Employee Fraud: The Enemy Within


9 August 2007 Edward Wilding


Employee fraud and computer misuse is a growing problem in today's workplace. Edward Wilding of Data Genetics International (DGI) outlines the importance of internal IT security.


The first hint of wrongdoing is often detected on Friday afternoons – typically just before the close of business or soon thereafter, when people gather at pubs or bars and alcohol loosens tongues.

Senior management's perception of risk – and technology-based threats in particular – is misconstrued. According to Wilding, "With few exceptions fraud and serious wrongdoing in business is an insider issue, overwhelmingly conducted through the misuse of the victim's own systems, processes or technology.

"Senior management's perception of risk, particularly technology-based threats, is misconstrued."

"Without exception, the major crises that we see emanate from inside the firewall – it is the trusted insider who has the access, the knowledge and the motive to commit mayhem."

AN INSIDE JOB

There have been many publicly reported catastrophic frauds, including those of Barings, Daiwa, BCCI, WorldCom, Enron, Tyco, Xerox, Orange County and AllFirst Bank. These were all the result of internal fraud, corruption or unsupervised speculation committed by trusted employees, who in most cases were senior managers or directors.

It is a paradox that so much IT security effort is expended on preventing external breaches – viruses and hackers – when so many latent and potentially catastrophic threats reside internally.

To illustrate further, we can look at two recent cataclysms. Despite the thousands of deaths, injuries and colossal damage inflicted by the 9/11 disaster, the businesses based in the World Trade Centre survived. Compare this with Barings bank, which was brought down by the actions of Nick Leeson, a single employee, acting alone.

These are not isolated incidents. According to Wilding, "Many crisis meetings are held where the reputations and even the survival of the victim organisations concerned were on a knife edge. In most instances, the risk could have been mitigated through pre-emptive investigation or audit."

COMMERCIAL PRESSURES

A major potential trap for senior management is the fraudulent misrepresentation of sales and turnover in order to inflate stock value, driven by commercial pressures and shareholder expectations.

The US Sarbanes-Oxley Act of 2002, enacted in the wake of the Enron debacle, renders any such misrepresentation a criminal offence with severe punishments for any managerial collusion. Fraud often emanates from the top down, which can render investigation difficult. The implementation of independent audit committees in US corporations will be a welcome addition.

There are hundreds of examples of fraud, sabotage, extortion, espionage, data theft and other malevolence and subterfuge by managers and employees. The stakes can be very high – in 1997 for example, Volkswagen paid General Motors $100m restitution for espionage committed by one of its senior managers, while the theft of email addresses by an America Online employee in 2003 resulted in the transmission of seven billion spam emails worldwide.

EMPLOYEE DATA THEFT

The theft of valuable corporate data by employees, contractors and service engineers is by far the most prevalent threat to businesses. The ease with which information can be copied seamlessly and undetected, using a range of high-capacity data storage devices and transmission methods, combined with unsupervised employee access to electronic mail, the internet and high-speed communications, has compounded the risk.

"We have seen the contents of entire corporate servers copied over the internal network onto high-capacity USB drives that have been walked out of the front door," says Wilding.

"Software giant Oracle is alleging that service engineers from a SAP subsidiary downloaded software and patches and misappropriated code – the whole issue of IP protection and infringement is generally overlooked or ignored, until it is too late."

HONESTY: STILL THE BEST POLICY?

Are people inherently dishonest? It is said that one person in five is inherently honest and will never steal or lie, three are opportunist and will do wrong if they believe their actions will go undetected or unpunished, and one person in five will always submit to temptation, regardless of the consequences.

Wilding quotes a June 2007 survey by Keele University in the UK in which 61% of those interviewed admitted to committing crimes against their employers, business or government. Equally alarming was a 2002 survey in London in which 64% of commuters questioned at Victoria railway station admitted to giving their password to a colleague, and the majority said they would download contacts or competitive information to take with them to their next job.

The effects of employee fraud, dishonesty and deception are generally not taught at business school – perhaps they should be.