Everything begins and ends with employees

Protecting assets is important for every organization. Both tangible assets and entirely intangible ones, especially internal information, must be protected. A bank, an insurance company, a manufacturing company, an e-shop, a municipality, a region, an energy distributor or a grocery chain: all of these organizations provide important services, must fulfil contracts or agendas imposed by law, and must protect their know-how, trade secrets and client data.

Published on:

September 21, 2022

The number of attacks on property and sensitive information is steadily increasing, in both the private and the public sector. The importance of protecting them against insider threats and employee fraud should therefore rise as well. Not because everyone steals and everyone is a fraudster, but because several objective factors will continue to increase the risk of internal attack in the years ahead.

What are they?

  • The looming recession will worsen living conditions for many people, bringing some to the brink of existential problems
  • Financial difficulties, restructuring, and resource constraints in many businesses will lead to higher labor market turnover
  • The sudden loss of a job may lead to a desire to get a new job at any cost, even at the cost of 'improving' one's CV, education, or experience
  • Existential problems can drive even a previously trouble-free employee to try to solve these problems at the expense of the employer
  • Despite the economic recession, there is a continuing shortage of certain specialisms in the labor market, even those that can easily be performed remotely
  • Remote working, including purely online recruitment, is still on the rise, but the risk of hiring someone online who has never actually been seen in the company is not always fully appreciated

Internal risks, the threats associated with our employees, will become increasingly tangible. We may not like it, and we may say for the hundredth time that there is no such threat in our company, but that is the reality.

František Nonnemann

Compliance and Operational Risk Consultant

Protecting money or information? Both!

When an employee steals money, the damage is clear. We're not just talking about a small addition to the household in the form of "moving" work tools or office supplies. That too can hurt an employer, especially when it becomes a sport among employees. But even more serious can be fraudulent cost accounting, false invoicing, or even misrepresenting a bank account to customers. And the classic "reaching into the treasure chest" remains a threat when a previously exemplary employee "resolves" a complicated personal situation in a truly unfortunate way.

In the event of a loss or leak of internal information, the financial loss may not be so visible at first glance. But the damage can be even greater as a result.

Misuse of internal information against the employer's interests, disclosure of production processes, leaking the source code of a customer application, selling a client list, premature disclosure of information important for stock markets... We can imagine many such black scenarios. And often there's no need to strain the imagination too much, just scan the news from home and the world. Financial losses can run into hundreds of millions, not to mention problems with reputations, watchdogs, and the courts.

When thinking about fraud protection, we should strive to prevent direct attacks on property as well as to consistently protect sensitive and confidential information. One without the other does not make sense. Setting up measures to ensure the physical security of branches while not addressing, for example, the protection of trade secrets or the client base is necessarily incomplete. Such a half-hearted solution can ultimately be detrimental, as it gives the organization's management a false sense of security.

You can't do it without personnel security. But what is it?

Whether we are dealing with the protection of plant know-how, cybersecurity, personal data, or ISO standards, personnel security is an integral part of the measures implemented. Or at least it should be.

But what is it? Personnel security, human resources security, internal risks, "people risk"?

In practice, the issue of personnel security is often seen as a training issue for employees. Employees have to be trained on how to work, how to protect internal information, and what regulations to follow. Within a few dozen minutes, they should process a lot of information, read dozens of internal directives and sign a confirmation that they know everything, understand everything, and will follow it.

From a technical point of view, HR security is sometimes limited to defining the correct roles and user rights for employees and setting access and password policies. When there are sufficient resources, data leakage prevention (DLP), CCTV, or other security devices are put in place.

Take action before the new employee starts!

For HR security measures to be truly functional, they must begin before a potential attacker ever enters the organization.

Why?

The most advanced and expensive technical measures will not stop a truly determined attacker. It's always just a question of money, capacity, and will. If someone enters your company or office with the intent and plan to misuse confidential information, technical measures alone will usually not stop them.

Modern, interactive, and well-designed training will not reveal who lied at the interview and who is hiding something from their past. And it certainly won't prevent an employee in a problematic personal situation from reaching into your coffers.

It is therefore always better to start one step earlier and try to keep attackers, fraudsters, and other people who can cause very real and tangible problems for the employer out of the organization altogether. Better in the sense of being more efficient, conceptual, and ultimately cheaper.

What does it mean to start early? Establish a process for a background check. This means checking the credibility and reliability of new employees or job applicants. After all, their past is your future. Checking whether they are lying on their resume, embellishing their education, experience, or skills, or hiding other skeletons in their closet will save any employer a lot of future problems.

Five conditions for a smart and effective background check

Therefore, for a background check to work, and not just become another annoying paper exercise, it is advisable to choose a solution that will be:

  • Quick and easy for employers and candidates
  • Clear and transparent, with clear outputs for management
  • Reliable and comprehensive, including all relevant resources
  • Customizable, tailored to the employer's conditions and the sensitivity of the position being filled
  • Fair and lawful, in line with data processing and privacy regulations for employees and job applicants

Several birds with one stone

Setting up a reasonable, efficient, and smart process for vetting job applicants will help prevent internal fraud and misuse of information. However, quality tools for verifying the reliability of job applicants are also important in other areas. For example, they can greatly assist an organization in:

  • Compliance with legislation that requires us to verify the trustworthiness of employees and protect sensitive information. From GDPR, through the cybersecurity law that will soon affect thousands of companies, to financial market regulation and state and local government: everywhere we find requirements to secure information and assets, and to ensure the functionality of the services provided and the trustworthiness of key employees or officials.
  • Meeting the requirements of the parent company, the founder, shareholders or voluntarily accepted ethical commitments
  • Protecting members of the statutory body from material liability for failing to take reasonable care of assets under management
  • Increasing the value of the company, whether on the stock exchange or in negotiations for a potential merger or sale
  • Obtaining certification when, for example, ISO standards in the area of information protection, as well as others, require a demonstrable and documentable process for verifying the trustworthiness of employees

In other words, a well-constructed process for vetting job applicants can help an employer respond to multiple challenges and requirements. And it pays off!

Personnel security is the topic of the future

Attacks on private and public organizations, their property, assets, and information will increase. Attacks will be amateur, partly organized, and fully professional.

Unauthorized access to and compromise of data can be relatively easy, and an attack can often be carried out quickly and cheaply. And effectively. Effective in a negative sense for employers, of course. Indeed, a successful attack on sensitive information can lead to the interruption or shutdown of the organization's operations, leakage of confidential production processes, and loss of client trust. As well as fines and damages.

Everything begins and ends with people. If an organization is not concerned with personnel security, it is simply not protecting its interests.

František Nonnemann

Compliance and Operational Risk Consultant

František Nonnemann

Author of the article

A professional in the field of privacy protection, financial regulation, compliance, risk management, and information security with experience in both the private and public sectors.