Am I Going To Lose My Business
By Danny Boice
Are You Going to Lose Your Business?
According to the Federal Trade Commission, the average business loses 10 percent of its revenue to fraud and deception each year.
While this stat should be shocking, many businesses blow right past it. Perhaps even your own response is to look away. You might think, It’s an unavoidable problem or It won’t happen to me.
You would not be wrong to feel your response is justified, but what if I told you that this loss is at the hands of employees 95 percent of the time? The problem is not so theoretical; it is very real and hits very close to home. Here are the facts: rarely is the customer or client doing the cheating; and despite all the press about Russian hackers and cyber attacks, fraudulent behavior rarely comes from outside actors.
This is an employee problem—a people problem. Fraud and deception can happen at any stage in the employee lifecycle: pre-employment, within the period of employment, or postemployment.
Of course, fraud doesn’t only affect businesses; the problem extends to every individual. In the United States, 70 percent of adults have been defrauded once in their lives, and 25 percent have been defrauded twice. The issue is ubiquitous.
As business owners acknowledge these risks, they often feel paralyzed. The fear can become overwhelming and keep them up at night. Perhaps these feelings of fear describe you. Here’s the good news: solutions do exist. This is a manageable problem, not out of your control. And by simply picking up this book, you have done more than most companies. You are well on your way to better protecting your business.
What Are the Options?
Because of our work in the trust and safety space, we’re used to people cornering us at cocktail parties to learn more about what we do. We often feel an urge to lie because we know what we’re about to hear: another sad story about how someone got ripped off by a business partner or ex-spouse. Everyone who has lived long enough has one of these unfortunate stories to tell.
Still—even though the problem of fraud and deception is broadly understood—businesses ignore it. In the US, businesses spend billions tweeting, slacking, and Skyping, but allocate effectively none of their budget and resources toward truth, trust, and safety—the very things costing their business the equivalent of 5 to 10 percent of revenue each year. That’s nearly the equivalent of paying your taxes twice each year.
In most cases, we’ve found that business owners and executives assume there are no resources to mitigate the risk. A business might be losing 5 percent of its revenue to fraud every year, but the problem is shrugged off with a simple statement like, “Well, that’s just what happens” or “The big guys can afford it, but we just can’t.” Historically, they’d be correct. Only Fortune 500 companies have been able to afford services to mitigate trust and safety issues in the past.
With this embedded mindset, businesses cannot accurately measure the value of resources that can take care of this problem. Only the top 1 percent of businesses can afford services from very specialized, expensive investigative consulting firms, Kroll being one example of such a firm. These firms are involved in corporate espionage, international government contracts, and even hunting down weapons of mass destruction. Their clients can easily spend upwards of $100,000 for a few days’ worth of work with them. No wonder businesses balk at the idea of spending money for dealing with the issue of fraud! Their budget would have to be effectively infinite.
On the other side of the equation, some businesses settle for low-cost options that have a perceived value but don’t actually take a deep dive into what they need. On the HR side of the house, solutions like Sterling are popular. In reality, most of these solutions are just traditional background-checks with better branding; they do very little to mitigate big risks. These firms have simply done a great job of marketing in the HR space and locking HR departments into spending thousands of dollars for services that cost under $20 online.
The problem here goes beyond cost. We’ll dive into the details in Chapter 3, when we discuss screenings. In short, even a $20 online check is still a waste of time and money. It takes a name, date of birth, and city or state and tries to do a match. Assuming that match occurs, the check is utilizing public records that are inherently flawed. The first problem is that the records may not be entered in time or accurately. Would you risk your life on the work of a lowest paid employee clerk in the local government bureaucracy, hoping he or she will enter in records accurately and quickly? Of course not. These clerks might be uneducated or simply lazy and fail to enter the record correctly. They might just happen to work in a county that doesn't make its records easily available electronically. Either way, the system is flawed from the beginning.
The second problem is that there is no such thing as a nationwide criminal records database. To even have a shot at finding information about a conviction, you would have to check the databases of the 3,007 US counties as well as the fifty states (fifty-two including DC and Puerto Rico). Still, you would be missing the majority of what you are wanting to find: charges of a crime or reports of an assault, sexual harassment, or drug use. You would miss anyone who had never pleaded out to a lesser charge to relieve the overburdened DA’s office staffing woes. You would miss those who had a good attorney and beat the charges. It’s easy to see why our systems for “trust” are so broken.
The entire trust and safety space is antiquated and fragmented. It’s a yellow-page industry dating back to Allen Pinkerton foiling the first assassination attempt on Abraham Lincoln and becoming his private investigator. Rumor has it that Pinkerton’s rates got so high that Lincoln had to cut him loose just days before that fateful night at Ford’s Theater. Since then, the space has undergone very few changes, and businesses have thrown their hands in the air and said, “Well, there’s nothing better out there.”
We were haunted by that thought. Are there really no other options?
Our Path to a Solution
We started Trustify to fill a real need in this space, but our route to arrive at a solution was quite circuitous.
I [Jen] come from the world of advocating for and protecting vulnerable populations. The day after graduating from Bucknell University, I started working for the Congressional Coalition on Adoption Institute. I worked with the most marginalized populations of children in the United States and abroad, ultimately helping ratify the Hague Convention that protects children from International abduction and trafficking. I was later recruited as the youngest executive director in the history of Joint Council on International Children’s Services. At age twenty-four, I was running this massive international organization, fighting for the rights of orphans, child trafficking targets, and other vulnerable populations worldwide.
When I became a mother, I decided to take up the mantle of entrepreneurship that my family had passed along to me. I started two different businesses, both involving empowering female entrepreneurs globally and domestically. Later, when I was called back to work as the interim executive director for Joint Council, Danny and I started dating and talking about the idea of solving the glaring trust and safety problems we had both witnessed on a regular basis.
I [Danny Boice] come from the tech world and have also spent much of my life on either side of the Trust and Safety coin. In the previous businesses I started, I focused on using technology, product design, and engineering to solve problems in antiquated industries. I also taught these same subjects at Georgetown University. A few years ago, I was appointed to be an entrepreneur in residence at Health and Human Services through a program established by the White House. About five to ten individuals are chosen to work there for three to six months on one specific problem in the government. The goal is to be disruptive and think outside the box.
The problem assigned to me in that role has informed a lot of our mindset around trust and safety. The US Department of Health and Human Services was facing the problem of elderly Americans finding reliable and trustworthy care when they were at their most vulnerable period. Sadly, they were being defrauded at record rates. As the boomer population retired and needed help in the form of in-home care, meal delivery, and nursing homes, they were being ripped off in record numbers. I spent months living and breathing that issue before starting Trustify with Jen.
Our life experiences also led us naturally to focus on trust and safety. I am a survivor of childhood violence and sexual abuse. From an early age, I understood what it meant to be part of a very vulnerable population. Later in life, after a difficult divorce, I needed a private investigator (and local law enforcement) to ensure the safety of my own children and to prove suspected custody violations. The whole experience was an awful, yucky mess, and Jen and I kept the thought in our back pocket that there must be a better way to access private investigators (PIs). We believed that trust and safety could become much more transparent all around so the customer would be able to easily gauge quality and never be ripped off.
Over the years, Jen and I had helped each other navigate through different businesses. Now that we were ready to start a business together, we knew exactly how to test our long list of ideas, all of which revolved around solving this escalation in demand for trust and safety services that we saw coming. We started scientifically testing our various product and service ideas using the Lean Startup Methodology. Using this methodology, we test a “minimum viable product” (MVP) without actually building the product. Experienced entrepreneurs understand that most products fail because there is not sufficient demand for them. As we tested, we were able to pinpoint ideas that would fail before investing significant time or money into them. All of our initial ideas flopped. Finally, we found where our expertise and backgrounds could meet a real need when we ran Facebook ads to measure consumer demand for private investigators. These experiments were a resounding success.
We bought every industry analysis and report out there, and we were hooked. The PI space was defined by all the terms entrepreneurs love, like “fragmented,” “antiquated,” and “no clear winner.” It had been around since Abraham’s Lincoln’s time, and the current professionals in the field were great at investigative work but unskilled at business development, customer acquisition, and actually running a business. We saw an opportunity to greatly increase demand by providing access to PIs for every single business and household, while allowing the existing pool of licensed PIs to focus on the work they love, leaving the parts they hate to us. Now, PIs could literally just click a button to take a case, do their work, and receive pay straight to their bank account. No marketing, sales, collections, or disputes for them to deal with.
We took advantage of Jen’s background and were quickly able to contact the attorney general and all other regulators in each state to let them know who we were and that we wanted to operate by their rules. We were off to the races!
Though this book focuses on the B2B side of our business, it’s important to share our heart behind our work. Long before Trustify, we cared deeply about anyone in a vulnerable situation, and we wanted to make sure that the company had a social mission component at its core. Instead of thinking social good would happen later down the road, we went in from day one aiming to address a great need: to help those who are vulnerable.
