Target hardening is the subject of a two-part article by David Kearns, Managing Director of the Midlands-based firm Expert Investigations.
Target hardening is generally created by assessing the situational crime prevention methods that are in place in a location: your business or home. In simple terms: your belts, bolts, braces and whistles. This is generally door and window locks, alarms,CCTV, access control, smoke security devices, tagging, shutters and barriers. Target hardening is designed to make the target, that being the item subject of the theft or fraud to be substantially more difficult to steal.
Introducing aspect of security by design also increases the opportunity of target hardening, whether this by a cyber intervention, a design intervention or a process to prevent counterfeit of products.
A documented example of target hardening: Mayhew et al’s (1976) research into the fitting of steering locks, a tactic that led to a decline in car thefts. Further research by Mayhew et al (1993) showed burglaries were less likely in households with three or more security devices than a household with none. Research by Bennett and Wright (1984) found that some burglars would be deterred by special security locks.
Research by Ekblom (1987) into Post Office robberies shows that the introduction of protective screens reduces incidences, just as Austin (1988) found for retail banking and finance outlets. Jacques (1994) has highlighted the benefits of shutters in preventing ram raids, while Butler (1994) has shown that certain security devices such as electronic article surveillance systems deter shoplifters from offending.
Reviewing how design security has assisted business shows that Luminar Leisure reduced insurance claims by introducing a plastic based replacement for glasses. Locking mechanism for bicycles, banks using two-tier authentications, access routes on housing estates have all contributed to reducing crime in the continual battle of the offender against the victim.
Crimes change: we live in a cyber fraud world where we are attacked as an organisation, business or individual on a daily basis and target hardening and security design are part of the ongoing process of prevention, disruption and detection.
A brief internet search shows police services disseminate information on target hardening, mostly based on securing the dwelling and the individuals, with some highlighting the commercial building environment and personal data.
No mention of target hardening against the dishonest employee. There is very limited research and information on the topic of how we target harden against employees.
It is somewhat ironic that we go to extraordinary lengths to protect our commercial building, products and data from external threats and then have an open door for the dishonest employee. Notwithstanding the fact that generally large and significant businesses in the Government sector, security sector, banking and financial sector will have made significant efforts to address this issue, it still leaves the fundamental question of “How do we secure against dishonest employees?”
The majority of businesses and in particular within the SME sector will have not given any significant consideration, resources or budget to this question. In the largest organisations they have done so, I will raise the second question: “How effective are your measures?”.
It is a reasonable assumption than an employee within a business is generally seen as a trusted employee. There is an employee hierarchy that may make a general assumption that the more senior the role, the higher the employee salary and the more responsibility the employee has then, it is that the employee is generally a more trusted individual. (I include board members as employees).
Businesses and organisations are hugely diverse according to their size (in footprint and revenue), their geographical locations, their industry sector and number of employees. They are vulnerable from all elements of employee dishonesty which may include, although this list is not exhaustive:
Theft of product, part finished or finished
Theft of materials, including raw material, part processed, scrap of a material used in a process, such as lubricant or tooling.
Fraud: procurement, bribery and corruption, statement misappropriation, ghost workers, expenses.
Theft of data: for personal use, to sell to unauthorised groups / individuals, to take in breach of contract on leaving employment.
Theft of time, including false absenteeism, running a business in company time, misuse of time, manipulation of overtime.
Controlled substances or illegal drugs in the workplace: selling, manufacture or cultivation of drugs on work premises or during work time.
How effective is situational crime prevention and target hardening in these cases. The SCP and target hardening is primarily in effect to protect the business and the employees from the external typical perception of a criminal: a car thief, burglary, robbery or walk in thief.
I believe that Donald Cressey’s Fraud Triangle can be used for all of the aspects of dishonesty in the work place. An employee by definition of their role will probably have access, opportunity, authorisation to locations, systems and individuals that will afford the opportunity to be dishonest should they choose to.
An employee who does become dishonest will almost always submit to the temptation due to the financial reward, and this financial reward will fuel their motivation. Having taken the step into dishonesty and benefitting from the financial reward, the willingness to cease in such dishonest activity may be dissipated.
At what point did the employee decide to become dishonest. A decent law abiding citizen has taken a different path. Even the employee with a current or past criminal lifestyle may not have entered employment with the intention of being dishonest. What inspired the rational choice to be dishonest? How did the employee rationalise their dishonesty in their mind?
Perhaps internal or external factors:
Being overlooked for promotion
No / low pay rise when a business is trading with good profit
Resentment of employer /business / management or other employees
Instability in the business or business sector
Encouraged by colleagues/suppliers / contractors
Debt.
Desire for a more materialistic lifestyle
Relationship changes and stresses.
An employee has the opportunity, will rationalise their actions and will seek financial reward for motivation and significant investment in SCP will not prevent this. If an employee has an opportunity it will be because they have access, legitimately or not to the mechanism to effect the opportunity and they know how the systems work and know how to override them, including data accesses.
So this highlights the absolute dilemma that I see in businesses on a daily basis and have done so over the last 20 years. To install suitable situational crime prevention processes and the ability to make a target so sufficiently hardened so as not to be able to be stolen will in virtually every case cease an organisation or business from being efficient and cost-effective. Where a business is making substantial investment to be as efficient as possible it would then be counter-productive to putting barriers that prevent this efficiency from taking place. These barriers may be physical or they may well be barriers that involve several processes involving several other individuals which again may well increase the footfall of employees and the cost effectiveness of the business.
For part two visit https://professionalsecurity.co.uk/blogs/david-kearns/part-two-of-two-target-hardening/.
