Fighting fraud in government, January 2012 - Transcript

Nick C Jones: Economic crime is a threat that's faced by all organisations at all times. But, particularly at the moment with many public sector organisations facing spending cuts, now more than ever, economic crime might be an issue. So what's the overall trend? Who's committing economic crime? And what are the consequences?
What would you say is the headline finding from the survey this time round?

Ian Hillier: Ok, I think the headline finding Nick, from two years ago, is that almost half of all respondents to the survey said they've experienced at least some type of fraud over the last twelve months.

Nick C Jones: Really?

Ian Hillier: Absolutely, and I think what was more revealing underneath that was that of those responses who had experienced fraud, about a quarter had experienced more than ten instances of fraud over the last twelve months. So once they've actually experienced it, it was quite a high level there.

Nick C Jones: So what's driving that?

Ian Hillier: What's driving the fraud? I think there are obviously a wide variety of pressures that are driving that fraud. The private sector recession that hit sort of 24 months ago has forced a response from public sector organisations essentially and that's led to a public sector recession.  We've seen within the UK, the Coalition Government's response to, essentially the austerity measures, are having a significant impact on the pressure on individuals and also suppliers to the public sector.

Nick C Jones: And those individuals, as employees, but also as suppliers. So who is committing fraud?

Ian Hillier: In terms of who's committing the fraud, we've seen quite a significant shift there actually from the survey. So first level to look at that is, between internal fraudsters and external fraudsters and what we've found is that the level of fraud committed by internal, essentially staff members of the public sector organisations, has risen from about a third of all fraud - up to two thirds of the fraud reported. So quite a significant shift there, I think the pressures on individuals will explain some of that and also other explanations will revolve around actually the focus of public sector organisations at present.

Nick C Jones: And so, in terms of, there's the 'who', and we often think about individuals don't we - but increasingly this is becoming a virtual crime. Andrew, I was interested to see in the survey the increase in cybercrime.  Do you want to say a bit more about that?

Andrew Miller: Yes certainly, within the survey we've seen that 28% of all respondents actually expect to be hit by some sort of cybercrime over the next two years and 40% of all the respondents, you know, thoroughly thought the cybercrime risk was increasing. It was interesting actually what you said around third parties, you know third parties where the business processes are becoming more devolved and more outsourced, the boundaries, the business boundaries and the traditional gateways are being broken down.

Ian Hillier: Absolutely that is a key driver for government at the moment.  They are trying to open up the government, and the supply chain into government, and one of the consequences of that is that the potential in, whilst it's got great benefits, there is obviously the risk of increased fraud.

Andrew Miller: Absolutely, I mean the suppliers are quite often taken at their word in terms of what controls and security aspects they've got in place and with some larger government departments having several thousand suppliers, you know they can't get round them all to check what controls they've got in place and the rest of it. So there is quite a significant potential from the threats to come from this kind of third party, slightly external but really internal user.

Nick C Jones: And of course cybercrime can happen in an instant, but it can have long term consequences. What are the impacts that are coming across from public sector organisations?

Andrew Miller: Yeah you are absolutely right, a cybercrime can happen in seconds. Whilst monitoring, we are seeing prevalence of monitoring amongst the respondents, ultimately there needs to be some decision made and the command and control structures within organisations, including their third parties, need to be ready to move. You know the government departments and public sector do look after a lot of personal information and that's the priority for them in terms of protecting the public. So how and what commitment are they going to make to the potential victims i.e. the public around, what they're going to do in order to stop it and support those individuals.

Nick C Jones: And it has big reputational consequences for both private and public sector.

Andrew Miller: Indeed.

Ian Hillier: Absolutely and I think both organisations suffer from reputational impact of fraud.

Nick C Jones: So if this issue of economic crime is rising, particularly as public sector faces recession, what can public sector organisations do to protect themselves?

Ian Hillier: Well, I think for me Nick, the primary question that public sector organisations need to ask themselves is what does their fraud strategy actually look like? First question being - have they actually got a strategy and when was the last time anyone actually looked at that strategy and then once you've established the strategy, it has to answer really two key questions. One is, does it really address what, do you understand what the risk to your organisation are from fraud, so have you actually, when was the last time you undertook a fraud risk assessment for example? Once you then actually understand the risk that your organisation will face, you are then in a far better position to actually respond to those risks and actually then to think about how you take those forward. That's particularly relevant for some of the new emerging risks like cybercrime that we are experiencing a present.

Andrew Miller: From a cyber perspective, monitoring is great; knowing what you're looking for is ultimately the most important thing. So having some intelligence and insight into what's out in the world at the moment. Having then actually identified that there is actually an issue occurring or has occurred, you really need to then actually swing in your command and control, your senior business leaders, work out what commitments your organisation is going to be able to make to the potential victims or the user base and get out there and make some firm commitments and statements about what you are going to do or are doing about it.

Nick C Jones: Excellent - so Ian, Andrew, thank you very much. A very quick cast through the findings of our survey, which is obviously becoming very much a board level issue. If you are interested in more details take a look at our report, which you can download from our public sector research centre website. Thank you.