We have had the privilege of helping with birth parent reunifications and former foster youths looking for family members. We’ve had people come to us saying, “I don’t have the money for this, but I’m a survivor of domestic abuse and going through a really scary time.” We’ve heard, “My child is missing, and the police said to wait twenty-four hours because she’s sixteen and it could be a runaway. I know my child would not run away, and I don’t have twenty-four hours.” On a couple of occasions, women have come to us saying, “I think my husband is cheating on me and frequenting a prostitute.” Our PIs would end up discovering a human trafficking ring, and we would be able to get this information to the authorities to save the women who were trafficked.
We have loved being part of this pro bono work. We’ve formed partnerships with the A21 Campaign (an international anti-trafficking organization), the Midwest Innocence Project (which works for various individuals who have been wrongfully convicted and incarcerated), and Becky’s Fund (which is a national domestic violence organization).
When we work with businesses, we have this same focus on trust and safety. Ultimately, our goal is to help vulnerable populations who are at risk in some way. We recognized very early on that all businesses are at risk.
Trust and Safety for the 99 Percent
Understanding the problem is only part of the equation; our message is one of hope.
Our very name is derived from a Russian proverb, which was eventually adopted by President Ronald Reagan: “Trust, but verify.” As a business owner, you do not have to think the worst of people. This is not about spying on people “Big Brother” style. Everyone isn’t out to get you, and focusing on fear is never helpful. Instead, we encourage businesses to be clear-eyed and realistic when it comes to genuine threats that all businesses face.
It’s now easier, less expensive, and more acceptable than ever to verify things about people. If you can be in control of your time, your treasure, and your talent, why not be? If you have the access to be able to check if something is not quite right, why not take a step toward trust and safety?
We have sought to democratize access to investigative resources. We’re competing against detective agencies that have been operating since the nineteenth century. These companies take a $5,000 plus retainer and then charge like lawyers, which makes them an inaccessible service for 99 percent of businesses.
Now everyone can have access to the truth. Now you can download an app and quickly find high-quality PIs who are affordable and accessible.
Our Goal: To Empower You
As parents, Jen and I joke that our kids will never get away with anything, because we know all the tricks. We earn our stripes as parents when we can detect something is not quite right. We view our work with businesses in a similar light.
If you’re scared because you don’t know what tricks to look for or what’s out there that might bite you, this book will help you identify the risks. You will learn how to protect yourself from the most common types of fraud. You will learn the tactics people use to take money from your business. Even if you’ve already been the victim of fraud, we’ll help guide you toward the best solutions.
Our goal is also to help you separate fact from fiction—to show that the real threats to your business don’t come from cyber attacks but from employees. Being able to separate fact from fiction should lead to greater peace of mind because the employee issue is not out of your control.
Dealing with dishonest people is nothing new. However, businesses now face greater risk than ever because of technology and new avenues available for fraud and deception. In Part 1, we will examine our present reality and how we got here. In Part 2, we will delve into specific ways you can pursue truth in order to trust your employees during each phase of the employee lifecycle.
How We Got Here
What Happened to Trust?
Four years ago, I [Danny Boice] was coming off my stint as entrepreneur in residence with the United States Health & Human Services through a program established by the White House, and Jen was running a large association for at-risk children. We were living life at the center of the trust and safety space for two of the most vulnerable groups in our population.
At the same time, we were noticing many fundamental shifts in society relating to trust and safety. It had become commonplace and acceptable for people to use technology to arrange real-life meetings. Tinder, Uber, and TaskRabbit had become ubiquitous and were the most used apps of our time. The Black Lives Matter movement had emerged out of necessity, as black males were being killed in record number, and it was all being captured on video. ISIS had become a greater concern as anyone could watch people being beheaded on YouTube.
According to our conversations with over half of the state Attorney Generals, there are now three grave and rapidly-growing crime epidemics in our nation: sex trafficking, opioid abuse, and cyber crimes. The trafficking of humans for sexual purposes has grown faster than the drug trade ever did. We recently heard one state’s Attorney General attempt to surmise this phenomena by saying, “Organized criminals and cartels quickly realized that with drugs, they can only sell their product one time to one customer. However, with sex trafficking, they get to reuse the ‘product’ over and over and over again. It’s a higher return on investment.”. To this day, that statement hits me in the pit of my stomach. Still, drug abuse is a major issue. The friendly neighbor and the librarian at the local elementary school have found themselves hooked on opioids. When they can no longer score vicodin or oxycontin, they resort to buying heroine on the street.
Cyber crimes are becoming a particular point of focus today.. Low tech sex offenders and child molesters continue to use the internet to prey on our children. Only now they are bolder and more sophisticated. Sexploitation is the latest trend among pedophiles. They pose as a peer online and contact our children via social media or through a chat app. They start off asking for a fairly innocuous, yet potentially embarrassing photo under some clever guise. Once they receive it, they use it to extort more revealing photos under the threat of sending the last photo to all of their friends.
Perhaps less grave but still telling of the human condition, “alternative facts” have become part of our nation’s collective vernacular as did playing “chicken” with nukes on Twitter. “Puffery” is now used as a term to describe the amount of dishonesty that corporate advertisers are legally allowed to do us. Unfortunately, puffery has now extended to our resumes, LinkedIn profiles, and Instagram feeds too.
As we began to observe all of these developments, the world suddenly felt like a much, much scarier place. Could we trust anyone anymore? Could we even go to school, a concert, or movie theater and feel safe? The world was spiraling out of control.
Our Collective Perception of Truth
Fast-forward a couple of years, and now these same feelings have gone up another notch for us collectively as a society. The daily news reports a story of the latest massive data breach or the president’s latest lie, alleged ties to Russia, or game of “chicken” with North Korea via Twitter and Nukes. All of this would have been unheard of while growing up in the eighties. From Wall Street CEOs and Investment bankers to politicians and non-profits, fraud is now a global issue, with trillions of dollars in the balance.
We’ve primed the pump to test what’s acceptable and how long people are willing to stand dishonesty. The widespread fear is that there’s no going back, that things will just keep getting worse.
Whether or not the world is really less trustworthy is impossible to measure, and perhaps beside the point. Still, the fact is that our collective perception of trust and safety has taken a serious hit. A recent Washington Post survey showed an exponential growth curve when it comes to people’s perception of dishonesty in the world over the past few years.
It’s difficult to trust anything or anyone when dishonesty is coming at us from every angle. Whether it’s politicians lying and providing “alternative facts,” endless stories of celebs schtupping the nanny, or high divorce rates all around, there’s a seeming decline in trust in all aspects of modern life and society.
Technology as a Problem and Solution
Three years ago, when we started putting plans together for Trustify, our starting thesis was that trust in the world had decreased, and that it would continue to decrease in the years to come. Technology allowed us to predict a lot of this back then.
The exponential mass distribution of information over websites and social media has come into play over the past ten years or so. Through the viral mechanics of the internet, a great story can spread quickly. On the other hand—now that we all walk around with cameras in our pockets—traumatic events like police shootings, mass shootings, and terrorist attacks also spread quickly. The very technology that allows exponential growth for businesses also can be used to rapidly spread deception and fraud. After a while, the good and bad of technology become part of how we do business and operate personally.
Over the past few years, for example, Uber, TaskRabbit, Lyft, Tinder, and many of what are now ubiquitous consumer apps gained popularity in rapid fashion. For the first time in history, these apps made it incredibly easy to facilitate a real-life encounter using technology, and negative personal encounters became more commonplace. Contrast that with the nineties, when someone would be ridiculed if something bad happened to them after meeting up with a stranger they had just met in an AOL chat room. Now, it’s expected that bad things will happen sometimes in these meetings. Only a murder will make the news.
The definition of normal has shifted because of technology. Now, it’s normal to get into a car with someone you’ve never met. Now, it’s normal to meet up with someone you found on Tinder or Bumble. Now, it’s normal to find a nanny or au pair on Care.com. The first place you might go to find someone to clean the house is an online neighborhood forum.
All of this tipped us off to the fact that the world was changing in a big way; we were experiencing a fundamental shift in trust and safety. So we decided to be part of the solution. We decided to use technology in a helpful way. With the new normal came a new need to mitigate the risks and make sure these people we’re trusting are actually trustworthy.
In short, technology amplifies problems that already existed, but it also introduces new possibilities. Now you can access resources that help you get to the truth if you believe there is dishonesty happening with an employer or employee, caretaker, or business partner. Now, no one is helpless.
The Human Problem
Employees can get away with anything that’s not on camera, and now they can use technology to deceive. So fraud, embezzlement, and theft somehow become more justifiable, and humans are great at justifying.
I remember a study referenced in a Wharton course that I took. In the study, employees were brought in for their annual review. Before the employees came into the room, their actual performance was charted. Most employees were marked at 50 percent on a bell-shaped curve. When the employees were asked how they thought they were performing, their answers averaged at 70 percent.
Again, this is a human problem, and so behavior psychology is important to consider. People tend to overestimate their performance, and people have an inherent desire to gain equity when they feel they’re not getting it. In the same way that a kid stealing money from a casino might feel he’s owed the money, a 50-percent performer might steal from a company because he feels underpaid. Similarly, a recent study showed that NBA players who are paid fairly make more shots, whereas those who are not paid fairly take more shots because they feel they need to do something to become equal. This inherent need to have equity drives a lot of bad behavior, at any level.
