Internal Theft/Fraud Research Question


  • N. A. Corbier
    replied
    Oh, individualism is fine. So is code checking.

    Usually when I see something like that, it's long after the fact and it's not the person writing programs, it's the IT manager in the mom-and-pop who's a friend of a friend. When it's time to let him go because his friend's sister is no longer a friend and he's disliking the company... Backdoors suddenly appear.



  • Bill Warnock
    replied
    Originally posted by N. A. Corbier
    It's always been a game to me with the disgruntled IT worker. You know that they can do interesting (but highly damaging) things to the servers, and you get to determine what they are and stop them. There is always a physical security aspect to terminating an IT worker, especially since he could have buddies or those he's blackmailing to physically start the "meltdown" process. There's also the network aspect, isolating the servers from the network and monitoring what traffic is going in and out (looking for that accomplice at the time), and later on (looking for that login from home, which will come)...
    Nathan, SecTrainer, in my years as a security specialist/inspector, 1971 onward, I have preached as an article of faith the ability of programmers or others to insert subroutines into their work for no apparent or logical reason that at a date certain will come together, create an unauthorized routine and wipe out or modify certain critical files or safeguards and then disappear as instructed. The answers I get from managers, then as now, give me pause. So-and-so is creative and I don't want to dampen a creative spirit. Sure there are unnecessary things in the code he writes but that is his flair. What rubbish! That will be the free spirit who will do you in. Individualism has its place but at what price?
    Excellent comments gentlemen.
    What say the rest of you?
    Enjoy the day,
    Bill



  • N. A. Corbier
    replied
    It's always been a game to me with the disgruntled IT worker. You know that they can do interesting (but highly damaging) things to the servers, and you get to determine what they are and stop them. There is always a physical security aspect to terminating an IT worker, especially since he could have buddies or those he's blackmailing to physically start the "meltdown" process. There's also the network aspect, isolating the servers from the network and monitoring what traffic is going in and out (looking for that accomplice at the time), and later on (looking for that login from home, which will come)...



  • SecTrainer
    replied
    Originally posted by Bill Warnock
    LPCap, the disgruntled IT employee is the one who can really do your business great harm. To destroy and mangle IT is the greatest theft from an employer and others such malevolence can wreak.
    Enjoy the day,
    Bill
    Absolutely - which is why the best policy when terminating these people is to conduct the exit interview without prior notice, during which their system accounts are being disabled, and then you take their keys/cards and escort them immediately from the interview out of the building.

    You will then need to exercise extremely close monitoring of your systems for a period of time in the event that they have created "back doors" or left "time bombs". One such "bomb" that an IT employee left behind was one that checked the payroll detail list each payday and, if it did not find that employee on the list (which meant he had been fired, of course), it was programmed to begin deleting highly valuable information from the system. Another bomb had a somewhat similar "trigger" but was programmed to email highly confidential engineering files to company competitors (who were not complicit in this scheme).
    Last edited by SecTrainer; 05-03-2007, 02:21 AM.



  • Bill Warnock
    replied
    Originally posted by LPCap
    Catching the ones that are vocal about their dislike for their boss, job, company are the easy ones to catch. The ones who are quietly sulking and pissed off at whatever in life are the hard ones.

    Thieves are manipulators too, they can con many LP and Managers into believing that they are the company man, while they bilk thousands from right under their noses.

    I would say that each segment of retail, whether it be department store, big box, discounter, fast food, restaurant or grocer has their own unique theft "hot spots". I would say that more night shift and front end, cash office associates steal more in the grocery environment, while it would be spread evenly through a department store.
    LPCap, the disgruntled IT employee is the one who can really do your business great harm. To destroy and mangle IT is the greatest theft from an employer and others such malevolence can wreak.
    Enjoy the day,
    Bill



  • LPCap
    replied
    Catching the ones that are vocal about their dislike for their boss, job, company are the easy ones to catch. The ones who are quietly sulking and pissed off at whatever in life are the hard ones.

