Insider fraud can be devastating to organisations, their executives, and their employees. But companies, both public and private, can control loss due to insider fraud by developing some simple safety measures and setting up a framework through which all of the departments work together as a team to identify threats and prevent them from escalating into significant losses.
A recent KPMG webinar featured a panel of experts who examined insider fraud and discussed strategies for mitigating threats.
“When someone you’ve trusted with your money, your life, your business turns on you, those consequences can really be devastating,” said David Buckley, managing director of the federal forensic division of KPMG. “So whether you’re talking about fraud, espionage, or sabotage, there’s been a violation of trust and an internal breach of rules.”
A survey by the Association of Certified Fraud Examiners (ACFE) found that a typical organisation loses an estimated 5% of revenues in a given year as a result of fraud. The survey results, which were reported in the 2016 Report to the Nations on Occupational Fraud and Abuse, are based on an analysis of 2,410 cases of occupational fraud, investigated in 114 countries between January 2014 and October 2015. The total losses exceeded $6.3 billion, with 23% of the cases resulting in losses of $1 million or more. That’s a similar percentage to 2014, when 22% of the cases resulted in losses of at least $1 million.
According to the study, a perpetrators’ level of authority is directly related to the magnitude of fraud cases, with the median loss in a scheme by an owner or executive tallied at $703,000 – more than four times the median loss by managers at $173,000 and nearly 11 times as much as the $65,000 loss caused by rank-and-file employees.
But the ACFE study also found that when organisations had anti-fraud control measures in place, their losses were as much as 54% lower, and fraud was detected up to 50% faster.
A KPMG survey of 750 frauds in over 80 countries found the same issue – weak controls. The study also found that perpetrators of fraud are usually well-respected top executives who have worked in their firm for more than six years, according to Phil Ostwalt, CPA, a KMPG partner and global investigations leader, who moderated the webinar.
“Oftentimes a perpetrator is not necessarily someone you might expect,” Ostwalt said. “It is four times more likely to be someone well-respected than someone who has a lower reputation, and generally it’s someone who is characterised as working well with others.”
One key to preventing fraud is to understand why employees steal from their companies in the first place. The KPMG study found that 66% commit fraud for personal gain or greed. Another 27% stole from their employer because the systems in place enabled access. Other reasons were a desire to meet certain revenue or performance targets, hide losses, save their jobs, or earn their bonuses.
“Most are going after something that will enrich them or put them in a position to meet objectives inside or outside the organisation,” Ostwalt said. “Lots of times it’s just because they can – because they have access to the systems because the control was not tight enough.”
Systems to control loss and devastation don’t need to be complicated or expensive. Strategies the panel discussed for mitigating threats, limiting exposure to fraud, and curtailing losses include:
Define the threat. Take a look at who might present a threat – employees who have or once had authorised access to information, facilities, networks, people, or resources. It could be anyone who either intentionally or unintentionally uses that access to harm an organisation.
“If you don’t define your threat well, you are likely going to be mitigating in a splintered environment,” Buckley said. “So you will want to protect against both malicious, intentional misconduct and those mistakes folks make that can give, unwittingly, access to your systems and your assets.”
Understand the threat to determine what steps to take to mitigate it. In 2011, Lockheed Martin developed a kill chain model depicting the stages of a cyberattack, which include information harvesting, creating malware, and planting it into company systems through email, social media, USB, or other outlets, then setting up a command channel for remote manipulation, and finally gaining access to systems.
Ron Plesco, a principal in cyber investigations with KPMG, suggested managers put in place keyword search indicators or other data loss prevention tools that search for threatening keywords inside emails or internal messaging. Data loss prevention tools may also reveal large volumes of information going out. Signs to look for include off-hours downloads, random thumb drives in USB devices, and the use of cloud-based storage, such as Dropbox.
“Some perpetrators may test systems by looking at what’s permitted and intentionally violate their company’s use policy, like sending out a PDF that may be somewhat sensitive to see if they can get away with it,” Plesco said. “I’ve seen a huge increase in cybersecurity shops locking access to external storage, such as Dropbox and others.”
Security is a team sport. Identifying threats and mitigating them is a team sport, according to Doug Thomas, director of counterintelligence operations for Lockheed Martin. He suggested companies identify appropriate departments and involve them in any protection strategy. Key departments might include human resources, IT, security, compliance, and even marketing and communications.
“It’s best to approach this from the standpoint that many company functions need to be engaged and involved throughout the entire process,” he said. “One big part of your team sport is communication, and that’s because it’s critical how you message this programme to the workforce.”
Thomas suggested that companies create a framework to enable all departments to work together. Often each department will acquire a small piece of information that can lead to a potential threat, which by itself seems small. But when added to other small pieces of information other departments have, it creates a big picture of the real threat.
HR may have information about upcoming layoffs, terminations, or resignations – all activities that can trigger fraud, theft, or workplace violence. The communication department can help inform the workforce of the company’s robust internal threat control programme and remind them of their individual obligations to protect company assets by being proactive and looking at any personal behaviour or digital behaviour atypical for each employee.
Test the system to ensure it works. Maintain a constant quest for information and evaluation by understanding the consequences of breaches and engaging in a system of smart controls to stop them from happening. Plesco suggested companies audit their programmes several times a year.
“You need to test it,” he said. “Hire an outside group or incentivise some employees who know the programme to actually game it. Hack into it; penetrate it to see if you can get data out and to see if the policies and procedures in place are effective.”
Since Lockheed Martin’s extensive security programme has been in place, Thomas has seen a sharp decrease in losses. While he concedes that no programme is 100% theft-proof, security measures can make a big difference.
“There’s no silver bullet, and there are no assurances you are going to catch everything,” Thomas said. “Until you have a programme in place that highlights the problem, you have no idea what’s walking out the door.”
—Teri Saylor is a freelance writer in Raleigh, N.C. To comment on this article, contact CGMA Magazine editorial director Ken Tysiac (firstname.lastname@example.org).