Of course, technology perpetuates things like keeping up with the Joneses as well. On Twitter, Instagram, and Facebook, we see people posting about their wonderful lives and the cool new toys they got. On LinkedIn, we see people puffing up their profile to look amazing. Everyone feels as if they have to keep up, which creates a kind of viral effect of dishonesty. When competition is involved—whether in getting a job or making more money—deception will follow.
Technology also multiplies the problem of theft. Now, you can steal from someone without having to look him or her in the eye or be anywhere near them. A wider net is cast for those willing to steal. It’s hard for an employee to lie to someone they see every day, but when most of their interaction is through email or chat, it’s a lot easier. Theft today can look like taking sensitive data and dumping it somewhere online for all to see. Just a few years ago, you would have had to actually steal the filing cabinet.
From Society to Business
With all of these factors combining in our modern world, businesses are left with a lot more opportunity and a lot more risk. We’re early enough into this revolution of sorts that many businesses are not yet scared. Even large Fortune 500 companies are only now starting to hire trust and safety executives. We’re just at the beginning of businesses recognizing and understanding the problem.
We’ve talked to a lot of small business owners who say they get fifty workers’ comp insurance claims a year and think they are likely all fraudulent. Other businesses deal with time-card fraud, overtime abuse, or non-compete, non-disclosure violations. We hear about these problems all day long, but up until now these same businesses have assumed that they have no accessible and affordable solution.
Our goal is to educate you so you can understand the risks and the solutions for your business in this new age of technology and easier dishonesty. If you believe an employee is breaking a non-compete agreement, you don’t have to pay $25,000 anymore to verify it. What was once considered impossible to prove, and thereby unenforceable, is not anymore.
Complete trust and safety is now attainable for the 99 percent in the business world.
What Happened to Business?
I [Danny Boice] was a freshman in college when Napster was at its peak. At that point, it wasn’t required to have a computer in your dorm room, but some of the richer kids had one. Then there was always someone hacking together a white box computer that could be assembled with rip off Chinese parts.
My roommate had a computer, and we would download from Napster all day long. That was the only way we would get music; we had stopped buying CDs altogether. At one point, so many people were using Napster on campus that we started to see notifications that we were crashing the campus network.
When I look back at that time, I recognize that what we were doing: point blank stealing. Music artists live off of the royalties they receive from their music, and many of them don’t make that much as it is. Most are just kind of scrapping by unless they're on the Led Zeppelin level of fame. The problem was that we weren’t looking at these artists on a stage. We weren’t even stealing their disc from Sam Goody’s. No, we were staring at a screen.
Our actions were so easy to rationalize. We were able to say to ourselves and to each other, “This must be okay,” and we weren’t the only ones. This was the way a large segment of the population got music for several years, until more boundaries were placed around illegal downloading.
The Slippery Slope
This is a perfect illustration of how technology makes us feel. More people are able to justify their deceptive behavior when technology is a buffer. When you can steal from someone without looking at them in the face, it’s all too easy to commit fraud. Technology is like a lubricant that greases the wheels down a slippery slope.
The pattern created is one of acceptance. I remember when Napster was popular and those of us who used it would make fun of anyone who thought what we were doing was stealing. The mindset was that this particular form of deception was “normal.” Today, the same phenomenon continues, just in different forms. Everyone now expects that the life you show on Facebook is mostly fake. Everyone expects that your LinkedIn profile includes a bunch of BS. They joke about it and say, “Oh, that’s just how it goes.”
Dishonest behaviors are normalized—whether that behavior is illegally downloading music or putting false qualifications on a LinkedIn page—because it is easy to lie behind a keyboard.
The combination of time and technology has created the opportunity for more thieves. People who would have never risked dishonest behavior in face-to-face interactions are now feeling more willing to commit fraud and take the risk because they feel anonymous. Adoption fraud, for example, was unheard of twenty-five years ago. Today, people are willing to create fake Facebook videos and profiles on adoption.com to get others to think they are pregnant and seeking an adoptive parent. Of course, they are doing all of this so they can receive money, which will supposedly be used to pay for any necessary expenses for the baby. Later, this modern day thief reveals that she wasn’t pregnant or that she is “choosing” to not place the child with the donor.
In the past, this kind of theft would have required a lot more work. Imagine if the thieves had to receive checks directly for all of these supposed needs? That would change everything. Whereas someone once had to be a great actor or con artist to fake their identity in person, almost anyone can now deceive others very easily online. If you happen to have recently fallen upon tough times and are willing to justify your actions, you can be on the same playing field as someone who is very skilled at deception.
Adding to these issues are psychological factors. As mentioned, most people feel their performance is much better than it actually is. They feel they should be paid a lot more and are not getting treated fairly. With this kind of thinking, a lot of people will seek out ways to level the playing field and get equal.
Some people might think, I’m not embezzling. They owe it to me. I’m a rock star, and they’re not paying me enough. Others might be more conniving and think, Screw them. I’m going to dump all their customer data on the web. Whatever the case might be, we’re living in a time when these kinds of thought patterns can much more easily be acted upon.
The issues of fraud and deception play out across the entire lifecycle of employees. Today, there is a lot of competition among a highly educated and skilled workforce. Everyone is fighting for their dream job, but they are struggling because of the economy. A lot of people say to themselves, “I’m not great at Excel and don’t have the particular marketing experience this company needs, so I’ll just say I have those skills anyway.”
Laws around what employers can and cannot disclose about a person’s previous employment compound this problem. If asked, a previous employer was once free to give a glowing recommendation or say directly, “That person was terrible, and we let him or her go.” Today, what you can say is much more limited. Essentially, you’re allowed to say that an employee worked for you during a given time and very little more—just enough to verify employment. Naturally, some employees will take advantage of these laws and puff up their experience. It happens all the time.
Besides fake credentials, we see a lot of problems in the workforce related to IT information. We are seeing more and more shadow startups springing up. Employees are gaining enough crucial internal information to start their own companies. An example is what we see happening right now with Uber and self-driving cars. When it comes to theft of information, we are also seeing more employees selling insider information, even government information.
Then there are data breaches. Most people assume the big breaches, like the ones at Target, Veteran’s Affairs, or a government office are caused by the ominous Russian or Chinese hacker. In most cases, the “hacks” are usually done by a pissed off employee transferring confidential information to a thumb drive and leaving. A lot of hacks are actually very low tech and done by someone on the inside. If you’re a small or mid-sized company, any employee could likely take your list of customers, your financials, or other sensitive information and dump it somewhere. You would have no idea until you saw it on the internet.
Data theft is sometimes worse than money theft. If someone steals money from your business, it won’t necessarily sink you. But if someone steals critical data, it could destroy your reputation and ruin you. There is little you can do about it.
Take, for example, phishing attacks, which are very common inside corporate America. The DNC lost all of their emails during the primaries because of phishing attacks. These are low-tech attacks, but they can be devastating. We see them all the time because they’re difficult to filter out with a spam filter. They require simple social engineering to work. Someone simply needs to look at a company’s org chart and figure out how to send an email from a high level person so that the information is believable. They figure out as much information as they can about this person and spoof the email address. These attacks are starting to be programmatically automated and thus executed at scale. Even we have been subject to attempted phishing attacks. I remember when my finance person received an email that looked like it was from me, asking for a quick wire transfer. Thankfully, he was smart enough to ask me about it before he sent anything to the offshore account.
Remember how the book began? We brought up the loss of revenue right away because this should be the most shocking factor for all of us with a business. If you don’t understand your risk, you will have no reason to pursue protection.
So let’s think about what it means for businesses to lose 10 percent of their revenue each year to fraud and deception. If we think about this on a global scale, billions of dollars are lost each year to theft, embezzlement, data breaches, and any other form of employee deception. The Association of Certified Fraud Examiners found that businesses lose 5 percent of their revenue to fraud alone. In a recent survey with e-commerce retailers who have reached a million dollars in sales, nearly 40 percent expressed their fraud losses were increasing. The problem is serious, and it is not going away.
When we start conversations with large businesses, we almost always start at the same place. We say, "You are likely spending millions of dollars on tweeting and slacking and using all kinds of fun, sexy apps. You are likely also spending zero dollars on the very thing that's costing you millions, or even billions, of dollars." Many companies will have their HR person talk with us initially. Almost every time, they will say, “Oh no, we’re fine.” It only takes a single honest conversation about the numbers to wake them up to a reality they are ignoring.
What’s the Solution?
Clients end up hiring us for all of the reasons we review in this book, so we see how each of the problems we discuss play out firsthand. In many cases, we come in to help after businesses have already lost a ton of money. Our goal here is to equip you to be more proactive. Acting early is always more effective than reacting.
We’ve examined why employees are inclined to dishonest behavior. Now we will transition to the solution. In Part two, we will focus on how you can better understand your risks so that you can better protect your business.
At every point of the employee lifecycle—before, during, and after employment—you will be equipped with knowledge and tools for your safety.
