Beware of the enemy within as many frauds are carried out by trusted members of staff with long service records
Human capital is the single greatest asset of almost every organisation. Without the right people, businesses would cease to exist. They are the innovators and the force that makes everything happen. They are also its biggest enemy.
Risk managers can advise companies on taking all precautions necessary to guard against the broadest spectrum of threats, but these measures are only as effective as the people within the business allow them to be. Purchase the most sophisticated cyber defence system available and you could be forgiven for sleeping easier at night. But what if someone in IT failed to install it properly, missed a service update or switched it off deliberately? That business would be rendered vulnerable to a cyber breach and could be in a worse position than having no protection at all, because the protection would be assumed to be in place.
Perhaps this is an extreme example, but it is more than mere hypothesis and companies have been left open to attack by exactly such failings. Reality is sometimes even more basic. Before the advent of cloud computing, one major international corporation came close to losing the entire contents of its server room to a gang of opportunist thieves after a member of staff left an external door open.
A common cyber danger comes in the realm of bring-your-own devices, which are becoming increasingly popular as firms look to save money on hardware. Such financial cutbacks are often short term and short-sighted, as they can leave companies exposed through individuals using equipment they have purchased independently that is not protected properly. Left unregulated, such devices can compromise an entire network.
Assumption, presumption and complacency are a fatal combination. Failing to undertake simple checks can bring down the most comprehensive defence mechanisms.
Stories abound of company insiders being ‘bought’ by criminal cyber gangs to extract information. In some cases, individuals act for their own financial gain; in others, they are responding to coercion. Such incidents do happen, although they are relatively rare. A more likely danger is the disgruntled employee – the one who lost out on promotion or feels undermined by their boss or colleagues. There are many such employees and most will continue to act rationally and behave within normal constraints. Some, however, will seek to punish and damage. In these cases, their acts of vengeance can start out relatively low key, to see if they get noticed, but eventually escalate into something far larger and more sinister.
Computer systems make the perfect target for employees who want to hurt a business. They don’t need to hack into them; they already have access, and the smart ones will know that they can operate largely undetected, provided they are subtle. Tiny changes can still have a devastating effect. What if that employee accessed a spreadsheet and moved a couple of digits to the left? They have just increased order levels ten-fold, but who would notice until it was too late?
Such behavioural threats are by no means limited to the cyber sphere – white-collar fraud is on the increase all over the world. Often, the perpetrators appear to be the least likely to offend – indeed many frauds are carried out by trusted members of staff with long service records who are skilled enough to cover their tracks. A not insignificant number of such fraudsters are women – those given the power to sign cheques or use credit cards on behalf of bosses with no time to check where the money is being spent until accounts detect the emergence of a large financial black hole. Such behaviour can put an SME out of business, but it can also be damaging to a large multinational, perhaps not in terms of the bottom line but in terms of reputation. This is why many such thefts go unreported and are dealt with internally. Ultimately, that only adds to the general problem by inadvertently encouraging others to act fraudulently as they do not fear being caught. It also stops businesses learning from the mistakes of others and implementing systems to prevent this type of activity.
Trouble generated by staff can manifest itself in any number of ways within a business – a rogue email, an employee getting drunk and spilling company secrets to a rival or even just disgracing themselves in public. In our world of fast-moving social media, a salacious incident that may once have been seen by a handful of people with no connection to that employee or company can become a global reputational firestorm in a matter of minutes.
Risk managers deal with an ever-increasing portfolio of international threats that are becoming more sophisticated and, as a result of their complexity, more difficult to protect against. However, many will remain little more than theoretical. The biggest dangers are often simpler and much closer to home – and these are the ones that are mostly overlooked.