Thieving employees can destroy a business that took years of blood-sweat-tears to build. Not only do the owners suffer but all the honest-hard working staff who could lose their jobs.
There are 100’s of articles on businesses nearly losing all due to employee theft – below are just a small collection.
Staff theft almost closed supermarket
‘Trusted employee’ sentenced for theft
What becomes apparent while reading the articles is the amount of trust owners and managers grant employees – sometimes ignoring the obvious signs of theft because they cannot believe the “trusted” employee could “do that to them”.
Showing that you trust an employee can provide a loyal and long lasting relationship but can also breed opportunity.
In order to reduce theft within the work place I have provided some security processes you should implement.
Separation of Duties
All critical tasks such as banking, payroll and billing should be managed by more than one employee. For example all payments to suppliers/contractors/customers must have two signatories for sign-off. A summary of the accounts should be automatically emailed to a senior manager including audit events (audit events should record all additions, modifications and deletions done by the system and users. The audit logs cannot be altered by anyone including administrators. So if an employee covers up their theft by changing or deleting records within the accounts system the audit logs will show all events).
Separation of duties provides a business with the ability to remove the chance of having one person within the business in complete control of a critical process(s). There should be no employee that has the “is the only one that knows how to do this” role.
Job rotation is the process of rotating employees among numerous jobs within the business. It maybe hard within a small business where there are limited staff and/or jobs but even having the marketing person hangout with the payroll person for a day can offer some benefits.
Job rotation provides two core benefits:
1) Provides a type of knowledge redundancy whereby if the payroll’s person gets run over by a bus another person who worked within that role for a period can take over while a suitable replacement is located.
2) Moving an employee around reduces the risk of fraud, theft, sabotage etc.. The longer an employee works within the same role, the more likely they will identify holes in the process to hide illegal activity.
Have you ever had an employee that refuses to go on holiday or allow anyone to take over their role for even a small period? That should raise alarm bells. Many cases of theft within a business identify that the staff member was in complete control of their tasks and hardly took any holidays sometimes for years on end.
By forcing all employees to take a holiday every year a business can not only audit all work done by the employee but allow another employee to learn the tasks as well – fulfilling the “Job Rotation” requirement.
Document the Tasks for a Process
By documenting in detail the steps for every process within a role the following benefits are provided:
1) A training manual for any new employees taking on the role.
2) A great resource for auditors reviewing the employee.
Principle of least privilege
The Principle of least privilege is applied within security to make sure that a person is not assigned rights and privileges they do not need to fulfil their role. For example having the employees use an admin level account on their desktop computer is a big no-no because it allows them to add, delete and modified software installed on their machines – which increases the damage malware can do on the computer and network.
An employee should only be allocated the rights and privileges they need to fufill their role – no more.
On top of that long term employees may also accumulate all kinds of rights and privileges as they change roles throughout their employment. This is called “privilege drifting” meaning the employees rights and privileges drift to each new role. This is why every employee must be audited (while they are on holiday!) so all access, rights and privileges not removed from previous roles and not needed anymore are removed.
If you reflect on an employee who uses an account on a networked business computer with full admin rights and also has accumulated over the years all kinds of rights and privileges from every role they did and none where removed – then goes “rogue” you can see where theft can be quite easy.
So in summary employee theft can be dramatically decreased by just implementing a few basic security practices.