    Thieves are manipulators too, they can con many LP and Managers into believing that they are the company man, while they bilk thousands from right under their noses.

    I would say that each segment of retail, whether it be department store, big box, discounter, fast food, restaurant or grocer has their own unique theft "hot spots". I would say that more night shift and front end, cash office associates steal more in the grocery environment, while it would be spread evenly through a department store.



  • Lynch Mob
    replied
    Originally posted by SecTrainer
    I don't think one (reaction versus proaction) is necessarily exclusive of the other. Security - including LP - is always both reactive and proactive, and an LP manager is missing some very important information if he isn't paying attention to the known history of past events. The past IS prologue to the future to some degree, at least.

    For instance, if the area where you've historically had the most theft is the loading dock, it isn't suddenly likely to shift to the cafeteria simply because you might have two disgruntled employees in the cafeteria and only one on the loading dock. Certainly, the disgruntled employees in the cafeteria should point your antenna in that direction, but the history on the loading dock is still highly relevant as well. That's what I mean when I say that I agree with your concept of "proaction", but reaction (in the sense of learning from past events) is still a very effective tool as well.

    Again, this is a complex subject and I think we're probably often just describing different aspects of the same overall objective, rather than disagreeing in any significant way.
    I never said we should not react to problems, or learn from past events. The problem is that, historically, LP has been almost exclusively reactive. The entire name of Loss Prevention really is a misnomer, as Loss Prevention has rarely prevented losses.

    In your example of the loading dock vs. the cafeteria, I would say that if you have historically had problems on the loading dock it is one of two issues going on. Either you have been overly focused on the loading dock, resulting in the self-fulfilling prophecy of catching more thieves there than other places, or we have not learned from our past and made the necessary changes to reduce loss. In either of these cases, you are probably spending an inordinate amount of time focusing on a certain area and missing losses in another.

    As you described the scenario, if I discovered I had two highly disgruntled employees in the cafeteria, I would find out why. What are they disgruntled about? What is the manager doing about it? What is the performance of these two individuals like? How many other employees feel the same but are not as verbal about their concerns? If I address these problems, I might be able to prevent any theft from happening at all, and could be preventing many people from stealing. If I just focus on catching people at the loading dock, because we have caught a lot of people there in the past and I have not fixed the problem, I catch one at a time, and probably lose a lot of merchandise I will never recover before I actually catch the person stealing.

    If we are to be working as Loss Prevention, of course we need to learn from the past, but learning means fixing. If you continue to have problems in the same areas, you are not doing a good job. If you keep going back to that same well to catch people, you are not fixing anything, nor preventing anything. If you are not fixing problems or preventing theft, you are not really helping your company at all.



  • SecTrainer
    replied
    Originally posted by Lynch Mob
    By the time you are using dollars or number of incidents as a measurement, you are too late. That is reactionary Loss Prevention. You are only reacting to losses that have already happened. If you want to be proactive, you need to find the proper indicators of employees who are most likely to steal, and identify those indicators before the employees have already stolen. Focusing on employee morale does this. You can see which employees are starting on that downward spiral towards theft, and take steps to cut them off before they get there.

    Think about it this way. If there were some early warning signs that your kid may eventually start using drugs before they use drugs, wouldn't you step in and start addressing those? What if you found that when a kid is in elementary school and junior high there was a correlation between skipping school and not doing homework, and drug use in high school years? If you knew this was true, wouldn't you jump on this trend right away if you saw your kid starting to skip school or not doing homework? Of course you would. If making some basic changes before the drug usage starts can steer your kids away from drugs, you would take advantage of it, if possible. You would never sit back and say, "Oh well, there are great rehab programs out there, so if my kid starts using drugs I will just get them in rehab." One is reactionary and one is proactive.

    Be proactive in LP. Disgruntled employees are your thieves who may not have even stolen yet. Concentrate your efforts on ensuring that employees are satisfied with their jobs and you will lower shrink.
    I don't think one (reaction versus proaction) is necessarily exclusive of the other. Security - including LP - is always both reactive and proactive, and an LP manager is missing some very important information if he isn't paying attention to the known history of past events. The past IS prologue to the future to some degree, at least.

