Like many other business owners, I have again this week received a number of emails from those in the know warning me of the ever-growing threat of cyber-crime.
Fraudsters are after our assets and data, we are told, and there exists a near-constant reminder to upgrade IT security systems and to be on the look-out for attempts to hack into our networks.
I'm worried of course and rightly so. The threat of fraud is a real one and businesses owe a duty to both their customers and stakeholders alike to mitigate the risks posed by those on the outside with an unhealthy interest in the things that we value. Trojan cyber horses are not a thing of myth and vigilance at all levels is key.
These are important concerns of course. Like charity though, fraud invariably begins at home and the biggest and most challenging risk to an operation still comes from those on the inside. The vast majority of staff act at all times in the best interests of the business but there will always exist rogue individuals who deliberately buck the trend. Expenses get fiddled, confidential information gets taken and directors get caught with their hands in the till. The list goes on.
A sorry tale
And the consequence to the business and its reputation can be equally damaging. Take the recent case involving the supermarket chain Morrisons as a stark example.
Mr Skelton was a senior IT internal auditor employed by Morrisons. Following a disciplinary hearing for an internal incident regarding his misuse of the postal services for private purposes, Mr Skelton was given a formal verbal warning. He was annoyed by the disciplinary proceedings and the sanction which appeared to leave him with a (very serious) grudge against Morrisons.
Not long afterwards, Morrisons' external auditor requested a number of categories of data from the business in order to undertake the annual audit. That request included a copy of Morrisons' payroll data. That data was copied onto an encrypted USB stick by the HR department and was then given to Mr Skelton, who in turn supplied the data to the auditor. So far, so good.
Things took a turn for the worse though. Mr Skelton had (unbeknownst to anyone else) also copied the payroll data onto a personal USB. Still bearing his grudge no doubt, he then posted a file containing the personal details of almost 100,000 employees of Morrisons on a file sharing website (using the initials and date of birth of another employee in a deliberate attempt to frame him).
Shortly afterwards, links to the website were also placed elsewhere on the web. Mr Skelton also, acting anonymously, sent a CD containing a copy of the data to three newspapers in the UK. It was no coincidence for Skelton that Morrisons was about to announce its annual financial reports. The revelation of the data leak would be likely to have serious implications for the share value of Morrisons.
The information was not published by any of the newspapers concerned and Morrisons was duly alerted to the web disclosure. Within a few hours they had taken steps to ensure that the website had been removed and had also alerted the Police. Mr Skelton was arrested on fraud charges and was sentenced to eight years in prison.
It wasn’t a good outcome for Morrisons either. In addition to the adverse publicity created by the incident, a claim was brought against it by over 5000 employees seeking damages for breach of confidentiality. It was held by the Judge that Morrisons was vicariously liable for the acts of Mr Skelton (despite Morrisons being in one sense the party whom Mr Skelton had intended to harm). The Court of Appeal recently endorsed this view in a judgement given in October this year.
And the moral is…
This case provides little comfort then for business owners. So how can they protect against such conduct? You can of course try and insure against the risk but there is another - far more beneficial - way of tackling fraud. And it’s this: if you want to protect your assets then first look after your employees.
Who knows why Mr Skelton behaved in the way he did. No doubt Morrisons is a fabulous place to work and perhaps Mr Skelton was destined to act fraudulently in any event. The fact remains though that employees are people and possess both the inherent strengths and frailties that make up the human condition. Staff need and want to feel respected and involved in their place of work. They are drawn to cultures and environments where there exists a sense of inclusion and empowerment and in turn a mutual respect between employee and employer.
Get that balance right and your staff will have a vested interest in your success. Get it wrong and any sense of duty to protect the business and its assets can quickly evaporate. For the wrong individuals, it’s a slippery slope from there to the perpetration of fraud.
And this isn’t just wishful thinking. Research shows that disgruntled employees pose a greater security risk to businesses than cyber-attacks (with one study revealing that 80% of damaging incidents were the work of employees including accidental disclosure of confidential information and misuse of social media through to fraud, bribery and industrial espionage).
As Richard Branson says: “Train people well enough so they can leave. Treat them well enough so they don’t want to”. Quite right and it doesn’t take much to work out that well treated staff also won’t want to hurt your business whether they leave or not. Look after them and they will look after your business. Not only that but they will also be naturally inclined to vigilance with a view to protecting your assets from external threats. Everyone’s a winner (except the cyber criminals).