Small-business owners, strap on your security badges. Experts say startups are more vulnerable to fraud than their large counterparts.
“There’s certainly more risk than larger businesses who obviously have privacy officers and security officers and things of that nature,” said Michael Collins, vice-president, sales, for Shred-it Canada, a document-destruction company.
“Most small businesses don’t appreciate it as a part of their startup process because there’s no exposure to it at that stage,” Collins explained. “They’re … trying to get the business started up, trying to get things moving and concentrated more on sales or exposure than the risks they have in the back rooms of their businesses.”
According to the Association of Certified Fraud Examiners (ACFE), companies with fewer than 1,000 employees lose an average of $150,000 per fraud case while large companies can lose $71,000.
And just 68% of companies have official guidelines for document destruction, according to Shred-it.
Collins said small-business fraud comes in all shapes and sizes.
It can range from dumpster diving to stolen credit card numbers, exposed client information and even cheque forgery.
Technology has ushered in new risks such as remote access to sensitive computer information and photocopier fraud, which can occur if the previous owner of a photocopier fails to wipe images stored on the device’s hard drive.
Collins said even though technology is more prevalent than ever in offices, most electronic information starts with a hard document.
Once a document has outlived its usefulness, he has one simple piece of advice: “When in doubt – shred it.”
Professional shredding companies perform document destruction on-site, and Collins said it’s an activity best left to the experts.
He explained that businesses don’t often have the most advanced or secure shredders.
For example, websites exist that can re-assemble strip-shredded documents.
In addition to shredding, Collins suggests small businesses perform data security audits, which allow them to trace the flow of documents through their organization and identify security risks.
Paul McEwen has an even simpler suggestion. The leader of Ernst & Young’s fraud investigation and dispute services practice in Vancouver said small businesses should use a “fraud triangle” to identify risks.
The triangle, he said, was developed in the 1950s by a criminologist who identified three elements that can lead to fraud.
The elements include:
- the pressure or incentive that exists to commit a fraudulent act;
- the ability for a person to rationalize the act; and
- the opportunity to commit the act.
“One way of evaluating what changes what you see in the risk profile would be to say, ‘[Which] of our recent economic or social trends push on any one of those points and therefore create an environment that’s more vulnerable to fraud?’” explained McEwen.
For example, during the recession, many companies laid off workers to cut costs and stay afloat. But accounting needs didn’t disappear, so that left fewer workers to handle the work.
“So a decline in the resources available for internal and account control means there’s greater opportunity [for fraud],” said McEwen.
In addition to using the triangle, McEwen said there are sophisticated computer programs that can search for words or phrases in business documents that, statistically, have been found to cluster around the triangle’s different points.
McEwen also said simple tools such as mandatory employee vacations could reduce fraud risks as well.
“Having a mandatory vacation policy forces a segregation and rotation of duties in the company.”
He also suggests that small-business owners arrange to have bank statements and paid cheques sent directly to their home.
“It allows that owner-manager to physically take 10 minutes a month and go through every cheque that cleared,” McEwen said.
Kim Marsh, managing director of investigative consultant IPSA International Inc., said the most important thing for businesses to remember is not to get complacent about security.
Marsh is the past-president of the Vancouver chapter of the ACFE, which holds regular training sessions and monthly meetings for businesses.
“You have to have some checks, don’t be complacent,” said Marsh. “It’s your business, your money. You have to be satisfied it’s operating the way it should.”