    For instance, if the area where you've historically had the most theft is the loading dock, it isn't suddenly likely to shift to the cafeteria simply because you might have two disgruntled employees in the cafeteria and only one on the loading dock. Certainly, the disgruntled employees in the cafeteria should point your antenna in that direction, but the history on the loading dock is still highly relevant as well. That's what I mean when I say that I agree with your concept of "proaction", but reaction (in the sense of learning from past events) is still a very effective tool as well.

    Again, this is a complex subject and I think we're probably often just describing different aspects of the same overall objective, rather than disagreeing in any significant way.
    Last edited by SecTrainer; 05-02-2007, 12:19 PM.



  • Lynch Mob
    replied
    Originally posted by SecTrainer
    It certainly would make sense to concentrate your resources on the areas where you have the most problem, assuming that you're reasonably sure where that is, and providing you don't find yourself totally focused there and wind up ignoring the other areas.

    In defining where "the most problem" is, I'd use dollar loss, rather than the number of incidents, as the yardstick.
    By the time you are using dollars or number of incidents as a measurement, you are too late. That is reactionary Loss Prevention. You are only reacting to losses that have already happened. If you want to be proactive, you need to find the proper indicators of employees who are most likely to steal, and identify those indicators before the employees have already stolen. Focusing on employee morale does this. You can see which employees are starting on that downward spiral towards theft, and take steps to cut them off before they get there.

    Think about it this way. If there were some early warning signs that your kid may eventually start using drugs before they use drugs, wouldn't you step in and start addressing those? What if you found that when a kid is in elementary school and junior high there was a correlation between skipping school and not doing homework, and drug use in high school years? If you knew this was true, wouldn't you jump on this trend right away if you saw your kid starting to skip school or not doing homework? Of course you would. If making some basic changes before the drug usage starts can steer your kids away from drugs, you would take advantage of it, if possible. You would never sit back and say, "Oh well, there are great rehab programs out there, so if my kid starts using drugs I will just get them in rehab." One is reactionary and one is proactive.

    Be proactive in LP. Disgruntled employees are your thieves who may not have even stolen yet. Concentrate your efforts on ensuring that employees are satisfied with their jobs and you will lower shrink.



  • Lynch Mob
    replied
    Originally posted by LPCap
    Is there a part of your 80% that will steal more than the other? Would you say the younger workforce population in that percentage has a higher risk of theft than the older, or is it spread across all ages and genders equally?

    Do front line employees steal more than the back end workers? If we can figure out which group of the 80% steal more than the other, we can amend our strategies to fit the population within that 80% that will steal more than the other.

    I agree that we should be preventing all of our employees from stealing, but if the vast majority of your theft is coming in the form of 35% of your 80%, why not focus hard on that area? I know that every business is different, but if you know that your losses are occurring on the front line with the registers, aren't you going to amend some of your cash register programs and procedures?
    Each company may have a different area that tends to be higher risk. I doubt that we would find, for example, that cashiers steal more consistently in most companies.

    There is one area that is consistent across the board. Disgruntled employees. You will inevitably find that, regardless of the company, it is your disgruntled employees that will steal most frequently and steal the highest amount. This is what I am talking about. LP needs to start focusing on disgruntled employees as a means of preventing theft. If you spend your time looking at areas of the store, specific products, or anything else, you will be missing the biggest group of thieves.



  • SecTrainer
    replied
    Originally posted by LPCap
    Is there a part of your 80% that will steal more than the other? Would you say the younger workforce population in that percentage has a higher risk of theft than the older, or is it spread across all ages and genders equally?

    Do front line employees steal more than the back end workers? If we can figure out which group of the 80% steal more than the other, we can amend our strategies to fit the population within that 80% that will steal more than the other.

