Failure to recognize or respond to workplace fraud costs U.S. businesses millions each year. While circumstances leading to fraudulent behavior vary widely among companies, recent studies may reveal why some institutions ignore illegal activity – even when it’s happening in plain view.

Here are some reasons companies turn a blind eye to expensive, systemic insider fraud:

Trust & Seniority

Let’s say you suspect a senior colleague may be guilty of workplace fraud. What if that person has already built trust with your department for over a decade? What if you feel at risk for professional or personal reprisal were you to report your suspicions?

What if the suspect is your boss?

According to a recent Symantec report on insider intellectual property (IP) theft, a majority of IP thieves are males in their mid-30s. Their positions are high enough in the corporate value chain that their own signatures regularly appear on IP agreements, and many are managers.

Similarly, a 2011 global fraud analysis by KPMG finds that fraudsters have typically been with their employer for over 10 years with more than half in upper management or board positions. With so many guilty parties in positions of authority, it’s no mystery why many of their colleagues choose to ignore dubious activity.

Ignorance of Warning Signs

Of course, not every fraudster operates in the company’s upper echelons. What’s more, many instances of unreported fraud may not be intentional but due instead to a lack of knowledge about fraud’s warning signs.

KPMG’s report names certain “red flag” behaviors that could indicate an employee is committing insider fraud. The employee’s colleagues simply must be aware of what those behaviors are. Some of them include:

• Maintaining exclusive relationships with vendors
• Refusal to take leave or time off for holidays
• Unexpected disappearances from the office
• Not producing certain records or information upon request
• Excessive lifestyle for his or her income
• Developing a serious addiction to alcohol, drugs, or gambling

A better understanding of these behaviors by all employees – especially those in HR departments – could go a long way toward averting future fraud prevention failures.

Lack of Prevention Policies

The absence of effective fraud protocols is another big reason companies brush aside fraud prevention failures.

Developing and enforcing fraud prevention policies isn’t just a formality – it’s an investment in the continued prosperity of your company. The specifics of that policy will depend on the types of fraud to which your organization is most vulnerable, and many may choose to build enterprise fraud management software into their long-term strategies.

After all, software may very well identify suspicious activity that employees – for fear of reprisal or otherwise – fail to report to management.

Creating teams of legal and HR experts, implementing fraud education programs for employees, and a performing a thorough evaluation of your unique fraud risks are preventative measures all organizations should take.

Organizations lose millions to fraud. According to the most recent ACFE Report to the Nations, organizations lose about 5% of their annual revenue to fraud. That number is staggering. What’s even more troubling is all the different ways organizations are “paying” for the hidden fraud in their companies today. Here are just a few of the ways that fraud impacts the bottom line:

The Reality of Fines
Regulations have been part of data protection for over a decade. The heavy hitters, HIPAA, GLBA, FISMA, NIST, PCI-DSS, are all designed to reduce risk of information loss or exposure. And increasingly, these regulations carry fines. Think of it as a “carrot and stick” approach to regulation. Fines in banking are fairly common and regularly metered out. What’s interesting from an industry watcher’s perspective is the growing maturity of fines in other industries.

Most recently, eyes have been on HIPAA. The U.S. Department of Health and Human Services issued a $4.3M HIPAA fine to Maryland healthcare provider Cignet. In May of 2012, the agency also levied a HIPAA fine of $100,000 against a private practice. In doing so, the agency indicated that the size of violator is not an indication of the likelihood of getting fined. It’s a trend that’s likely to continue and put a laser focus on correcting HIPAA violations.

What about Reputational Risk?
By far, the biggest opportunity for losses is brand damage. These costs only grow when you tot up things like litigation, loss of customers, a slide in shareholder value, etc. If there is one issue troubling the C-Suite, it’s this one. It consistently outranks other concerns like theft of IP and theft of assets. It even trups privacy concerns at many institutions. Why might that be, you ask? It’s a top concern year after year because reputational damage, damage to your brand, can wipe out profits in an instant. Customer leave institutions that fail to protect privacy in droves. And they oftentimes don’t come back. So in addition to the loss generated by the theft or breach, the drop in shareholder value, reduced business and litigation expense, you can add the cost of attracting new customers. If you’re industry is private banking, it may only take the loss of a handful of key accounts to really feel a pinch. Doesn’t it make sense to protect the data entrusted to you with the same zeal you have for making money for your clients?

