There are steps employers can take to guard against internal threats.
by Mallory Hendry
While businesses are very aware of external threats and take steps to safeguard against them, there’s less attention paid to identifying and protecting themselves against threats that exist inside their walls.
“Companies often underestimate their own vulnerabilities to internal threats,” says Jordan Donich of Donich Law. “But I see it more as a defence lawyer, because employees hire us when they’re being investigated for these types of actions.”
Donich’s firm handles a lot of internal theft and fraud litigation, and he knows better than most that humans are complex — there are a host of things that can happen to previously trustworthy people that make them more susceptible to unlawful behaviour. Nobody wakes up one day and says, I want to be a criminal — there’s always more to the story. Usually what Donich sees is an employee behaving unlawfully within the organization because something in the employee’s life has changed — a gambling addiction, a divorce, a loss — and the employer has no idea.
“Businesses are naturally very obsessed at the point of hiring about vetting — they do criminal record checks, they check references — but where they’re not as prudent is double checking those initial safeguards over time,” he says. “That’s natural because we tend to trust people we let in the door, but employers discount the fact people change over time.”
While news of data breaches through hacking or ransomware are a regular occurrence and things like cyber crime insurance or two-factor authentications for log-ins are on the rise to combat it, “we don’t hear about the extent and scope of internal threats too often unless the employee is charged or sued,” Donich says. Whether that’s because there could be a greater risk of liability for the organization if they publicly disclose internal loss or it’s due to the fact it’s not great for PR, the question is: what can organizations do to better detect and prevent internal loss?
One simple step to get ahead of the problem is education. Employees may be unaware of the gravity of their actions — many employees don’t know you can go to jail pretty easily for a low amount, Donich says. It’s also a good idea to let employees know that things like passcodes or log ins — which are often shared among the staff for efficiency, an unofficial system that’s prone to abuse — are their responsibility to protect and they will be held responsible or as a party if someone else uses their codes to commit theft.
“By letting employees know the consequences of those actions helps deter behaviour in the first place by more or less creating a form of general deterrence,” he says. “The employee knows it’s on the company’s radar.”
Another step is completing criminal record checks on a more regular basis. Random checks are a good way to keep advised of issues that might impact their employees at work, as people get charged during employment all the time but the employer may never know because the employee hires a good defence lawyer who contains the damage and, within limits, shields it from discovery. It’s also important to remember that if charges were withdrawn or the person was discharged, it wouldn’t show up on a standard criminal record check so vulnerable sector checks are a deeper level check that offer a more complete picture. Unless the organization goes through the effort of redoing these checks, they may never know what’s going on with an employee that may impact them in the workplace.
“This doesn’t necessarily mean the employee is going to steal from work or turn on their employer, but it’s a change in circumstance the company may want information on,” Donich says.
It helps to remember not all internal fraud is cash coming out of the till. Companies should keep an eye out for indirect losses as well, which happen as a result of the employee’s behaviour. An example of this is insurance fraud — employees claim false benefits through their benefits insurer and receive money that way out of the pocket of their employer. This type of loss is generally only discovered through spot audits with the insurance company.
Employers should also look for blind spots in their surveillance systems: most theft happens right under your nose, Donich says. Some of the top, most secure data centres don’t have surveillance inside where their servers are, for example, because security clearance is so high. There’s an assumption that only trusted people can access the area, but that’s based on the assumption that those trusted people won’t ever be tempted to do something unlawful. The problem becomes that, if and when circumstances change and the employee does give into temptation, it’s harder to prove because the organization’s threat protection is so focused on external detection. If an employer does detect an employee stealing or committing fraud, Donich suggests hiring an expert for advice before tipping off the employee as “this often become a game of cat and mouse.”
Overall, Donich urges employers to remember their employees are human. People make mistakes, and there’s always more to the story. Even though it may be hard at the time, employers should consider looking at things through the eyes of the employee — even before they’ve crossed a line. Recognizing changes in behaviour, changes in life circumstances and changes in patterns of work could stop someone from doing something abnormal at work and even end up being the lifeline the employee needs.
“Employers should be vigilant for underlying issues that may make the employee more prone to irrational behaviour,” Donich says. “Be as vigilant with red flags with your staff’s behaviour through the lens of criminality as you would be with legal liability.”