    I agree that we should be preventing all of our employees from stealing, but if the vast majority of your theft is coming in the form of 35% of your 80%, why not focus hard on that area? I know that every business is different, but if you know that your losses are occurring on the front line with the registers, aren't you going to amend some of your cash register programs and procedures?
    It certainly would make sense to concentrate your resources on the areas where you have the most problem, assuming that you're reasonably sure where that is, and providing you don't find yourself totally focused there and wind up ignoring the other areas.

    In defining where "the most problem" is, I'd use dollar loss, rather than the number of incidents, as the yardstick.



  • LPCap
    replied
    Is there a part of your 80% that will steal more than the other? Would you say the younger workforce population in that percentage has a higher risk of theft than the older, or is it spread across all ages and genders equally?

    Do front line employees steal more than the back end workers? If we can figure out which group of the 80% steal more than the other, we can amend our strategies to fit the population within that 80% that will steal more than the other.

    I agree that we should be preventing all of our employees from stealing, but if the vast majority of your theft is coming in the form of 35% of your 80%, why not focus hard on that area? I know that every business is different, but if you know that your losses are occurring on the front line with the registers, aren't you going to amend some of your cash register programs and procedures?



  • SecTrainer
    replied
    Originally posted by Lynch Mob
    There is a concept called the 10/80/10 rule. It means that 10% of your employees will never steal, no matter what. 10% will attempt to steal regardless of any safeguards you put in place. They are the "hard core" thieves you are describing. 80% are on the fence. They may or may not decide to steal depending on various circumstances.

    I think that these numbers are actually fairly accurate. It is the 80% we must focus our efforts on. The more of them we influence to not steal, the better off we are. It has also been shown that the primary motivating factor for employees to steal is how they feel about the company/manager. Take a look at this link.

    http://www.reuters.com/article/domes...lso_on_reuters

    There is an interesting quote in the article. "Interestingly, the survey showed that reinforcement of criminal penalties and ethics training may do little to deter unethical behavior at work."

    I have long held the belief that attempting to influence behavior by them seeing others face penalties does not deter behavior. Think about it, how do people react when they see someone getting a speeding ticket? They slow down while the cop car is in sight, and the moment it is out of sight they speed up again. That proves that seeing someone facing a penalty does not change behavior. The feeling of potentially getting caught themselves (by the presence of a cop) is what changes behavior. You get the same results to slow speeding by placing a radar speed sign, where the driver can see what speed the radar catches them going. However, the same results apply. Drivers slow when going by the sign, and speed up right after the sign is behind them.

    Humans do not learn from other people's mistakes. If we did, we would have a crime free society, where there were no drug addicts, where there were no smokers, and the civil courts would be empty. Vices would not exist. We would have world peace. Since we know that all of these problems continue to exist, and will always exist, we can be absolutely certain that we will never learn from others' mistakes. This applies to retail internal theft. Employees are not going to learn from the mistakes of others. We might as well stop trying to hold up others as examples.

    Now, if we go back to the speeding analogy, we have to examine what it is that changed behavior. It was a clear and obvious sign that the POTENTIAL to get caught existed. A cop on the side of the road, or a sign displaying your speed, has that effect. But, it is not a lasting effect. What would make it a lasting effect? The only way to slow people down, of their own accord, is to make them believe it is in their best interest to slow down. I don't have the answer on how to do that for speeders. I could probably make a lot of money if I figured that out. But, I do have the answers for internal theft. It is about how employees feel about their company. If they are happy with their job, and happy with their boss, they don't want to screw that up. They also don't feel like they are owed something beyond what they are already getting. This is where it starts.

    In a sense, catching more people has the potential to actually create ill-will with employees. If they feel that the company does not trust them, and is always looking to catch them doing something wrong, they are actually more likely to do something wrong. LP must always be conscious of the impact they may be having on employee morale. If employees feel they are not treated fairly by LP, the results will wind up being the exact opposite of what you want, which will result in even more investigations creating more ill-will, and the cycle will just continue. I am not saying that internal investigations will always have this effect, but we must be aware that it could have that effect if we do not do a good job at building relations and communicating with employees.

