Sleeping with the enemy? Losses due to actions from insiders
By: Andreas Immanuel Mulianto, SKom, MM, PMP, PSP
An organization cannot operate without security. Many, if not most, people who hear the word “security” will think of the security guard who secures the facility. Because of that perception, many, if not most, people think that security is all about protecting the organization from external threats (as mirrored by the security guard). This paper discusses the premise that “Losses due to crime in the workplace are often the result of the actions of employees or insiders.” It explores the case in two stages: before the perpetrator commits the crime, and after the crime. Before the crime, we look into the motivation of inside perpetrators based on some criminology theories, and discuss some of the best practices for preventing internal theft. After the crime, we look at what the company can do to lessen the impact of the crime and/or to prevent recurrence of the internal crime.
The purpose of having security in place is to prevent crime. Is crime always committed by outsiders? Not always; some crimes are actually committed by insiders. What is the definition of an insider? According to Carantzos (2010), an insider is a trusted employee who betrays their allegiance to their employer and commits workplace theft, violence, sabotage, espionage, and other harmful acts. Garcia (2008) describes an insider as anyone with knowledge of operations or security systems and who has unescorted access to facilities or security interests.
Taylor (2005) argues that in addition to causing monetary losses, crime by insiders can destroy trust, undermine confidence in a company’s controls and processes, and even raise questions about the integrity or competence of management. Losses caused by insiders can often be much greater than losses caused by outsiders, as found by Hayes (2015). Opportunities for crime by insiders are growing because of increasingly complex business structures, the geographic dispersal of operations and the spread of powerful technologies. Many organizations realize this and have put some measures in place; as described by Purpura (2010), internal control prevention focuses on threats from inside an organization. Crimes, fires and accidents are major internal loss problems. Fires and accidents may not fall under the security department’s responsibilities; crimes, however, always do.
What motivates perpetrators to commit crime? There are some theories related to this matter. According to Rational Choice Theory, people generally act in their self-interest and decide to commit crime after weighing the potential risks (including getting caught and punished) against the rewards. From the perspective of an insider, the potential risks may be relatively lower, because insiders are already inside the perimeter and have closer access to the target. The attractiveness of the reward may differ from one employee to another, and this can also be influenced by job satisfaction, among other factors. A satisfied employee may see little incentive to commit crime, because he or she already gets everything that he or she wants from the organization. A disgruntled employee, however, can be tempted to do something to get “compensation” that neutralizes his dissatisfaction.
There is also an interesting theory called Strain Theory, which argues that most people have similar aspirations, but they don’t all have the same opportunities or abilities. When people fail to achieve society’s expectations through approved means such as hard work and delayed gratification, they may attempt to achieve success through crime. Whenever an employee feels that he or she is not treated fairly, this can lead to another problem. The problem may arise because the assessment of treatment is based on perception, and people may perceive their treatment differently even when they are treated similarly. If they perceive that they are not treated fairly, then they feel that they have the “right” to commit crime. The potential to commit crime also exists among people with lesser ability. Since they don’t have enough ability in the form of knowledge or skills, they will lag behind others in the work environment, and because of that, they will just cut corners and commit crime.
The FBI offers some suggestions for preventing internal losses, most of them based on common sense. First, unsurprisingly, we need to screen employees’ personal and financial backgrounds. This must be done prior to hiring an employee. Search for a history of gambling, drug problems, debt or other factors that might pressure him to pilfer. Determine the potential employee’s behavior and work attitude through references from past employment. You must provide full disclosure of this beforehand, not only because the law requires it from employers, but also because it eliminates the perception that the company does not implement strict measures for preventing and dealing with employee theft. Although background screening is important, it is not a silver bullet. Many companies stop at this step in preventing internal losses, but that is not a wise move.
We need to continue to the second step, which is to implement data and office area access restrictions. The FBI also suggests that being lenient with employee access to classified data and other valued property provides an opportunity for stealing. Limit the right to open or use company files, storage facilities and computer data to those who need it. Do not grant access to company development plans to those in the sales or customer service department.
To explore protection from asset or information loss further, people usually turn to the physical protection system. However, we need to consider that a physical protection system is usually designed around the Detect, Delay, and Respond functions with a layered approach (Garcia, 2008). This principle may work against outsiders but may run into problems with insiders, because those perpetrators are already within the perimeter and already close to the target.
Garcia (2008) states that insiders have three characteristics that distinguish them from other adversaries. First, they have system knowledge that can be used to their advantage. Second, they possess authorized access to the facility, assets, or physical protection system without raising the suspicions of others. Third, they have the opportunity to choose the best time to commit an act. It is clear that insiders have an advantage over outsiders that puts them in a better position to commit crimes against their own organizations.
Protection against insiders can be very challenging. Insiders may exploit their knowledge of facility operations and security system performance. They may also maximize their chance of success because they have access to critical areas or information and can choose their own time and strategy. Insiders may also abuse their authority, through their proximity to information and assets or as security personnel. It is interesting to point out that guard forces can represent a special and annoying problem. In one study at a facility presented by Hoffman et al. (1990), guards were responsible for 41% of crimes against assets.
