The current case at London's High Court, in which Morrisons staff are suing the supermarket chain for damages following a data leak, teaches us two things. First, the potential cost for an organisation failing to keep its information safe keeps getting higher and higher. Second, internal fraud is a huge problem that companies must tackle head on.
In the case of Morrisons, payroll information of almost 100,000 staff was posted on the Internet in 2014 by a disgruntled internal auditor. The lawsuit brought by 5,500 current and former workers claims that the company failed to prevent the leak and exposed them to potential identity theft.
Cifas is a leader in fraud prevention, so we see plenty of instances where fraud is not just perpetrated by organised criminals trying to glean valuable information from individuals and organisations. Too often it is an inside job.
There are some simple measures an organisation can take to stop dishonest staff leaking client data to malicious third parties. Clear anti-fraud policies that support staff ‘whistleblowing’ demonstrate a zero tolerance approach to fraudulent or corrupt behaviour. Smart technology can monitor an employee’s access to data and systems – a useful vapour trail. Being open and frank about instances of fraud helps to bring the issue to light and deter other employees from following the same route. So too does swift and effective action taken against the perpetrator once they are found out.
Of course, no organisation can fully protect itself from insider threats by simply introducing a robust screening process at the job application stage – although this is a good idea. Cifas research has previously highlighted that the average length of service before a fraud is identified is six and a half years. These findings also correlate with a study from KPMG which found that 41% of internal fraud is committed by those who have been in the organisation for more than six years.
Why do they do it? Financial gain is a major incentive of course, whether the fraud is carried out by a serial offender or an opportunist. Too often the opportunity presents itself and they do not expect to get caught. Our partner organisations across sectors including banking, insurance and retail report cases where employees move department or job role and still have access to the same systems and data they no longer require. By failing to put the right controls and procedures in place to prevent this, organisations are helping potential internal fraudsters access data they are not entitled to. Drug, alcohol and gambling addictions are also motivations.
One of the ways Cifas helps organisations is by allowing them to share details of confirmed internal fraudsters through the Internal Fraud Database. This database allows organisations to screen new and existing employees to see that no known fraudsters are working for them. It also means that dishonest staff cannot move about undetected from one organisation to another and commit further crimes.
Many members of the Internal Fraud Database say that signing up acts as an effective deterrent in itself. It is also why the Financial Conduct Authority, Unison, Chartered Institute of Personal Development (CIPD), Fighting Fraud Locally and others have suggested that using the system is good practice. Of course, good practice will not in itself prevent the next internal fraud, but it is a good place to start.