Hollywood glamorises and places the solo, external hacker on a pedestal: the man who single-handedly breaks through every defence and security measure, wreaking havoc in the IT systems of his hapless victim. But could it be that rumours of his existence have been greatly exaggerated?
The technology industry has more to lose than most when it comes to intellectual property and data. It is rightly afraid of individuals and organisations with malicious intent attempting to steal from them. However, since three quarters (72 percent) of frauds affecting companies involve an insider*, the most pressing security issue for the sector is not the Hollywood hacker, but rather the enemy within.
Consider the case of Mt. Gox, the formerly dominant Japanese bitcoin exchange which went bust last year after losing more than $400 million worth of bitcoins. Not only was the company placed into bankruptcy, but it put the entire alternative currency sector into jeopardy: the value of bitcoin crashed in its wake. What was, at the time, widely considered to be an external hack is now thought to have been an inside job.
This is not to say that hackers and external threats do not pose a danger to businesses. We need only look at last year’s Sony hack for evidence of the damaging effects of being hacked. Yet the ever-present danger for organisations lurks not outside their walls, but among their own ranks. And there are times when businesses leave themselves more open to the possibility of letting potentially damaging individuals slip in.
So when is the industry most vulnerable to internal threats? And what can be done to combat the rising incidence of internal fraud?
HireRight’s recent study, The Untouchables: protecting your organisation from leadership risk, found that in over half (53 percent) of IT and technology organisations, background screening has uncovered a leadership lie. It is no wonder, therefore, that it is the sector where reputational risk is most likely to be rising up the boardroom agenda.
In spite of increasing talk around protecting against internal risk, little seems to have actually been done. Of all the industries we investigated – including financial services, oil and gas, pharmaceutical, professional services and retail – IT and technology was the least likely to conduct detailed background screening on senior leaders during a merger. With 70 percent of firms not always conducting adequate screening at these times of change, the sector was well above the average of 49 percent.
The industry also relies the most heavily on an ‘Old Boys Club’ approach to executive appointments. Three quarters (76 percent) of companies admit to being swayed by personal recommendations when hiring to the board, higher than any other industry.
It’s perhaps not surprising, then, that senior leaders of IT and technology companies are most likely to become “untouchable”, with over one in three (35 percent) companies agreeing that people are too in awe of senior leaders in the industry to consistently carry out adequate screening.
Need for Speed
Clearly technology is a rapidly evolving sector, yet with this high pace of evolution comes an equally high pace of job turnover. Once someone has been employed, there is a great sense of urgency to get them working and integrated into the company.
This need for speed can make the hiring process rushed, and the fast and furious nature of proceedings can mean that holes appear. In almost half (44 percent) of companies in the IT and technology industry new starters can be working for up to a month without having had their references checked. This leaves plenty of time for a malicious or unqualified individual to cause enough damage to harm a company, when such candidates would have been gone in sixty seconds had their references been checked beforehand.
Behind Enemy Lines
Since the technology industry is at such risk from IP and data theft, as well as reputational scandal, it is a little surprising that a quarter of companies (24 percent) admit it would be relatively easy for a determined candidate to infiltrate their organisation. More worrying still, 41 percent think that it would also be relatively easy for a determined and apparently qualified candidate to join their senior leadership.
What many companies in the industry lack is a clear method for keeping their defences consistent across the board, from senior leaders to new starters, and at all times, no matter the urgency or situation. Almost half (44 percent) of companies admit that they need a better way of identifying candidates with malicious intent and 53 percent know that they could suffer a reputational scandal from a lack of background screening.
Protecting your company from a Hollywood-style hacker may seem like the most pressing concern. But it should not come at the expense of mitigating internal threats. Leaders need to start taking the enemy within seriously and invest in consistency when checking candidates.
Steve Girdler, managing director EMEA at HireRight