Procurement compliance and security are often put on the back burner when companies try to save money. Buyers see the same device that a reputable source sells at one price offered for far less on an eCommerce site, and they buy the cheaper version without a second thought. But as the old saying goes, “you get what you pay for.”
A recent $1 billion counterfeit Cisco device scheme is the perfect example of what happens when companies try to cut costs and ignore the warning signs that a deal is too good to be true.
According to recent reports, Onur Aksoy was arrested for allegedly selling counterfeit Cisco devices. Mr. Aksoy bought counterfeit devices from China and sold them on eCommerce sites such as Amazon and eBay.
Once customers set up the equipment, they quickly discovered that the devices they bought from Aksoy’s online stores were defective. “Often, they would simply fail or otherwise malfunction, causing significant damage to their users’ networks and operations—in some cases, costing users tens of thousands of dollars,” the Justice Department said. “Customers of Aksoy’s fraudulent and counterfeit devices included hospitals, schools, government agencies, and the military.”
Following customer complaints, both Amazon and eBay shut down his online stores. However, he continued to sell the devices on these sites by changing his company’s name, operating under 19 different company names from 2013 to 2020.
Cisco also caught on to the scheme, sending seven cease-and-desist letters to Aksoy from 2014 to 2020. Cisco said, “We are committed to maintaining the integrity and quality of Cisco products and services. Cisco is grateful to law enforcement and customs officials for their tremendous collaboration in this investigation and to the DOJ for bringing the perpetrator to justice.”
How did he get away with the scheme for so long? Aside from changing his company name multiple times and using an alias (Dave Durden), Aksoy succeeded because the devices he sold looked genuine. The counterfeit devices were older, inexpensive equipment retrofitted to appear as newer, more expensive models. They were also packaged with realistic-looking boxes, labels, and documentation.
“As alleged, the Chinese counterfeiters often added pirated Cisco software and unauthorized, low-quality, or unreliable components—including components to circumvent technological measures added by Cisco to the software to check for software license compliance and to authenticate the hardware,” the Justice Department said.
In July 2022, the fraudulent scheme finally caught up with Aksoy when the Department of Justice indicted him. However, the government had long known about his scheme: US Customs and Border Protection had seized approximately 180 shipments from his Chinese counterfeiters since he started it. U.S. agents also raided one of his warehouses in July 2021 and seized 1,156 counterfeit Cisco devices (worth $7 million).
Procurement Security: Mitigating Procurement Compliance Risk
There is a lot to be learned from a case like this. When it comes to procurement security, saving a few bucks is definitely not worth the risk. Using these faulty devices can cost a business far more than it may have “saved” by buying devices from an untrusted source. Procurement compliance rules and regulations were put in place for a reason: to protect business and customer data.
For organizations in the healthcare space, vetting the devices used to run the business is even more critical. Patients’ protected health information is a top target for hackers. When a healthcare organization is breached, the incident can take years and millions of dollars to recover from (as evidenced by the 2022 Cost of a Data Breach Report published by IBM).
Paul Redding, VP Partner Engagement and Cybersecurity, Compliancy Group, commented on the counterfeit scheme, “What happened here is exactly why you need to talk to your client about procurement as a part of their security and compliance. Many business owners believe that the IT provider gets hardware at some incredibly low rate before marking it up astronomically for resale. We as the service providers know that not only is that untrue, but there is also serious risk when buying IT equipment from some random website.”
Redding continued, “HIPAA and other regulatory acts include controls for procurement compliance with good reason. There’s no giant conspiracy by IT nerds to drive up the price of firewalls and switches.”
“When I put on my old MSP cap, cliché or not, as my client’s ‘trusted advisor,’ I needed to be able to help manage their procurement security process. I was never getting rich on hardware. That wasn’t the deal,” Redding said. “I knew if I sourced it, we would get the right equipment. It’s that simple. If I was still an MSP today, I’d share this with my clients. Sure, they might see that same device on some website for less than they paid you for it. But how do they know what they are getting from that site? Is it actually that model you’re going to receive? Is the license valid? Can Chinese hackers use it to access your network?! If it’s a medical professional, is this going to put my compliance at risk?”