The enemy within

EMPLOYEES are often said to be a company’s biggest resource. It is equally true that they are its biggest liability. Scarcely a week goes by without a company falling victim to employees-turned-enemies-or-embarrassments. On July 20th Ashley Madison, a website for married people looking to have an affair, announced that it had been hacked. Noel Biderman, the company’s chief executive, says that he thinks the attack was “an inside job”. On July 6th HSBC fired a group of employees when it emerged that they had filmed themselves engaged in an “ISIS-style mock beheading” of an Asian colleague dressed in an orange jumpsuit.

The most familiar type of enemy within is the fraudster. The Economist Intelligence Unit, a sister organisation of The Economist, conducts a regular poll of senior executives on the subject of fraud committed by insiders. In 2013 the poll discovered that about 70% of companies had suffered from at least one instance of fraud, up from 61% in the previous survey. Fraud is often petty: a survey of British employees for YouGov in 2010 found that a quarter of staff eligible for expenses admitted to inflating claims. But fraud can also be more audacious and more harmful: think of former employees setting up rivals using stolen technology and purloined client lists.

Even more dangerous than the fraudster is the vandal. Thieves at least have a rational motive. Vandals are driven by a desire for revenge that can know no limits. David Robertson of K2 Intelligence, a company that specialises in corporate investigation, recounts the story of a British manufacturing company that was undergoing restructuring. A member of the information-technology department discovered that his name was on the list of people whose services would no longer be required. He built a “backdoor” into the company’s IT system from his home computer and set about wreaking damage—deleting files, publishing the chief executive’s e-mails and distributing pornographic pictures.

Some enemies-within start out as star employees. A striking number of the worst corporate scandals in recent years have been the work of high-flyers who bend and then break the rules in order to please their bosses. Barings, a collapsed British investment bank, showered Nick Leeson with rewards before it discovered that he had produced his outsized results because he took outsized (and unauthorised) risks.

Other enemies-within are the very opposite of high-flyers. The HSBC execution squad are only the latest example of low-level employees who have either wittingly or unwittingly used the power of the internet to blacken their employer’s reputation. In April 2009 two employees of Domino’s, a fast-food chain, posted videos of themselves “abusing takeaway food”. And in July 2012 a Burger King employee posted photos of himself online which showed him standing in a tub of lettuce in filthy shoes along with the caption “This is the lettuce you eat at Burger King”.

One of the most effective ways for outsiders to damage a company is to strike up a relationship with an insider. This can sometimes be fairly crude: bribing a cleaner to replace a keyboard with a carefully-modified lookalike or swapping a USB stick for a virus-laden doppelganger. But it is often more sophisticated. Many of the biggest corporate disasters in recent years are likely to have involved collaborators. Security experts suspect that the hackers who stole the personal information of about 40m customers from Target, an American retail chain, in 2013 may have had help from insiders (the store refuses to comment).

What can companies do to reduce the threat from these wolves in sheep’s clothing? A lot depends on which particular sorts of wolves you are dealing with: traps that work for vandals may not work for fraudsters, for example. And even the best-managed companies are fighting an uphill battle. Information is getting harder to control. A single USB stick can contain more data than 500m typewritten pages. A mobile phone can be hijacked and turned into a listening device. People regularly log in with their electronic devices in crowded places where they can be watched, filmed or hacked.

Fifth column, three principles

Yet three precepts are always worth bearing in mind. The first is that firms need to focus on the people who have the greatest capacity to do harm—those who control the money and information. The more complicated companies become, the harder it is to identify where power really lies. But one thing is clear. The more dependent on information firms get, the more IT specialists can compromise the whole business. The least companies can do is to keep a careful watch on the IT department—and, if you’re going to sack somebody from that team, do so immediately.

The second is that the human touch is still invaluable. Companies can certainly strengthen their hand by installing software that can identify anomalous behaviour or monitor e-mail, or by employing forensic accountants to double-check the accounts. But rogue employees are usually a step ahead of their employers: they will simply shift to text messaging if they think that their e-mails are being watched. Companies can probably do more by listening to company gossip. Corporate-security firms get some of their best results by using “spies” to hang around in the smoking room or go out for drinks after work.

The best way to fight the enemy within is to treat your employees with respect. And this third principle is where many firms fail. They may embrace the rhetoric that nothing matters more than their people, but too many workers feel that nothing matters less. According to a recent survey by Accenture, a consultancy, 31% of employees don’t like their boss, 32% were actively looking for a new job, and 43% felt that they received no recognition for their work. The biggest problem with trying to do more with less is that you can end up turning your sheep into wolves—and your biggest resources into your biggest liabilities.