Do You Help the Thief?
We security peeps know from experience that crime increases when people find themselves in financial difficulties. Not in any linear way, but when someone caught embezzling is asked why they did it, the answer is almost always "I needed the money." There is a complex interrelationship between economy and crime overall, but in a simplistic view, desperate times create desperate people.
Who wouldn't steal food to feed their family if all other options were exhausted (turn to your church or family - that's why we have them).
"I needed the money" can be anything from gambling debts to a family member's cancer treatment costs to a spouse laid off and being unable to maintain a lifestyle. At some point, some people just consider crime a valid option.
Our job as security folks is to identify the possibility, assess the risks, and provide the organization with options. We're not police -- they show up after the fact -- but as the people guiding the business about risk and risk treatment, we should be aware that some activities are a sign of the times and factor that into our work.
Whether its government sponsored hackers or Mr M. from accounting feeding his chemical habit, people do bad things. Our rule of thumb, from 100+ years of combined experience, is that at any given moment .3% of the workforce is committing a crime that is detectable in the business. This figure has served us well over the years for use in determining budgets and spending for specific risks. Feel free to use it or find one that's better, but having any starting point for risk/value calculations is essential to conversations with management about what should and shouldn't be funded this cycle.
The activities the "3 people in 1000" doing bad things are doing may not be something that impacts the business, but it is visible in our audit records. So, in addition to the budget concerns of rising crime, the business should have a playbook that deals with business/not-business decisions and how they gets handled. Some things may not affect the business directly but require reporting to authorities and other things do not. That's an ethical decision and it should be thought out ahead of time and put into the business standards and practices. Maybe we ignore it. Maybe we report it to police. Maybe we schedule an intervention. Maybe we help them commit the crime.
Whatever the company's decision, make sure it agrees with the ethical principals and policies.