Figure 1. Protection Approaches
The better approach to the insider threat is to follow the protection approaches described by Garcia (2008) and shown in Figure 1 above: physical protection provides the most effective barrier to outsiders acting alone or in collusion with insiders, while control of and accounting for assets are useful against insiders. Control and accounting are accomplished through the use of procedures, audits and inventorying. Additional procedural protection measures against insiders include the use of personnel security assurance programs, such as pre-employment background checks and periodic updates, and separation of job responsibilities (job segregation), so that two or more employees are required to complete sensitive tasks.
For the third step to prevent losses, we need to watch employees from a distance. Sometimes employees need to know that someone is watching them to keep them from making a wrong move. Internet protocol (IP) cameras allow employers and managers to record and monitor theft and people’s productivity at work, even from another location. This may inconvenience employees and might affect the company’s ability to attract talent, so use it with caution. In the United Kingdom, employers must explain the amount of monitoring clearly in the staff handbook or contract. They should tell workers: (1) if they’re being monitored, (2) what counts as a reasonable number of personal emails and phone calls, and (3) if personal emails and calls are not allowed. Examples of monitoring could include looking at which websites workers have visited, CCTV in the building, and checking workers’ bags as they leave. Employers are not allowed to monitor workers everywhere (not in the toilet, for example). If they don’t respect this, they could be in breach of the Data Protection Act.
The fourth step is to restrict unauthorized websites. With web filters, the organization can block access to certain gaming and gambling websites, as well as social sites like Facebook or Twitter. In this way, the organization keeps employees from stealing the time it pays them to spend on work-related tasks. As mentioned in step three, make sure that employees understand what is not allowed by the organization.
For the fifth step, the FBI also suggests using biometric identification systems. Employee tardiness may be one issue to handle, but the timesheet fraud related to it is definitely another to control. Biometric identification technology accurately monitors employees at work. It also keeps colleagues from punching in other colleagues’ time cards to cover up for their lateness and prolonged breaks. This is especially true for labor-intensive industries.
The sixth step is to prevent workers from taking items out of the office or company premises. Results from the 27th Annual Retail Theft Survey, carried out by the inventory-protection consulting firm Jack L. Hayes International, show that for every retail company, one out of 38 employees was caught pilfering in 2014. The total value stolen in that year amounted to more than $66 million in the retail business. The radio frequency identification (RFID) system is one of several types of wireless security systems; it uses radio-frequency electromagnetic fields to transfer data from the products’ RFID tags to readers and enables easy tracking and retail inventory.
The seventh step is to prevent company data piracy. According to a recent survey conducted by Iron Mountain, employees are more likely to steal data when they leave the company. To avoid this, one must establish and implement strict policies on confidentiality, as well as on accessing, transferring, and handling information. There are also online sources on information safety that suggest restricting the use of portable devices. Constantly changing a company’s online accounts, such as those for cloud data storage, also blocks employees from accessing data after termination.
After the crime happens, how should the organization respond when it first suspects that it has been the victim of serious insider misconduct? According to Taylor (2005), in most cases, companies will want to take three steps as quickly as possible. The first step is to investigate as much as possible, as quickly as possible. Second, the company should take prompt action to contain the problem and prevent further harm. This may include determining why the company’s internal controls failed, changing controls to prevent similar losses and suspending or firing the wrongdoer. Third, the company should consider whether it is required to report the misconduct. As a general rule, companies are not required to report insider crime directed solely at the company. However, there are some notable exceptions and limitations on this general rule. Businesses in some highly regulated industries may have special disclosure obligations. See, for example, 41 U.S.C. § 57(c) (reporting of kickbacks related to government contracts), 12 C.F.R. pt. 21 (suspected bank crimes). And if the misconduct benefited the company or damaged third parties, such as investors, lenders or customers, then other reporting obligations and considerations may come into play.
In this paper, we have discussed losses due to crime in the workplace by employees or insiders. Considering that these losses could be much greater, since insiders have knowledge not possessed by outsiders, it is very important for every organization to have comprehensive security measures to prevent internal losses. The measures apply both before and after the crime. By applying those comprehensive measures, the likelihood of internal losses can be minimized. However, every organization should also consider the legal aspects of the measures that it takes, so that it will not be exposed to another set of problems.
References
- GARCIA, MARY LYNN (2008) The Design and Evaluation of Physical Protection Systems.
- NORMAN, THOMAS L. (2014) Integrated Security Systems Design: Concepts, Specifications, and Implementation.
- PURPURA, PHILIP (2013) Security and Loss Prevention: An Introduction.
- TAYLOR, DAVID F. (2005) What if it’s an inside job? Available at: ABA Business Law Section http://www.americanbar.org/content/dam/aba/publications/blt/2005/09/what-if-its-an-inside-job-200509.authcheckdam.pdf [Accessed 21 August 2015]
- FEDERAL BUREAU OF INVESTIGATION. Prevent Employee Theft. Available at: WikiHow http://www.wikihow.com/Prevent-Employee-Theft
- GOVERNMENT OF UNITED KINGDOM. Trade Unions and Workers Right – Being Monitored at Works. Available at: https://www.gov.uk/monitoring-work-workers-rights/email-cctv-and-other-monitoring
- HAYES INTERNATIONAL (2015). 27th Annual Retail Theft Survey. Available at: http://hayesinternational.com/news/annual-retail-theft-survey/