The enemy within the economist

7/24/2015 The enemy within | The Economist

http://www.economist.com/node/21659776/print 1/3

Schumpeter

The enemy withinRogue employees can wreak more damage on a company than competitors

Jul 25th 2015 | From the print edition

EMPLOYEES are often said to be a company’s

biggest resource. It is equally true that they are its

biggest liability. Scarcely a week goes by without a

company falling victim to employeesturned

enemiesorembarrassments. On July 20th Ashley

Madison, a website for married people looking to

have an affair, announced that it had been

hacked. Noel Biderman, the company’s chief

executive, says that he thinks the attack was “an inside job”. On July 6th HSBC fired a group of

employees when it emerged that they had filmed themselves engaged in an “ISISstyle mock

beheading” of an Asian colleague dressed in an orange jumpsuit.

The most familiar type of enemy within is the fraudster. The Economist Intelligence Unit, a

sister organisation of The Economist, conducts a regular poll of senior executives on the subject

of fraud committed by insiders. In 2013 the poll discovered that about 70% of companies had

suffered from at least one instance of fraud, up from 61% in the previous survey. Fraud is often

petty: a survey of British employees for YouGov in 2010 found that a quarter of staff eligible for

expenses admitted to inflating claims. But fraud can also be more audacious and more harmful:

think of former employees setting up rivals using stolen technology and purloined client lists.

Even more dangerous than the fraudster is the vandal. Thieves at least have a rational motive.

Vandals are driven by a desire for revenge that can know no limits. David Robertson of K2

Intelligence, a company that specialises in corporate investigation, recounts the story of a British

manufacturing company that was undergoing restructuring. A member of the information

technology department discovered that his name was on the list of people whose services would

no longer be required. He built a “backdoor” into the company’s IT system from his home

computer and set about wreaking damage—deleting files, publishing the chief executive’s e

mails and distributing pornographic pictures.

https://googleads.g.doubleclick.net/aclk?sa=L&ai=BBhBIkc2xVbbnFdChbPSinNAKmeizpwYAAAAQASChhu0dOABY0bfI_6wBYMvUtAWyARF3d3cuZWNvbm9taXN0LmNvbboBCWdmcF9pbWFnZcgBA9oBLGh0dHA6Ly93d3cuZWNvbm9taXN0LmNvbS9ub2RlLzIxNjU5Nzc2L3ByaW50wAIC4AIA6gIXLzU2MDUvdGVnLmxhc24va2pkdS9hL3D4AvDRHpAD_AeYA-ADqAMByAOZBNAEkE7gBAGQBgGgBhTYBwE&num=0&cid=5GjoyOGSNMbbess4BW-L89OG&sig=AOD64_1vm1qriRnioVtolzdaxSSISb_Ktg&client=ca-pub-1035191876542576&adurl=https://subscriptions.economist.com/GLB/SLG

https://googleads.g.doubleclick.net/aclk?sa=L&ai=BOF9_kc2xVbfnFdChbPSinNAKoYW0pwYAAAAQASChhu0dOABYwarr3rQCYMvUtAWyARF3d3cuZWNvbm9taXN0LmNvbboBCWdmcF9pbWFnZcgBAtoBLGh0dHA6Ly93d3cuZWNvbm9taXN0LmNvbS9ub2RlLzIxNjU5Nzc2L3ByaW50wAIC4AIA6gIXLzU2MDUvdGVnLmxhc24va2pkdS9hL3D4AvDRHpAD_AeYA-ADqAMByAOZBNAEkE7gBAGQBgGgBhTYBwE&num=0&cid=5GjX6J5ZKd28ShV1FjYh5Shw&sig=AOD64_2pypWX5FmTJSypH-jE0DhTcPGdLg&client=ca-pub-1035191876542576&adurl=https://subscriptions.economist.com/GLB/SLG

