Keeping insiders out

Insider fraud has become a major issue for organisations nationwide with the Association of Certified Fraud Examiners estimating that employee fraud costs businesses $600 billion annually or about 6 percent of an organization’s total revenues. Despite the lengthy prison sentences expected for former Enron executives Ken Lay and Jeffrey Skilling when sentenced on September 11th, others have not been dissuaded from defrauding their own companies. Although tackling the problem is a difficult task preventative measure are being put in place. Most notably, some of largest US financial institutions are working towards setting up a database of employees who are known to be scam risks. The list will include details of untrustworthy ex-employees who have been fired because they have compromised customer data or knowingly caused financial losses. As a result, repeated security breeches will, hopefully, be avoided

Mike Lee, CEO, ATMIA and Founder of the Global ATM Security Alliance speaks to FST about the continuing problem insider fraud poses, the motivations behind betrayals and how organizations can prevent themselves becoming victims of such crimes.

FST. How big a problem would you say insider fraud is in the US?

ML. It is clearly a significant problem worldwide and in the US. Some experts regard it as the biggest threat to the industry.

FST. Can you explain about some of the most common examples of insider fraud?

ML. Computer based fraud such as hacking into customer databases and selling sensitive information to fraudsters, or stealing sensitive documents are some of the most common examples. In the retail sector, examples of insider fraud would be skimming credit cards with hand-held devices and modified Point of Sale devices to enable them to record security data to produce counterfeit cards.

FST. Is money the sole driver for managers to betray their company or are there other reasons?

ML. Naturally, money would be the key driver but revenge and disaffection might also feature as a motivational factor. I suppose industrial sabotage could be a motivation in some extreme cases. The fraudster operating from within the company would need to be a person with weak integrity, low ethical values and a shallow conscience – how he or she came to be in a state of mind in which fraud could be committed against the very company which is providing his or her livelihood sure beats me. It represents treachery and betrayal of a serious nature. It is desperate, high-risk behaviour.

FST. What characteristics do these fraudsters have in common?

ML. Greed, cunning, weakened integrity and low ethical values. I also wonder if many of them do not have a drug addiction problem they need to finance!

FST. Some US Financial Institutions have joined forces to set up databases, which contains details of employees who are known to be scam risks. How effective do you think this measure will be? Has it been quite easy for scammers to move from one institution to the next?

ML. Cases of fraudsters being re-employed have been reported and so I am all in favour of an industry-wide “blacklist” of people convicted of fraud. I believe such a blacklist would be very effective.

FST. What other measure have the industry taken to try and crack down on insider fraud? How effective have these precautions been?

ML. Best practices include tight recruitment procedures and background checks, coupled with a system of on-going monitoring and interviewing of staff as they progress through the ranks. So far, it is clear that existing practices are not working well enough otherwise we would not be sitting with this huge problem. Best practices for preventing insider fraud need to be tightened and implemented from top to bottom in all organisations. I am a great believer in modern Corporate Governance systems which include a whistle blowing function which is a vital part of fighting insider fraud.

FST. Could you outline the best practices a company should deploy to try and avoid insider fraud?

ML. Ensure a modern Corporate Governance system is in place, including the whistle blowing function. Benchmark recruitment practices against current best practice, including background checks, criminal checks and checking against industry-wide “blacklist” of people previously involved in fraud. It is very important to review the system for on-going monitoring of staff, perhaps introducing regular interviews for all staff (Annual? Bi-annual? Quarterly?). Additionally, a company must ensure it continues to review its security access procedures and review its company information security policy. Finally, a company should implement a cyber security system.

FST. Do you think companies (particularly smaller ones) are doing enough to protect themselves from fraud?

ML. Neither small nor large companies are doing enough, as evidenced by the scale of the current problem. You are only doing enough when the problem is no longer significant. Unfortunately, this is a problem that requires a permanent state of vigilance. The FSA found that companies which under-invested in anti-fraud systems and technology were the ones most likely to become victims of fraud. Security is an investment!