Not every threat of fraud to an organisation comes from a stranger. One of the biggest fraud risks to an organisation comes from within – from those who know the relevant controls, policies and procedures.
Action Fraud listed corporate employee fraud in the top ten most reported cases in 2015-2016. Fraud can cause significant loss to an organisation and potentially threaten its continued existence.
Although fraud is increasingly perpetrated through cybercrime, it remains the case that, in essence, three factors must be present for fraud to occur: pressure, rationalisation and opportunity.
Pressure comes from factors that incentivise individuals to commit fraud, such as personal financial difficulties or professional progression. Fraudsters, many of whom have no criminal past, often rationalise their crime through a sense of entitlement to what they are stealing. Lastly, an opportunity needs to be present for the fraud to occur.
Fraudsters differ, but it continues to amaze how many were once highly trusted, long-serving employees with apparently impeccable records who held management positions. Whilst the list of controls and procedures that could be implemented to mitigate all three factors is almost endless, adopting a number of relatively simple mechanisms can go some way to protecting an organisation from this internal threat.
- Recruit effectively – ensure recruitment procedures are robust, consistent and up to date, not only to get the best person for the job but to gain reasonable assurance of their integrity. Ensure gaps in experience are queried, follow up references and obtain appropriate proof of identification;
- Controls – controls are important to ensure the correct assignment of roles, responsibilities and authorisation. Ensure segregation of duties so that no one individual has the opportunity to exert significant influence over areas of the business;
- Vigilance – with the benefit of hindsight, numerous organisations that have been victims of insider threats cited that behavioural changes were evident throughout the period of the threat, so be aware of changes in individual behaviour such as someone suddenly staying late, high levels of stress or secrecy; and
- Compliance – ensure security controls are updated on a regular basis and communicated appropriately, safeguarding systems and information from both outsiders and former employees.
Unfortunately, it is not possible to completely protect an organisation from these types of threat. Only by ensuring the correct policies, procedures and controls are in place can an organisation substantially mitigate this risk. But the management of employees should not stop there. Increasingly, employees are being targeted by cyber criminals as part of a plan to defraud an organisation of money, intellectual property or other valuable data. How organisations can combat these risks will be the subject of a future article.