http://www.economist.com/printedition/2015-07-25

http://www.economist.com/

http://googleads.g.doubleclick.net/aclk?sa=L&ai=BbRgwk82xVf7BAseobMegmcgPieCu9wYAAAAQASChhu0dOABYsZ7J8LYCYMvUtAWyAR9vcHRpbWl6ZWQtYnkucnViaWNvbnByb2plY3QuY29tugEJZ2ZwX2ltYWdlyAEC2gG6AWh0dHA6Ly9vcHRpbWl6ZWQtYnkucnViaWNvbnByb2plY3QuY29tL2EvMTE5MTQvNDE5NzIvMTc3NzI4LTIuaHRtbD8mY2I9MC41ODAwMjQ3NjM0NzYxMDM1JnRrX3N0PTEmcmY9aHR0cCUzQS8vd3d3LmVjb25vbWlzdC5jb20vbm9kZS8yMTY1OTc3Ni9wcmludCZycF9zPWMmcF9wb3M9YXRmJnBfc2NyZWVuX3Jlcz0xMzY2eDc2OMACAuACAOoCIDU2MDUvUHVibWF0aWMvRWNvbm9taXN0LVB1Ym1hdGlj-ALw0R6QA_wHmAPgA6gDAcgDmQTQBJBO4AQBkAYBoAYU2AcB&num=0&cid=5GjIYTmnaaXHJPqXLH1u1rSx&sig=AOD64_1ip_BDF87ioha40tf8ccCR2zfzow&client=ca-pub-1035191876542576&adurl=http://store.economist.com



Some enemieswithin start out as star employees. A striking number of the worst corporate

scandals in recent years have been the work of highflyers who bend and then break the rules in

order to please their bosses. Barings, a collapsed British investment bank, showered Nick Leeson

with rewards before it discovered that he had produced his outsized results because he took

outsized (and unauthorised) risks.

Other enemieswithin are the very opposite of highflyers. The HSBC execution squad are only

the latest example of lowlevel employees who have either wittingly or unwittingly used the

power of the internet to blacken their employer’s reputation. In April 2009 two employees of

Domino’s, a fastfood chain, posted videos of themselves “abusing takeaway food”. And in July

2012 a Burger King employee posted photos of himself online which showed him standing in a

tub of lettuce in filthy shoes along with the caption “This is the lettuce you eat at Burger King”.

One of the most effective ways for outsiders to damage a company is to strike up a relationship

with an insider. This can sometimes be fairly crude: bribing a cleaner to replace a keyboard with

a carefullymodified lookalike or swapping a USB stick for a virusladen doppelganger. But it is

often more sophisticated. Many of the biggest corporate disasters in recent years are likely to

have involved collaborators. Security experts suspect that the hackers who stole the personal

information of about 40m customers from Target, an American retail chain, in 2013 may have

had help from insiders (the store refuses to comment).

What can companies do to reduce the threat from these wolves in sheep’s clothing? A lot

depends on which particular sorts of wolves you are dealing with: traps that work for vandals

may not work for fraudsters, for example. And even the bestmanaged companies are fighting

an uphill battle. Information is getting harder to control. A single USB stick can contain more

data than 500m typewritten pages. A mobile phone can be hijacked and turned into a listening

device. People regularly log in with their electronic devices in crowded places where they can be

watched, filmed or hacked.

Fifth column, three principles

Yet three precepts are always worth bearing in mind. The first is that firms need to focus on the

people who have the greatest capacity to do harm—those who control the money and

information. The more complicated companies become, the harder it is to identify where power

really lies. But one thing is clear. The more dependent on information firms get, the more IT

specialists can compromise the whole business. The least companies can do is to keep a careful

watch on the IT department—and, if you’re going to sack somebody from that team, do so

immediately.

The second is that the human touch is still invaluable. Companies can certainly strengthen their



hand by installing software that can identify anomalous behaviour or monitor email, or by

employing forensic accountants to doublecheck the accounts. But rogue employees are usually

a step ahead of their employers: they will simply shift to text messaging if they think that their e

mails are being watched. Companies can probably do more by listening to company gossip.

Corporatesecurity firms get some of their best results by using “spies” to hang around in the

smoking room or go out for drinks after work.

The best way to fight the enemy within is to treat your employees with respect. And this third

principle is where many firms fail. They may embrace the rhetoric that nothing matters more

than their people, but too many workers feel that nothing matters less. According to a recent

survey by Accenture, a consultancy, 31% of employees don’t like their boss, 32% were actively

looking for a new job, and 43% felt that they received no recognition for their work. The biggest

problem with trying to do more with less is that you can end up turning your sheep into wolves

—and your biggest resources into your biggest liabilities.

From the print edition: Business

http://www.economist.com/printedition/2015-07-25