People have been employed in various social contracts since they started cooperating with each other for survival. Today we have reached technological and organizational heights never imagined by our ancestors. This is an incredible achievement; however, it does come with many risks that must be proactively managed. These include a blending of human and technology risks and risk management techniques.


In an era of legal and industry-mandated compliance, merchants need best practices, from both an operations and a technology standpoint, for monitoring internal threats. Today there are many human risks that a business must consider to preserve its financial and public well-being: employees who may be prone to stealing, or who are susceptible to being physically or emotionally coerced into stealing from their employers.


In a world of ongoing breaches of consumers’ private information and skyrocketing costs to clean up data and come into compliance, it is easy to get lost just trying to get the data within your own walls in order. Every day, employees take critical information with them and transmit it around the world. While this data may not be Social Security numbers or payment card track data, it is information that organizations are contractually bound to protect, including confidential information and intellectual property. If a salesman loses a USB stick holding a list of customers and orders, would your competitors be interested in that information? If a business partner’s marketing plan were lost in the same way, is notification required? Would the person who found or stole the USB stick be able to find a buyer for that information on the Internet?


The amount of confidential information that flows outside an organization is enormous. From laptops to smart phones, dumb phones, storage devices and email, the security risks are ever-present. Access to a smart phone’s calendar can include its file attachments; access to any phone includes call logs, SMS messages and contact lists. Using devices that encrypt this data is the logical next step. Enabling password protection that erases the phone’s memory after repeated failed login attempts, or when the device resurfaces on the network after being reported missing, further reduces this risk.


Criminal groups, both on the Internet and on the street, are targeting businesses’ private information for resale and use more than ever. They do so by targeting employees and prospective candidates with social engineering tactics such as email phishing, which pose a direct threat to the employees within a given business. Improved screening processes make it possible to identify these risks.


Employee Risk - Know Who You’re Hiring


The hiring process starts with criminal and financial checks to make sure a candidate is worthy of a trusted position in an organization. There are also industry-shared employee fraud databases that record serious employee infractions. Employers can subscribe to these databases to learn whether a candidate has been involved in a theft. As a condition of participation, these databases require that the employer report back any individual who is terminated for cause as a result of a criminal act. Therein lies the rub: an employer needs its employees’ agreement to have their names entered into the database. This can be incorporated into a new hire’s employment agreement, but it leaves current employees an out, so it makes sense to revisit current employees’ agreements across your organization, from entry level to senior management.


In addition to shared employee databases, searches on the World Wide Web can be leveraged during a background check. It is always best to check at least 11 pages into the search results to make sure you get adequate coverage. Many people post things on the Internet about themselves and their exploits that may give an HR department reason to pause on a particular candidate. If you choose to use Internet searches as part of your background review process, they must be a standard practice applied consistently across your organization. Also, it is illegal to discriminate based on a candidate’s personal background.


While the review work takes place up front in the hiring process, it should also continue throughout an employee’s tenure. An employee will often come in without any significant red flags, but red flags may develop over time. Ongoing background checks will reveal when someone’s circumstances change, such as run-ins with the law or suddenly taking on a large amount of debt relative to his or her salary.


Reviewing backgrounds is particularly important when an employee is up for a promotion. As employees advance in an organization and take on new responsibility, they have more power to steal, more time to rationalize their actions and fewer people to challenge them. As noted above, consent to these ongoing checks should be added to new hires’ employment agreements and to current employees’ agreements.


Another way to improve background checks is to give employees a background, by way of formal prosecution, when they commit a criminal act. Many organizations resist prosecuting employees for fear of public embarrassment. However, a key part of an organization’s internal antifraud effort is employees’ perception of how tolerant the culture is of fraud, as signaled by the organization’s controls and the integrity of its leaders.


Creating an operationally specific fraud policy and code of conduct helps employees understand their boundaries. This is critical because it also helps employees recognize when a colleague crosses the line.


Employees can be a great line of defense when they are involved and active in identifying new gaps in controls and other employees taking advantage of those gaps. To fully leverage employees as a line of defense, organizations need a whistleblower policy backed by a 24/7 hotline. It is best to have this service run outside your organization, if possible, to eliminate any conflict of interest. It is also important to have a standardized process and a designated group of people responsible for handling whistleblower reports, because there is always the risk that a whistleblower turns in an innocent person over a personal conflict or a misunderstanding of that employee’s actions.


If there appears to be enough evidence to warrant a full investigation of an employee, it is best to involve an outside specialty firm that is trained in interviewing and computer forensics. Jumping right into a situation could put your organization on the defensive or destroy evidence.


Another way to get your employees involved and engaged is to stage a mock breach. A mock breach is a situation in which someone breaches a business facility with management’s approval. It could be someone hanging out on the loading dock having a smoke, tailgating other employees back into the building and then trying to gain as much access as possible. When the results of the breach are presented to the affected employees, they suddenly become much more security conscious, and new gaps are uncovered.


Technology - Know Your Options


Technology approaches, in addition to operational best practices, are necessary to bolster defenses. Neural network technology has been used for years to monitor for anomalies within the credit card payments industry. In 1993, when the first neural network technology was introduced to the payments industry, credit card fraud stood at 18 basis points. Today it has dropped to less than five basis points.


The same type of neural network profiling can monitor employee behavior as well. Today this technology is available to merchants for monitoring computer access, network activity and physical security logs. By building profiles of users’ activity, merchants can compare each employee with other employees who perform the same job. When there is out-of-pattern activity for a particular employee, an investigation can determine whether a breach has taken place. Models can also be built that use these profiles to identify patterns of known fraud faster and earlier in the process. When several customers’ data have been used fraudulently, the access logs can be used to identify the point of compromise, that is, the employee who accessed those particular records. The investigation may turn up additional compromised customer data that has not yet been used fraudulently, and potentially organized fraud activity among other employees.
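The two steps this paragraph describes, building a per-employee activity profile that is compared against peers in the same job, and then working backwards from misused customer records to the employee whose access history covers them, can be shown with a small amount of code. The example below is added here and is not code from the original article or from any vendor product it alludes to; it uses a simple peer-group z-score rather than a neural network, and every employee name, role, timestamp, record id and threshold is a constructed assumption.

```python
"""Peer-group profiling of employee record access, with point-of-compromise lookup.

Added example, not code from the original article. It builds a per-employee
activity profile from constructed access-log lines, scores each employee
against peers who hold the same job role, and flags out-of-pattern volume.
It also shows the second step the article describes: given customer records
that were later used fraudulently, find which employee's access history
covers all of them. Every name, role, timestamp and record id is constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

MIN_PEERS = 3      # assumption: fewer peers than this gives no usable baseline
SIGMA_FLOOR = 1.0  # assumption: floor on peer spread so trivial deviations don't alert


def constructed_log():
    """Return constructed log text: one 'timestamp employee role customer_id' line per access."""
    events = []
    # Four CSRs each touch a handful of customer records during a normal shift.
    normal = {
        "alice": ["C1001", "C1002", "C1003", "C1004"],
        "bob": ["C1002", "C1005", "C1006"],
        "carol": ["C1007", "C1008", "C1009"],
        "dave": ["C1001", "C1010", "C1011", "C1012"],
    }
    for emp, custs in normal.items():
        events += [(emp, "csr", c) for c in custs]
    # A fifth CSR touches thirty records, far above peers doing the same job.
    events += [("eve", "csr", f"C2{n:03d}") for n in range(30)]
    # Two managers: too few peers in that role to form a baseline.
    events += [("frank", "manager", "C1001"), ("grace", "manager", "C1002")]
    return "\n".join(
        f"2024-03-04T09:{i % 60:02d} {emp} {role} {cust}"
        for i, (emp, role, cust) in enumerate(events)
    )


def parse_log(text):
    """Yield (employee, role, customer_id) from whitespace-separated log lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        _ts, emp, role, cust = parts
        yield emp, role, cust


def build_profiles(events):
    """Per employee: job role, number of record touches, set of distinct customers."""
    profiles = {}
    for emp, role, cust in events:
        p = profiles.setdefault(emp, {"role": role, "touches": 0, "customers": set()})
        p["touches"] += 1
        p["customers"].add(cust)
    return profiles


def flag_outliers(profiles, threshold=2.0):
    """Flag employees whose touch count sits far above peers in the same role.

    The baseline for each employee is computed from the *other* employees in
    the role (leave-one-out), so a heavy user cannot inflate his or her own
    baseline and slip under the threshold.
    """
    by_role = defaultdict(list)
    for emp, p in profiles.items():
        by_role[p["role"]].append(emp)
    flagged = {}
    for emps in by_role.values():
        if len(emps) < MIN_PEERS:
            continue
        for emp in emps:
            peers = [profiles[e]["touches"] for e in emps if e != emp]
            mu = mean(peers)
            sigma = max(pstdev(peers), SIGMA_FLOOR)
            z = (profiles[emp]["touches"] - mu) / sigma
            if z > threshold:
                flagged[emp] = round(z, 2)
    return flagged


def point_of_compromise(profiles, fraud_customers):
    """Employees whose access history covers every customer record later misused."""
    fraud_customers = set(fraud_customers)
    return sorted(e for e, p in profiles.items() if fraud_customers <= p["customers"])


if __name__ == "__main__":
    profiles = build_profiles(parse_log(constructed_log()))
    print("out-of-pattern:", flag_outliers(profiles))
    print("touched all of C2003/C2011/C2027:",
          point_of_compromise(profiles, {"C2003", "C2011", "C2027"}))
```

Two design points matter in practice. The baseline for each employee is computed from the other people in the same role, so one heavy user cannot drag the group average up and hide inside it; and roles with fewer than three members are skipped rather than scored, because a "peer group" of one or two says nothing about what is normal. A flag is a reason to investigate, not a finding: the point-of-compromise lookup then narrows the investigation to the employee whose access history actually covers the misused records.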


Risk management is not just for the security department or the office of the chief financial officer. All employees have a responsibility to protect their employer and their customers. Technology and operations have to work together to create effective policies that balance these risks. The policies need to adapt to a constantly changing business environment, where the changes include technology as well as social and customer/partner relationships.


Due to the size and scale of most organizations, it is impossible to monitor all aspects of employee risk with manual processes. Leveraging technology solutions that identify patterns of unusual activity which are too subtle for us to detect on our own will further protect our organizations.


