Employees Pose the Greatest Risk

By Henry Bagdasarian

Company employees pose the greatest risk to an organization for many reasons. First, employees at every level of a company, from top to bottom, have access to information which may be extremely useful to them and sometimes to outside perpetrators they work with. In fact, some employees may collude with other employees or outsiders to commit a criminal act, which not only facilitates the crime but also benefits everyone involved.

There are in general two types of employees who commit most of the criminal acts:

  • Senior level positions (company owners, executives, managers), and
  • Junior level staff

You may be wondering why a company owner might commit a criminal act against his own property. However, as we discuss the 3 fraud elements, you will notice that a company owner may have the justification, incentive and opportunity to commit fraud. For example, a property owner may burn down his own property to collect cash from the insurance company and get out of debt or other business obligations. He thinks that he and the insurance companies deserve the consequences, and he can easily do it without being detected because he has access to entry when no one is around.

An employee may also believe that defrauding his company is worth the risk because the company deserves it, or because he deserves it for putting in so many years, etc. As you can see, the justifications for committing fraud alone or with the help of others who share similar motives or incentives are not limited. The main risk lies in the opportunity that an employee may have due to his access to information and company assets. This is why access must be authorized and the appropriateness of the access level must be considered for the employee's position. Then, access which might adversely affect the company and its customers must be monitored to detect suspicious activities. For example, monitoring network activity might have detected unusual network traffic and prevented the huge movie downloads that Sony experienced.

As you can see, the criminal aspect of employee activity is not always related to one specific target. A company can be damaged in various ways, and it's not always through financial fraud or information theft. Damage can also be tied to destruction of property for personal gain, self-satisfaction or revenge, or ideological reasons. A proper risk assessment should identify the various threats, consequences, and risk mitigation strategies depending on the nature of the company and associated risks.

Employees may also violate company policies by changing or overriding them on purpose because they believe they have the right and authority to do so, for whatever reason, which goes back to their justification and opportunity factors.

Accidental errors and violations may occur but they can be corrected with training. 

The Fraud Elements

There are usually three (3) factors which criminals must consider before committing the crime:

  1. Incentive - An incentive to commit a crime using one's given authority may be personal, whether financial, ideological, or political, or it may be due to pressure or coercion from other parties with dire consequences if orders are not followed. An incentive may also provide self-satisfaction for the perceived revenge against the organization and the parties associated with the company.
  2. Opportunities - Given access and authority, a criminal insider with an incentive has a great opportunity to execute the crime.
  3. Rationalization - A person with strong rationalization overcomes the resistance to commit fraud by justifying to himself that he or the company deserves the consequences or that the overall result will benefit his financial position, religion, ideology, country, or mankind.

Criminal Approach

The most successful criminal employees are the ones who act in small steps and slowly over a period of time to reach their goals. Typically, an unauthorized activity committed in smaller portions and steps over a long period of time has less potential for detection, as most systems are designed to detect obviously suspicious activities. The majority of crimes are committed with a low-tech approach using previously granted, approved access.
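
The detection gap described above, shown as an added example that is not part of the original article: a per-event threshold catches only the obvious bulk transfer, while a per-user rolling total also catches the small daily transfers. The thresholds, window length, user names and transfer volumes are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import date, timedelta

PER_EVENT_LIMIT_MB = 500   # assumed alert threshold for a single transfer
WINDOW_DAYS = 30           # assumed look-back window
WINDOW_LIMIT_MB = 1500     # assumed cumulative limit per user per window

def per_event_alerts(events):
    """Users with at least one single transfer above the per-event limit."""
    return {user for _, user, mb in events if mb > PER_EVENT_LIMIT_MB}

def cumulative_alerts(events):
    """Users whose total volume inside any rolling window exceeds the limit."""
    flagged = set()
    windows = defaultdict(deque)   # user -> (day, mb) entries still in window
    totals = defaultdict(int)      # user -> running total of those entries
    for day, user, mb in sorted(events):
        win = windows[user]
        win.append((day, mb))
        totals[user] += mb
        # Evict entries that have aged out of the look-back window.
        while win and (day - win[0][0]).days >= WINDOW_DAYS:
            totals[user] -= win.popleft()[1]
        if totals[user] > WINDOW_LIMIT_MB:
            flagged.add(user)
    return flagged

def build_sample_events():
    """Constructed sample data: (day, user, megabytes transferred)."""
    start = date(2024, 1, 1)
    events = []
    # alice: ordinary use, 20 MB every other day
    events += [(start + timedelta(days=d), "alice", 20) for d in range(0, 60, 2)]
    # bob: one obviously suspicious bulk transfer
    events.append((start + timedelta(days=10), "bob", 4000))
    # carol: 90 MB every day, never close to the per-event limit
    events += [(start + timedelta(days=d), "carol", 90) for d in range(60)]
    return events

if __name__ == "__main__":
    sample = build_sample_events()
    obvious = per_event_alerts(sample)
    slow = cumulative_alerts(sample)
    print("per-event alerts: ", sorted(obvious))
    print("cumulative alerts:", sorted(slow))
    print("missed by per-event rule:", sorted(slow - obvious))
```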

Solutions

Consider one or more of the following to manage the insider risks:

  • Align various groups within the company to work together and manage risks on a continuous basis.
  • Identify employee attitude risk indicators and monitor them to detect suspicious patterns and activities.
  • Automate as much as possible to detect and respond quickly.
  • Review and restrict access privileges to an absolute minimum. Not too many people should be able to change system security settings, system logs, camera settings and recordings, and system or file access.
  • Review access appropriateness and Separation of Duties periodically and address the root cause of all issues.
  • Educate employees to be on the alert for suspicious activity and how to report the activity.
  • Consider allowing anonymous reporting of suspicious activities by employees.
  • Ensure full and independent investigations and prevent casual dismissal of cases, which may end the investigation and let the criminals off the hook.
