The Fraud Diamond and the Principle of Least Privilege

Every day, hundreds of people commit fraud.  Despite this fact, most people will never commit fraud in their lifetimes.  One of the most important aspects of preventing fraud is separating the few who would commit fraud from the many who wouldn’t. 

One way to do this is the fraud triangle, which was discussed in a previous blog.  The triangle considers a person’s need (typically, a need for money), their opportunity to commit the illegal act, and a way to “rationalize” their crime, or convince themselves it is morally acceptable.  If a person has all three, he or she is highly likely to commit fraud.  The fraud triangle is a classic model, but there are others as well.

A more recent one, the fraud diamond, adds to this model.  First, it argues a person doesn’t necessarily have to face pressure to commit fraud – they might do it just because they want the money or power that’s associated with the fraud.  Secondly, they need more than an opportunity to commit fraud – they need to know about that opportunity and have the capabilities to exploit the opportunity.

The Principle of Least Privilege

One of the most obvious opportunities people have to commit fraud is when they have access to data or data storage systems far beyond what they need to complete their jobs.  For instance, HR file access is typically limited to HR and high-level administrators.  If this weren’t the case, someone would almost certainly discover they had access to that data, either intentionally or by accident, and it would quickly lead to a bad situation for everyone involved.

Unfortunately, this level of scrutiny isn’t applied to all agency systems.  In some cases, employees have access to systems or data if they might need them during the course of their duties.  Because it’s plausible that some employees might need access to dozens of different files, databases and software during the course of their jobs, they are provided access to a huge range of data.  Auditing access to all of these systems would be a huge undertaking, so it’s rarely done.

In the IT world, the principle of least privilege is the standard.  Under this standard, people are provided access to data or systems only when they’re essential to completing their jobs.  This leads to employees having far less access to systems, including those that would allow them to commit fraud or cover it up.  At agencies using the principle of least privilege, employees are less likely to commit fraud even if they have the desire and could rationalize their actions – they simply don’t see an easy way to do it.  And auditing is a possibility, because there’s less to audit than there is at agencies where every user has access to nearly everything.
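The two ideas in this section, granting only what a role requires and keeping the result small enough to audit, can be made concrete in code. The following is an added example, not code from the original post or from any product the post describes. It assumes a constructed role baseline (the permissions each job function needs), a constructed account directory with the permissions actually granted, and hypothetical helper names (`excess_privileges`, `check_access`). The audit function reports every account holding more than its role baseline; the access check denies by default and only allows a permission that is both granted and within the role's baseline, writing an entry to an audit trail either way.

```python
from datetime import datetime, timezone

# Constructed role baselines: the minimum permissions each job function needs.
# Anything an account holds beyond its role's set is "excess" under least privilege.
ROLE_BASELINE = {
    "hr_specialist": {"hr_files:read", "hr_files:write"},
    "investigator": {"case_files:read", "case_files:write"},
    "finance_clerk": {"ledger:read", "payments:create"},
}

# Constructed account directory: what was actually granted, which often drifts
# beyond the baseline as people change jobs or get "just in case" access.
ACCOUNTS = {
    "alice": {"role": "hr_specialist",
              "granted": {"hr_files:read", "hr_files:write"}},
    "bob":   {"role": "investigator",
              "granted": {"case_files:read", "case_files:write",
                          "hr_files:read", "payments:create"}},
    "carol": {"role": "finance_clerk",
              "granted": {"ledger:read"}},
}


def excess_privileges(accounts, baseline):
    """Return {user: sorted list of permissions} for every account that holds
    permissions its role baseline does not require (hypothetical helper)."""
    report = {}
    for user, acct in accounts.items():
        needed = baseline.get(acct["role"], set())
        extra = acct["granted"] - needed
        if extra:
            report[user] = sorted(extra)
    return report


def grant_count(accounts):
    """Total number of individual grants: the size of what an auditor must review."""
    return sum(len(acct["granted"]) for acct in accounts.values())


def check_access(user, permission, accounts, baseline, audit_log):
    """Deny-by-default access decision with an audit record (hypothetical helper).

    A permission is allowed only when it is both granted to the account AND
    part of the role baseline, so a stale or over-broad grant never opens
    access on its own. Every decision, allowed or denied, is appended to
    audit_log so reviewers can see attempts, not just successes.
    """
    acct = accounts.get(user)
    in_grants = acct is not None and permission in acct["granted"]
    in_baseline = acct is not None and permission in baseline.get(acct["role"], set())
    allowed = in_grants and in_baseline
    audit_log.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "permission": permission,
        "allowed": allowed,
        # Flag the case where a grant exists but the role does not justify it.
        "excess_grant": in_grants and not in_baseline,
    })
    return allowed


if __name__ == "__main__":
    # Audit pass: who holds more than their role needs?
    for user, extra in excess_privileges(ACCOUNTS, ROLE_BASELINE).items():
        print(f"{user}: excess grants {extra}")
    print(f"{grant_count(ACCOUNTS)} grants to review")

    # Runtime checks with an audit trail.
    log = []
    check_access("alice", "hr_files:read", ACCOUNTS, ROLE_BASELINE, log)
    check_access("bob", "hr_files:read", ACCOUNTS, ROLE_BASELINE, log)
    check_access("carol", "payments:create", ACCOUNTS, ROLE_BASELINE, log)
    for entry in log:
        print(entry)
```

Running the audit over the constructed directory flags only `bob`, whose investigator role does not cover HR files or payment creation; at runtime his HR read is denied and recorded with `excess_grant` set, which is the kind of entry a periodic review should start from. Because the baseline is per role rather than per person, the number of things to audit grows with the number of roles, not the number of employees.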

Of course, the principle of least privilege extends beyond technology.  Unsurprisingly, fraud is less likely at agencies where there are fewer obvious opportunities to commit fraud.  In general, employees shouldn’t be provided any sensitive information that doesn’t contribute to their ability to do their jobs.  They shouldn’t have physical access to areas that aren’t relevant to their duties.  While employees shouldn’t feel ‘locked down’ every time they attempt to complete their job responsibilities, asking for access to information shouldn’t be an uncommon occurrence.  An agency’s best employees will feel better knowing that the agency is protecting sensitive information, and anyone who is considering committing fraud will face constant reminders that the agency is watching over its most valuable assets.

To learn how CMTS can help your agency close more cases, call us at 855-667-8877 or email us at Team_CMTS@securecasemanagement.com.