By Will Sturgeon, 15 September 2005 12:10
Companies are being urged to do what they can to protect themselves against potential fraudsters within their organisation before an individual has the chance to strike - and it's a process which can begin as early as the application stage.
It sounds impossible - to spot something which is by its very nature unexpected - but it falls within the remit of risk management and risk mitigation and there are practical steps many companies are currently not taking, according to security experts.
Non-obvious relationship analysis and CV analysis are among the methods being proposed at the earliest stages of the detection process. And further on down the line companies must do all they can to ensure employees only have access to the data they need for their jobs, and can only access it and use it in ways identified as necessary for their job, said Peter Dorrington, fraud investigator at software vendor SAS.
Companies are slowly waking up to the fact that their greatest threat may be posed by individuals within the organisation, especially if they put a high value on their intellectual property.
Jay Heiser, research VP at Gartner, said it is impossible to gather "statistical evidence on how much stuff is leaking out through the door" because it means dealing with the unknown. It is certainly going on, but those who have been caught could represent the tip of the iceberg.
And even when a company knows how much data has been leaked that figure still offers no indication of the damage which could be caused in the short and long term.
Heiser said: "How can you ever quantify the damage that could be caused if somebody walks out the door with your list of prospects? What is the value of losing that information? It could be nothing or it could put you out of business."
CV analysis is an area of growing interest, although its accuracy and relevance have been widely questioned.
SAS' Dorrington said: "Only the discursive parts of a CV are relevant for analysis but within those there are certainly statements of falsehoods or crossovers with other CVs which can be identified."
A computer can recognise statements which have occurred in multiple CVs or CVs which are identical in all but a few details but this is still a case of flagging up CVs for human scrutiny rather than accepting or refusing them automatically.
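As an added illustration of the CV cross-checking described above (not code from SAS or from the article), the block below compares the discursive text of several constructed sample CVs using word shingles and whole-sentence matches. It only flags pairs for a human to read; the thresholds, sample CVs and function names are assumptions.

```python
import re
from itertools import combinations

# Constructed sample CVs (free-text sections only). cv_a and cv_b are
# identical apart from employer and dates; cv_c is unrelated but repeats
# one sentence from cv_a word for word.
CVS = {
    "cv_a": "I led a team of six analysts delivering fraud risk reviews for "
            "retail banking clients at Acme Bank from 2001 to 2004. I hold a "
            "degree in economics and am a keen long-distance runner.",
    "cv_b": "I led a team of six analysts delivering fraud risk reviews for "
            "retail banking clients at Zenith Bank from 2002 to 2005. I hold a "
            "degree in economics and am a keen long-distance runner.",
    "cv_c": "I worked as a warehouse supervisor for a logistics firm, managing "
            "stock control and shift rotas. I hold a degree in economics and "
            "am a keen long-distance runner. I enjoy restoring classic motorcycles.",
}

def shingles(text, n=4):
    """Set of n-word shingles; words lowercased, punctuation stripped."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {" ".join(words[i:i + n]) for i in range(len(words) - n + 1)}

def jaccard(a, b):
    """Overlap of two shingle sets, 0.0 when both are empty."""
    return len(a & b) / len(a | b) if a | b else 0.0

def sentences(text):
    """Normalised sentences, so verbatim reuse can be matched exactly."""
    return {s.strip().lower() for s in re.split(r"[.!?]", text) if s.strip()}

def flag_cv_pairs(cvs, near_dup=0.5, min_shared_sentences=1):
    """Return (id1, id2, reason) for every pair a human should look at.
    'near-duplicate' = high shingle overlap; 'shared-sentence' = at least
    one whole sentence repeated verbatim. Nothing is accepted or rejected."""
    sh = {k: shingles(v) for k, v in cvs.items()}
    se = {k: sentences(v) for k, v in cvs.items()}
    flagged = []
    for x, y in combinations(sorted(cvs), 2):
        sim = jaccard(sh[x], sh[y])
        shared = se[x] & se[y]
        if sim >= near_dup:
            flagged.append((x, y, f"near-duplicate (jaccard={sim:.2f})"))
        elif len(shared) >= min_shared_sentences:
            flagged.append((x, y, f"shared-sentence ({len(shared)} verbatim)"))
    return flagged
```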
Dorrington said some people think they can spot a fraudster as soon as they walk in the room but he believes judging people by the strength of their handshake, or whether they make eye contact, is about as reliable as judging them on the colour of their hair.
And don't expect any help from HR. Dorrington said: "HR departments aren't trained to detect fraud and probably aren't even trained to know how a fraud might be committed within the organisation."
Non-obvious relationship analysis is another area of growing interest, with its roots in the US government.
Such systems will cross-reference all data on individuals within a defined group of employees, partners and suppliers, for example, and will spot the relationships which aren't immediately evident. Employees who have past addresses in common, similar educations, former employers in common and other similarities are no cause for concern but if they appear not to know one another or start to conduct similar flag-raising activities further investigation may be called for.
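The cross-referencing just described, as an added example that is not the article's or any vendor's code: it inverts each person's addresses, former employers and phone numbers into an index, finds pairs who share values but have not declared knowing each other, and raises the score when one party approves the other's payments. The records, the weights and the "approves" link are constructed assumptions.

```python
from collections import defaultdict
from itertools import combinations

# Constructed records for a defined group: two employees and one supplier
# contact. "approves" = which suppliers this person can sign off (assumed).
PEOPLE = {
    "E101": {"role": "accounts payable clerk", "approves": {"S900"},
             "addresses": {"14 Elm Rd, Leeds"}, "employers": {"Acme Ltd"},
             "phones": {"0113 555 0101"}},
    "E102": {"role": "sales manager", "approves": set(),
             "addresses": {"9 Oak St, York"}, "employers": {"Acme Ltd"},
             "phones": {"01904 555 0202"}},
    "S900": {"role": "supplier director", "approves": set(),
             "addresses": {"14 Elm Rd, Leeds"}, "employers": {"Bolt & Co"},
             "phones": {"0113 555 0101"}},
}
# Links the people have disclosed themselves (e.g. on a conflict-of-interest form).
DECLARED = {frozenset({"E101", "E102"})}

ATTRS = ("addresses", "employers", "phones")

def shared_attributes(people):
    """Invert attribute value -> holders, then list shared values per pair."""
    holders = defaultdict(set)
    for pid, rec in people.items():
        for attr in ATTRS:
            for val in rec[attr]:
                holders[(attr, val)].add(pid)
    pairs = defaultdict(list)
    for key, ids in holders.items():
        for a, b in combinations(sorted(ids), 2):
            pairs[frozenset({a, b})].append(key)
    return pairs

def score_pairs(people, declared, min_score=2):
    """Score undeclared links. A shared employer alone is weak (1); a shared
    address or phone is strong (2); if one party approves the other's
    payments the score doubles. Pairs at or above min_score go to a human."""
    weight = {"employers": 1, "addresses": 2, "phones": 2}
    out = []
    for pair, keys in shared_attributes(people).items():
        if pair in declared:
            continue          # a known relationship is no cause for concern
        a, b = sorted(pair)
        score = sum(weight[attr] for attr, _ in keys)
        if b in people[a]["approves"] or a in people[b]["approves"]:
            score *= 2
        if score >= min_score:
            out.append((a, b, score, sorted(v for _, v in keys)))
    return sorted(out, key=lambda r: -r[2])
```

The output is a worklist for an investigator, not a verdict: the E101/E102 pair is dropped because it was declared, while the undeclared clerk/supplier pair sharing an address and a phone number comes out on top.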
But there are also warnings about an over-reliance upon technology, accepting that systems may not be able to tell the difference between a conscientious worker and a potential fraudster.
Dorrington said: "A computer can show you correlation but any investigation should be carried out by a human being. A typical fraudster will be somebody who gets their head down, works hard, doesn't take days off, works their hours and tries not to stand out. But that also matches the profile of a very conscientious worker."
But even if companies could effectively weed out all problem individuals early, which is highly unlikely, they still cannot assume they are protected in the long term.
"People's circumstances can change," said Dorrington, citing debts as one reason an individual may turn to stealing data from their employer.
They may be approached by a rival company soliciting information for cash, or they may look for a job elsewhere and take prospects or leads with them as an incentive to be hired.
As such, Dorrington said, companies must constantly monitor which information is being accessed and what it is being used for, and put blocks on anything where the risks outweigh the benefits.
Companies should ask themselves whether somebody who needs to access a file should be able to print it, save it locally or move it. Likewise they should ask themselves whether employees should be able to plug in removable media or, in extreme cases, even be allowed to bring removable media, devices and mobile phones into the office.

Comments
There are 3 comments.
1. Matt Fisher
Or perhaps a more simple approach is to invest in software controls that stop the unauthorised use of portable storage devices, so that company secrets can't be hidden on USB sticks and iPods and simply carried out the front door?
That way you don't need to worry about who 'might' be a fraudster.
2. Mark Stanley
I can imagine a very long queue of talented staff waiting to leave an organisation that imposed such oppressive measures, and a big problem attracting new staff.
It is interesting that the public sector is becoming more open with the Freedom of Information Act, and the private sector wants to go the other way.
Perhaps they need security classification to protect the few truly sensitive documents? This would be more justifiable and less of a barrier to delivering good service than tight controls over staff only being able to see the information they need for their job - which only leads to inflexibility and unhelpfulness.
We should also think about how secure our paper systems really are before panicking about electronic info.
3. Alex Masih
In my 16 years' experience in Security & Risk Management, I believe the ideas proposed by Will Sturgeon are absolutely unworkable rubbish.
(Ed note. You seem to have completely failed to grasp how the media works, Alex. The comments in the article which you take issue with are not those of Will Sturgeon. He was the journalist reporting the opinions of other people. What next? Will you be blaming the newsreaders on the BBC if there is bad news on the TV news?)
Most high-end Fraud is normally committed by probably very senior people. If everyone in the executive teams starts to put each other through security checks you are going to have very serious problems in the company.
In my experience, working for very large blue-chip organisations, a significant amount of company business is still conducted on Trust. If you cannot trust people they won't want to work for you.
You need to address the balance, and make sure people are educated and valued so they don't feel the need to commit crime at work.
Obviously, there will always be some who are fascinated by CRIME, which you are never going to completely eradicate.
Let me tell you, loss of productivity from demotivated & demoralised employees costs companies much more than Fraud.
I am absolutely an advocate of preventing Fraud in every walk of life, but it shouldn't be done at all costs, certainly not at the expense of creating an environment where everyone at work thinks of each other as crooks and tries to catch colleagues for fun.