Over-paying for Insurance Premiums
Banks, financial institutions, hospitals and even insurers have insurance policies to cover fraud losses. While carrying those protections is probably prudent (after all, there has to be real risk or people wouldn’t need to hedge against it), those policies cost real money and any step to reduce risk and reduce premiums is more money in your pocket.

The Problem with Write Offs
For years, there’s been an acknowledged problem with banking fraud. In an interview, noted security expert Juval Aviv, reported the scope of the problem a few years back when he stated, “People are stealing billions every year (from banks) and getting away with it. Fraudsters know that if they are going to do it, they have to do it big and then complicate the investigation by moving the money across several banks in several countries.” He added, “Banks then write off these losses and the fraudsters know this.” The problem with this attitude is that it contributes to the problem. By failing to prosecute, banks are giving a kind of tacit permission to thieves to operate in their systems. I know that prosecution is hard. I know that information trails are notoriously incomplete—logs just don’t have the data to make an effective case against fraudsters the majority of the time. But there are technologies out there that can create a more comprehensive trail and contribute greatly to a layered security model. Looking at those tools, like Luminet from Attachmate, has got to be better than turning a blind eye.

Conclusion
It’s fairly common in this industry to hear the refrain, “Fraud is just a cost of doing business.” It doesn’t have to be. If you’re interested in moving the bar on security and risk, it shouldn’t be. Permitting an “acceptable level of loss” means the bad guys are allowed to operate freely in your systems. Is that really OK?

The National Institute of Standards and Technology (NIST) released its proposed guidelines last week, which call for organizations to develop capabilities for continuous monitoring and enterprise-wide tracking of information to better measure the effectiveness of security policies and calculate risk of fraudulent activity.

This is a forward-thinking approach by NIST, and we believe this is a step in the right direction.

Securing information management systems is essential for the wellbeing of companies. The value of information within today’s organizations is unprecedented, and companies should prioritize investments in ways to better protect and manage their information from insider attacks and fraud. Unfortunately, due to vulnerabilities in organizations’ infrastructure, organizations average approximately 53 employee-related incidents of fraud annually, which translates to approximately one incident per week.

From data storage to file transfers, many companies have distributed information systems that control many different tasks related to content management; companies grant specific permissions to employees to access the information in these repositories. While nearly all employees will access this information in order to complete their work, there is a risk that someone could have more devious intentions. A single case of insider abuse can have detrimental consequences.

The NIST guidelines call for organizations to adopt a “trust-but-verify” approach to information security, granting access to employees while monitoring for suspicious activity. Continuous monitoring provides a full picture of an organization’s security posture, measures the extent to which the organization is threatened by a potential circumstance or event, and enables the organization to make informed decisions to address risk.

Companies can start securing their information now by taking three actions:

1. Audit your company’s current information management infrastructure to identify where information is being accessed, processed and stored. Because many companies have information spread across multiple systems, it is essential for you to understand all the access points and how different solutions are securing (or not securing) your organization’s important content and data.

2. Understand the privacy and security policies that are currently in place at your organization and identify where improvements can be made with the NIST guidance. By understanding the policies your organization currently has established and comparing that to the NIST guidance, you can identify areas where your information management systems could be more secure and your information better protected against insider fraud.

3. Compare information management systems that can help consolidate the monitoring and auditing practices outlined by NIST. Attachmate’s Luminet solution can help companies stop fraud and misuse of important information, gain compliancy with industry regulations without additional coding, and more easily create accurate, detailed audits of network access.

It is important for organizations to trust the people they hire, but it is also essential organizations take steps to protect themselves from the possibility of an insider attack on information. Be sure to check out the proposed NIST guidelines today to protect your information tomorrow.