    So, with those "opportunists", as you described them, I do not believe that catching more people will create that tipping point. We need to find the tipping point associated with morale.
    Good points, to be sure. I wonder about the speeding analogy, though, because I don't think the universal reaction is to slow down and then speed up. Some do, of course.

    Others like me, however, will be reminded to check our speedometer, and if we find that we might have inadvertently been going a bit over the speed limit, we're reminded to keep a closer eye on our speed and will do so for quite some time after the police car is long gone from view, no? I know that this is true for me.

    And, even for those who slow down and then speed up, do they not really speed up because they think "The cop is busy with that guy" and thus they are calculating that their risk of being caught is actually reduced when they see the cop is tied up with another speeder?

    Neither of these comments is in any way intended to detract from the enormous value and validity of your observation regarding the impact of employee morale and loyalty, which I think deserves to be Point Number 1 in Loss Prevention. Hire well, pay them well, and treat them well...if only companies could understand that this will return $$ to the bottom line (because happy employees make your customers happy!) while reducing the costs of poor performance...AND THEFT. Sadly, many cannot grasp this.

    But in practice, I've also encountered employees who, for instance, had very good jobs and were, as far as anyone knew, happy in those jobs, but they came under some sudden financial pressure to steal - sometimes by circumstances beyond their control - and this pressure completely wiped out the "morale effect". Their "vision" narrowed down to the immediate trouble they were having and they basically forgot about everything else.

    Something else I'd like your views on is the impact of "management example". Not long ago, I was asked to review the merchandise returns practices of the employees at the Customer Service desk of a retailer. They were to obtain the customer's ID, check the receipt, make an entry in a log, and issue a cash credit slip (if it was a cash sale), or a credit card reversal slip (using the same card used for the sale, of course). Sale items could not be returned for cash or credit card reversal; only a store credit could be issued.

    While I was watching, a line developed and a manager came over to help out, and handled three customers. With EVERY ONE of the three customers, he violated some aspect of the returns procedure. He failed to enter one return in the log properly, he "recognized" one of the customers (but not by name, as he had to ask that) and did not insist on seeing her ID, and he issued a cash credit on sale merchandise. I didn't comment on it at the time, of course, but when I mentioned it to him later, he just blew it off, saying "That's why I'm the manager". To my way of thinking, it is precisely because he IS the manager that he should be the MOST scrupulous about following procedures.

    Perhaps we're a bit like the six blind men describing the elephant here...each of us describing different aspects of theft control that are all interrelated (and important) pieces of the same animal.
    Last edited by SecTrainer; 05-01-2007, 02:42 AM.



  • Lynch Mob
    replied
    Originally posted by SecTrainer
    I agree, at least to some extent. You have the "hard-core" thieves, who are indifferent to the possibility of being caught, or maybe too cocky about their "thieving skills", or just plain too stupid to think about it. What I wonder about this group is whether the "tipping point" for them is within our scope in security/loss prevention at all, because basically we're talking about a character defect that they brought into the company with them. Where our company is concerned, the only realistic "tipping point" would have been for HR to identify this defect (and solid, properly-conducted background checks will reveal these people more times than not) so we don't hire them in the first place.

    However, there is another group - I'll call them "opportunists" - who might be said more to be "yielding to temptation or pressure" when they steal, and I think it's pretty generally agreed that those people do consider the potential risk when they're making that decision to steal. I guess these would be the ones impacted by the "tipping point" that I'm referring to.

    You're right - this is an interesting discussion. Thanks very much for your input!
    There is a concept called the 10/80/10 rule. It means that 10% of your employees will never steal, no matter what. 10% will attempt to steal regardless of any safeguards you put in place. They are the "hard core" thieves you are describing. 80% are on the fence. They may or may not decide to steal depending on various circumstances.

