Take Steps to Prevent Employee Theft and Improve Cyber Security
By Stefanie Kouremetis, City of Portland Crime Prevention Program
I have seen caring and dedicated staff members white-knuckle their way back to solvency after an employee embezzled over $100,000 from their non-profit agency. It’s hard to watch good people struggle to keep their organization’s doors open in the wake of that kind of betrayal.
Employee theft and data security breaches are two areas in small businesses that are often neglected yet can completely devastate, if not shutter, a company.
Because you must wear so many hats to run your business, it may be challenging to establish safeguards. Regardless of the size of your business, do what you can to keep employees honest and criminals at bay. Every step you take is one in the right direction.
Strategies to prevent employee theft
At the non-profit, the long-time accountant abruptly resigned after payroll checks bounced. Despite having full jurisdiction over all cash handling, accounting, and reporting functions, she was no longer able to cover her tracks after embezzling all of those funds. I imagine that she also wanted to avoid looking her boss and colleagues in the eyes when they finally discovered her deceit. A yearlong investigation took its toll on staff.
Fortunately, they made it to the other side, but unfortunately they are not alone.
Employee fraud is a global problem costing companies an estimated five percent of total revenue every year. In the United States, companies are estimated to incur a median loss of $120,000 per case, an amount that can shutter a small business. When you’ve created a close-knit environment in the workplace, it may feel uncomfortable to implement internal controls. However, you owe it to yourself, your partners, and your employees to protect your business.
It would be much more convenient if all that was needed to prevent employee theft was a criminal background check. Unfortunately, that’s not enough. Many perpetrators—such as the thieving accountant above—have not been previously charged with a crime. Fraud experts generally accept the 10-10-80 fraud rule that ten percent of employees will never steal while ten percent will do so when the opportunity arises. The remaining 80 percent may commit fraud and theft if they experience financial pressures, are able to rationalize illicit actions, and see the opportunity to do so. Focus on that 80 percent.
Employee theft prevention starts at the top. Adopt a code of conduct that is enforced, reinforced, and modeled by owners and managers. It’s your business and you want to have freedom in what you do. However, employees are more tempted to stray when their bosses break the rules. It normalizes the behavior.
Red flags often become glaringly apparent after fraud is uncovered, such as suspicions that the perpetrator had a gambling addiction, financial problems, or was suddenly acting strangely. Get to know your employees and pay attention when there are changes in their behavior or life circumstances that make them more susceptible to misconduct. This doesn’t mean not being compassionate when your employees are going through hard times. It’s about finding a balance between compassion and vigilance over work activities. Keep in mind that you’re not just protecting your business for yourself, but also for your other employees.
One especially effective internal control to counter these vulnerabilities is to segregate duties. The four-person office of that non-profit was stretched thin and the accountant was assigned most cash and asset handling and record keeping duties. Separating the roles of handling assets, such as cash and inventory, from the roles of maintaining or reconciling the records of those assets reduces the temptation to commit a crime and makes doing so more difficult. The more separation, the better. The goal is keeping staff in check and providing a mechanism for the early detection of fraud. Otherwise one person can steal the assets and cover the financial trail. This kind of separation requires creativity where staffing is limited. One example of separation of duties is to have the owner directly receive, review, and reconcile the bank statements, while an employee handles cash and assets.
It may sound quaint, but it’s worth providing a suggestion box or other method for employees to anonymously report problems. Employee, customer, and vendor tip-offs lead to the detection of fraud in over 39 percent of cases.1 So, take all complaints seriously and investigate them immediately.
Small businesses are increasingly victimized by data breaches
Just as employee theft can deliver a devastating blow to an organization, a cyber attack can also leave a business reeling. Many small businesses are concerned about data security but mistakenly think that cyber criminals prey only on larger corporations with abundant resources.
Hackers do target small businesses, precisely because they know that many don’t have the personnel or funds to shore up their defenses. Spear-phishing attacks on small businesses jumped significantly from 18 percent in 2011 to 43 percent in 2015. Ever-evolving ransomware attacks spiked three-fold across all company sizes from January to September 2016 alone, and this trend will likely continue.
One of these attacks can cost a small to medium business up to $99,000. Between the disruption of normal operations and the damage to a company’s reputation and its customers’ trust, that’s enough to destroy a business. One study conducted a few years ago showed that 60 percent of businesses close within six months of a cyber attack. It’s vital to have a prevention plan in place, both to reduce the likelihood of an attack and to respond efficiently to a breach and limit the losses.
Some cyber security basics to consider in your security plan:
- Keep software up-to-date and opt for automatic updates where you can. Hackers learn about the security flaws that are patched with an update and attempt to exploit those vulnerabilities in companies that haven’t updated. Continue to use and update firewalls, anti-virus, anti-malware and anti-spyware software. Your internet provider may provide free software, so take advantage of this when you can.
- Use encryption software to protect sensitive data related to customers, employees and business practices.
- Set a firm policy requiring employees to select unique, long, and ideally random passwords that include a combination of letters, numbers, and punctuation and change them regularly. Despite all of the cautionary tales out there, people are still using “password” and “123456.” Third parties with whom you do business should be held to the same standards when they are granted access to your data.
- Don’t mix personal and professional business. When employees visit websites or download apps for personal use, it exposes your company to unnecessary risks, including malware.
- Reduce spam and phishing vulnerabilities. Adjust the protection level of your spam filter to reduce the number of spam emails that make their way to your and your employees’ inboxes. Employees can identify and forward spam messages to the spam filter. With increases in spear-phishing, train your employees to identify phishing emails and inform them of any new trends.
- Restrict employees’ and contractors’ access to only those areas on your network necessary for the job.
- Have a backup plan. You should constantly back up your company’s data. If you are a victim of ransomware, the continuity of your business may depend on being able to restore backup data.
- Establish two-factor authentication on your web logins and online accounts.
Protect your business and tend to these often neglected areas that make you vulnerable to employee theft and data breaches. As a small business owner, you have a lot on your plate, but the fallout from a cyber attack or internal theft can devastate your business. And it can take a lot to recover and restore your company to health.
For more basic security tips, check out our Data Security Checklist. The Crime Prevention Program also has more suggestions for strengthening your security practices in our brochure Employee Theft Prevention for Small Businesses.
If you’re in San Francisco, please join Townsquared and a panel of experts from the Christian Science Monitor’s cyber security vertical Passcode, for Cybersecurity for Small Businesses & Startups: Building a Trust Framework, March 30, from 6:30 PM to 9:00 PM at the Capital One Cafe. The workshop will explore what cyber security risks really exist for small businesses and start-ups. You’ll learn how to begin building a framework for evaluating the threats you face and choosing the right services to help protect your data.