-Christine Meyers, senior product marketing manager, Attachmate Luminet

Stratfor specializes in “strategic intelligence on global business, economic, security and geopolitical affairs,”

It appears Stratfor failed to encrypt any of its credit card information, despite promises “to maintain safeguards to protect the security of these servers and your personally identifiable information,” according to its privacy policy.”

http://www.scmagazine.com/anonymous-shreds-intelligence-firm-stratfor-in-latest-hack/article/220781/?DCMP=EMC-SCUS_Newswire

I just wonder when will corporations and their executives start being held criminally liable for such egregious security blunders? Until then, there is very little reason for many of them to change….just my two pennies. Sales point is that no one is safe and all should at least entertain a conversation with you about your security solutions, right?

Happy New Year.

Today’s next generation of fraud detection technologies can go a long way to supporting a HIPAA HITECH compliance effort and prevent privacy violations, misuse and abuse. Simply put, these systems provide visibility across multiple data channels to offer a comprehensive view of what is going on in your environment. Leading solutions offer screen-by-screen replay of user activity which offers “context to keystrokes” and provides the ability to look at each screen viewed by a particular user. Through this method, organizations can understand and capture the “why” of data access. Monitoring and alerting on specific events is also available. These solutions can actively target violations and unauthorized access.

More and more, leading healthcare institutions are migrating to the new fraud monitoring technologies. This new approach moves far beyond the logging and monitoring solutions that may “check a box” for compliance, but do little to address advanced audit requirements or fill in the “gaps” inherent in traditional logging systems. The benefits of monitoring data across applications and extending visibility beyond healthcare applications are essential to leading organizations seeking to protect patient privacy and their brand.

Let’s explore some of the areas that this new approach can assist with:

Common Healthcare Monitoring Scenarios

• Is a given user is logged in at multiple locations or while on vacation or absent from work? Accessing systems after hours?
• Is a particular user is accessing areas not appropriate for their job or function?
• Are physicians are accessing records outside their specialty?
• Are employees accessing high profile or VIP accounts inappropriately? Are staff members inappropriately accessing PHI within the institution?
• Are users accessing accounts more than 30 days after the date of service? Has key information on the account changed (address, services rendered, etc.)?

In healthcare, one of the most pernicious issues is accidental access of PHI rather than outright fraud (although fraud is still an issue). Take for example, improper record access in healthcare. While certainly a HIPAA violation, few would consider the desire to “sneak a peek” at an admission file fraud. Even so, these violations cost hospitals hundreds of thousands of dollars in fines annually and the resulting personnel action results in loss of staff and productivity. Fortunately, there is a better way.

Developing A Rules Based Approach

Continuous monitoring of user activity provides a comprehensive view of who, did what, when, and often even provides insight into why a particular activity occurred. Capturing data in this manner and applying a rules based approach to identifying risks and possible abuse, misuse and error in data can significantly improve audit performance.

Auditing Needs We Commonly Encounter and Assist With

• Developing a baseline of activity across a healthcare organization and using that to uncover and target areas at higher risk for patient privacy violations.
• Monitoring third-party activities, including call centers and claims processors and service providers, for a higher than baseline occurrence of out of band activity.
• Monitoring access to medical record, specifically highly sensitive material such as HIV test results where the inappropriate disclosure of such information may cause a patient harm.
• Identifying employees or other providers who demonstrate patterns of unauthorized access. Providing visibility into record access of VIP, high profile or opt out patients.
• Examining employee or provider look ups along high risk patterns: same last name, same street address, same zip code, etc.
• Enabling review of physician access and review of employee as patient access (employees as patients create a potential for misuse and/or abuse often out of concern or curiosity).
• Reviewing and auditing access by remote users. Providing the ability to review external third-party record access as well as the ability to monitor third-party activity for fraud, out-of-band approvals or requests and access appropriate to role.

Monitoring and Data Capture During a “Break Glass” Emergency

In many healthcare provider settings, there is the potential for a “break-the-glass” emergency which refers to an instance where it becomes necessary for individuals to violate access protocols to provide lifesaving or critical care. In these scenarios, it is essential to capture, document and retain user activity and information access for future audit and review. With enterprise fraud management solutions in place, this special audit trail is automatically created, encrypted and digitally signed. The records are retained in a sealed repository preserving the records as required.

