Risk of Employee Fraud on the Rise
Article date: Tue, 22 Mar 2011 09:27 GMT
The chances of businesses falling victim to fraud and hack attacks will continue to rise over the next three years and employees will be the common culprits.
IT security and fraud experts, who gathered at a round table event held by hosting specialist UKFast, identified the tough economic climate as one of the main factors contributing to the rising number of UK businesses falling victim to the murky world of cybercrime. The panel warned employers that the offenders are often trusted individuals in positions of power within an organisation.
Martin Dougall, partner and head of forensic for KPMG in the North West, said bosses that have sacrificed investment in IT and security as a result of the financial crisis are inviting attacks from fraudsters and hackers that could cause untold damage to their businesses.
Describing the typical fraudster, Dougall said: "It is someone in mid-to-senior management who's been there a long time and is in a trusted position. In my opinion, the potential internal threat from those individuals is much greater than that from external hackers - much greater."
He said that since the financial crisis, investment in IT and security has, to some extent, fallen by the wayside as firms have focused on survival.
"The crisis of the last few years has increased the potential for fraud to take place in the workplace. The opportunity to commit fraud is greater because businesses have cut costs, cut people and their controls have been under strain. The incentives for employees to commit fraud are greater because pay freezes have been introduced and money is tighter. And their ability to rationalise fraudulent behaviour is on the increase because employees are seeing senior staff or executives getting bonuses while they are at a greater risk of redundancy.
"For all of those reasons, fraud will be a high risk for the next three to five years at least."
Neil Lathwood, UKFast's IT director, described the different kinds of modern-day hacker. Lathwood described "ethical" or "white hat" hackers as individuals who are motivated by the challenge of accessing secured assets. They are not malicious, typically operate under a contractual agreement and hold certifications to prove their legitimacy.
"Black hats" are criminal hackers who break security with force and without authorisation and are most often motivated by the prospect of a cash reward.
The panel agreed that most malware infections today are designed specifically for financial gain, and that businesses are struggling to create safeguards that keep up with increasingly sophisticated hacking attempts.
Dougall continued: "Technology continues to move on and the underinvestment plays into the hands of hackers who move faster than business. We need to redress that balance.
"Businesses need to have a policy on fraud and hack attacks but, more importantly, they need to communicate it in a newsletter and on the staff notice board. Opportunity is the biggest driver for fraudsters and that kind of communication will act as a huge deterrent."
Stuart Coulson, of data security specialists Secarma, offered this advice: "Why should sales people have access to financial info? Putting it in the wrong hands - if they accidentally attach it to an email for example - could be the ruin of a company."
Adam Brown, UK manager at Quotium Technologies warned that CEOs and MDs who aren't technically savvy have the ability to jeopardise their firms' confidential data as they access information when on the move. He said: "The mobile phone of the CEO is the gateway to the heart of a business and all of its confidential information. If someone installs a Trojan, like a shell script, they can start making requests to the CRM [customer relationship management] system and direct that valuable data back to themselves."
Coulson continued: "We take technology for granted and don't understand the risks. A lot of staff, including top CEOs and directors, don't have a firewall or anti-virus on their phones, yet they access information that they would consider strictly confidential."
Tony Richardson, data protection specialist and managing director of Octree, said it is technology companies with the largest market share that are most likely to have vulnerabilities exploited. "These guys are constantly developing their tools and their exploits will be aimed at those popular easy targets. Last year Adobe had more vulnerabilities simply because every operating system has Flash Player or Shockwave, so hackers know it's quite likely to be on most systems."
The panel's thoughts echoed the findings of a study carried out by Check Point Technologies and the Ponemon Institute, that highlighted drastically low levels of employee awareness of security issues.
Almost half of 2,400 respondents thought that staff had little or even no awareness of data protection issues, or corporate security policy.
Dave Whitelegg, of ITSecurityExpert.co.uk, and Philippe Jan, a cyber security specialist and lecturer at Lancaster University, offered the following tips to guard your business against hack attacks:
- Start with a thorough review of your business and identify your key assets (machines, software, processes, people)
- Assess the threats that could materialise against those assets
- Implement a program to mitigate those risks
- Remember the biggest weakness is the people inside the business. Educate them on what they can and can't do in every area of the business including what they can say on social networks and in the train carriage
- Don't wait until you have a serious security breach to take action. Do it today.
- 75 per cent of attacks are aimed at the application layer and 85 per cent of vulnerabilities lie in the source code. Train the people designing the applications, and the developers to take a secure approach. Testers need to test more for security flaws.
- Highlight your policy around the workplace. Opportunity is the greatest driver so make it clear that you take the matter seriously.