Opportunity Makes a Thief
Opportunity Makes a Thief – How to Avoid Embezzlement in Organizations
By: Shlomi Adar, Security and Information Security Specialist
Companies invest heavily in technologies that help them deal with misuse of the information they hold, in order to protect sensitive information and meet standards and regulatory requirements.
It was found that one of the factors threatening organizations' financial and reputational resilience is employees' illegitimate use and theft of organizational information, which contradicts the common belief that information is usually stolen by parties external to the organization. One of the most prevalent mistakes among organizations is that they do not give adequate importance to inspection and control processes built on one main principle: thwarting and preventing information leakage, fraud or embezzlement before they take place, doing so with the computerized means available to managers and employees in almost any organization in the modern society in which we live.
An amazing fact…
Data from a survey conducted among leading companies show that one out of ten businesses in the past five years had an employee using inside information for personal benefit, as "supplementary income", through illegitimate and criminal use of the company's resources to commit financial embezzlement, allegedly taking budgets meant for the organization and allocating them to personal purposes.
The reasons…
Most of the reasons mentioned in the survey are materialistic: greed and employees' intense desire to improve their standard of living immediately. Such thoughts naturally occur to people regardless of their rank in an organization.
Such thoughts largely drive the growth in the number and scope of workplace embezzlements. Among the most famous cases is the collapse of the Israeli Bank of Commerce due to systematic thefts over many years by the Bank's employee, Eti Alon. A case similar in its method involved the Head of Accounting at YES, the Israeli satellite TV company, who caused damage of more than 10 million NIS by systematically stealing over a long period from the company that employed her.
We are also familiar with the story of the trader Jerome Kerviel, who burned a billion Euros at Société Générale.
Staff behavior you should consider a red flag:
1. Senior managers/employees who are in financial hardship, have a family member with a medical problem, or fall into bad habits such as gambling, drugs or alcohol abuse.
2. Employees who are more exposed to sensitive information in their line of duty might pass it to competitors.
3. Employees who frequently change their computer and Smartphone passwords.
4. Employees who encode or encrypt information which is usually defined as public.
5. Employees who overuse automatic recording programs for phone calls and computer calls.
6. Many embezzlements are discovered when the employee takes a vacation and is replaced by another employee. Although these employees/managers are not necessarily rewarded like the rest of their colleagues, they avoid taking vacations, fearing they will be exposed once they are absent.
7. Employees who use a separate computer and/or Smartphone in addition to the devices provided to them by the company.
8. Senior managers/employees who use designated budgets for purposes other than those originally intended.
9. Senior managers/employees who frequently leave the office during work time, not as part of their job requirements.
10. Printing acquisition and order documentation and erasing it from the company's public database.
11. Senior managers/employees who excessively take physical information and paperwork outside of the office.
12. Senior managers/employees who shift their work and perform it outside the office, although their main activity is supposed to take place inside the organization.
13. Using additional e-mails from a single account in addition to those provided by the organization.
14. Frequent use of personal laptop or detachable devices that are not part of the company's computer network in the manager/employee's office.
15. Excessive use of analog facsimile and of a separate phone extension that is not connected to the organization's main operator.
Crucial checks organizations should adopt and implement:
1. Performing external inspection by an independent body rather than relying only on internal control. This can be a significant deterrent, since the external inspection body is not subordinate to the managers/employees in the organization.
2. Sample polygraph testing as an additional legitimate deterrent in the organization.
3. Conducting randomized reviews of inventory lists, accounting audits, cross-referencing information with the acquisition/warehouses managers, searches etc.
4. Monitoring employees' entrance and exit (using a Smart Card/biometric system) and intelligent use of cameras to make sure they are not present at the workplace when the organization is inactive.
5. As banks and other institutions do, it is recommended to establish a fixed and random mechanism for personnel turnover in sensitive positions, sometimes without prior notice (so that in case of fraud, a different employee will probably expose the fraud by chance).
6. Creating supervision mechanisms that do not allow a single employee to perform a significant action with the information, but instead decentralize the sensitive activity so that three or four employees are needed to complete it (to avoid a one-man or two-man plot and to make such actions difficult).
7. Performing sample reviews of the same computer systems in different time frames, including monitoring e-mail systems without reading the content of messages, using only their framework data (metadata), and making sure that there is no correspondence with competitors, etc.
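Item 7 in the list above, as an added example that is not part of the original article: a header-only e-mail review in Python that discards each message body before parsing and counts mail addressed to a watched domain. The watch list, function names and sample messages are assumptions constructed for illustration.

```python
from collections import Counter
from email.parser import HeaderParser
from email.utils import getaddresses, parseaddr

# Hypothetical watch list of competitor mail domains (assumption).
WATCHED_DOMAINS = {"competitor.example"}

def headers_only(raw):
    """Cut the message at the first blank line so the body is never parsed."""
    head, _, _ = raw.replace("\r\n", "\n").partition("\n\n")
    return head + "\n"

def is_watched(addr, watched):
    """Match the exact domain or any subdomain, never a look-alike suffix."""
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    return any(domain == w or domain.endswith("." + w) for w in watched)

def flag(raw, watched=WATCHED_DOMAINS):
    """Return (sender, [watched recipient addresses]) from headers alone."""
    msg = HeaderParser().parsestr(headers_only(raw))
    sender = parseaddr(msg.get("From", ""))[1].lower()
    fields = [v for h in ("To", "Cc", "Bcc") for v in msg.get_all(h, [])]
    hits = {a.lower() for _n, a in getaddresses(fields) if is_watched(a, watched)}
    return sender, sorted(hits)

def review(messages, watched=WATCHED_DOMAINS):
    """Count messages per (sender, watched recipient) pair in a sample."""
    counts = Counter()
    for raw in messages:
        sender, hits = flag(raw, watched)
        for addr in hits:
            counts[(sender, addr)] += 1
    return dict(counts)

# Constructed sample messages (not real mail).
SAMPLE = [
    "From: dana@corp.example\nTo: Sales <sales@mail.competitor.example>, "
    "bob@corp.example\nSubject: q3\n\nbody text is never read",
    # Competitor address appears only in the body: not flagged.
    "From: dana@corp.example\nTo: bob@corp.example\nSubject: fyi\n\n"
    "forwarded from ceo@competitor.example",
    # Look-alike domain: not flagged.
    "From: eli@corp.example\nCc: info@notcompetitor.example\nSubject: hi\n\nhello",
    "From: Dana <DANA@corp.example>\nBcc: ceo@Competitor.Example\nSubject: x\n\n...",
]

if __name__ == "__main__":
    for pair, n in review(SAMPLE).items():
        print(pair, n)
```

The second sample message is not flagged because the competitor address appears only in the body, which is cut off before parsing.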
Shlomi Adar is a well-known expert in the implementation of administrative strategies in the business sector, in the fields of preparation and emergency preparedness, sudden mass casualty events, and reviewing work processes and customizing them to organizations.
Shlomi has over 25 years of experience in the fields of Industry, High-Tech companies and Infrastructures.