Security and loss prevention are major concerns for any business. But what if it is one of your own employees who is stealing your stock, instigating a complex fraud or leaking confidential information on the internet?
The impact of an insider incident on your business can be significant, going beyond the obvious financial losses to undermine your image and reputation among your customers and damage staff morale.
The scale of the insider threat is inherently hard to quantify as it can take so many forms. The BRC’s survey data suggests that incidents of employee theft can cost a retailer on average four times more than theft by a customer.
Evidence from elsewhere indicates that insider activity might be even more pervasive than initially thought. PwC’s latest Global Economic Crime Survey, which assessed a range of different industries, revealed that over half of the perpetrators defrauding businesses were internal.
Theft and fraud are only one piece of the picture: malicious insider activity could also take the form of cyber-attacks, sabotage of goods or the leaking of confidential information.
What drives an insider to act?
The vast majority of employees are honest, so what then drives a member of staff, a contractor or supplier to betray the trust placed in them? A complex mix of factors can be at play. A demotion, a desire for financial reward or revenge and certain personality characteristics provide the context for malicious activity.
But the individual concerned must also have the know-how and, crucially, the opportunity to act. Limiting these opportunities is therefore key to protecting your business.
It is wrong to assume that recent recruits to your business are most likely to engage in damaging activity. Research indicates that most insider incidents are in fact carried out by permanent staff and in many cases involve people who have been in post for up to five years.
How should retail businesses protect themselves?
The BRC has recently published new Guidelines to help retail businesses minimise their vulnerability to insider threats. Whilst the nature and size of your business will inform the detailed policies and procedures that are right for you, the BRC’s Guidelines set out some simple steps to help any retail business put an effective strategy in place. The document poses important questions for retail business leaders, for example:
- Have you conducted a comprehensive risk assessment?
- What are the business’ most critical assets?
- Are existing security policies adequate? And,
- Do you have thorough pre-employment screening in place?
The need for effective cyber security controls
The ease with which sensitive business information can now be accessed and transferred electronically means that this is an area of particular vulnerability for any business, including retailers. Essential cyber controls include determining IT access rights according to each user’s role and ensuring that dual authorisation is required for high-risk activities.
Retailers should strictly limit remote access, the use of removable storage and shared admin accounts. Furthermore, IT monitoring systems should raise the alarm if a user accesses hundreds of files that aren’t reasonably required for their job.
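One way the monitoring rule above could be written, as an added example that does not come from the BRC Guidelines: it counts the distinct files each user opens outside the areas their role needs and alerts past a threshold. The log format, role names, path prefixes and threshold value are all assumptions made for illustration.

```python
from collections import defaultdict

# Assumed mapping of job role -> path prefixes that role reasonably needs.
ROLE_PATHS = {
    "store_manager": ("/stores/", "/rotas/"),
    "payroll_clerk": ("/hr/payroll/",),
}
THRESHOLD = 100  # distinct out-of-role files per user per day (assumed value)


def build_sample_log():
    """Constructed sample access log, one 'date user role path' entry per line."""
    lines = [
        "2024-03-01 asmith store_manager /stores/leeds/stock.xlsx",
        "2024-03-01 asmith store_manager /hr/payroll/march.csv",
        "2024-03-01 bjones payroll_clerk /hr/payroll/march.csv",
    ]
    # bjones opens 150 distinct customer files, none under a payroll prefix.
    lines += [f"2024-03-01 bjones payroll_clerk /customers/cards/{i}.csv"
              for i in range(150)]
    # Repeat reads of one file must not inflate asmith's count.
    lines += ["2024-03-01 asmith store_manager /hr/payroll/march.csv"] * 200
    return lines


def find_bulk_access(lines, role_paths=ROLE_PATHS, threshold=THRESHOLD):
    """Return sorted (date, user, count) for users who opened more than
    `threshold` distinct files outside their role's prefixes in one day."""
    seen = defaultdict(set)
    for line in lines:
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue  # skip malformed lines rather than guess at fields
        day, user, role, path = parts
        allowed = role_paths.get(role, ())  # unknown role: nothing is in scope
        if not path.startswith(allowed):
            seen[(day, user)].add(path)  # a set, so each file counts once
    return sorted((d, u, len(p)) for (d, u), p in seen.items()
                  if len(p) > threshold)


if __name__ == "__main__":
    for day, user, count in find_bulk_access(build_sample_log()):
        print(f"ALERT {day} {user}: {count} files outside role")
```

Counting distinct files rather than raw reads keeps a user who reopens one document all day from triggering the alert, while a single out-of-role read stays well under the threshold.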
A series of high-profile data breaches, such as that suffered by US retailer Target, have heightened awareness of cyber security. Yet it is easy for businesses to focus their attention on external defences and overlook the threats a little closer to home. Retailers must start thinking about the insider threat as a corporate risk like any other.
Laura Davies is crime policy adviser at the British Retail Consortium

















