|
The threat from within
By Linda More
Computing 19 Apr 2007
Internal fraud is on the rise and IT organisations must be prepared to address the problem
In a recent survey 78 per cent of IT professionals claimed that their companies had suffered unreported insider-related security breaches. It seems that internal crime is one of the most secret and prevalent activities going on in our institutions today, and is costing billions of pounds.
Few organisations are prepared to come clean and admit the full extent of any security breaches, leading to the conclusion that internal fraud is much more rampant than most firms are prepared to disclose.
According to Tony Bourne, senior partner at legal expert Glovers, 80 per cent of corporate fraud involves an employee.
More than 40m is lost every day to fraud in the UK, he says. And while you may think that you have a loyal workforce, 90 per cent of fraudulent employees have been with their employer for more than a year, and 20 per cent for more than a decade.
The insider threat from accidental or deliberate action by employees, contractors or customers has become the biggest challenge to firms. Internal users have unprecedented levels of connectivity and access to enterprise systems, as well as powerful tools available to download or transmit large amounts of data.
Insiders have trust and access two things unavailable to outsiders making fraud hard to detect and prevent and, once discovered, politically challenging to manage. Three areas of concern are fraud, sabotage and data leakage or theft. Insurance premiums also reflect trust and opportunity risks with employee infidelity accounting for more than 75 per cent of the premium for a crime insurance product.
Jonathan Butcher, deputy active underwriter at Lloyds syndicate Novae, says that technology and electronic trading has significantly raised the ceiling on crime.
The physical limitation of the sheer weight of bank notes has been removed, making it possible to steal very large amounts of money. I have knowledge of an employee infidelity incident exceeding 50m, he says.
A lot of claims come to light some way down the line. Many a scam would have gone undetected if the perpetrators had not become too avaricious.
Insider fraud is not new, although there is increased awareness of it happening.
David Porter, a senior fraud expert and head of security and risk at consultant Detica, believes that uncovering fraud is not too difficult if you look in the right place.
Most companies have their security radar systems pointing externally, he says. Somebody predisposed to insider fraud will keep testing the boundaries, and will be uncovered by their greed.
Applying business intelligence to audit trails of people's activities photocopying routines, where they go in the building, as well as IT system access often shows up interesting abnormalities, especially when you start discovering that multiple parts of the building are apparently occupied by the same person at the same time.
Firms need to look at people, process and technology to combat the risk of internal fraudulent activities.
Robert Myatt, director at business psychologist Kaisen Consulting, believes that most people are not criminally minded, and that when recruiting staff it is important there is an emotional fit with the job.
There is a tendency for companies to make the job more attractive, so it is important to emphasise the good and bad bits, he says.
There has to be a psychological contract between the firm and the candidate. If the expectations they hold for the job are not met, they may feel resentful and that is when they will start to think about sabotage or working for their own means.
Finding candidates whose motivation matches the job, rather than previous experience, is also important. Myatt says that most organisations do not do this they only look at candidates who have done the job and have experience.
If someone has the right emotional core skills, you can teach them the know-how, he says. However, you cannot reprogramme their behavioural tendencies.
One of the biggest motivations for fraud, according to Myatt, is dissatisfaction.
If the job is not meeting expectations, or people are not being recognised and valued sufficiently, then they stop putting in the effort, he says.
This grievance towards the company might lead to action and doing things to benefit themselves.
Fortunately, there is only a tiny minority of people who will happily step outside the legal and moral boundaries and break laws the most likely way to spot them is if they already have a criminal record. Full screening of potential candidates is recommended for high-security industries such as financial services.
Looking at a person's computer can also offer interesting insight into the crime, says Chris Paley-Menzies, head of forensic technology at forensic accountant RGL.
Often people will keep a spreadsheet detailing the money they are embezzling, and even if it has been deleted there are ways of finding it, he says.
You can also uncover evidence of the motive for the crime, for example a web browsing history can confirm an online gambling habit.
Fraudbuster clauses should be included in every employment contract and communicated to the employee at the beginning of their service. This should include clauses compelling staff to take part in fraud awareness training and a monitoring policy covering web access, email, desk and even briefcase searches. The contract should make clear that fraud will be pursued rigorously to recover all sums stolen and that instant dismissal will follow.
While putting a price tag on insider fraud is almost impossible, Lisa Osofsky, ex-FBI officer and legal consultant at independent risk consultancy Control Risks, says there are measures that companies can take to guard against it.
Double signatures, anti-nepotism policies and the division of functions, so that everyone can see what each other is doing, are excellent ways of reducing opportunity for internal fraud, she says.
|
