
Insider fraud has become a major issue for organisations, with recent research from the UK’s Financial Services Authority (FSA) indicating that financial firms consider it one of the biggest threats to their business. High-profile cases such as that of Joyti De-Laurey, who stole UK£4.3m from her bosses at Goldman Sachs, highlight the risks some people are willing to take in order to fund an extravagant lifestyle. Despite the lengthy prison sentences expected for former Enron executive Jeffrey Skilling when he is sentenced on 11 September, others have not been dissuaded from defrauding their own companies. Although tackling the problem is a difficult task, preventative measures are being put in place. Most notably, some of the largest US financial institutions are working towards setting up a database of employees who are known to be scam risks. The list will include details of untrustworthy ex-employees who have been fired because they have compromised customer data or knowingly caused financial losses. As a result, repeated security breaches will, hopefully, be avoided.
Mike Lee, CEO of ATMIA and Founder of the Global ATM Security Alliance, speaks to FST about the continuing problem insider fraud poses, the motivations behind betrayals and how organisations can prevent themselves becoming victims of such crimes.
FST. Just how big a problem would you say insider fraud is in the UK?
ML. Some experts regard it as the biggest threat to the industry. In the UK, it is a huge problem. The FSA estimates that insider fraud and organised crime cause 90 percent of UK fraud in financial services, namely over 14 billion in yearly losses. I am not sure what portion of that 14 billion arises from insider fraud but KPMG would not have classified managers as the biggest perpetrator of fraud next to organised crime unless the role of the insider was not a major one.
FST. Can you explain about some of the most common examples of insider fraud?
ML. Computer-based fraud such as hacking into customer databases and selling sensitive information to fraudsters, or stealing sensitive documents are some of the most common examples. In the retail sector, examples of insider fraud would be skimming credit cards with hand-held devices and modified Point of Sale devices to enable them to record security data to produce counterfeit cards.
FST. Is money the sole driver for managers to betray their company or are there other reasons?
ML. Naturally, money would be the key driver but revenge and disaffection might also feature as a motivational factor. I suppose industrial sabotage could be a motivation in some extreme cases. The fraudster operating from within the company would need to be a person with weak integrity, low ethical values and a shallow conscience – how he or she came to be in a state of mind in which fraud could be committed against the very company which is providing his or her livelihood sure beats me. It represents treachery and betrayal of a serious nature. It is desperate, high-risk behaviour.
FST. What characteristics do these fraudsters have in common?
ML. Greed, cunning, weakened integrity and low ethical values. I also wonder if many of them do not have a drug addiction problem they need to finance!
FST. Some financial institutions in the US have joined forces to set up databases of employees known to be scam risks. How effective might this be? Has it been easy for scammers to move from one institution to the next?
ML. Cases of fraudsters being re-employed have been reported and so I am all in favour of an industry-wide ‘blacklist’ of people convicted of fraud. I believe such a blacklist would be very effective.
FST. What other measures has the industry taken to try and crack down on insider fraud? How effective have these precautions been?
ML. Best practices include tight recruitment procedures and background checks, coupled with a system of on-going monitoring and interviewing of staff as they progress through the ranks. So far, it is clear that existing practices are not working well enough otherwise we would not be sitting with this huge problem. Best practices for preventing insider fraud need to be tightened and implemented from top to bottom in all organisations. I am a great believer in modern corporate governance systems which include a whistle blowing function which is a vital part of fighting insider fraud.
FST. Could you outline the best practices a company should deploy to try and avoid insider fraud?
ML. Ensure a modern corporate governance system is in place, including the whistle blowing function. Benchmark recruitment practices against current best practice, including background checks, criminal checks and checking against an industry-wide ‘blacklist’ of people previously involved in fraud. It is very important to review the system for ongoing monitoring of staff, perhaps introducing regular interviews for all staff on an annual, bi-annual or quarterly basis. Additionally, a company must ensure it continues to review its security access procedures and review its company information security policy. Finally, a company should implement a cyber security system.
FST. Do you think companies (particularly smaller ones) are doing enough to protect themselves from fraud?
ML. Neither small nor large companies are doing enough, as evidenced by the scale of the current problem. You are only doing enough when the problem is no longer significant. Unfortunately, this is a problem that requires a permanent state of vigilance. The FSA found that companies which under-invested in anti-fraud systems and technology were the ones most likely to become victims of fraud. Security is an investment!