The Truth/Trust Lifecycle
Now we turn to the truth/trust lifecycle. In order to trust your employees, you must know how to first verify—how to find the truth. We begin with screening because this is the initial step in the employment lifecycle. If you can separate fact from fiction and know how to effectively screen prospective employees, you will save yourself from expensive issues later down the road.
Over the years, we have recognized that smart businesses plan for risk points and have an opportunity to prevent against risk. Remember that nine times out of ten, your risk is linked to a people problem. The risk starts and ends with employees. Smart businesses understand that the employee lifecycle starts before hire. At that point, you have a chance to avoid hiring the wrong person, and doing extensive vetting makes a lot of sense.
Once you have the wrong person working for you, the rest of the lifecycle can be a lot more difficult to manage. Hiring the wrong employee could mean insurance fraud, workman’s comp fraud, embezzlement, data theft, stealing of merchandise, or even other issues like sexual harassment. All of these can become black marks on your company.
Later down the road, the wrong hire could equal an employee who is more likely to act out. This employee can create problems for you at the end of the lifecycle—when they begin soliciting other employees, not honoring a non-compete clause, or sharing confidential data. Of course, you have to track the status of an employee during their employment as well. Their lives can change, or they could become upset with the company for a host of reasons. When employees leave on bad terms, they are even more likely to consider how to get back at the company.
Ignoring the truth/trust lifecycle will cause repeated problems because you eventually have to backfill the spot of the employee who has caused you all of these issues, and everything starts all over again. The lifecycle is constant for any business, and it is imperative that you understand it to avoid risk. The lifecycle is where all the money is lost.
The Problem with Background Checks
How could it be that an established business like Uber is having so many issues with their drivers? We hear of drivers attacking passengers. One even went on a shooting spree. Doesn’t Uber do background checks? Of course they do. Clearly, that “preventative measure” doesn’t do much.
Background checks have become a commoditized, inexpensive way to cover your ass. Nothing more. Running a background check allows you to check a box and say you tried, but no one actually expects to find anything. Businesses use them like an insurance policy. After Uber went through their major kerfuffle, they had to hire a Chief Safety Officer. One of the first blog posts he wrote explained why background checks don’t really matter, why they don’t work. That’s coming from a top executive at Uber. After many years of working with businesses at the screening stage, we have found that he is right.
A CareerBuilder poll from 2016 said that only 28 percent of hiring managers claimed they did background checks at all. From what we’ve seen, about 50 percent choose to do them. Either way, it doesn’t matter. Background checks have become more about perception than anything. Companies that don’t run them still want to act like they do. It’s similar to having security cameras that aren’t actually cameras. It’s a way to say you’re doing a check so people think you are, without wasting your money.
The logic behind background checks was flawed from the beginning. They revolved entirely around criminal records. The hypothesis went like this: you can know if someone is safe and trustworthy by seeing if they have ever been arrested or convicted of a crime. This sounds great in theory until you look one level deeper. There is no national database in the United States of criminal records. You can’t go to one place, search by name, and find a person’s criminal records. Even when a person is arrested, they are likely arrested at the county level, by county police, and go to county court. They might be handled by state police if the case is a bit more serious.
Imagine any rural county you’ve ever been to. Do you really think the clerk in that county is entering criminal records in real time? Do you think they are making them electronically available in a way that any other system can interact with them and retrieve the information when it’s needed? Of course, this information has to be manually entered; human error is also involved.
At the end of the day, accessibility of the data becomes next to impossible. Only the most advanced counties are sharing data in the correct way. Combine this reality with that fact that most background checks allow a person to have complete control over what information they share, and background checks essentially turn into IQ tests. Can you list three counties in which you haven't been arrested? Check. You pass.
Some businesses are functioning under a false assumption that a background check for $30 is some kind of silver bullet, and it never will be. This is an extremely dangerous assumption to have. We work with major law firms, accounting firms, and celebrities—people with the highest net worth you can imagine—and their jaws drop when we tell them the limitations of background checks.
In most cases, these clients will try to reach for any feeling of safety. They’ll say, “But we also do Social Security number checks.” That’s when we have to break it to them: there is no such thing. Once again, the check is almost meaningless. All you can do with a Social Security number is verify that the person’s name is attached to the number. At best, you’ll be able to verify their date of birth.
Not only are these kinds of checks limited in what they accomplish, but they can also cause issues. False positives are highly common. If you Google “background check false positives,” you will find a list of major lawsuits with some of the most well known companies. These companies were screening someone they were not interested in hiring. It happens all the time.
Beyond the Checks
Because we go beyond basic background checks, we have seen just how important it is to screen the right way.
One of our clients runs a large charitable fundraising website. They came to us because they suspected money laundering was going on through their website. The site serves a lot of people, but some of the people using it are lying about being a veteran or having cancer. Some users will partner with a buddy, who will be the face of the cancer patient, and they’ll split what they make.
In one case, someone on the site had raised money abnormally fast. The company asked us to step in with a deeper check. With a surface level check, the guy came up completely clean. Our check continues beyond the individual to their network, and we found out that he was sharing an address with four family members who were all felons with fraud convictions. He was just the front man, the clean front man for crew. Our client could have never known this by simply running a background check on him. He could have continued for years without ever being caught.
When we worked with a major website that connects nannies with families, they asked us to do a preliminary screening of some of their nannies to see how good we were. Of course, this company ran traditional background checks on all of their nannies. That was one of their selling points. When we ran our checks on just ten of their nannies, we found egregious problems with three.
One of the women had a perfect profile. In her image, you could see a woman sitting in a field of flowers (probably a stock photo), and her profile said she had a degree in early childhood development. She was the perfect nanny…until we found her Twitter handle: SemenDemon. Her Twitter account was replete with sexually explicit content and rapist rants—your worst nightmare. As we kept digging, we realized the problem. She had no criminal record, so she looked great according to a background check.
Another lady was sharing personally identifiable details about the kid she was watching on social media and all over the internet. She probably meant well, but her activity came as a rude awakening for the parents. Again, a background check was not going to get close to equaling a proper screening for the job.
When we told this company about what we had found, they said, “Please tell us you checked one hundred profiles to find these.” We had to break it to them: “Nope; we checked ten.”
Criminal Record vs. A Liar
Finding evidence of a criminal record is not the Holy Grail. Too many businesses think that if they find out someone has been arrested for something, that’s all they need to know. However, it is entirely possible to hire an outstanding employee who has a criminal record or a dangerous employee who does not. Many businesses we have worked with have told us, “We would rather take a one-time felon who has been convicted, done their time, gotten out, and is upfront about what they’ve done than somebody who is maniacal, shady, and secretive about their past.” Of course, this doesn’t mean that companies should choose ex-cons over people who have never been caught. However, ex-cons can make for great employees, and the person who is very veiled about their history might end up proving to be a terrible choice.
Consider the examples I gave previously. In none of those cases did the person have a criminal record. They were guilty of misusing the systems in place, but they had not been arrested, tried, convicted, or had their information submitted correctly for it to be accessible.
On the other hand, many people have been arrested for reasons that should at least be discussed. For example, if someone applying was arrested in their twenties for disorderly conduct at Mardi Gras, you could at least take time to ask: Does that really mean anything? Should that one offense keep that person from having a chance at a job they are highly qualified for if they are also honest about what they did? Yes, they did something stupid and got caught, but you have a choice to have a conversation rather than just write them off.
Keep in mind that people who are prone toward dishonesty but have yet to be caught are really good at what they do. We had a case that perfectly revealed this truth. A law firm had hired a seemingly amazing paralegal. She worked hard, and everyone loved her. She stayed late on weekdays and even came into the office on weekends. One day, she disappeared, along with $15,000. What that office never knew was that this woman was an incredibly talented and wanted con woman. She was one of the best. The FBI knew who she was, but the law firm had been fooled by one of her fake stories. She worked late and on weekends to have ample time to falsify invoices and slowly steal money. That was when she was doing all of her dirty work.
Unfortunately, most law firms do a poor job at safety and security. A good attorney lives and dies by how many hours in a day they can bill clients. They’re not necessarily incentivized to focus on anything else. Each partner has their own fiefdom. That’s why selling a law firm is like selling fifteen small businesses. However, in this case, not doing a thorough check hurt everyone. And that woman is still out there. She could still be stealing from other companies in the same exact way.
When you are screening employees, remember how much data is accessible nowadays, both formally through public records and out there on the deep, “dark web” (as some people call it).
A person’s public posts are archived, and you can search for information on anyone, going back forever. Before this time in history, you would have had no way to access news related to an individual, especially not a history of news. You would have had to try to navigate through newspapers or microfiche in the library. Now, even a simple comment on an article is archived under a person’s name. That information lives on forever and is easily accessible.
Most people never think about the ways in which the information they post, even on social media, can be used against them. Whether young or old, people don’t take time to think about the information that is archived and related to them—all of which is easily accessible. Google archives everything, and a couple sites exist purely for the sake of archiving web pages, even if the web page has been deleted or changed. You can compare differences and go back years.
