The key vulnerabilities of a business to fraud and data loss are rooted in the four sins of hubris: thinking, looking, fighting and denying.
Hubris is defined as excessive pride or self-confidence, starting with the thought that fraud and data theft won’t happen to you. Most firms look in the wrong direction, by focusing on external threats and malware instead of trusted insiders and organized crime. They fight the wrong battle, by installing anti-virus on machines that are not vulnerable to virus attacks, and by relying on firewalls for data loss prevention. By not monitoring outbound data flows they also gain plausible deniability that there are problems of data loss and economic crime in the organization.
The sins of hubris lead to a situation where the bigger you are, the harder you fall (“It can’t happen to me because we have governance, IT, etc.”). According to the PwC 2009 Global Economic Crime Survey, bigger companies experienced more fraud.
46% of organisations experiencing economic crime had more than 1,000 employees.
Companies in the 201 – 1,000 employee range experienced almost half the incidence of fraud of their larger cousins. But this may be because they have fewer governance programmes in place, or because the ones they do have are less effective.
By the way, I think the PwC have it wrong. Smaller companies may have fewer governance programs in place, and because they have less money, these programs are probably more effective, not less effective.
Denial of data loss and economic crime also derives from an incomplete understanding of the economic costs. The 2009 PwC economic crime survey points out that:
27% of those reporting fraud in the last 12 months put its costs at more than $500,000.
One quarter of respondents reporting accounting fraud estimated that it had cost them more than US$1m.
Only 17% of those who suffered asset misappropriation reported losses of more than US$1m.
The impact of economic crime is not just financial: 32% of respondents said employee morale was most affected by such incidents.
Data loss and fraud events are unpredictable, high-impact events without precedent that cannot be forecast with virus/epidemiology or market risk models. The assumption in these models is that the unexpected can be predicted by extrapolating trends from past observations, especially when those statistics are assumed to be samples from a normal distribution. Other distributions might provide better fits to historical data, such as fractal distributions (for earthquakes), Lévy distributions (for securities returns) or EVT (for operational risk events). But in all economic crime cases, organizational culture was at the center of the losses, and more specifically a complex interaction of culture, people and rapidly-changing technology.
It’s impossible to stave off fraud and data theft with technology or procedures alone, because of this complexity. But with a management that makes protecting company assets and customers a business priority, an organization will be able to go beyond governance and security checklists and reduce its value at risk.
Economic crime and data theft warrant a zero-tolerance culture, starting in the boardroom and with executive management leading by example with open doors and ethical behavior.