Internal hacking: Stopping the mole within

With e-commerce fraud costing AU$1.5m (£551,0000) each quarter and 80 percent of it happening internally, Stuart King, director of KWS Consulting and a Victorian Police Inspector, outlines best practices to effectively manage your people and smother insider moles dealing in corporate theft. "If someone keeps pulling down your pants every week...you become used to it," King said, explaining that fraud is rarely a one-off event and often goes undetected because it is routinely committed. With 55 percent of fraud incidents due to poor internal controls, and 40 percent of internal fraud involving collusion between an employee and a 'shonky' third-party: "quite clearly security starts at home," King said. "Organisations must look at who's within the family." Speaking at Sydney's Hack 2002 Conference this week, King exemplified an educational institution in which an employee who had been involved with the payroll system for a number of years fraudulently forwarded payments to his own account. The system wasn't cranked up to recognise the abnormal, fraudulent behaviour and in a very short space of time he'd earned himself AU$400,000, King said. With flashing dollar signs and intellectual challenge the key motivational factors driving some workers to attack corporate systems, King said companies must have effective ethical controls and deterrents in place. Companies must effectively manage their systems and understand the people who have key roles and present a risk to the company. Be alert to your risk
Workers in key risk areas must be supervised closely, according to King. Managers should be alert to what employees are doing -- if they're working evenings and weekends, what are they at work for? It should also be a high priority for organisations to have security policies and guidelines in place, clearly updated and distributed. King advises organisations to establish and communicate a code of ethics. "If you don't, how can you give someone a whack for doing the wrong thing?" he said. Confidentiality and ethical behaviour contracts that clearly inform people that if they're found to have acted unethically, termination may result, should become common practice in the workplace, he said. "You need to be upfront with people," he said. "Tell them what the consequences are if they breach the code of conduct...it all boils down to the employee buying into your business activity." Police checks
With a police career spanning 24 years, King is a clear advocate of organisations checking up on potential employees' backgrounds. Careful consideration of recruitment, he said, must be at the forefront of every employer's mind. While no one is going to tell you that they've been ripped off AU$200,000 by someone who is now applying to work within your organisation, "You need to do some investigation, put your copper's hat on," King said. Potential employers should inform applicants that they'll be subject to successful police clearance and if a threat is uncovered within the organisation "don't simply handball it on", he said, or the insider hacker will spread "like a human virus" around organisations, ripping off everyone. Workplace culture
According to King, half of all employees that defraud companies have no remorse or guilt about their actions. Corporate crime is often regarded as a victimless crime and often occurs after resentment has built-up, or workers have been provoked by not feeling part of the team or having been overlooked for promotion, for example. Therefore, it is important for business mangers to know what their organisation is like to work in, and should be asking themselves the following questions:

• What is the workplace culture and climate like?
• Are employees working 14-hour days, six days a week?
• Is that appreciated? Expected?
• Does the current workplace culture hinder or support security management?

King encourages managers to conduct culture-climate surveys to determine if there is a 'them against us' mentality amongst workers. Managers must then identify the negative aspects of the corporate culture and make changes. However, King conceded that people often present barriers to change in an organisation out of fear of losing what they have. "They need to know that there are bigger things at stake here, otherwise they can work against change," King said. Managers should present some hard data on how change can affect the company in order to get employees to buy into the situation, he suggested. King also encouraged business managers to reward effective and appropriate activity, "then everyone can accept the whacks as they come along," he said. Furthermore, organisations should have whistle-blower polices in place to protect those who come forward and report colleagues. Complicated by the fact that if e-commerce fraud is constantly occurring, it can be difficult to see, organisations need to have an historical benchmark to work from, King said, pushing the need for historical auditing within organisations. The escalating global trend of e-commerce fraud underpins the need for organisations to have a greater holistic approach to stamping out unethical conduct, King said, especially as Australia is now being used as a "soft target" by worldwide hackers. Companies must give high priority to the protection of their information and spend the time assessing their risk, he stressed.

---