The dark web is a whole separate source of data. Some people also refer to it as the “deep web.” When you do a search on Google, you would typically be accessing the top 1 percent of websites that have already been vetted for you. The dark web is everything else. You have to use special browsers and search engines to get to this information. It’s the underbelly of the internet, and it’s there that people trade information. If you want to buy a bunch of credit card numbers to use illegally, for example, you would want to go to the dark web. It contains sites that are hard to find—whether intentionally or unintentionally. Of course, this makes for the perfect environment for con people, fraudsters, and data thieves to conduct illegal business with less chance of being caught. You may have heard of the “Silk Road.” There are entire message boards and forums where you can trade information, buy drugs, buy data, hire a hit man, you name it. Often, any of these can be bought with Bitcoin so the transaction remains anonymous.
If you’re wondering how you could ever learn how to access the dark web, you likely can’t. It’s technically difficult to do and, in some ways, dangerous. If you spend too much time on the dark web, you run the risk of having your network infiltrated. Unless you’re wanting to buy a hit man or drugs, you likely don’t want to go there. That’s why we exist.
Our Approach to Screening
Some clients wisely come to us at the beginning of the employee lifecycle and say, “I’m looking to hire this person. Can you tell me if they are safe and trustworthy?” We do the same thing every single time. We’ll take as much information as we can about that person and run a normal background check. Of course, we are not expecting much from that, but we will use whatever information we get from that to begin our real search. We search through years and years of public social media activity. We screen their activity on Twitter, Facebook, Instagram, you name it. We search the archives for anything else they have ever posted on the internet. We’ll look for keywords. We’ll check to see if they’ve posted anything racist or anything related to drug or alcohol paraphernalia. We also do a deep Google search on the name. This might seem trite or obvious, but most companies are simply not going to take time to do a multi-page deep search.
We’ll also check newspapers, blogs, TV, and radio for any mention of their name in the past ten years or more. Sometimes, we have found a prospective employee was involved in a scandal, and it was only written about in the papers. When we vet internally for PIs, we look for anything that comes up about them being fired for something like sexual harassment as a high-ranking officer on the police force. They may have never been charged with a crime, but we’ll discover the information because of our broader search.
With major data breaches happening every day, the dark web fills with more content all the time. It is not just the place to go for gay porn; it’s full of the identifying data of government employees after the office of personnel management was hacked. When the Democratic National Committee was hacked, a lot of the information was dumped on the dark web. Most people don’t realize that even iCloud accounts have been hacked. How do you think TMZ gets celebrity nude photos?
The credit card info that was stored at Target and Home Depot and then hacked. The millions of Yahoo emails that were hacked. WikiLeaks holding troves of information around who is giving money to what campaigns or shell corporations. The list goes on. There are billions of records that are somewhere on the dark web.
The second this information is dumped there, copyright law no longer applies. It’s public. We know this from experience. We were the first to get hold of the Ashley Madison data when the site was hacked. The second it was dumped onto the dark web, we got a hold of it. We made a website where people could put in an email address and get a positive or negative response. We made almost seven figures in three days as a three-month-old company. Of course, that data was not attainable through a simple background check, but for some people who may have been going through a divorce in a state that has fault divorces, it was very useful data to have.
In the case of Ashley Madison, the hackers got credit card transactions, IP addresses, and chat messages from the propriety chat system on the website. With that information, you could make a very compelling case against someone if they tried to claim they didn’t use the site. We could follow the trail individually, the way a detective would in the real world.
As a business, you need to be aware that screening should be done in a recurring fashion. Facts about a person can change over time, for better or worse. With our own PIs and employees, we perform safety checks before they start working for us, and we also do check-ins. We have found that people change and life situations change. Perhaps an employee started dating somebody new, began to have a drinking problem, or lost a bunch of money gambling. You will need to consider points at which an employee might be more prone toward doing something desperate. Of course, you can’t discriminate against someone just because they have lost money, but knowing that fact could lead you to more important information.
As an employer, you need to be able to piece some of this information together. For example, you might not want credit card information, but it could be useful to have information about any liens or collection activity. In most cases, people sign something that gives permission to companies like ours to pull credit and check them out. We can figure out most of a person’s assets if needed. With this information, you could deduce what a person might owe. This is why knowing where a person is with their mortgage can be very telling.
Our PIs are experts at piecing together this kind of information. For example, they might find that someone is $200,000 upside-down on their mortgage with liens showing up all over the place. They might find that the person was also using a gambling site or get data from an iCloud hack that shows they were texting their mistress. Of course, these cases would be much different than an employee who has a very sick child and is spending everything they have on the child’s medical bills. As an employer, you would need to consider each of these cases individually, but the information is helpful either way.
As this point, you might be wondering about the Fair Credit Reporting Act. You might be asking, “What about a person’s privacy.” It’s a fair question. FCRA compliance is a pivotal topic when it comes to employee screening. A short list of things is simply out of bounds if an employee is not aware you are vetting them. However, you can have prospective employees sign a one page document that allows a thorough check and essentially puts everything in-bounds. What remains off limits helps eliminate discrimination. For example, if a company finds out a person is homosexual or is part of a particular ethnicity, there could be too much potential for discrimination.
Keep in mind that you are only limited by FCRA when you are screening a prospective full-time employee. If you are screening a contractor, you can look up whatever you want.
Five to Ten Closest Contacts
Screening should involve checking the five to ten closest contacts a person has. We place a lot of effort—equal to the effort we place on gaining data from other sources—on finding a person’s five to ten closest family members or friends. The hypothesis behind our focus here is simple: we believe you are a sum of the people with whom you spend the most time. If you don’t have five to ten close relationships, that is telling in and of itself.
The way we get this information is through public records that show various phone numbers and addresses a person has had over the past years. That information is easier to pull than you might think. We then cross-reference the information. We check to see who is connected to the shared number or address. If a person has shared either of these with someone for an extended time, that someone is likely a close friend or family member.
We might also be able to discover a person’s five to ten closest contacts through social media alone. Getting information about immediate family members—parents and siblings—is extremely simple. If we see a person tweeting or exchanging Facebook messages with the same set of people, and especially if there is real life linkage like having gone to the same college, that tells us two people are more than just Facebook friends. In some cases, when we have to dig deeper into social media, we might have a PI make a Facebook profile that looks completely legitimate and send a friend request. Most people are too quick to accept people as friends, and the PI will have immediate access to a whole new set of information.
We run the same deep check, with all our data sources, on these five to ten people. We can quickly score these people to find out if they are a bunch of fraudsters or are likely felons. With this information, we get a good picture of who the person is that we are screening. People who are not criminals rarely spend a lot of time with people who are.
If you’re still skeptical that using information from social media can be legitimate for the job-seeking world, let me present some research. Research has shown that social media gives a better indicator of who a person is than trying to find a red herring of a criminal record in a specific county. For us, the story about the nanny with the SemenDemon Twitter handle was nothing new; that’s barely moving the needle in our work. People reveal more than you might imagine via social media.
Using information from social media can also give you a quick, honest view into a person’s life that you would never get otherwise. We can quickly spot, for example, when a person uses language that is related to racism, drugs, or misogyny using social media. Whether you are a small or large business, you know that culture is a big deal. When you are hiring, you have to look at a person’s abilities and skills, but you should equally consider their cultural fit. Information gleaned through social media can help you do that right from the start.
In our company, we value the fact that we have 40 percent minorities in our workforce and that 70 percent of our workforce is female. Instead of beer pong tables, we have a room for nursing mothers. Culture is huge for us. If a prospective employee posts something on social media that even comes close to anti-minority or anti-female, it’s a deal-breaker. It goes against everything we do.
You gain a lot of insight with a thorough check. You can get a sense of person’s life views and personality, which can keep you from a lot of heartache later down the road.
Again, screening is just the beginning of the lifecycle, but we’ve spent a lot of time on it here because it’s an essential checkpoint. If you skip over this, you will have more issues later. Embedded within the screening checkpoint is the task of checking references. We’ll consider that part of the process in the next chapter.
Just as with background checks, the whole process of referrals is flawed. You might equate the process to asking an arsonist to tell you who started the fire so you can start investigating the fire. With typical referrals, you’re asking the person you want to hire to name three people you should talk to. Again, it’s like an IQ Test. Do you know people who would say good things about you? Great! You pass. Of course, a business will typically not hear anything negative in these conversations.
These days, an old employer has to be so careful that they likely can’t say much anyway. When we perform reference checks on new employees, all we do is call HR at a candidate’s previous place of employment to confirm their title, the dates they were employed, and the salary they made. We don’t do anything beyond this because the cost versus benefit doesn’t work out. You take on too many liabilities by trying to get honest feedback about someone from a previous employer.
Real Reference Checks
Because we live in Washington DC, we often joke that the Pentagon probably knows what it’s doing when it comes to safety in the employee lifecycle. We would do well to learn from them.
