Chapter 1
Monitoring data to understand employee behavior
While many see the need for such steps, employee expectations on privacy pose a hurdle.
Critical digital and physical assets are at greater risk of theft, damage and manipulation by insiders than ever before. Increased global connectivity means that anyone with access to company data, anywhere in the world, can exploit weaknesses in data security. Often, these are trusted employees who have been permitted access to, or have knowledge of, critical data sources.
Never before have governments cooperated so extensively in combating bribery and corruption and imposing legal sanctions against fraud. As a further complicating factor, anti-corruption and anti-trust regulations are becoming entwined, increasing the complexity and difficulty of compliance. Threats posed by insiders are difficult to detect without gathering and analyzing data from a variety of sources. By focusing on behavioral patterns such as anomalies in employee work hours, attempts to access restricted work areas and the use of unauthorized external storage devices, companies can identify individuals who may pose a higher risk to the business.
Once risk ratings have been established, organizations can then consider, based on the new information, whether to place high-risk groups under further review. Despite the need to collect such data, EY survey identified a source of tension:
- 75% of EY survey respondents say their companies should monitor data sources such as emails, telephone calls or messaging services.
- Yet 89% would consider monitoring these data sources as a violation of their privacy.
Insider threats
65%of respondents consider monitoring their emails a violation of their privacy.
Companies should bridge this gap by raising awareness of the importance of collecting such data and of the potential consequences if company data is leaked or stolen. The financial, reputational and regulatory impact of having an organization’s critical assets stolen or damaged can be catastrophic, as evidenced by significant news coverage on data leaks in recent years.
Employees need to understand that companies can only protect themselves from such exposure by embedding an integrated insider threat program into their business that is capable of protecting their most critical assets from insider risk.
Chapter 2
Whistleblowing — why confidence is an important factor
If employees choose to report concerns only to external parties, it may make the situation more complicated for companies to manage.
Whistleblowing regulation and legislation are becoming increasingly prevalent across the globe, driven in part by the demand for greater transparency. The trend toward encouraging individuals to blow the whistle is further fueled by the multimillion-dollar awards made to whistleblowers by the U.S. Securities and Exchange Commission.
EY survey has identified three important findings relating to whistleblowing:
- There are rising levels of concern about unethical behavior among employees.
- Awareness of whistleblowing hotlines is low, and the pressure on employees not to report concerns is substantial.
- A significant number of respondents indicate they would report concerns externally irrespective of the response to any internal report they had made.
Unethical conduct
52%of respondents have had information or concerns about misconduct in their company. And almost half of respondents have considered resigning over unethical conduct.
Suspicions of misconduct not only poses a threat to talent retention, but also indicates that the workforce may hold important information that companies could use to identify and detect misconduct.
Even when employees want to report, they may not know how. EY survey has found that only 21% of people are aware of a whistleblowing hotline within their company. And even when regulations require it — for instance, by the Financial Conduct Authority in the UK — whistleblowing appears to not be effectively embedded.
There is all too often a disgruntled former employee who is more than happy to talk to the SFO.
While awareness of internal reporting mechanisms is low, 73% of respondents would consider providing information about potential fraud, bribery and corruption in their business to an external third party.
The majority of EY survey respondents would only do so if no action was taken after reporting internally; however, 15% of respondents would report regardless of their company’s response. Further, a significant majority of those who would report information externally said they would go directly to a law enforcement agency or regulator.
In light of this, businesses need to consider how best to establish their whistleblowing helplines and other arrangements to ensure they capture any vital intelligence about misconduct known by their employees. This will enable organizations to react quickly, to address incidents and issues, and to prepare for any potential response from regulators or reports in the media.
Chapter 3
Cyber breach response management
Responses between top management and more junior employees reflect a chasm that can have serious consequences.
Companies continue to face the threat of cyber attacks by various actors, including sovereign states, organized crime and terrorist groups. In the key growth-target regions of India and Africa, 72% and 58% of respondents respectively, considered cyber attacks to pose a high risk to companies similar to their own. Overall, almost half of those interviewed shared this view.
Given the broad-based recognition of the problem, it is therefore unsurprising that 59% of our respondents believed that their company should have a Cyber Breach Response Program (CBRP) in place.
Respondents to EY survey indicated, however, that awareness of such programs differs starkly between senior executives and more junior employees. While over half of all board directors and senior managers feel that their company has a CBRP in place, only 1 in 3 of other employees believed that their company had such a program.
If employees do not know how to escalate their concerns, issues that appear minor or localized may be left unreported. This may prevent the company from taking appropriate action to assess, investigate and respond in the event of a potential incident, impacting a company’s ability to reduce the extent of the damage incurred.
Chapter 4
The way forward
Businesses are operating in an increasingly uncertain world driven by a period of rapid political, regulatory and economic change.
To respond to these challenges, companies need to go beyond minimum compliance requirements and develop programs that motivate all of their employees to do the right thing.
This includes establishing a training and awareness program that encourages those employees with concerns over unethical conduct to come forward. This should be reinforced by an effective risk management process that utilizes technology and machine logic to identify and mitigate external threats, such as those posed by potential business relationships or from cyber attacks.
Summary
Geopolitical, economic and social changes mean that traditional compliance frameworks may be based on assumptions that are no longer valid. Information is the key to mitigating the risks, and businesses should maximize the value they get from their data. This can be achieved by embracing the opportunities arising from an increasingly disrupted world.
