The Insider Threat: how serious is staff dishonesty and what do we do about it?
Chair: Martin Gill
David Butler – Dispute Resolution Partner at Fox Williams LLP (UK)
Egidijus Gailiunas – AVSEC Adviser at Transport Competence Agency (Lithuania)
Martin Speed – Safety & Loss Program Manager at River Island (UK)
Elsine Van Os – Founder and CEO at Signpost Six (Netherlands)
David Butler notes that any assessment of the seriousness of the insider threat depends on one’s perspective. At the macro level it is staggering: 5% of revenues generated. It occurs at all levels, although the majority of losses are under £1 million, with the more common offences (misappropriation of assets, say by falsifying stock) generally generating the lowest losses; there is a link between seriousness and seniority. The consequences are not just the loss for the company; they also include an undermining of trust. One can characterise offences in terms of incentive, opportunity, and rationalisation, and each of these provides a potential point of intervention. That people are not working together post-Covid represents a challenge for companies, not least if, in addition to being in relative isolation, people fear losing their jobs. David invites us to think about incentivising prevention.
Egidijus Gailiunas reminds us there is nothing new in having insiders undermine companies; the history of espionage tells us that. There are also very different types of insider threats: you will hear Egidijus discuss intentional and unintentional harm, organised offenders and terrorists, and also plants, people based in an organisation precisely to defraud it. He reminds us you cannot be 100% effective at prevention, but you can be better, and he recommends we start with the simple things and look for the red flags. Note also that the costs of prevention are considerably less than the costs of being a victim.
Martin Speed speaks about retail loss, generally composed of many individual little crimes which create a big business loss. He invites us to consider three points. First, detecting and arresting is rarely economical; prevention is way more effective. Second, the majority of staff understand systems nowadays, so catching people that way is more of a challenge, and he invites organisations to simply be nicer to staff. Third, despite the aspirations of security teams, they will not be good at detecting dishonesty but can be effective at preventing it, so focus on continual improvement and don’t set bad examples, for example unrealistic incentives which encourage people to break rules. He has found losses have gone down as we emerge from the pandemic. Reasons may include: a lot of the processes changed; customers are being monitored more closely, for example when stock is touched in store; and management are suddenly not being lax, since Covid presents a danger with serious impacts.
Elsine van Os discusses the impact of Covid-19 and the elevated threat it has brought about. With people working from home there are now different opportunities (so much information is easily transportable, and 80% of employees take sensitive data with them when they leave), and because of the pressures the pandemic has caused for people, and concerns about health and jobs, there is a risk more people will make mistakes. You will hear Elsine discuss offenders’ approaches to social engineering. As she says, organisations need to be really good at managing people working from home; it is far from clear this has been recognised in a way that matches its importance.
The problem of insider dishonesty is massive and the opportunities have increased; Covid has exacerbated the general lack of commitment to tackling the risks of staff turning rogue. Prevention has much to commend it, and we need to think about making that process easy (but organisations often don’t) and incentivising good practice (which is rarely a priority). The extent of loss caused by rogue staff during the pandemic won’t be apparent yet, which is another reason to take a close look at the shortcomings of current approaches. Important though that is, it seems the focus is elsewhere; it often is with staff dishonesty, and that can be very dangerous indeed.
25th May 2021