Growing up in DC, we would never talk about what our dads did for a living, but we always knew when a dad was promoted to a high-level position in the government. Sooner or later, we would see the guys in black suits knocking on his neighbors’ doors. Whoever was hiring would check normal criminal records, but their main focus was talking with the neighbors. They wouldn’t even ask for permission to do this. They would simply knock on the door and start with their series of questions. They would look for any evidence that things had changed in the man’s lifestyle that would make him susceptible to desperate acts, like stealing data or spying. They would look for any changes in his financial situation. Was he verging on bankruptcy and potentially vulnerable to someone blackmailing him? Was there a big secret he might be hiding? Could someone else have leverage over him? The answers to these questions were the most telling information for the government.
Here’s what I learned from observing this time and time again. The government didn’t ask for a person’s three references; they just went and knocked on doors to get the information they actually needed. The reason they would do this unannounced was because they wanted real, honest feedback to get straight to the truth. Today, we perform real reference checks like this for our own clients.
Honest information matters when the stakes are high. When you’re taking money from an investor, for example, you wouldn’t ask him for three names of founders in whom he has invested. If you did, he would give you names of three people who would only have good things to say. What you should do instead is go back and look at news archives where most start-ups announce their fundraising. You should look for the company that didn’t make it and contact them to find out what happened. This approach would help you quickly find out if a partner had been an asshole when things weren’t going well. Similarly, real reference checks should reveal what a person is really like.
The Ted Cruz Effect
Whether you choose to check with people directly or investigate digitally, you always want to look for how a person is supported in real life. I call this the “Ted Cruz Effect” because in his bid for the Republican presidential nomination, Ted Cruz was not supported by a single college classmate or member of the Senate. No one would endorse him. His college roommate wouldn’t even vouch for him. That was the most telling information about his personal life.
When you’re actually looking to investigate someone effectively before hiring, you want to know if they are still friends with their former coworkers. Would they still talk to their former boss?
Recently, we hired a VP of Sales who had been working in sales in DC for over twenty years. DC is a small town in a lot of ways, so the fact that she was working in the same industry for so long said a lot right away. To add to this, we noticed the name of a couple bosses come up multiple times. In other words, when a founder would get bought out and start something new, he would bring her with him. Executives always bring their best people with them. We followed the trail and found that a crew of people also worked for her for multiple years. She had a crew of account managers, customer support folks, and sales folks that followed her around. Needless to say, we were sold, and we never had to call any references to know what she was like.
In contrast, I have met people who seemed great, talked a great game, and didn’t bring up any red flags, but they wouldn’t tell us the name of anyone they used to work for or with. They wouldn’t even tell us names of close friends. We knew that they were either trying to hide something or had never formed any long-term connections. Either option was revealing in its own way.
Knocking on Doors
One of the best ways to protect your business and effectively screen at this stage is to find the potential employee’s former coworkers via LinkedIn. LinkedIn basically provides a work chart of a company. Yes, you could literally go out and knock on people’s doors, but why not channel that effort to research online and find those friends, neighbors, co-workers, and former peers. Whereas executives might be limited in what they can say, these individuals are not, so you can oftentimes follow the trail a lot more thoroughly online. By doing this, you can begin getting answers to important questions: Does this person engage with others? Do they have normal friends on Facebook? Are they Facebook friends with any former peers?
What makes us unique as a company is that we provide both physical surveillance and some of the best online investigation out there. Each investigator is different and has a different specialty. When we screen for clients, we might have one PI follow the person in the real world. However, the kinds of connections the second PI can make, without ever leaving his or her computer, might surprise you.
In one case, we were able to follow the trail online to build a case for one of our clients that is a large player in the legal marijuana space. When growing marijuana was becoming legalized and dispensaries were popping up all over the place, our client had to participate in a type of auction process for a license. Only a certain amount of licenses were given out, and things could get pretty convoluted as government agents could give licenses to their brother-in-law or someone they knew personally. Two small companies were chosen over our client, and our client thought something smelled fishy. They hired us to find out if there were any relationships between the government and these companies.
Our PIs followed the trail, and sure enough a government agent was dating a woman connected to one of the companies that got the license. He was a married man, but we found fairly explicit chat messages between the two of them that pointed clearly to an affair.
If you’re a traditional detective investigating a murder, you follow the clues. We do the same thing; we just have a lot more available to us online.
Getting to a Good Hire
I [Danny Boice] have participated in the screening process from every single angle. Now, I’m the one enforcing the screening. Before this, I was a tech entrepreneur—a maverick-type entrepreneur. At one point, I was recruited to an executive position at a very large company that was part of Traditional Corporate America. It was a terrible fit, and I stuck out like a sore thumb. The company moved slowly, like most big companies do, and I wanted to move fast and break things. We butted heads, and I’m not friends with any of the people who worked there. I have to own the fact that if I was to ever apply at another large, established company, I would likely fail the reference check test. And honestly, I should fail that test because I should not be working at a big company. I would hate it again, the company would think I was an asshole, and things would end badly. Failing the test would end up being a good thing for everyone involved. This is why good screening is important. One way or another, it should reveal the truth about whether a person is a good hire.
When it comes to reference checks, go ahead and do them if you want. You have to measure how much real information you can glean from these calls. At the least, they might provide you with some peace of mind. In some cases, you might want a record that you have checked references for compliance purposes. By simply doing the regular reference check, you can also sometimes weed people out. We once found out someone had given us a fake name. Another time, the person was pretending to be the reference. We have literally stood next to PIs while we do the phone call to know we’re talking to the right person.
So yes, do reference checks if you think they will be helpful in some way. However, if you want to find fully truthful information, calling a reference is likely not going to provide that for you. In the same way, you will not likely find fully truthful information in resumes. We will review the resume problem in the next chapter.
A LinkedIn profile is the resume of this day and age. When someone has to generate a paper resume, they likely just copy and paste from their LinkedIn profile. The two have basically become synonymous. Because LinkedIn is a form of social media, the same principles that we’ve explored throughout this book so far apply to resumes as well. We are seeing the same phenomenon of people lying more and more in order to get the job. Left and right, people are stretching reality and making themselves look better than they are.
For people in the market for jobs, the keeping up with the Joneses factor is multiplied because now you’re not just keeping up with the neighbors; you’re trying to keep up with hundreds or thousands of quasi-connections. If people like you are getting the job because they have puffed up profiles, eventually you’re going to consider going down the same path. You’re going to see someone post an online certificate as his or her college experience and think, I should do that too.
Of course, LinkedIn can be a great way to point to websites or projects that actually show your work or experience. More commonly, however, people say they have experience without any proof. This is the most common form of puffery because it’s the easiest. Sometimes, it is even difficult to know the degree to which someone was involved in a project. If you look at five LinkedIn profiles of people who participated in the same project, they will likely each say they were the rock star. They were the one that got the project across the finish line. They were the hero. People cite that kind of involvement all the time, and how would you ever know if they were or were not the hero unless you can verify the information?
White Noise and White Lies
Today, even the education section on a resume is not straightforward. How to cite this information has become a controversial subject because there are now more channels of education than there have ever been. MIT has open sourced many of their classes, and the Department of Education is starting to grant college credit for these courses. Even Harvard has continuing ed programs for working professionals. You don’t necessarily have to move to Cambridge to take classes.
I [Danny Boice] took classes at Harvard through Blackboard online, and I went somewhere local to have my exams proctored. I have sometimes wondered if saying I got a degree from Harvard is crossing the line or puffing things up too much. Even though I wrote checks to Harvard and received a transcript, some people would still say it is misleading to state that I got a degree from Harvard. I chose to explicitly state on my resume and LinkedIn profile that part of my education was through the Harvard Division of Community Education (DCE). In this way, I have done what I can to mitigate any potential of someone saying I have been misleading. I received a lot of slack in the past when I did not spell it out this clearly. Really, how you write your work or education experience is a judgment call, but too many people err on the side of puffing things up instead of being really clear.
In general, there’s a lot more white noise around resumes now. There’s a lot more controversy. They are not as cut and dry as they once were. Back in the day, it was extremely easy to validate if someone went to Princeton. Now, there are fifty different ways a person could have “gone to Princeton.” Oftentimes, it requires investigation just to figure out the full truth. Of course, you can always question a prospective employee further if needed. Once you have a bit of information, you can follow up in an interview about exact experience.
When you begin investigating information on resumes, keep in mind that people are not always intentionally lying. When I started Trustify, I wanted to make sure my LinkedIn profile was as accurate as possible. Because I had a difficult time remembering specific dates I worked at different position, I just put the years instead of months to be safe.
As an employer, you don’t want to be nit-picky about these kinds of white lies. You want to look, instead, for the egregious information. If the years are way off, it’s very easy to spot the inconsistency.
Bad Dating Is a Start
I often equate the typical approach to the front-end of the employee lifecycle—screening, references, resumes—as bad dating. It’s as if you only have two dates to figure out if you’re going to get married or not. Of course, this is a flawed way to approach a potential marriage partner or a potential candidate for a position. How are you going to know if someone is a good fit in two dates? You cannot spend thirty minutes on a phone and an hour in person and make your decision. Sure, it will be difficult to know exactly what it will be like to work in the trenches with someone until you bring them on board, but we believe you should try to get as close as possible to that level of insight before bringing them onboard.
