Sergey Ozhegov, Chief Executive Officer at SearchInform, discusses fraud management, information security, data leakage and insider activity.
The growing number of corporate fraud cases concerns competent risk management and information security officers. According to PwC’s 2018 Global Economic Crime and Fraud Survey, 49% of companies worldwide have been victims of fraud and economic crime. That number increased by 13% over the past year.
The media and experts highlight such incidents – corporate fraud cases, information leaks and staff incompetence are of great interest to the public. The problem is not only financial losses but also a tarnished reputation. In the age of digitalisation, companies are in the crosshairs. One negative post – travelling through social networks – spreads in the media rapidly and widely.
Fighting consequences doesn’t bring results, since post factum control concerns only past events. Prevention is the basis of modern risk management. The horizons of risk management are very broad: the experts are responsible for regulatory compliance, IT security, internal auditing, fraud prevention and internal incident investigation.
The aim of any company is to simplify and secure business processes, and therefore it is necessary to promptly identify and eliminate the source of problems. Online monitoring helps to fight against all types of HR risks. As developers of corporate fraud protection and financial losses prevention solutions, we provide control over internal risks connected with the human factor.
I think we all realise that insider activities related to corporate data are a problem. Employees siphon databases, disclose know-how and the company’s business plans, and leak personal data. Besides giving competitors an advantage, these activities could result in bankruptcy and penalties under compliance regulations.
However, the above-mentioned threats are evident and extensively discussed. Let’s use examples from real clients’ cases to consider hidden threats attributable to human factor risks.
Analysis of workplace morale and employee loyalty management
Sometimes an employee can demonstrate negative emotions or job dissatisfaction to colleagues and thus undermine the team’s mood. An employer can quickly learn about such situations and take action to counter them correctly.
The risk officer of a retail service company detected that a sales manager expressed dissatisfaction with the tasks and working conditions in conversations with his colleagues.
The employee even talked about leaving the company for competitors. An investigation was launched to prevent data leakage because the employee had access to client databases and confidential documents. It turned out that the employee was an experienced and diligent worker but hadn’t had a salary rise for two years. The head of sales talked to the employee and solved the problem – the salary was raised and the scope of tasks was amended.
This situation could be solved with the help of data encryption and access rights control. However, if a company wants to save valuable employees and return them to their workplace with a more positive outlook, it needs to perform employee loyalty monitoring.
Profiting from corporate resources
Unfortunately, the use of corporate resources for personal benefit is common. An employee might gain access to confidential data, but an abnormal event detection system will minimise the negative impact.
One of our clients had a high-profile incident:
The IS department of a development company found out that one of the employees had installed Photoshop on his PC, software that wasn’t necessary for his duties. The system also alerted on constant copying of commercial offers. An internal investigation revealed that the sums of money in these documents were falsified: changed to bigger ones. Thanks to abnormal events monitoring, the company was able to detect the fraud scheme.
Internal corporate risks prevention
Understanding the influence of the human factor on a company’s processes is already half the work done, but to succeed you have to ensure an integrated approach to risk management.
To do this, you need to answer the following questions:
Who is in charge of risk management in your company?
One aspect of the risk management landscape is the responsibility of an organisation and its employees. In most companies, a risk manager is in charge of employee monitoring, fraud detection and internal investigation. Analysis of the level of internal corporate risks and provision of practices in internal investigations and anti-corruption programmes are also tasks for the internal audit officer. Yet in smaller companies, employees of the information security department can perform these duties. The main point is that a person assuming these responsibilities has to understand business processes, know who is who in the company, and have investigation experience and a strong analytical mindset.
What tools will allow you to monitor internal corporate risks online?
In my opinion, two main systems help to secure internal control: a DLP solution and employee monitoring software (EMS). On the one hand, DLP is a major priority for enterprises these days to protect confidential information from leakage and analyse huge amounts of data. On the other hand, the solution doesn’t have enough resources to facilitate regulatory compliance and investigation processes.
Employee monitoring tools intercept and collect loads of information on a company’s staff, which enables corporate fraud investigation and abnormal behaviour detection. However, this software, as well as UEBA, has no convenient analytical instruments or readable reports, and thus raw data accumulates.
As a result, to perform investigations and detect employees involved in fraudulent schemes, a company has to implement a solution that includes the features of EMS and DLP with modern forensic technology and a wide range of reports.