information remains concealed, and decisions are made without proper intelligence, thus increasing the risk of making wrong decisions.

Operational Risks

According to the Basel Committee's decision (Basel II, 2004), operational risk is the risk of losses associated with inadequate or unsuccessful internal processes, systems or human errors, or external events. The Basel Committee identified seven main categories of events that lead to losses:

  • Fraud within the company
  • External fraud
  • Occupational practice and labor safety
  • Customers, products, and business practices
  • Damage to physical resources
  • Business crashes and system failures
  • Execution, supply, and process control

The use of OSINT is implied for monitoring employees’ and customers’ actions and searching for affiliations and connections. Access control systems can also be combined with information from social media to identify relationships using OSINT. Personal privacy concerns may arise in such a scenario. Still, high-ranking employees understand the risks of conflicts of interest and must be ready to sign consents on personal information analysis.

Changes in legislation during the transaction period, incorrect documentation, and the inconsistency of different states' laws can mean risks for companies operating with cross-border clients.

If a company does not rely on OSINT, legal risks can arise for it and increase due to numerous regulations affecting sanctions, anti-terrorism, anti-money laundering, and other activities. OSINT can help companies identify potential threats from counterparties regarding such laws.

Reputational Risks

Reputation is one of the main assets of a company that garners the trust of clients and partners. Reputation management services are gigantic, and companies are eager to pay third-party OSINT companies to keep their reputations pristine.

Tarnishing a company's reputation is as simple as having an employee or contractor release an unethical post on any social network or make an inconvenient statement to the press. Internet users will do the rest by disseminating the information and reflecting on the company's image, and ultimately – on its share price and profits.

External factors can also affect a company's image. Such factors include competitors' or contractors' actions, poor logistics, catastrophes, acts of God, etc.

OSINT is critical for managing reputational risks before an adverse event and, in its aftermath, for damage control purposes. OSINT allows companies to conduct an in-depth analysis of employees and contractors to identify the potential for unethical or threatening conduct. Such services also act as a defense and counterattack when dealing with negative comments in social networks and other media channels.

Methodology For Using OSINT In Mitigating Risks

The methodology for dealing with all risks is the same and involves three steps:

  1. Identification
  2. Damage assessment
  3. Formation of defensive measures

The main applications for OSINT in mitigating risks are the following:

  • Minimizing risks when working with counterparties
  • Minimizing operational risks when working with partners for product purchases
  • HR screening, recruitment and teambuilding
  • Mitigating information security risks
  • Mitigating reputational risks and ensuring brand security
  • Ensuring successful mergers and acquisitions
  • Preventing internal data theft by employees
  • Preventing reputational damages

All the risks arising from such situations can be categorized into three types:

Permissible – when the company is threatened with the loss of profits if specific actions were not taken. In this case, commercial activity is not deprived of economic feasibility since the amount of potential losses does not exceed projected income.

Critical – when an organization faces the possibility of a loss of revenues exceeding projected income. In the worst-case scenario, the company risks losing all the funds allocated for the transaction.

Catastrophic – when the company loses solvency. The amount of losses exceeds equity. This category includes situations like environmental catastrophes or those threatening the safety of citizens.

Conclusion

OSINT services are vital for mitigating all manner of risks faced by companies. It is immeasurably better to rely on OSINT than to risk facing threatening situations and dealing with their consequences.

Companies of all sizes need to understand that OSINT is currently the best, cheapest, and most reliable source of information on employees, clients, and counterparties, obtained continuously from social media and even the Darknet. Such intelligence mining operations must always be conducted to monitor the surrounding environment for potential threats and respond proactively to risks.