Resumes, especially, feel like bad dating. Many small business leaders think they just don’t have time to go through hundreds of resumes. Remember, though, that the screening process can make or break the entire working relationship, and resumes are an important initial step, even if just as an entry point.
Technology has made applying for jobs much easier. A candidate once had to print out their resume and personally hand it in. Now, employers are inundated with hundreds, if not thousands, of applications for a single position. Being able to filter these by looking for spam can be helpful, but you have to be careful to not filter too extensively. You might end up filtering out a great candidate just because of a keyword he or she used. We have a human at least scan each application because we understand that subjectivity is part of the hiring process.
Good recruiters can help you get more efficient. They will be able to quickly scan and identify good fits based on the data they understand about the role. Our recruiters understand what to look for in a PI, for example. Most PIs are incredibly experienced and have done levels of work far beyond what we often require. Many of them were former contractors for the FBI, and some have dealt with cyber child pedophile cases. A recruiter can quickly scan to see when someone is presenting as a professional. They will pass them through the initial scan, after which we move into deeper investigation.
Working with millennials and with clients who run dating apps, I have realized that a good analogy for screening resumes is the way people screen on Tinder. A really experienced Tinder user immediately recognizes when somebody is puffing up his or her profile. There are certain indicators they look for—such as only pictures from the shoulders up. Once you know how to spot deception at a high level once, you can do it again.
To go a bit deeper than an initial scan, you might want to do something as simple as verify alumni status. Many colleges now have alumni directories. Just be sure you have permission to do this as an employer. Simple scans are just a start. You still need to verify. To do this effectively, review the Chapter 3 on deeper screening methods we use.
Investing in verification during the screening process is crucial. If you get this step wrong, in many ways you have already lost. That said, every business makes a bad hire at some point. And even good hires can turn out to be a threat to your business. Therefore, we will now turn to issues that might occur throughout the rest of the employee lifecycle.
Broadly speaking, theft includes any time a person takes something that is not his or hers. In this chapter, we will look specifically at loss and loss prevention. In most industries, loss has come to mean physical goods being taken by a person. It might look like someone walking in and shoplifting. It might mean that an employee is taking a bag of bread for himself or herself every time bread delivery comes in. In either case, the person is tangibly taking a physical good.
When you look at big box retails stats, loss is a top concern when it comes to profit and loss. Stores have budgets for loss; it’s that significant. Loss accounts for percentage points off of a store’s overall revenue each year.
Mindset of Theft
When someone steals, an Icarus effect is present. A person starts small and then flies too close to the sun and gets burned. It is analogous to how substance abuse works. You start stealing something small and become numb to it. It almost becomes a habit. Then, seemingly out of nowhere, you multiply what you’re willing to take. Just look at Bernie Madoff or other famous burglars of the past, and it’s easy to spot this pattern. They started small and eventually got out of control until they got caught.
The human need for equality really shines when we begin talking about theft. Humans will justify theft very easily when they feel they deserve more. The problem grows even worse when a person doesn’t have to see another human in order to steal. It’s one thing to rob someone at gunpoint; it’s a whole other thing to steal something physical from some board member that you’ve never seen. An employee might be prone to say, “Who cares? She’s a billionaire anyway.”
Some clients are open to our advice as business owners. When they are, we talk a lot about how to proactively prevent stealing from happening in the first place by keeping employees happy. Through our own macro-level observations, we’ve noticed certain patterns emerge that have been obvious. For example, when a person is disgruntled or on their way to becoming disgruntled, he or she is much more likely to steal something at some point.
Of course, you cannot prevent all theft; you will always have someone on staff that feels he or she is being treated unfairly. However, we have seen over and over again that when the boss is just an asshole or the leaders are doing nothing to ensure employees are heard, the company is very vulnerable to theft.
About 30 percent of the time, employees work together to steal. The other 70 percent of the time, employees work as lone wolves. Lone wolves benefit from having less people who can tell on them.
Often, employees work individually but are actually stealing the same thing. That was the case when we worked with a bakery that had two employees stealing bread whenever there was a new delivery. We had a young PI go undercover and integrate himself into the staff. No one except the owner knew he was there undercover. He had to apply, get the job, get trained, and show up to work every day. It took time, but eventually he got to know his fellow employees enough that they would share what was going on, or he was simply be able to see what was happening.
The owner was, of course, depending on his bakeries for his livelihood. Someone stealing from him was putting that at risk. If you’re a bakery selling bread, and you’re having bread stolen from you, it’s basically like you’re losing cash on a regular basis. The loss was substantial enough that he was starting to recognize it in his financials. By tracking what came in to the store and what went out at the register, he recognized a delta. That’s when he wondered how he could prove what was actually going on. It’s the same situation when you have a bartender who gives all his buddy’s free drinks. The guy will try to cover it up by tracking it on a spill sheet, but eventually the delta will be too large.
If you look at theft from a bigger picture perspective, you quickly notice how creative employees are when they are effective in stealing. If they could just put that energy and creativity into positive efforts for the company, they could likely make more money in a legal way. It’s interesting to watch that dynamic play out—to see someone get caught after they have spent so much energy scheming, when they would have been better off just doing their job. The result doesn’t typically net out as a positive for thieves.
No Magic Remedy
The problem with theft is that there is no magic remedy even if you do catch the culprit. Anyone who has been through a lawsuit understands that. Sure, you can gain peace of mind through prosecuting the person. You can stop the problem from continuing (for now). However, you’re not going to get your money back. You might be able to get a lien on the person you will likely send to jail, but good luck actually collecting the money. Your best hope is to simply stop the problem from continuing. In the case of the bakery owner, he knew that would be the best solution.
The positive side of things being stolen physically is that they can actually be tracked. You’re not dealing with services in this case; you’re not dealing with a handyman lying about the hours in which he was doing work on the house. Bigger problems exist when tracking is more difficult, as is the case with employee expense reports or time cards and overtime. A lot of people know Photoshop these days and can edit fake receipt templates they get online. We saw a construction company almost go out of business all because employees were committing overtime abuse on a massive scale.
In cases that are not physical, we have to dive deeper into investigative work. We have to compare logs and time clocked or get more data. When the issue is physical, we can set up security cameras in key places or set a PI within the organization.
Even when tracking is more difficult, there are still methods for prevention. If you put a camera near the time card system, for example, it’s likely that employees will not try to cheat the system again. This works in a similar way as having a dummy cop on the highway so people stop speeding. However, if you want to catch someone red handed, you’ll need PI surveillance. It all depends on your goals.
Here, we have briefly considered cases in which employees steal from a company under the radar. In other cases, employees falsely accuse an employer in the open in order to sue. We will review those scenarios in the next two chapters.
In this chapter, we’ll focus on false claims for injuries incurred on the job, though insurance fraud can encompass more than that. It is one of the most prevalent types of theft, and trillions of dollars are lost each year in the United States because of it. The stats are staggering.
In companies where manual labor is being performed, Workman’s comp becomes a huge issue. You start seeing employees “slip and fall” quite often. They fall in the factory or hurt their neck somewhere. Even in offices in which people are sitting, carpal tunnel syndrome is a big issue. More employees are making claims, and they have to get paid for them. One of the reasons you see big yellow signs that say “Wet Floor” after the floors are mopped is because companies know that some employees would want to take advantage of the situation if those signs were not present.
The result of insurance fraud can range quite a bit—from an employee needing to be paid for time off for a supposed injury to being sued for some kind of liability because an employee hurt their neck on the job, in a situation that could have been preventable.
Some employees don’t see their deception as screwing the company over. They think, “Oh, my company has insurance, so they won’t be affected.” It’s very easy to think in that way. The problem is that most companies will end up paying a lot out of pocket.
We are regularly observing businesses that think it is easier to settle rather that deal with the hassle of trying to fight back. Oftentimes, insurance companies are the ones advocating for settling. It takes a lot more money, time, and effort to actually stand your ground and go through the whole legal process.
Even if you have Workman’s comp insurance and general liability insurance, there is still usually a big retainer. It’s not like auto insurance, in which case you only have to pay a couple hundred dollars out of your pocket to get something fixed. In some cases, you have to pay $30,000 as a business before insurance even kicks in. It can be very costly to fight.
Employees also expect a company to settle. This goes back to the perception of trust and security we reviewed at the beginning of the book. Even if a company believes they are right and wants to go through the whole court system, they will have a hard time proving anything. A lot of companies end up settling over and over and get known for settling. That, in turn, sets them up for more claims from employees.
Our philosophy is that you should not settle. You might save money in the short-term if you do, but not in the long-term. Furthermore, there are ways that you can win now if you know you are right. When you have a way to verify, everything can change.
We worked on a case in which a guy had faked a neck injury and was almost expecting a settlement. We were hired by the defense and watched him. Funny enough, he was going out to dance clubs three or four nights a week and dancing. We were able to show that he was doing all kinds of physical activity a person could never do if they actually had the neck injury they claimed. He was probably counting the money before it came in and having tons of fun, until he got caught. And that was not a one-off case. We have that kind of situation happen all the time.
