by Kim S. Nash

How CIOs Can Learn to Catch Insider Crime

Mar 15, 2012 | 16 mins
Cybercrime, Data Breach, Fraud

Research shows that CIOs rarely discover the internal security threats that can ruin companies, even though those threats frequently involve IT systems. Here's what needs to change.

Yuan Li knew what she wanted and how to get it. For 32 months, starting in October 2008, the 29-year-old research chemist at Sanofi-Aventis downloaded trade secrets from the pharmaceutical firm. Li had worked for Sanofi, which makes the allergy pill Allegra and sleeping pill Ambien, for more than two years when she started to steal data. Her target: five chemical compounds that the company had kept secret for possible use in future drugs.

She knew which database to query to download the information to her work laptop, and from there she emailed it to a personal account. Sometimes, she loaded a USB flash drive with material. Li, a Chinese national, then put the information up for sale through a pharmaceutical company that she partially owned, whose parent is based in China.

Sanofi helped investigators from the FBI and the U.S. attorney in New Jersey to prosecute Li. In January, she pleaded guilty to theft of trade secrets and is due to be sentenced this month. She faces up to 10 years in jail and a $250,000 fine.

Sanofi declines to be interviewed about the technology and policies it uses to detect and prevent corporate crime, including Li’s long-term theft. “The measures we had in place actually contributed to the successful outcome of this particular case, and we are continuously looking for ways to improve security,” a spokesman said in an emailed statement.

Experts say this is a textbook example of insider crime and, perhaps, of IT failure. Just as no one knows what goes on inside someone’s marriage, outsiders can’t say with certainty what goes into someone else’s IT strategy. Sanofi could have done everything right and still been victimized. That happens.

But too often in cases of insider crime, basic technology safeguards are ignored or missing. CIOs can’t be proud to learn that of 11 methods of detection identified in 1,843 recent fraud cases studied by the Association of Certified Fraud Examiners (ACFE), IT controls came in dead last. They are the least likely means of identifying wrongdoing, responsible for just 0.8 percent of cases, the ACFE says. It’s more common to find out by accident (8 percent), from the police (2 percent) or even by confession from the perpetrator (1 percent). Tip-offs are by far the most common way authorities discover corporate crime, at 40 percent. Those findings have been consistent for a decade.

There are many reasons that IT falls down on the job. For one thing, most corporate systems aren’t designed from the outset with fraud surveillance in mind. Plus, throwing a lot of money and people at fraud prevention doesn’t get senior executives excited. Conventional wisdom has it that the tighter the controls, the less efficient the company. Company leaders therefore decide to accept some financial loss through crime as a cost of doing business.

And to their detriment, companies often split the task of fraud-fighting among siloed groups. Internal audit does one thing; compliance does another. IT supports the silos, but there’s no coherent, companywide plan, says Paul McCormack, an investigator and executive vice president at Connectics, a fraud-prevention consultancy.

Choosing a combination of technologies and policies to thwart the darker parts of human nature requires a continuous risk-benefit calculation. CIOs can change the equation with new thinking and new technology, starting by promoting the notion that fraud prevention is everyone’s business, says Marshall Romney, a professor of information systems at Brigham Young University who has studied corporate fraud for three decades. For CIOs, that means spreading the word that detection and prevention don’t have to make a company less agile.

And anti-fraud efforts are far more effective if major IT systems are configured with surveillance and analysis capabilities from the start. Advances in big data analytics, meanwhile, let CIOs create systems to sift through billions of transactions, customer interactions and employee activities to spot the buds of corporate crime before it blooms. Specialized vendors such as FICO, Fiserv and NICE Actimize use neural networks and scenario matching to detect financial crimes, a $2.9 billion software market expected to grow 8 percent per year through 2015, according to research company IDC. IBM, SAS and other enterprise players also offer some fraud-management capabilities.

To make the best use of such tools, CIOs must elevate the discussion of fraud fighting, pouring much more detailed information into the risk-benefit analysis, Romney says. Involve all departments–especially operations, audit and legal–to consider factors such as economic conditions, business outlook and the cost of the programs in hard dollars, he advises. Make informed decisions about the loss of business agility that security technology can bring. Realize that what works in one industry won’t in another, and that each CIO must deal with his own company’s proclivities.

“This is a high-level conversation that has to go all the way to the board and CEO,” Romney says. CIOs who balance these variables can stop, prevent and maybe even predict insider crime, saving serious money and avoiding immeasurable damage to the company. But first they must reform some outmoded approaches.

Billions Lost, Poof, Gone

Humans think up all sorts of crime, from stashing office supplies in a briefcase to hiding money under layers of complex computerized investment transactions. “If you operate as a company, you will have fraud,” says McCormack, who has worked on cases at Delta Air Lines, Ernst and Young, PricewaterhouseCoopers and SunTrust Banks. “I’ve yet to meet any C-level person who says, ‘I’m so proud that we have 500 people preventing fraud.’ It’s not what people want to put out there as a badge of honor. It’s a necessary evil.”

The Sarbanes-Oxley Act, enacted in 2002, was supposed to stop a lot of big crime by giving internal and external auditors new and more detailed safeguards, procedures and processes to check. The regulations encode good base-covering practices and serve as a proxy for good behavior. Lawmakers had an appetite for reform after colossal crimes at Enron, HealthSouth and other companies outraged the public, especially employees of those companies whose salaries and pensions were swindled away.

But 10 years on, we have a new crop of corporate miscreants at whom to rage. Investor Bernie Madoff, now serving 150 years in jail, confessed in 2009 to a Ponzi scheme that defrauded customers of perhaps $50 billion or more. Last September, investment bank UBS blamed a $2 billion loss on a rogue trader who was charged with fraud and false accounting. The trader pleaded not guilty and is scheduled for trial this September.

Maxim Healthcare Services recently admitted to $61 million in Medicaid fraud and agreed to pay a fine of $150 million to the federal government and 42 states. Afterward, the company replaced all its senior executives, including the CIO.

Sarbanes-Oxley may have curbed some would-be criminals, but companies over-rely on auditors to detect crime, McCormack says. Still, CIOs can make a dent by aiming technology and policy tools at common kinds of insider threats, he says.

Of all the types of internal fraud, theft of assets–office supplies, computer equipment and so on–is the least costly but still significant, according to ACFE research. Losses in the average case amount to $135,000, the ACFE says. Corruption schemes, such as bid rigging and kickbacks, cost $250,000 on average. Financial statement fraud does the most damage, with each case responsible for $4 million in losses on average.

Technology can help, but CIOs should not hand off the job to project managers doing piecemeal work, says Frank Wander, a former CIO at Guardian Life Insurance, The Harry Fox Agency and the Prudential Institutional Division. Instead, make fraud detection and prevention an organizational mandate exemplified by the ethical, upright behavior of top executives, Wander says. “People do what you do. That’s how the world really works.”

‘Tone at the Top’

If people get the idea that senior leaders don’t pay attention to wrongdoing–or worse, take liberties themselves–they will go along, says Jim Anderson, a management consultant at Blue Elephant Consulting. Ethics, Anderson says, is nothing more than daily decision-making in big and small situations. Rarely does anyone face a “burning building” quandary where there’s no doubt as to the right answer.

“If you’re sitting in your cube and some strange guys with sunglasses show up with metal suitcases full of $20 bills, you’d say no,” he says. “But what happens instead is that ethical decisions sneak in around the corners of our average day.”

Maybe an employee is late with a project and downloads data to bring home to work over the weekend, Anderson says. The employee knows he shouldn’t because the information is confidential, but he figures he’s breaking the rules for the right reasons. Months later, maybe the job is going sour, so he takes data to be able to defend himself in a poor performance review. Each time, no one says anything about his actions. Maybe they’re not looking at network logs; maybe they don’t care.

Then things get hostile between the employee and the company, and he takes the work he’s done, intending to quit and find work at a competitor. “It’s a snowball,” Anderson says. “It’s the first ethical lapse that will cause all the problems down the road.”

Wander, who recently founded the consultancy IT Excellence Institute, agrees. “Companies that have trouble don’t have the right tone at the top,” he says, adding that CIOs can influence culture many ways.

For example, at the quarterly town hall meetings Wander held with Guardian’s IT staff, he regularly focused on security issues and safeguarding company data. “Every individual knew it was a divisional priority,” he says. A CISO worked alongside Wander, not reporting to him, to spread understanding of the issues across departments. Companies that separate the roles this way also balance responsibility for the protection of corporate assets, he says. If too much falls to the IT group, other departments may get lax or get the idea that ethics isn’t part of their job. “Address [anti-fraud efforts] in people’s reviews so they understand they are responsible.”

A Neighborhood Watch mentality at work helps cut criminal activity, says Carl Tidwell, CIO of the American Type Culture Collection (ATCC), a nonprofit research center that supplies microorganisms and other materials to life sciences researchers. Tidwell says he tries to educate employees about warning signs, such as people struggling with finances or living beyond their means. That’s evidence that humans can see but computers can’t, such as the former controller of a Pittsburgh car dealership who enjoyed a mink coat, 10 cars, four homes, gold bullion and a $32,500 lunch catered by Food Network star Ina Garten. Over six years, the controller falsified accounting records, transferring $10.2 million from the dealership to her personal bank accounts in 800 transactions. She pleaded guilty in January to wire fraud and is due to be sentenced in May. The dealership did not respond to requests for comment.

Even when companies insert IT controls into their business processes, they too frequently fail to monitor them, says Matt Lynch, a fraud investigator who has worked at Altria Group, a $21.4 billion cigarette company, and Palmetto GBA, which administers benefits for Medicaid and Medicare. Real live human beings from IT, audit, legal or other groups should be assigned to look at transactions randomly, he says. Often a business that’s making money doesn’t bother with too much introspection, he says. Or executives don’t want to think crime happens at their place. “They think, ‘These are people I work with and I trust,'” he says. “I’m sorry, but a lot of people trusted Bernie Madoff. Fraud is just a fact.”

Instilling outright fear, however, works against you because employees become secretive and suspicious of each other, inhibiting collaboration and stalling productivity, says investigator McCormack. A little trepidation, however, can be helpful. Show employees how serious you are, he advises. Write policies that explain what people can and can’t do with company data and other material. Create anti-fraud training and give programs at least twice per year. Have employees sign confidentiality agreements, he suggests. “Establish a tone and set of expectations as soon as people walk in the door so they know what the company does to stop fraud and that they will be caught,” he says.

The most damaging thing leaders do is keep quiet when something goes wrong, he says. Routinely monitor the movement of large or sensitive data sets around the network and spot-check where they’re going. “All it takes is examining a couple of those transactions and then talking to people about it. Word gets around.”

Technology to Close Holes

Word also travels when an organization leaves itself vulnerable by skimping on basic IT controls. Some people will take advantage of what you didn’t do, Tidwell says. He remembers well what happened at a former company. He suggested to the CEO that IT block computer ports, so employees couldn’t use portable drives, and monitor email for large data transfers. “I was told, ‘No, we trust our employees,'” Tidwell recalls. Soon after, a researcher quit, walking away with $300,000 to $400,000 worth of intellectual property that he had sent to a personal email account–a delivery method similar to the one the researcher at Sanofi used. This researcher, however, got a job at a competitor and started work using the stolen information.
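A spot-check of the kind the preceding paragraphs call for (large transfers to personal webmail, bulk writes to removable media, and external sends that recur month after month, the low-and-slow pattern of the Sanofi case), as an added example that is not code from the article or from any company it names. The log format, the domain lists and the thresholds are assumptions; the log lines are constructed.

```python
# Added example: exfiltration spot-check over constructed email-gateway and USB logs.
# Log format, field names, domain lists and thresholds are assumptions, not any vendor's.
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: ISO timestamp followed by key=value fields.
SAMPLE_LOG = """\
2012-01-03T09:12:00 user=rchem action=email to=rchem@corp.example bytes=120000
2012-01-03T18:40:00 user=rchem action=email to=rc2008@webmail.test bytes=48000000
2012-01-04T18:41:00 user=rchem action=usb_write dev=flash01 bytes=230000000
2012-02-09T19:05:00 user=rchem action=email to=rc2008@webmail.test bytes=51000000
2012-03-14T17:55:00 user=rchem action=email to=rc2008@webmail.test bytes=46000000
2012-01-05T10:00:00 user=jdoe action=email to=partner@vendor.example bytes=2000000
2012-01-06T11:30:00 user=jdoe action=usb_write dev=flash07 bytes=900000
"""

INTERNAL_DOMAINS = {"corp.example"}   # assumed: the company's own mail domains
PERSONAL_WEBMAIL = {"webmail.test"}   # assumed: consumer webmail domains to watch
LARGE_BYTES = 25_000_000              # assumed "large transfer" threshold (25 MB)
LOW_AND_SLOW_MONTHS = 3               # external sends in this many distinct months

def parse(line):
    """Turn one log line into a dict with parsed timestamp and byte count."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["bytes"] = int(rec["bytes"])
    return rec

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def analyse(log_text):
    """Return {user: [reasons]} for users whose transfers warrant a human look."""
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse(line)
            per_user[rec["user"]].append(rec)
    alerts = {}
    for user, recs in per_user.items():
        reasons, months = [], set()
        for r in recs:
            if r["action"] == "email":
                d = domain(r["to"])
                if d in INTERNAL_DOMAINS:
                    continue                      # internal mail is not exfiltration
                months.add((r["ts"].year, r["ts"].month))
                if d in PERSONAL_WEBMAIL and r["bytes"] >= LARGE_BYTES:
                    reasons.append(f"{r['bytes'] // 1_000_000} MB to personal webmail {r['to']} on {r['ts'].date()}")
            elif r["action"] == "usb_write" and r["bytes"] >= LARGE_BYTES:
                reasons.append(f"{r['bytes'] // 1_000_000} MB written to removable media {r['dev']} on {r['ts'].date()}")
        if len(months) >= LOW_AND_SLOW_MONTHS:    # repeated external sends, small or not
            reasons.append(f"external email sends in {len(months)} distinct months")
        if reasons:
            alerts[user] = reasons
    return alerts

if __name__ == "__main__":
    for user, reasons in analyse(SAMPLE_LOG).items():
        print(user, *("  - " + why for why in reasons), sep="\n")
```

Each flagged user is a prompt for the follow-up conversation McCormack describes, not a verdict; the thresholds are the part to tune against a real gateway's baseline.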

The rival notified Tidwell’s company. “They packed up everything, including his computer, and sent it to us,” he says. “The CEO was apologetic [to me] afterwards. He dodged a bullet because the competitor was an ethical company.”

CIOs can use IT to reinforce and extend policies and behavior that promote an ethical culture. Wander’s philosophy is one of minimum access. “You want people to have the least privilege to get done what they have to get done,” he says.

A CIO’s hands are tied if a CEO thinks IT controls are intrusive. But new technologies can obviate the need to outlaw some practices, Tidwell says. At ATCC, he is exploring virtualization, which means flash drives won’t be an issue, as central servers provide data to authorized users on thin clients. There will be no USB ports on the client hardware, and employees will be able to share secured data. Productivity won’t be hampered, he says, and senior leaders won’t look heavy-handed.

As employees themselves bring new technology to work, especially smartphones and tablets, detailed and constant education can help mitigate the risks that come with these new devices, says Stephen Laster, CIO of Harvard Business School.

For example, his IT group creates artistic informational posters to hang in common areas where personnel gather. Recent posters focused on three ways to secure a smartphone: use a password, enable location detection so you can find a lost device, and enable remote wiping of its data. Those measures help protect a company’s information should the device be lost or stolen. “Training is episodic. You need a continuous, engaging marketing campaign,” Laster says.

At Graham Group, a $1.8 billion construction company, CIO Kim Johnson has tried to set up systems so that emailing large chunks of data to each other isn’t the normal way to work. The company recently began developing a collaboration and workflow system from SAP, in part to eliminate the need for executives to sign off on major contracts via paper or email. The system also helps employees work together on sensitive projects without having to send files to each other. “Fraud prevention is built in during the design of IT systems,” Johnson says.

Graham Group is also installing SAP financial applications this year. As soon as the idea germinated to buy and customize the software, Johnson requested that a key person from the internal controls committee participate in the design and configuration. He and the CEO wanted to weave anti-fraud measures into the software beyond what comes stock from SAP, he says. Top leaders considering these measures before setting up new technology and business processes reflects a more enlightened approach to fighting corporate crime, Johnson says. “We don’t want to be one of those bad crime stories in the media.”

Next: Predictive Monitoring

For Romney, the IT professor, there are no small corporate crimes, just big ones discovered early. “Once I perpetrate a fraud and get away with it, do I do it just once and stop? No. Human greed is such that if I can take a little, why not take more?” he says. Criminals start by stealing small amounts over periods of time. Then they take larger amounts more frequently. Many times, they get caught.

The next question for CIOs, he says, is: How can we figure out what the really smart criminals are doing?

Beyond detection and prevention lies the possibility of prediction. Credit-card holders know that fraud monitoring systems at banks alert customer service agents to unusual transactions. A rush of purchases of high-end electronics or airline tickets can trigger a call to the credit-card holder to make sure these items are legitimate. Sometimes, a card will be suspended pending confirmation from the customer.

Healthcare organizations are also beginning to use big data techniques to uncover suspicious activity, with good results. HMS Holdings, which coordinates benefits and looks for ethical problems for government agencies and commercial healthcare plans, helped recover $2 billion in costs related to fraud, waste and abuse in 2011, says CIO Cynthia Nustad.

HMS analysts and investigators comb petabytes of data in queries of billions of rows, she says. They use advanced queries and analysis, and will soon be leveraging data visualization–using pictures and maps of query results–to identify potential fraud faster. “If we can make it interesting and artful, then the number of questions you can answer more quickly is very significant.”

Of course, people tend to think that ruinous fraud won’t happen to them. That’s probably what executives at Barings Bank, a 233-year-old institution, thought before it collapsed in 1995 after a rogue trader lost $1.3 billion and tried to cover it up. And MF Global, a now-bankrupt brokerage, is under investigation by the Department of Justice and the Securities and Exchange Commission for alleged bookkeeping problems. Trustees estimate that up to $1.2 billion is missing.

Watching giant companies go down at the hands of insider criminals has provided an education to CIOs willing to learn, says Johnson, Graham Group CIO. “Ten years ago, I’d have said, ‘This is not my area.’ But now it’s very important for me to be involved,” he says. “It’s another way we’re measured: Not just how efficient IT makes a process, but how controlled the process is.”
