Disclaimer: Opinions are of Victor Lessoff as an individual, not attributed to any particular organisation.
What risks are involved with returning to the office versus risks with home working?
This is actually a very interesting question as one might think that a return to the office would reduce the opportunity and ability for an inside actor to perpetrate corporate fraud. Such a premise would be based upon organizations ability to re-implement certain “on location” controls that were compromised when alternate workplace (work at home) protocols were enacted. The first fallacy of such a premise is that many of our organizations are not bringing employees back to the office in the same manner as the pre-COVID world. Some employees are likely to continue to work from home while returning to the office for others will be a hybrid system with the ability and approval to log in from off-site for part of the work week. Accordingly, many of the same weaknesses in a full time work from home may still exist in a part time work from home scenario. For example, a customer service representative who wants to take pictures of sensitive client data off of their monitor would likely do so on the days that they are working offsite, but not necessarily on the days they are on-site when they would have a higher chance of getting caught by traditional physical surveillance controls. At the same time, the same old opportunities for fraud and inappropriate activities will re-emerge as employees come back into the office. Travel and expense fraud is certainly an area of increased concern as employees begin to expense business trips once again. Sometimes even the benefits associated with in office environments can create re-emerging opportunities for fraud. Clearly one of the biggest benefits to organizations to have employees back in the office is so that they can more effectively collaborate with each other and external stakeholders through personal interaction. Unfortunately, the ability to develop trust and understanding through personal interaction can also create opportunities for collusion in perpetrating fraud to the detriment of an organization. For instance, purchasing agents will once again be meeting supplier representatives both on and off premise, developing trusting relationships and perhaps becoming comfortable enough with each other to propose bidding, kickback, inappropriate gratuity or invoicing schemes. Similarly, back office employees in payment or receipt processing may find it more comfortable to commit fraudulent schemes with others who they know through in-person interaction. It is not that it isn’t possible to collude to commit fraudulent schemes over the phone or by video, but it certainly is harder and more fraught with the peril if you don’t have the opportunity to develop a trusting relationships through in-person interaction.
What opportunities are there for fraudsters to identify loopholes with hybrid and remote working?
Traditional anti-fraud and data loss prevention controls that were literally built into to “on-premise” work environments cannot easily be relocated to individual work locations. For instance, entry systems, barriers, locked containers and cameras in work environments to monitor employee’s physical actions (i.e. using a cell phone camera to take “screenshots” of customer PII”) may not be replicable within home environments. IT equipment in employee’s personal possession may be at greater risk of compromise or theft. Supervisors can no longer “walk the floor” or “check in” with employees on a regular basis. In addition, inappropriate, fraudulent or concerning activity that may have been observable to other employees (or perhaps overheard) is now occurring within the confines of a person’s home, hidden from common view. All of these more physical surveillance and access controls not only served to detect inappropriate employee actions, including data misuse/theft, they also served to provide a perception that there was a high chance of getting caught if one were to engage in inappropriate or fraudulent activities. When working “offsite” one can now turn off the camera, mute the microphone or even feign connectivity problems if one wants to hide their actions/activities from others. Data misappropriation becomes one of the most significant risks employers face in the offsite work environment. Once an employee has the ability to login from an outside local, the ability of an organization to control the information accessed through the externally located device is severely limited. While some controls can limit potential data theft, such as restricting devices from printing or downloading onto storage devices, the offsite employee will still be able to access and display sensitive information outside of the “four walls” of the organization. In reality, it is entirely possible that the individual accessing the information is not the employee, but could be a third party to whom the employee provided (or sold) their computer and sign in credentials to. Thus organizations need to determine if some employees who have access to highly sensitive information should be allowed to work offsite or if some information should be restricted to only devices located at secure organizationally controlled offices.
