The obsolescence of trust
Can all our tech tools prevent workplace theft? No.
By Laura Haight
Trust.
Once a bedrock principle, workplace technology is pushing trust up the obsolescence list. It’s not that we don’t value trustworthiness; it’s just that now we can database it.
The Fraud Triangle
Three conditions need to exist together for a trusted employee to defraud or steal from their employer.
Pressure: Most often this is financial pressure – a divorce, a family illness, a job loss. It could also be social pressure that drives someone to want to elevate their position.
Rationalization: Even with pressure, good people need to rationalize doing bad things. Hours of uncompensated overtime, years without a decent raise, and the belief that ‘you wouldn’t have these clients’ if it weren’t for their efforts are among the ways an employee might justify their decisions.
A business cannot control or anticipate these two conditions, but the third is in the business’s hands.
Opportunity: Do they have access to the information they want and can they get away with it? In financial operations, internal controls that are diligently followed will often prevent fraud, and will certainly detect it. On the technology side, well-managed security increases the risk of getting caught. That’s a powerful deterrent.
We don’t have to ask employees where they’ve been anymore; GPS tracking in vehicles or even mobile devices will tell us. How much time do employees spend shopping online (or exhibiting far worse browsing habits)? There’s no guesswork there: your firewalls can track that and even block certain sites to keep employees focused on tasks, not sales.
But can technology really protect our businesses from authenticated employees or - as many studies show - even terminated employees who behave in a risky way, make bad decisions or even consciously choose to steal sensitive or proprietary company information?
The short answer is, no.
Good fences make good neighbors
In some ways, technology can facilitate practices and behaviors that put company data at risk. This is especially true for businesses that don’t effectively and proactively manage data security.
A 2014 survey of 1,000 employees in businesses in the US, UK and Europe found that 20 percent had uploaded company data – client information, contracts, or other sensitive data – to cloud services like Dropbox or Google with the specific intent of sharing it outside the company. The survey also found an alarming 66 percent of employees still had access to company data online after they left their jobs. Another survey reported that 72 percent of temporary employees were given administrator access to applications and services.
The explosion of cloud-based services has made internal company theft a much greater risk, easier to accomplish, harder to detect and often impossible to prevent, according to a 2014 alert issued by the FBI.
“The exploitation of business networks and servers by disgruntled and/or former employees has resulted in several significant FBI investigations in which individuals used their access to destroy data, steal proprietary software, obtain customer information, purchase unauthorized goods and services using customer accounts, and gain a competitive edge at a new company,” the alert warned.
Trust but verify
So knowing this, why can’t we get control of it? For one, many businesses view security as a barrier to effective operations. It’s that perception that results in too much authority in the hands of too many people. Consider this very common scenario: A manager in department A is going to be on vacation. Another employee is tasked to fill in. To do the manager’s job, the substitute needs increased systems access. The manager returns from vacation. And everything goes back to normal, except that the additional access given to the substitute is not removed.
Now multiply that occurrence by 10 or more, depending on the size of your business, and you get a good idea of how out of control your high-level administrative access may be.
But you don’t need elevated permissions to steal or expose company data that you have a job-related reason to access. Just a USB key or flash drive will do. Because of the security risk they pose, many financial institutions bar the use of these devices by locking them down on company laptops or desktop computers. But most firms don’t do this, making it possible for employees to download company information from business plans and contracts, to document templates or CRM databases. In many cases this exposure may be innocent, even altruistic. Employees want to get work done over the weekend and take material home. But these shadow databases or copies of company information then become exposed to potential hackers who breach the employee’s home network, or the employee themselves.
Even without a device to transfer them to, employees can still run off with company information. A common tool, the FBI notes, is connecting their personal cloud accounts to company data so they can access them outside of the office. Data can also be emailed to a personal account.
Hope is not a strategy
When 66 percent of employees say they still have access to accounts from a former employer, we know we have a problem with off-boarding. Whether they are “good”, “disgruntled” or “fired”, all employees should be subjected to the same checklist review on their way out the door. In addition to turning in their keys and ID cards, access to everything from email and internal systems to cloud services needs to be deleted immediately. In cases where the employee’s accounts need to be preserved so a manager can access any work in progress, passwords on those accounts must be immediately changed so even if the accounts remain active, the user cannot access them.
There is no 100-percent guarantee that you can prevent a motivated employee from stealing information or defrauding your business. It’s very likely that it has already happened. But establishing policies that limit system authority to the lowest level possible, controlling the mobility of information, and doggedly committing to regular reviews of employee privileges can prevent these insider risks from becoming active threats and breaches. And let your employees know that you take data security seriously. I’m less likely to attempt a malicious act if I know you might be watching.