Whether it’s a stolen stapler or a series of illegal trades, companies need to address crime committed by their own staff proportionately
No one likes to think their own employees are stealing from them, but it is a fact that crime committed by staff is a major business risk. From stealing office supplies to making illegal trades, firms need to be aware of the threat.
But they need to address it intelligently without compromising their corporate culture with excessive security.
“The insider risk varies from organisation to organisation,” says Angela Sasse, professor of human-centered technology at University College London. “In low-wage, high-turnover places, in which people don’t see a career path, businesses will experience more insider fraud than in more professional organisations.”
Generally, the problem can be divided into three areas: staff set out to defraud their employer; staff complacency makes it easier for other criminals to steal from or defraud the firm; and staff being blackmailed or otherwise manipulated into committing crimes. “Insider fraud can be a particularly emotional thing,” says Sasse. “It’s often quite uncomfortable to think that your own colleagues will act against you and so some firms will avoid the issue.”
While the number of insider attacks may not be as high as those by external criminals, they tend to have a higher success rate and more of a financial and operational impact. “Particularly where employees are defrauding from inside the company, they often know how to cover their tracks and they can be hard to catch,” says Sasse. “Some attacks can go on for years without being discovered.”
But protecting the business is easier than many might think.
Saving their blushes
When frauds are investigated, it often turns out that the criminal has committed similar crimes in other companies, which could have been identified through better screening at the recruitment stage.
“Often a problem arises because a previous employer was embarrassed to have been caught out, and so they let people go quietly to save their blushes,” says Sasse. “Thorough screening is important, particularly if businesses are recruiting to positions where staff have a lot of access to valuable material, money or sensitive data, or in businesses where working practice can be hard to monitor continuously. In these cases, there needs to be appropriate screening.”
There also needs to be appropriate wording in employment contracts. “Psychological contracts [the perceptions of the two parties, employee and employer, of what their mutual obligations are towards each other] that explicitly point out that certain behaviours are forbidden, such as harassing or bullying colleagues, are becoming more common,” says Sasse.
It is also critical to design your security system so that it actually works on a practical level and staff can comply without compromising their ability to do their job.
“Many attacks are carried out by disgruntled employees and often more work can be done to identify when workers are likely to fall out with their employers and thus become more likely to commit fraud,” says Sasse. Businesses can (i) actively manage the problem and work to provide training or other opportunities to help mitigate the situation; or (ii) put a watching brief in place and monitor an individual or situation closely.
Monitoring IT networks is important, but it should not be relied upon too much. “Monitoring software could catch some very emotive people, but many will slip through the net,” says Sasse. “It is also quite expensive to do continuously. A better approach is to have the capability to turn monitoring systems on when companies have intelligence to indicate that something is wrong. Continuous monitoring can also have a negative impact on staff, as most people don’t enjoy the feeling that they are being constantly spied on.”
Perhaps the single most significant step a firm can take to mitigate the risk is creating an open and engaging culture whereby staff value their workplace and treat each other with genuine respect.
Often, when there is an investigation after an attack, it turns out that co-workers were aware that their colleague was stealing or defrauding and were either too intimidated or apathetic to take any action.
“For this reason, it is vital for businesses to have some kind of no-fault reporting process in place to ensure staff feel comfortable to speak up if something is wrong – even if the crime involves their manager or if they are worried they might have made a mistake,” says Sasse.
Trying to do the right thing
Not all losses caused by employees are deliberate; many staff are themselves the victims of fraud. For example, the so-called ‘fake president’ scam involves criminals, posing as a senior figure in the company, convincing an employee that they need to make an emergency bank transfer to a third party to fulfil some essential function, such as paying off a debt, servicing a provision in a contract or making a deposit.
This type of scam is usually carried out by well-organised groups who carry out a great deal of research into market conditions, the structure and the customers of the companies they are attacking.
However, the central premise of the scam – a request by a senior member of staff – is often enough to coerce employees into action through fear of repercussions from disobeying authority.
According to experts at Deloitte, the criminals typically use persuasive dialogue such as: “It is an order to do this”, “I count on you for your efficiency and discretion”, and “The success of the project rests on your shoulders”. The main defence against this kind of attack is staff training that emphasises three things: these cons exist, so staff need to be vigilant for anything unusual; established protocol around transfers must always be followed, however senior the apparent requester; and a request must always be verified using contact details the employee already holds, never those supplied in the email itself.
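The three training points above can also be turned into a first-line triage check that a finance or security team runs over incoming payment requests before anyone acts on them. The script below is an added example written for this page; it is not code from the original article or from Deloitte. The company domain (`example.com`), the executive directory, the phone number and the sample messages are all constructed for illustration. It flags a message when it asks for money and also shows one of the classic fake-president tells: a display name that matches an executive but comes from the wrong address, a lookalike sender domain, a Reply-To that diverts replies elsewhere, or the pressure and secrecy language quoted above. When it flags, it returns the requester's contact number from the company's own directory, never anything taken from the message, which is exactly the verification step the training calls for.

```python
"""Triage rules for 'fake president' (CEO fraud) payment requests.

Added example, not part of the original article. All domains, names,
numbers and messages below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

COMPANY_DOMAIN = "example.com"  # hypothetical company domain

# Hypothetical HR directory: lower-case name -> (email address, phone number).
# The phone number is the *independent* channel used to verify a request.
DIRECTORY = {
    "jane doe": ("jane.doe@example.com", "+44 20 7946 0000"),
}

# Pressure/secrecy wording (the Deloitte phrases plus common variants).
PRESSURE_PHRASES = (
    "it is an order", "count on you", "discretion", "rests on your shoulders",
    "urgent", "confidential", "do not discuss", "immediately",
)
# Words that make a message a money request at all.
PAYMENT_TERMS = ("transfer", "wire", "payment", "bank details", "deposit", "pay off")


@dataclass
class Message:
    from_name: str
    from_addr: str
    subject: str
    body: str
    reply_to: Optional[str] = None


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return addr.rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values between domains suggest a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(msg: Message) -> dict:
    """Flag a payment request that carries fake-president indicators.

    Returns {"flag": bool, "reasons": [...], "verify_via": phone-or-None}.
    verify_via always comes from DIRECTORY, never from the message itself.
    """
    text = f"{msg.subject}\n{msg.body}".lower()
    if not any(term in text for term in PAYMENT_TERMS):
        return {"flag": False, "reasons": [], "verify_via": None}

    reasons = []
    name = msg.from_name.strip().lower()
    from_dom = domain_of(msg.from_addr)

    # 1. Display name of an executive, but not the executive's real address.
    if name in DIRECTORY and msg.from_addr.lower() != DIRECTORY[name][0]:
        reasons.append("display name matches an executive but address is not the directory address")
    # 2. Sender domain is a near-miss of our own domain (e.g. examp1e.com).
    if from_dom != COMPANY_DOMAIN and 0 < edit_distance(from_dom, COMPANY_DOMAIN) <= 2:
        reasons.append(f"lookalike sender domain {from_dom!r}")
    # 3. Replies are silently redirected to a different domain.
    if msg.reply_to and domain_of(msg.reply_to) != from_dom:
        reasons.append("Reply-To points to a different domain than From")
    # 4. Authority, urgency or secrecy language.
    hits = [p for p in PRESSURE_PHRASES if p in text]
    if hits:
        reasons.append("pressure/secrecy language: " + ", ".join(hits))

    flag = bool(reasons)
    verify_via = DIRECTORY.get(name, (None, None))[1] if flag else None
    return {"flag": flag, "reasons": reasons, "verify_via": verify_via}


# Constructed sample messages: one scam, one routine executive email,
# one routine supplier email that mentions payment but shows no tells.
SAMPLES = [
    Message("Jane Doe", "jane.doe@examp1e.com", "Urgent deposit",
            "It is an order to do this. I count on you for your efficiency and "
            "discretion. Please make the transfer today.",
            reply_to="jane.doe@mail-relay.net"),
    Message("Jane Doe", "jane.doe@example.com", "Q3 planning",
            "Can you send me the slides for Thursday?"),
    Message("Accounts", "ap@supplier.example.net", "Invoice 42",
            "Payment is due on the usual terms; details unchanged."),
]


def run_samples() -> list:
    """Triage every sample message and return the results in order."""
    return [triage(m) for m in SAMPLES]


if __name__ == "__main__":
    for msg, result in zip(SAMPLES, run_samples()):
        print(msg.subject, "->", "FLAG" if result["flag"] else "ok", result["reasons"])
        if result["verify_via"]:
            print("  verify by phoning", result["verify_via"], "(directory number, not the email)")
```

The point of `verify_via` is the last training rule: the number comes from the directory the employee already holds, so a scammer who controls the From, Reply-To and signature block cannot steer the verification call back to themselves. A message with no directory entry still gets flagged, and should then follow the normal transfer protocol rather than any contact details in the email.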