Immediate Vault Immediate Access

Crime Expert Reveals Biggest Gaps in Company Security

WINNIPEG, MANITOBA, Canada – After decades of working undercover for the Royal Canadian Mounted Police, the U.S. Drug Enforcement Administration and U.S. Customs Service, crime and risk expert Chris Mathers knows where companies are vulnerable and what it takes to protect them.

“In a world where popular culture tells us that the ends justify the means, crime is all about perception,” he said in a keynote address at the 2014 RIMS Canada Conference. “Young people are bombarded with it all the time, but we are in business, too. So the question is, how vulnerable is your business?”

Mathers, who joined the forensic division of KPMG and was later named president of corporate intelligence, shared his insight into how companies can best guard against “the business of crime, and crime in business.”

During his 20 years dealing with drug traffickers, money launderers and members of organized crime syndicates, Mathers developed what he calls a “10/80/10” theory – 10% of the population is truly bad, 10% is truly good and would never lie (but you will probably never meet), and the other 80% is everywhere in between. Identifying and managing the risks of that 80% requires far more work than employers are currently doing, he said.

Background checks may be the single biggest thing companies can do better, Mathers said. While most businesses perform background checks when an employee is hired, such investigations are seldom conducted during the course of employment. As an example, he cited a case where a company had a director who was serving jail time on the weekends. Due to Canadian privacy laws, however, the case was never reported, so no one knew he had been convicted and imprisoned while on staff. In addition to possible reputation implications, the company could have been exposed to liability if any incidents had occurred at work.

While searching for criminal records of new hires is an excellent start, periodic checks should be implemented for all employees. High levels of drug use in the workplace in industries like manufacturing can be further compounded by the lack of drug testing in Canada, Mathers said. Further, 90% of corporate theft cases he have involved perpetrators who were gamblers.

He suggested that investigations should examine whether employees: have extreme views, use or are addicted to drugs, exhibit signs of alcoholism, are addicted to gambling or participate in illegal gambling, frequent prostitutes, or have relatives or a spouse associated with a criminal organization.

Associating with criminals can be a significant risk factor, regardless of the nature of the relationship. “Prostitutes are criminals and associate with criminals,” Mathers said. “They are around that activity and more likely to engage in it, which may mean they steal a client’s wallet or steal the sensitive intellectual property he’s carrying.” Similarly, an administrative assistant who is married to a member of the Hell’s Angels can introduce far more than just reputation risk if the spouse gets involved in illegal activities like drug smuggling.

Employees within a company can also rationalize criminal behavior. In the case of a man found to have stolen thousands of dollars through expense account fraud, for example, Mathers said the company faced a wrongful dismissal suit from the thief. He was never told that he could not steal, the man said, claiming the practice was an “unofficial bonus program.” Further, he claimed his boss had been doing it for years. “People see that behavior and come to think it is OK because they become accustomed to seeing it,” Mathers said. Maintaining regular internal investigations and ensuring compliance does not just bust wrong-doers, but prevents others from developing, especially as new technology continually emerges to make theft easier to commit and harder to track.

“There are no new crimes – they’re the same crimes, they’re just using new techniques to get them to you,” he said. Companies need to keep updating their monitoring strategies to match.