Internal Threats — The Untold Story10, September 2018
In her award-winning documentary, All the Queen’s Horses (ATQH), director and forensic accounting expert Kelly Richmond Pope chronicles the compelling story of how one woman, Rita Crundwell, embezzled over $53M from the city of Dixon undetected for over 20 years. As the country’s largest municipal fraud, the Dixon story is disturbing in and of itself, but when you consider it in the wake of the recent studies that indicate 75 percent of all cyberattacks emanate from insiders, you begin to realize there is a larger story: the untold, real-life story of internal threats and insider fraud. In a recent interactive discussion, “Royal Fraudsters and How to Spot Them,” Pope shined the spotlight on the root cause of how employees commit fraud, why they do it, and most importantly, what can be done to stop them.
How they do it?
“I was in Chicago in 2012 when Rita’s story unfolded. She was so brazen about it that she built the nation’s leading quarter horse breeding empire using the money she stole from the city. But to me, it was never a story about Rita,” said Pope, on why she decided to make ATQH. “I wanted to focus on the environment that allowed this to happen. If it can happen in the small city of Dixon with less than 16,000 residents, then it can happen anywhere.”
The environment Pope is referring to is dictated by two crucial factors: psychological bias and the refusal to acknowledge. According to Pope, humans are predisposed to trust each other especially when they have a connection.
“We implicitly trust the person we sit next to for 40 hours every week,” said Pope. “In Rita’s case, she was trusted by her co-workers, the mayor, and pretty much the entire city of 16,000 residents.”
There is also the cultural aspect when it comes to trust. In eastern cultures, there is this understanding that the higher up one is in the organization, the more they can be trusted and the more access they should have.
Britta Simms, IBM Security’s Global Competency Lead, who also participated in the discussion, attributed the how to the obstinate refusal to acknowledge it.“It’s the baseless confidence that it can’t happen here – the notion of wanting to stay in that blissful ignorance – is what assures insiders they can do it and get away with it,” said Simms.
Why do they do it?
Pope believes that people do it because they can, and a lot of times they don’t necessarily think they are doing anything wrong. “It always starts small like in the case of Rita. The first time she took $25,000 from a sister account in Germany,” said Pope, “and during the final years before she got caught, she had progressed to $5M a year.”
Pope theorized that when Rita began, she may have rationalized taking a small amount with an intention of returning it. But when she noticed that no one was watching, she began to get bold.
Apart from need and greed, there is also the aspect of entitlement which insiders often use to rationalize their behavior. When it comes to sensitive data or stealing of business-critical information, there is the notion of “entitled independents” touched upon in our previous post. This is when employees feel entitled to the information they created. But how can companies control or manage an employee’s sense of entitlement?
“Companies must limit people’s privileges and roles,” according to Simms. “Rita had unbridled access and that is why she did it, because she could.”
What can be done to stop them?
“To begin with,” says Simms, “we must get over the head-in-the-sand syndrome and begin to see the gravity of organizational threats.”
According to Gartner’s Guide for Segregation of duties (SOD) Monitoring Tools, effective access controls can reduce the risk of internal fraud by up to 60 percent. While most companies use internal controls like SOD for audit compliance, it is often overlooked as an important tool to prevent internal fraud. “The first order of business,” Simms says, “is to educate everyone from top-down about internal cybersecurity.”
A primary reason why Rita got away with what she did was due to relaxed controls. Rita was given access to everything. Most importantly she was given access to perform two conflicting functions, which is the cardinal basis for internal fraud. She was allowed to create a vendor and pay a vendor.
“SOD is not a problem of Dixon alone,” warns Pope. “I have interviewed many white- collar criminals who have embezzled from large organizations, and it is by far the most prevalent internal control issue in both small and large companies.”
With the rate of change in technology and the landscape continuing to increase in complexity, managing internal controls can be tough. According to Simms, “Tooling is what companies need to keep up with the rapidly changing landscape. Automated tools for SOD can provide immediate visibility into conflicts and can also be leveraged to reduce fraud by limiting access.”
Pope added, “Last but not the least, we must not be afraid to ask questions. If the tax preparer had probed Rita about her inexplicable income, if the auditors had questioned Rita, the Ritas of the world would be caught much sooner.”
If you would like to learn more about internal threats or listen to what Kelly Pope and Britta Simms had to say, listen to the interactive discussion here.