Possible scenarios where this data capture may be required include a) account problems such as a locked password due to failed entry attempts or lack of a user account (visiting clinician required to assist during an emergency), b) authentication problems such as an authentication system failure, or c) an emergency situation forces personnel to respond in a way that exceeds their authorization.

During such a situation, it is essential that the entire activity trail is captured and preserved for later review. With monitoring in place, no paper logging is required. Today’s enterprise fraud management technologies can even trigger alerts when such a scenario occurs. Having an automatic, comprehensive audit trail has the potential to limit any required disclosure to the actual event and activity rather than a “worst case” access scenario.

Responding to Emerging “Accounting of Disclosure Requirements”

Lastly, an additional area to consider is responding to patient requests for information surrounding PHI access. Current proposed Federal legislation would require that healthcare providers and their affiliates respond to requests for information with a detailed accounting of all access to a patient’s PHI going back three years. Many forward looking institutions are seeking a way to respond to this new proposed requirement as well as state disclosure laws governing PHI. Many Enterprise Fraud Management systems are designed to handle these information requests at the press of a button and can capture the history of information access across multiple systems. Having these systems in place can mean countless saved hours in responding to these requests.

In Conclusion:

Leading healthcare institutions seeking to get more out of their audit and compliance efforts should be exploring next generation solutions and not relying exclusively on incomplete or inadequate logs.

Enterprise fraud and workplace policy abuse come in many forms, and every business is at risk.

 Unfortunately, it’s not always obvious when workplace fraud occurs. Perpetrators are often insiders – long-time employees or trusted staff members who have access to sensitive information.

 The very idea that these people would cheat you can be hard to accept. It may even be tempting to think, “It could never happen here.” But it could. And the less you do to prevent it, the more likely it is to occur.

 Workplace fraud could mean failed compliance audits, hefty fines, or irreparable damage to your brand. It could also mean a serious blow to your bottom line.

 So don’t let others profit unethically at your expense – take steps to stop them. Here are four common types of workplace fraud and some suggestions for avoiding an all-out fraud nightmare.

1. Accounting mischief

 If your accounts are vulnerable, employees can use them to their advantage. Think “skimming” small amounts of money from the tops of checks or taking unreported cash payments.

 When the amounts are small, this type of fraud can be hard to detect. And if you never perform any audits, it could be virtually untraceable. While internal audits are an option, they’re often difficult to conduct. Slinging together data in an attempt to create a complete audit trail can quickly become a nightmare.

 On the other hand, by bringing in external auditors, you’ll be able to keep your accounts in check. Make external audits routine, and you can prevent accounting fraud before it even starts.

2. Exchanged credentials

 Or falsified ones. With counterfeit documents, records, or licenses, scammers may seek employment at your organization. They may also use someone else’s credentials to gain access to your office or work facility.

 Don’t forget: In hiring, even one fake reference represents a serious case of fraud.

 Always call professional references, verify credentials, and conduct background checks of each new hire. After all, you should be confident in the employees who represent your organization, not suspicious of them.

3. Unauthorized data access

 The use of false credentials can also help employees access data that was never theirs to consume.

 When this happens, the privacy of your patients or customers – not to mention confidential business information – could be in jeopardy. And what if employees don’t even need to use false credentials? What if they’re accessing sensitive information because it’s already easy to do so without being caught?

 That’s why you must implement data-handling policies that specify who has access to what. Also establish a system for verification before anyone can access sensitive material. Things like passwords and account numbers should never be shared and, if possible, should be changed often.

4. The address swap

 This is what happens when an employee changes the address to which a check is sent – presumably to his or her own – and then changes it back.

 To combat this kind of fraud, conduct regular reviews of all purchases. Consistent audits of accounts and contracts will also help protect you. While you don’t want to create a culture of surveillance that makes employees feel like Big Brother is lurking behind every corner, audits and reviews should create an atmosphere of accountability.

 Because when employees are accountable for their actions, you’ll enjoy greater security.

 For more information about Enterprise Fraud Management, be sure to check back here on Insider Fraud Spotlight!