• brianmartin2

Do You Help the Thief?

We security peeps know from experience that crime increases when people find themselves in financial difficulties. Not in any linear way, but when someone caught embezzling is asked why they did it, the answer is almost always "I needed the money." There is a complex interrelationship between economy and crime overall, but in a simplistic view, desperate times create desperate people.

Who wouldn't steal food to feed their family if all other options were exhausted (turn to your church or family - that's why we have them).

"I needed the money" can be anything from gambling debts to a family member's cancer treatment costs to a spouse laid off and being unable to maintain a lifestyle. At some point, some people just consider crime a valid option.

Our job as security folks is to identify the possibility, assess the risks, and provide the organization with options. We're not police -- they show up after the fact -- but as the people guiding the business about risk and risk treatment, we should be aware that some activities are a sign of the times and factor that into our work.

Whether its government sponsored hackers or Mr M. from accounting feeding his chemical habit, people do bad things. Our rule of thumb, from 100+ years of combined experience, is that at any given moment .3% of the workforce is committing a crime that is detectable in the business. This figure has served us well over the years for use in determining budgets and spending for specific risks. Feel free to use it or find one that's better, but having any starting point for risk/value calculations is essential to conversations with management about what should and shouldn't be funded this cycle.

The activities the "3 people in 1000" doing bad things are doing may not be something that impacts the business, but it is visible in our audit records. So, in addition to the budget concerns of rising crime, the business should have a playbook that deals with business/not-business decisions and how they gets handled. Some things may not affect the business directly but require reporting to authorities and other things do not. That's an ethical decision and it should be thought out ahead of time and put into the business standards and practices. Maybe we ignore it. Maybe we report it to police. Maybe we schedule an intervention. Maybe we help them commit the crime.

Whatever the company's decision, make sure it agrees with the ethical principals and policies.

0 views0 comments

Recent Posts

See All

What is a complete systems inventory, and why is it such a big deal for security? Every security standard we have, from ISA to ISACA to ISO to NIST lists as one of the first security maturity requirem

We utilize a canary system to alert customers to gag orders. As of 20 April 2022 we have received no notifications preventing us from discussing any matter with customers. As long as this message rem