A thief might be in your workplace at this very moment, typing away at the computer or chatting with co-workers.
For employers, theft committed by insiders is a growing problem. And it goes well beyond snatching notebooks, pens or other common office supplies. In many cases, insiders are stealing expensive devices, money or even intellectual property.
Asset misappropriation -- which includes theft of cash, inventory and confidential information -- accounted for 86.7% of all internal fraud in the workplace in 2012, according to a global report from the Association of Certified Fraud Examiners (ACFE). That figure is up from 86.3% in 2010. The group estimates that employers typically lose 5% of their revenues annually because of internal fraud.
To protect the workplace, it’s a good idea to know who generally commits these crimes, and which employers are most susceptible. Businesses can minimize the risks by enacting a wide range of policies and procedures. If employers suspect that an insider is stealing, help is available from technology and the law.
Perpetrators and victims
According to the ACFE, perpetrators of internal fraud tend to have “clean” work histories, yet there are often warning signs. Some of the group’s findings:
• Most perpetrators are first-time offenders.
• Insiders with more authority typically cause larger losses than people with lower rank.
• In the ACFE study, 77% of all the fraud was committed by people in one of six departments: accounting, operations, sales, executive/upper management, customer service and purchasing.
• The red flags frequently associated with misconduct include: living beyond one’s means, financial problems, an unusually close relationship with vendors or customers, and excessive control issues.
The U.S. Chamber of Commerce also urges employers to be aware of warning signs, such as working unusual hours, performing poorly on the job, and being defensive.
A Symantec study released earlier this year raised alarm bells about behaviors and attitudes. The research, based on findings from about 3,300 people worldwide, studied the threat posed by workers who changed jobs over the past year. The study found that half of these workers kept sensitive information, and 40% intended to use it at their new workplace.
Many don’t even think it’s a big deal. In the study, 62% said there’s nothing wrong with transferring employer data to personal computers, tablets, smartphones or cloud file-sharing applications. And 56% said it’s acceptable to use competitive data from a previous employer.
Small businesses are especially vulnerable to internal fraud, because they usually have fewer resources to fight the problem, according to the ACFE report.
Protecting against workplace theft
To prevent and detect wrongdoing, employers can take the following steps:
Screen job candidates thoroughly. Even though the ACFE study found that most perpetrators have clean work histories, screening still provides another layer of protection. According to the Small Business Administration, background checks are especially important for candidates who would handle cash or expensive merchandise, and those who would have access to sensitive corporate information. Checking references is another smart step.
Pay special attention to the wording of the company handbook. In general, workers have no reasonable expectation of privacy when using the employer’s computer system, and the handbook should convey this to employees, according to San Francisco attorney Alan Levins of Littler. That way, employers can monitor and investigate if they learn of a breach, Levins told SHRM Online. “Otherwise, you could be limited in terms of what you can do,” he said.
Use confidentiality agreements. The confidentiality agreement should clearly state the employee’s obligation to keep the information confidential, both during employment and afterward, said Ulrico Rosales, a Palo Alto attorney at Wilson Sonsini Goodrich & Rosati. It also should describe the worker’s duty to return confidential information when leaving the company, he told SHRM Online.
Confidentiality agreements shouldn’t be too broad, according to Levins. The National Labor Relations Board (NLRB) has taken an interest in the specific wording of these documents—even if the employees don’t belong to a union. For instance, if an employer states that salaries and benefits are considered confidential, the agency could say that provision inhibits employees from talking among themselves about this issue, and it could regard that as an unfair labor practice, Levins noted. Employers should be familiar with the NLRB’s position, and they should be careful what they label as “confidential.”
Restrict access to sensitive information. Employers should limit access to confidential information on a need-to-know basis, through the use of passwords and other procedures, Levins said. Also, they should make it clear that the information is proprietary, according to Rosales. “Designate the information in ways that call attention to the fact that it’s sensitive information,” Rosales said.
Provide ongoing training. Levins advises companies to train employees on the need to protect confidential information. They could do this through meetings, newsletters, memos, and other ways. Be clear that protecting this information is a condition of employment, Levins said. This is a good way to reinforce the rules the company has discussed in its handbook, he added.
Conduct audits. The Small Business Administration recommends that employers identify their business’ high-risk areas, and then audit for violations every six months to a year. Some examples are expense reports, and cash and sales reconciliation.
Set up a hotline. An employer is more likely to discover wrongdoing through a tip than by any other method, according to the ACFE. In its 2012 report, the group stated that hotlines should allow tips from both internal and external sources, and they should allow anonymity. Also, companies should encourage employees to report suspicious activity, and they should enact an anti-retaliation policy.
Use workforce monitoring technology. The digital forensics firm Sensei Enterprises recommends using monitoring technology to track employees’ computer activity. One option is “data loss prevention” technology, which automatically flags potential misconduct, such as accessing confidential files, according to a blog post by Sensei President Sharon Nelson.
Another option is logging. When employers enable logging, the logs are stored on a server, providing a tool that companies could use to investigate potential wrongdoing. Companies can set up their logging systems in different ways, Sensei Vice President John Simek told SHRM Online. For instance, a company could keep the logs for three months, and then overwrite them. In cases of suspected theft, the company could review the logs to see if there’s any evidence.
With the advances in technology over the past decade, people are using different methods to take sensitive corporate data, Simek said. Previously, employees planning to quit their jobs often used their personal e-mail accounts for this purpose. For instance, they might have copied confidential corporate data and sent it as an attachment to their Gmail or Yahoo account.
Now, people are turning to more sophisticated techniques.
“They’re using flash drives, because they’re small, and they can get such a large amount of data on them,” Simek said. “Most companies are not monitoring what’s happening through the USB port.”
Logging can help detect this problem. For example, it can track every instance in which an employee plugs a flash drive or other device into a computer’s USB port. This method also can track all files that are copied onto the flash drive, Simek noted.
Meanwhile, as the BYOD (bring your own device) trend gains steam, Sensei urges companies to be especially careful.
Develop specific procedures for departing employees. During exit interviews, an employer should provide a copy of the confidentiality agreement to the departing employee, Rosales said. The employer should get written acknowledgment that the employee understands the agreement, and the employee should certify that all copies of the company’s trade-secret information have been returned.
Employers also should emphasize that any violations would have negative consequences, according to Symantec.
Sensei suggests developing a “Departing employee checklist,” regardless of whether the worker is leaving on bad terms or good terms. The specific items on the checklist would vary by employer, but it could include changing office lock codes and collecting keys, Nelson wrote in the blog post.
The checklist should include a crucial step: terminating the employee’s remote access to the network. In many cases, employers could have prevented theft if they had just taken this step, Simek said. This could thwart a disgruntled employee who wants to “get even” with the company by copying or deleting files.
In a law.com article, Orrick, Herrington & Sutcliffe attorneys Sid Venkatesan and Elizabeth McBride also emphasize the importance of terminating remote access. Companies also should ensure that employees return all company-issued electronic devices, and they should store them in a safe location to prevent tampering, they wrote.
What not to do. The U.S. Chamber of Commerce warns employers not to detain or restrain employees suspected of theft, and not to defame them. Also, if a company is unsure about whether to bring charges, it shouldn’t threaten to prosecute.
Toni Vranjes is a freelance business writer in San Pedro, Calif.
© 2013, Society for Human Resource Management.