Fraud Basics

It's not just VCRs they're after anymore

Date: September 1, 2019

Fraud examiners and auditors at most organizations are cognizant of the risks of tangible assets mysteriously vaporizing. But it’s so much more difficult to keep track of proprietary digital information such as trade secrets, customer lists, product details, marketing strategies and PII.

In a previous job I had at a law enforcement organization, another auditor asked me which assets were most susceptible to fraud. Most likely, he was expecting the common answer of inventory, equipment and supplies. However, I immediately thought instead of the sensitive and confidential information stored in our police files.

Value of information

While not an “asset” per the accounting definition, information found in police files is invaluable to law enforcement organizations. Certainly, police officers can’t perform their jobs without names, addresses and criminal record information. Unfortunately, those outside of policing are also interested in this data. And fraudsters are willing to pay for it.

Consider a 2018 case out of the Netherlands where a former police officer was sentenced to five years in prison for selling confidential information to criminals. Criminals paid the former cop more than 80,000 euros (almost $100,000) in exchange for information on police investigations. (See Cop Gets 5 Years for Selling Police Info to Criminals, by Janene Pieters, NL Times, Feb. 19, 2018.) Such cases occur more frequently than you might think. And it’s not just those within organized crime rings who are willing to pay for confidential information.

In a 2017 case out of St. Louis, Missouri, three former police officers were accused of selling personal information of those who’d been involved in car accidents to a chiropractor and his wife. The couple used the information to contact the victims of the car accidents and offered them free chiropractic services. The chiropractor then told the patients to exaggerate their pain to try to get insurance settlements. Of course, the chiropractor would receive a portion of that settlement. (See Missouri chiropractor and cop plead guilty to accident kickback scheme, by Andy Marso, Kansas City Star, Dec. 8, 2017.)

Confidential information, to the right person, can be more valuable than any tangible asset.

At the click of a button

Years ago, a disgruntled employee selling stolen VCRs out of the trunk of his car might have caused significant concern for an electronics business. And, no doubt, businesses are still alert to asset misappropriation schemes. But many businesses and government bodies worry much more about information misappropriation.

We still have some file cabinets, but much more sensitive material and personally identifiable information (PII) is housed in electronic databases. Fraudsters can now glean lucrative data with simple keyword searches because of easy interfaces.

Consider, for example, motor vehicle databases. Numerous government agencies, including policing organizations, have access to these electronic files, which contain full names, physical addresses, email addresses, dates of birth, possibly citizenship status, driver’s license numbers and Social Security numbers. In the days of musty file rooms, dishonest employees would’ve had to extensively search just to find out which vehicles were registered to what drivers. Crooked department of motor vehicles’ workers can now gain access to this PII in less time than it takes for their supervisors to use the washroom. And then unsavory individuals are willing to pay the wayward employees for the material.

What can we do?

Within the private sector, information misappropriation schemes commonly include the theft of proprietary information such as trade secrets, customer lists, product details, marketing strategies and PII. The theft of these intangible assets can cause irreversible damage to organizations’ values and reputations.

Consequently, organizations spend thousands of dollars on physical security, including locks, barriers, cameras and surveillance devices. Some companies even use retina scanners and fingerprint identification to protect against unauthorized access. But often employees, who have lawful access to the information and assets, commit the fraudulent acts.

Certainly, employees need access to confidential information to perform their jobs. Let’s look at police communication technicians, for example, who receive calls for emergency police assistance and dispatch police officers. These technicians have access to police investigative files; motor vehicle databases; and personal details of criminals, witnesses, victims and complainants. They can access and quickly copy info for unlawful means. Therefore, organizations must protect information from illegitimate use the same way they protect valuable tangible assets.

A modern law enforcement department will have a sophisticated electronic database system that will capture users’ activity logs and show what files employees have accessed with dates and times. However, an organization must also focus on curbing fraudulent access before it occurs.

Audit programs

Sure, effective audit programs will help detect unauthorized access to information. Most internal auditors and fraud examiners can design appropriate audit procedures to detect fraudulent behavior. However, a well-designed audit program shouldn’t be reactionary; it has to proactively dissuade employees from committing fraud. Organizations should give all employees anti-fraud training and then administer annual assessments and mandatory tests.

Organizations that communicate their audit programs to all employees will reduce potential fraudsters’ perceived opportunities to commit fraud. However, simply advising employees that an auditing program is in place will do little to prevent would-be fraudsters if organizations don’t facilitate programs effectively. They must run regularly scheduled audits for all those who have access to databases that store confidential information.

Organizations should notify employees when their audit logs and audit results will be reviewed but also — and this is important — run surprise audits when key players are at work and when they’re away from the office.

Don’t hide it

If your organization discovers unauthorized or fraudulent activity, notify all employees. This sounds basic, but many organizations keep their internal investigations under wraps. While you shouldn’t share personal details of the fraudster and the crime, tell everybody you caught an employee.

Sharing the detection of fraud with employees has a two-pronged effect. Foremost, it proves that your auditing program is effective, which should deter similar employee behavior. Secondly, it sets a tone from the top that management doesn’t tolerate such behavior.

Identifying red flags

Circling back to the chiropractor case — how would a fraud examiner or auditor have detected this fraud? Or, in the case of motor vehicle databases, how is a single unauthorized search detected among thousands of legitimate searches? And is it possible to identify illegal searches in thousands of searches that communication technicians make each year?

We can use data analysis and data mining to answer these questions and identify possible red flags in specific searches, patterns within and relationships among data fields that, on the surface, shouldn’t have relationships.

In the chiropractor case, data analysts could’ve found the specific car accident records the crooked officers accessed, their illegal search times (whether the same each day during downtimes, when their supervisors took breaks or during standard work hours), and when they copied and printed more investigative files than normal.
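
A sketch of the log analysis described above, added here as an example and not taken from the article or from any agency's system. The log layout, the assignment table, the user names, record ids and thresholds are all constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed sample audit log: (user, timestamp, action, record id).
LOG = [
    ("tech_a", "2019-03-04T10:12", "search", "ACC-1001"),
    ("tech_a", "2019-03-04T10:15", "print", "ACC-1001"),
    ("tech_a", "2019-03-05T14:40", "search", "ACC-1002"),
    ("tech_b", "2019-03-04T09:05", "search", "ACC-1003"),
    ("tech_b", "2019-03-05T16:20", "print", "ACC-1003"),
    ("tech_b", "2019-03-06T12:30", "search", "ACC-1004"),
    ("officer_c", "2019-03-04T12:05", "search", "ACC-1001"),
    ("officer_c", "2019-03-04T12:07", "print", "ACC-1001"),
    ("officer_c", "2019-03-05T12:10", "search", "ACC-1002"),
    ("officer_c", "2019-03-05T12:11", "print", "ACC-1002"),
    ("officer_c", "2019-03-06T12:03", "search", "ACC-1003"),
    ("officer_c", "2019-03-06T12:04", "print", "ACC-1003"),
    ("officer_c", "2019-03-06T12:06", "print", "ACC-1004"),
    ("officer_c", "2019-03-07T09:30", "search", "ACC-1005"),
    ("officer_c", "2019-03-07T09:31", "print", "ACC-1005"),
]
# Constructed table of the accident files each user was actually assigned to.
ASSIGNED = {"tech_a": {"ACC-1001", "ACC-1002"},
            "tech_b": {"ACC-1003", "ACC-1004"},
            "officer_c": {"ACC-1005"}}

def red_flags(log, assigned, print_factor=3, min_days=3):
    """Return {user: [flags]} for the three patterns the article names."""
    unassigned = defaultdict(list)                 # files with no work link
    slots = defaultdict(lambda: defaultdict(set))  # user -> hour -> dates
    prints = Counter()                             # print/copy actions per user
    for user, ts, action, rec in log:
        t = datetime.fromisoformat(ts)
        if rec not in assigned.get(user, set()):
            unassigned[user].append(rec)
            slots[user][t.hour].add(t.date())
        if action in ("print", "copy"):
            prints[user] += 1
    users = sorted({u for u, *_ in log})
    baseline = max(median(prints[u] for u in users), 1)  # peer norm
    out = {}
    for u in users:
        flags = []
        if unassigned[u]:
            flags.append("unassigned_access")
        if any(len(days) >= min_days for days in slots[u].values()):
            flags.append("recurring_time_slot")   # same hour on several days
        if prints[u] > print_factor * baseline:
            flags.append("print_volume")          # printing well above peers
        if flags:
            out[u] = flags
    return out
```

Flags are leads for an examiner to review against shift rosters and case notes, not findings in themselves.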

More valuable than tangible assets

I don’t intend for this discussion to undermine the risk of asset misappropriation. Indeed, there’s a reason that the auditor at the policing organization I once worked at would’ve expected me to be concerned about inventory, equipment and supplies from a fraud risk perspective. However, some organizations — maybe yours — collect and store information that is arguably more valuable than any tangible asset.

Remember, it’s not just VCRs they’re after anymore.

Sean McGrath, CFE, CPA, is manager of medical services at Eastern Health. Contact him at mcgrath.j.sean@gmail.com.

Read more: Theft of data and intellectual property

Information is a valuable asset, and organizations, of course, must protect their intellectual property. The worth of a business is no longer based solely on tangible assets and revenue-making potential; the information it develops, stores and collects accounts for a large share of its value.

Businesses, government administrations and society have come to depend on the efficiency and security of information technology.

Information, which exists in many forms, has a distinct value that can’t be protected in the same way as tangible objects. Secure it by implementing a process of risk assessment and commensurate controls to encourage the preservation of:

  • Confidentiality: ensuring that information is available only to those authorized to access it, and those parties can only use it for specified purposes.
  • Integrity: safeguarding the accuracy and completeness of information and processing methods.
  • Availability: ensuring that authorized users have access to information and associated assets when required.

Intellectual property is a catch-all phrase for knowledge-based assets and capital, but it might help to think of it as intangible proprietary information. Intellectual property can include a business’ ideas, designs and innovations — however expressed or recorded.

Physical infiltration

Physical infiltration is the process in which an individual enters a target organization to spy on its employees and personally identifiable information. Often, corporate spies use physical infiltration if they have a tight time schedule, a lack of available recruits or expense constraints. However, a spy might also use physical infiltration when they have specialized knowledge that makes them the best spy for the job. Generally, spies with advanced technical knowledge are the best at committing such campaigns.

One common infiltration technique is to secure a position — or pose — as an employee or contract laborer of a target organization. For example, a spy might obtain work as a security officer or janitor. Another common physical infiltration technique is to steal or fabricate employee badges.

Warning signs of physical infiltration

Detecting physical infiltration can be difficult, but here are some signs that organizations can look for that might indicate spies in their midst:

  • They see vendors, janitorial personnel, security guards, trash collectors and other non-employees loitering unescorted around file rooms, offices, mailrooms, shipping docks, computer media storage areas or other sensitive areas.
  • Service technicians show up without organization employees calling them.
  • Employees report lost security badges, access cards and passwords.
  • Data containing sensitive information is missing.
  • Employee desks or offices have been tampered with.
  • Individuals try to enter facilities without proper identification or authorization.
  • Individuals attempt to gain access to a physical area by piggybacking (i.e., gaining access to a secured physical area by exploiting a false association with another person who has legitimate access).
  • Employees report trespassing or other criminal activity near secure facilities.

Countermeasures to physical infiltration

Security officers can implement these countermeasures to thwart spies’ attempts at infiltrating their companies:

  • Avoid storing proprietary data in areas visible to the public.
  • Establish procedures for tracking and locking up sensitive data.
  • Properly bond and identify cleaning personnel and control their access to facilities.
  • Verify vendors’ credentials and have company representatives escort them during their visits.
  • Encrypt proprietary lists.
  • Educate employees to properly store sensitive data and to question credentials of anyone visiting the site.
  • Instruct employees about the information they’re permitted to disclose over the phone.
  • Require employees to sign nondisclosure agreements.

Excerpted and adapted from the online ACFE Fraud Examiners Manual.
