“How Many Times?”
We, and our partners, often ask ourselves that very question after hearing case after case of employee fraud being committed at an enterprise. How many times will these companies endure suspicious activity by their employees before they get the right tool to send them alerts about it? How much money will they lose before they understand that there is a certain amount of usage data that cannot be monitored manually?
It’s puzzling how organizations can invest so much money in high-priced security software, declaring how important fraud prevention is to them, when often they’re looking in the wrong places or they don’t investigate the very thing that should be investigated: user behavior. Sure, they may be checking security issues such as where people are logging into Windows from, or whether timecards are stamped properly, but that’s not where the big money the thieves are after is, and they can’t see the forest for the trees. Instead, they keep getting trapped in the hamster wheel of fraud. Two words: “user behavior.”
Irregular behavior: a needle in the haystack
It all begins with an employee who’s acting irregularly. A warehouse employee is poking around in invoice values, someone from accounting is tapping into HR information, a sales manager is taking a quick look at his friend’s sales figures in order to compare their bonuses. Even if the organization has as few as 400 employees, no person can identify these deviations from normal activity because the amount of usage data to sort through is massive. A person can’t, but software can. Software can learn each employee’s regular behavior, compare it with “good” behavior and send an alert when irregular behavior occurs. Thus, cases like the ones illustrated above can be quickly eliminated if, beforehand, the customer has implemented profiling-based software and set the proper alerts. Key point: setting alerts.
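To make the profiling idea concrete, here is an added example (not code from the original post or from any product it describes) of the simplest form of behavioral baselining: learn which data categories each user and each department normally touches, and whether a user normally reads other people's records, then alert on new events that fall outside that baseline. The log format, the key=value fields, and the users and departments are all constructed for illustration; real tooling would also weigh volumes and timing, but the three cases from the paragraph above (warehouse user in invoices, accounting user in HR data, sales manager in a colleague's figures) are exactly the kind of deviation a set-membership baseline already catches.

```python
"""Per-user behavioral baselines with deviation alerts.

Added example, not code from the original post. Log format, field names,
users and departments are all constructed for illustration.
"""
from collections import defaultdict

# Constructed sample of audit-log lines from a "known good" learning period:
# who accessed which data category, and whose record it was ("*" = aggregate
# or non-personal data).
BASELINE_LOG = """\
user=wh01 dept=warehouse cat=stock owner=*
user=wh01 dept=warehouse cat=shipment owner=*
user=wh02 dept=warehouse cat=stock owner=*
user=acct01 dept=accounting cat=invoice owner=*
user=acct01 dept=accounting cat=ledger owner=*
user=acct02 dept=accounting cat=invoice owner=*
user=sales01 dept=sales cat=sales_figures owner=sales01
user=sales01 dept=sales cat=sales_figures owner=sales01
user=sales02 dept=sales cat=sales_figures owner=sales02
user=hr01 dept=hr cat=hr owner=*
"""

# Constructed lines from a later period, mirroring the three cases in the post.
NEW_LOG = """\
user=wh01 dept=warehouse cat=stock owner=*
user=wh01 dept=warehouse cat=invoice owner=*
user=acct02 dept=accounting cat=hr owner=*
user=sales01 dept=sales cat=sales_figures owner=sales02
user=sales02 dept=sales cat=sales_figures owner=sales02
"""


def parse_log(text):
    """Turn 'key=value key=value' lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        events.append(dict(field.split("=", 1) for field in line.split()))
    return events


def build_profiles(events):
    """Learn, per user and per department, which data categories are normal,
    and per user whether reading other people's records is normal."""
    user_cats = defaultdict(set)
    dept_cats = defaultdict(set)
    reads_others = defaultdict(bool)
    for e in events:
        user_cats[e["user"]].add(e["cat"])
        dept_cats[e["dept"]].add(e["cat"])
        if e["owner"] not in ("*", e["user"]):
            reads_others[e["user"]] = True
    return user_cats, dept_cats, reads_others


def detect_deviations(profiles, events):
    """Compare new events with the learned profiles and return alert tuples
    of (user, category, reason, severity)."""
    user_cats, dept_cats, reads_others = profiles
    alerts = []
    for e in events:
        user, dept, cat, owner = e["user"], e["dept"], e["cat"], e["owner"]
        if cat not in user_cats[user]:
            # Category is new for this user; severity is higher when nobody in
            # the same department normally touches it either.
            sev = "high" if cat not in dept_cats[dept] else "medium"
            alerts.append((user, cat, "new_category", sev))
        if owner not in ("*", user) and not reads_others[user]:
            # User is reading a named colleague's record, which the baseline
            # never showed them doing.
            alerts.append((user, cat, f"peer_record:{owner}", "medium"))
    return alerts


def run():
    """Learn from the baseline period, then score the new period."""
    profiles = build_profiles(parse_log(BASELINE_LOG))
    return detect_deviations(profiles, parse_log(NEW_LOG))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Running it yields three alerts: the warehouse user's first look at invoices and the accounting user's first look at HR data (both "high", since their whole department never touches that category), and the sales manager reading a colleague's figures. One caveat worth keeping in mind when deploying anything of this shape: the learning window must itself be clean. If the baseline is built from a period during which the fraud was already under way, the misuse is learned as normal and never alerts, which is one more reason to set the alerts early rather than after the first loss.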
From our experience, there are different types of personalities that choose not to implement alerting mechanisms for detecting irregular activity of their employees:
- Those that don’t want to know. Why not take the responsibility of knowing? Because with this responsibility comes accountability. If an employee is committing fraud and nobody gets alerted about it, then nobody is held accountable for it, and the security team can’t be blamed for not acting upon it. Ignorance is bliss; what they don’t know won’t hurt them.
- Those that don’t know what to do. These types do find out about the underhanded activity but might not have the resources or desire to take on a new task in order to deal with it. It’s possible they don’t want to hire an external consultant or simply take a course. They just don’t want to be bothered because they are comfortable.
- Those that don’t have the time or money. This type is swamped under a mile-high stack of other projects. They know it’s an important issue that must be dealt with, but they can’t think about it for another two years. They’ll say, “Come back then because the management needs me to monitor timecard stamps right now.” It’s a vicious cycle, and truly ironic: they just need to identify who is stealing money and stop wasting time on other minutiae. It’s a total catch-22.
- Those that simply don’t care enough. I know of a company that was hacked out of $40 million by an internal employee over the course of a few years. When they were approached afterwards with an alerting solution to prevent it from happening again, they said, “It’s not important enough. Lightning doesn’t strike the same place twice. If we were hacked once, we will not be hacked again.” So guess what happened?*
If you liked this blog, read our other blogs that deal with SAP user behavior:
The Dreaded SAP_ALL Power Profile
The Adventures of a Bored Programmer
*Does lightning strike twice in the same spot? Brent McRoberts of Texas A&M University reports, “Lightning often strikes the same location multiple times. Just look at the Empire State Building, which gets hit by lightning at least 50 times every year, often several times in the same day. The Sears Tower and Cape Canaveral also get hit by lightning several hundred times each year. In general, tall structures, such as buildings or radio or TV transmission towers, are almost certainly going to be hit by lightning.”