    I think that these numbers are actually fairly accurate. It is the 80% we must focus our efforts on. The more of them we influence to not steal, the better off we are. It has also been shown that the primary motivating factor for employees to steal is how they feel about the company/manager. Take a look at this link.

    http://www.reuters.com/article/domes...lso_on_reuters

    There is an interesting quote in the article. "Interestingly, the survey showed that reinforcement of criminal penalties and ethics training may do little to deter unethical behavior at work."

    I have long held the belief that attempting to influence behavior by them seeing others face penalties does not deter behavior. Think about it, how do people react when they see someone getting a speeding ticket? They slow down while the cop car is in sight, and the moment it is out of sight they speed up again. That proves that seeing someone facing a penalty does not change behavior. The feeling of potentially getting caught themselves (by the presence of a cop) is what changes behavior. You get the same results to slow speeding by placing a radar speed sign, where the driver can see what speed the radar catches them going. However, the same results apply. Drivers slow when going by the sign, and speed up right after the sign is behind them.

    Humans do not learn from other people's mistakes. If we did, we would have a crime free society, where there were no drug addicts, where there were no smokers, and the civil courts would be empty. Vices would not exist. We would have world peace. Since we know that all of these problems continue to exist, and will always exist, we can be absolutely certain that we will never learn from others' mistakes. This applies to retail internal theft. Employees are not going to learn from the mistakes of others. We might as well stop trying to hold up others as examples.

    Now, if we go back to the speeding analogy, we have to examine what it is that changed behavior. It was a clear and obvious sign that the POTENTIAL to get caught existed. A cop on the side of the road, or a sign displaying your speed, has that effect. But, it is not a lasting effect. What would make it a lasting effect? The only way to slow people down, of their own accord, is to make them believe it is in their best interest to slow down. I don't have the answer on how to do that for speeders. I could probably make a lot of money if I figured that out. But, I do have the answers for internal theft. It is about how employees feel about their company. If they are happy with their job, and happy with their boss, they don't want to screw that up. They also don't feel like they are owed something beyond what they are already getting. This is where it starts.

    In a sense, catching more people has the potential to actually create ill-will with employees. If they feel that the company does not trust them, and is always looking to catch them doing something wrong, they are actually more likely to do something wrong. LP must always be conscious of the impact they may be having on employee morale. If employees feel they are not treated fairly by LP, the results will wind up being the exact opposite of what you want, which will result in even more investigations creating more ill-will, and the cycle will just continue. I am not saying that internal investigations will always have this effect, but we must be aware that it could have that effect if we do not do a good job at building relations and communicating with employees.

    So, with those "opportunists", as you described them, I do not believe that catching more people will create that tipping point. We need to find the tipping point associated with morale.



  • Bill Warnock
    replied
    Originally posted by SecTrainer
    Bill, I'm pleasantly astonished that this subject was discussed at all in your Business Law class. One of the big criticisms about business management courses in college is that they usually don't mention anything about security concerns and people graduate with degrees in business without knowing the first thing about these subjects. Kudos to your instructor!
    SecTrainer, our instructor was Mr. Suttlemeier, Suttlemeier's Business Law. He taught that course years before I attended and years after I left Ohio. The year was 1967. In addition to his teaching, he was a practicing attorney and he brought many of those adjudicated classes to class. He taught a course of instruction at the Hamilton County Sheriff's Academy in 1970. He tried to get us to understand these shoplifters and internal thieves fit a profile, long before profiling became a hot topic. His block of instruction was entitled, "Unlocking Human Behavior in Police Work." This was long before that came into vogue. In my security guide, I try to use many of his notions in the prevention side of this business. Most of the cadets as well as the college students remarked favorably of Mr. Suttlemeier as a practical man who explained law needed by police and deputies in understandable language and terminology. Later in my federal career some of his ideas really helped me be a better general investigator much to the discomfort of some federal building managers. Damn, he was a marvel!
    Enjoy the day,
    Bill
    Last edited by Bill Warnock; 04-30-2007, 11:57 PM. Reason: Missing word

