Fraud – or ‘economic crime’ as it is now known – is never far from the headlines, as March’s revelations of alleged bribery in IT contracts awarded by the Commonwealth Bank would attest. And it can occur in companies big or small.
Accounting firm PwC says the ‘big five’ economic crimes are: asset misappropriation (number one globally), accounting fraud, bribery, procurement fraud and cybercrime, with human resources fraud another increasingly common form.
PwC says the incidence of fraud is rising in Australia. In its 2014 Australian Economic Crime Survey, researchers found that:
However, PwC says these increases do not necessarily mean that there is more economic crime in Australia – the rising incidence may indicate more effective detection. “Certainly, our statistics suggest that Australian organisations are applying effective detective controls, such as data analytics and whistleblowing services, more commonly than in many other economies,” says PwC.
While many people may associate modern fraud with fiendishly clever cybercrime, fraud is still caused by human nature – which “has not changed a great deal over the centuries”, says Owain Stone, partner at KordaMentha Forensic.
“Technology provides some different tools, but it doesn’t mean that it’s easier for somebody skilled in technology to commit fraud; it just means that they have a particular avenue open to them,” says Stone, adding that with technology, “fraudsters have a faster getaway car and they have the capacity to blow safes that are bigger than the ones they used to blow, metaphorically speaking. But it also means that controls are in place that never existed before either: technology is also a great tool for prevention and investigation of fraud.”
Stone says the ‘fraud triangle’ holds that 3–8 per cent of people are completely moral and ethical, 3–8 per cent of people are completely amoral and unethical – some of whom are in jail already – and the rest “sit in the middle somewhere”. He says fraudsters require a combination of opportunity, motivation and rationalisation. Companies can’t do much about the second and third factors, but they can do a lot about opportunity.
At the very least, says Stone, companies should ensure that people are forced to change passwords regularly; employ systems that log how people are using their computers, to see whether or not information is being shared; and use email-monitoring tools like Commvault that record every single email sent into and out of an organisation.
Boaz Fischer, CEO of business protection systems provider CommsNet, recommends security technologies such as email filtering to reduce spam and email-borne malware; anti-virus systems; ‘white-listing’ to control what applications are running on which workstations; ensuring that all systems have the latest updates (operating system as well as applications) to minimise the attack surface; and removing administration rights from users because malware requires administration rights to be installed.
“These key controls will knock out about 85 per cent of all security threats, although they may be difficult for a small business to implement,” says Fischer.
Other effective controls include implementing compulsory security policies in areas such as internet use, social networking, email use and remote access, as well as making user security-awareness training mandatory.
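One of the controls Fischer lists, application white-listing, is easy to describe and easy to get wrong in practice: checking a program's name is not enough, because a renamed or tampered binary keeps an approved name. The following Python sketch is an added example written for this article, not code from CommsNet or any product named here; the hostnames, roles, binaries and hashes are constructed, and a real deployment would read executable images from disk and take approved hashes from a maintained catalogue.

```python
"""Application allow-listing check: flag programs running on a workstation
that are not approved for that workstation's role, or whose executable
image differs from the approved build. Added example; all inventory data
below is constructed."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an executable image (here, constructed byte strings)."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for approved executable images. In production the
# catalogue would hold hashes of the vetted builds, not the files themselves.
APPROVED_BINARIES: Dict[str, bytes] = {
    "accounting.exe": b"constructed accounting package v3.1",
    "mailclient.exe": b"constructed mail client v12",
    "browser.exe": b"constructed browser 99.0",
}
APPROVED_HASHES: Dict[str, str] = {
    name: sha256_hex(blob) for name, blob in APPROVED_BINARIES.items()
}

# Per-role allow-lists: a workstation may only run what its role needs,
# so a reception desk PC has no reason to run the accounting package.
ROLE_ALLOWLIST: Dict[str, Set[str]] = {
    "finance": {"accounting.exe", "mailclient.exe", "browser.exe"},
    "reception": {"mailclient.exe", "browser.exe"},
}


@dataclass(frozen=True)
class RunningProcess:
    name: str          # file name as reported by the endpoint
    content_hash: str  # SHA-256 of the image actually loaded


def check_workstation(role: str, processes: List[RunningProcess]) -> List[Tuple[str, str]]:
    """Return (name, reason) for every process that should not be running.

    Two checks, in order: is the name approved for this role at all, and if
    so, does the loaded image match the approved build's hash? The second
    check is what catches a trojan saved under an approved name.
    """
    allowed = ROLE_ALLOWLIST.get(role, set())
    findings: List[Tuple[str, str]] = []
    for proc in processes:
        if proc.name not in allowed:
            findings.append((proc.name, f"not on allow-list for role '{role}'"))
        elif proc.content_hash != APPROVED_HASHES[proc.name]:
            findings.append((proc.name, "hash mismatch: image differs from approved build"))
    return findings


# Constructed process inventory for a reception-desk workstation:
# an approved mail client, the accounting package (not allowed for this
# role), a browser whose image has been altered, and an unknown tool.
SAMPLE_PROCESSES: List[RunningProcess] = [
    RunningProcess("mailclient.exe", APPROVED_HASHES["mailclient.exe"]),
    RunningProcess("accounting.exe", APPROVED_HASHES["accounting.exe"]),
    RunningProcess("browser.exe", sha256_hex(b"constructed tampered browser image")),
    RunningProcess("remoteadmin.exe", sha256_hex(b"constructed unknown tool")),
]


if __name__ == "__main__":
    for name, reason in check_workstation("reception", SAMPLE_PROCESSES):
        print(f"BLOCK {name}: {reason}")
```

Running the script against the constructed inventory reports three findings and leaves the approved mail client alone. The design point is that the allow-list is keyed per role and enforced by hash: name-only lists, and one list shared by every workstation, are the two shortcuts that quietly defeat this control.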
In a 2012 survey of fraud, bribery and corruption in Australia and New Zealand, KPMG found a growing incidence of fraud committed by senior executives and company directors. The firm said fraud involving this constituency had more than doubled since 2006.
PwC said in its 2014 study that 65 per cent of internal fraud perpetrators were from middle management, up from 45 per cent in 2012. So, is management the place to look for fraud? “I’m not sure whether managers are committing more fraud or whether more fraud is being found, but it comes down to opportunity to access the company’s financial systems,” says Stone. “Larger organisations may offer more opportunity for fraud in that there’s more money around, but the perceived opportunity may also be lower, because there may be more controls in place. In contrast, smaller organisations may have people who are more highly trusted, who have wider access, and there are fewer controls around.”
Aside from technical controls, Stone says companies should be aware of some of the classic signs. “If someone never seems to go on holiday, is always working late, these can be the early signs of fraud,” he says. “Often, fraud perpetrators can’t afford to take holidays because the time requirement of their fraud is too big – they need to be constantly covering it, getting rid of things in the system. People not taking leave is a major red flag.”
A company’s people can be a strong source of intelligence, adds Stone. “Addictions of any form will provide motivation,” he says. “People usually know in an organisation if someone’s behaviour is changing dramatically. Who has been passed over for promotion? Who didn’t get a bonus? Who is a moaner and unhappy? Quite often, there are correlations after the fact.
“Part of protecting yourself is about systems, but the key aspect is, you have to make fraud part of the conversation – to reach out and engage employees about fraud.”
Fischer says security is built on three key premises: technology, processes and people. “We tend to do the first two points really well, but people are the weakest link,” he says. “Sure, if the organisation had ample money, it could invest in the appropriate technologies and processes, but, still, you can’t fix your people.
“Fraud doesn’t discriminate between small and large enterprises: if a company is vulnerable, it will most likely get hit.”