Insurance Policies Explained
When even one of these fraudulent situations arises, it can be very costly to your business. Your insurance rates will go up, and there’s a compounding effect. Anywhere there is insurance being provided through your business—whether medical or corporate automotive plans or homeowner’s insurance—you open yourself up to being defrauded. Again, billions are being lost to insurance fraud every year. Insurance becomes a betting game; you’re basically hedging your bets. Because insurance is not a physical good, it lends itself to being taken advantage of.
The problem with this type of insurance is the co-pay. It is almost always way more than a company expects it will be. Oftentimes, you will not even get the benefit of the insurance, but you still have to have it for employees. In the end, it’s really just protecting you from some catastrophic event in which you are sued for millions of dollars. It’s understandable why many businesses want to pay the $30,000 co-pay versus $50,000 or more for just two to three months of lawyer fees and fighting in court.
Once you get into court, it then takes a lot of time for things to play out. It’s similar to how divorce cases often take years to play out, especially if you have kids. With a lawsuit, the process before even getting to court is where you spend most of your money. It involves the discovery process, deposition, and preparation.
Insurance companies are also at risk when it comes to business insurance. We have worked with insurance companies who have had to figure out when businesses are the ones trying to defraud them. For example, small stores cannot get insurance for a lack of sales or for not being able to pay their debt, but they can get it for a fire. So we have seen cases in which there is a “random fire” in a store so the owner can try to protect himself against a bad investment. It’s the equivalent of having full gap insurance on a car and lighting it on fire or leaving it in a bad part of DC with the keys visible. Insurance is used by businesses to get money for things that have very little value.
By no means do we recommend that you become jaded and assume every employee is out to steal from you via insurance fraud. That mentality is doing a disservice to everyone, including yourself. However, we do recommend trusting and also verifying. You want to trust people, but you also want to protect your backside. If you suspect something is off, we’ve made the process for verifying very inexpensive. It starts with your gut feeling. If you feel something is amiss, it’s worth it to at least verify that you’re wrong. There’s no reason not to.
Do not make the mistake of assuming that you can win a lawsuit because you have done a lot of safety training with your employees. These days, a person can sue for almost anything. However, if you can verify information about a person, you can save a lot of money and win the case.
Again, start by knowing your staff. If you feel something or someone is amiss, you are probably right. That doesn’t mean you assume everyone is out to rip you off. Trust your gut, and verify based on that. This is the same proactive approach you will need when it comes to sexual harassment claims, which we will discuss in the next chapter.
Harassment claims can come in many forms. We are most familiar with sexual harassment, but we have seen fraud when it comes to unemployment or wrongful termination claims as well. It can really be anything under the sun when somebody is let go from a job. Rules can differ by state, but in general we’ve seen an increase in employees getting pissed off when they get fired and slapping a lawsuit on their former employers. Oftentimes, these include a claim to some form of harassment.
In some ways, harassment claims are even stickier than insurance fraud because you never want to assume someone is lying about harassment. If someone has been harassed, they have gone through a really difficult situation. When you say that you think they haven’t, you might end up looking very insensitive.
We have seen cases in which an employee was indeed sexually harassed in the workplace and had a valid complaint. The problem was that the business owner assumed their HR department would take care of it. Just as businesses assume Workman’s Comp claims will be handled by insurance, they place the responsibility here on HR. They think they don’t need to train staff about sexual harassment, that it’s part of the on-boarding process—“just an HR thing.” But at the end of the day, you’re the one paying. Rarely is someone going to sue on a personal level. They will much more likely sue their employer.
All about Culture
A lot of news has recently come out about a sexual harassment situation at Uber. A female engineer from the company wrote a blog post explaining how she was subject to a kind of systematic sexual harassment within the company. Likely, the company was growing very quickly and wasn’t thinking enough about culture. The leaders of the business weren’t thinking about sensitivity training and likely hired a bunch of white males, which in turn created a certain culture.
Until this event happened, Uber probably didn’t see getting sued on their horizon. They probably thought, “We have an HR department for a reason.” Sure enough, they ended up in the news, and now there are probably lawsuits going on. At the least, it made their brand look terrible.
Any company will experience a major fall out from a situation like that, and a lot of times the problem is due to a lack of focus on culture. The company isn’t valuing the threat and therefore isn’t valuing the importance of creating a sensitive, kind workplace. Things can escalate very quickly.
In the political climate right now, we are also seeing political differences between staff. People just can’t keep their mouths shut in the workplace. We’re actually seeing this problem play out firsthand with our kids’ school, the National Cathedral Elementary School in DC, a kind of landmark that is supposed to be associated with equality. If you walk through the cathedral, it says “the house of prayer for all people.” It’s non-denomination. They have Muslim, Jewish, and Christian services, and it’s always been known for this.
The head of the school took the school down a more progressive route, and we have a lead pastor who is gay. Everyone has loved them both. A lot of the families are coming from different walks of life. A lot of gay parents choose to have their kids here because it’s progressive. The scholarship fund has also grown, and now we have more kids coming who are not from privileged backgrounds. We’re very proud of that. This progressive group has always been the kind of silent majority of the school.
However, there have been a couple old, Waspy board members who are no longer the majority and don’t like the way things are going. They want to “go back.” It’s almost like a mini form of our recent election nationally. They want to go back to white conservatism, and they fired the head of the school without any notice.
An announcement went out the week the kids were going to graduate. She wasn’t fired for a good cause; she did nothing wrong. We suspect the reverend (who is gay) will be next. It’s like a coup took place, and it’s clearly politically motivated. Some of the board members come from a previous time when the school was known to be more conservative. So the head of the school would have really good reason to file a claim. She had clearly worn her political view on her sleeve. There was a whole kerfuffle not long ago about her Facebook profile being open to the public. She and the reverend are friends with all the parents, which any school should think is great. But she had to make her profile private because some people were complaining whenever she would post anything that alluded to her political leaning.
Needless to say, there is a lot of tension around political views, even in the workplace. This is why company culture is so important to consider upfront. Whether you like it or not, your staff members will attract others like them. That’s why we spend so much time and energy on making sure we have a diverse staff. If you start with two white males, anyone who comes to interview is going to see two white males. Generally, people want to work with people like them, whether it’s a conscious or unconscious desire. In most companies, there is a clear divide that has already taken place and makes a few that are different the outsiders.
While transparency has gone way up in our culture at large, transparency is slower in the workplace. That said, whether the divide is due to race, politics, or religion, the divide has obviously always been there. Now we’re just able to see it before our eyes and can’t deny how widespread it is. I believe police shootings have probably always happened. I doubt the number has gone up. Only now people walk around with a camera in their pocket. Little by little, we are also seeing some of the cultural issues in businesses come to the surface.
So have you been deliberate about the type of workplace that you’re creating? Have you worked to make it friendly and accessible to people that don’t all look the same. It’s very difficult to do this in hindsight rather than start this way. It’s hard to go back and retro fit once you’re company culture is likely already set, but better late than never.
There’s a saying that I really like: “A players want to hire other A players, but B players want to hire C players so they will be able to look good around people who are worse than them.” Like attracts like, but in some cases a poor culture can attract an even worse culture. If you have a very friendly, diverse staff representing many ethnicities and beliefs, you will attract others who understand the importance of doing right by others. There’s a magnetism that will exponentially grow one way or another.
Further Protecting Your Business
Beyond this foundational starting place of creating the right culture, there are tactical steps you need to take to prevent harassment claims from happening in the first place. It’s time that companies got serious about revisiting their workplace rules and regulations around sexual harassment or any kind of harassment. Hopefully, your company has these regulations in place.
We put everyone we hire through a sexual harassment training as part of their onboarding. In our case, we consider this extremely important since our employees are talking to customers who are possibly being abused, in some type of domestic violence situation, or even in human trafficking situations. We also deal with adoption and birth parent reunification cases. In each case, our employees must be aware of a massive amount of sensitivities. For example, they need to know that they should never say the phrase “given up for adoption” to someone who is adopted. That would be extremely offensive, for good reason. Instead, they should learn to say, “placed for adoption.” Of course, most people would not think about something like this because “given up for adoption” is part of our vernacular. In the same way, your company has to consider the particular sensitivities with which you are dealing.
Part of our training for employees explains “people first” language. A lot of young news people have to learn this too. In this language, you do not say “disabled” or “handicapped,” but you say “there is a person with a disability.” I don’t like calling anyone a “former convict” or “former inmate.” It’s really a social justice issue for me. I believe we need to think about the person first and then their situation. For us, this translates as training employees not to say, “You’re an adoptee.” Yes, they were adopted at some point, but that should not be how they are identified as a person.
If you do a simple search for “people first training,” you’ll have immediate access to guidelines. This will also help you and your employees talk about culture. For us, being sure to prevent claims later down the road means building awareness upfront, even by inviting experts to give training. We have the head of the largest non-profit for domestic violence in DC come in and talk about how to know when someone is experiencing domestic abuse over the phone. We have an adoption expert come in and train on the proper use of language to describe adoption related matters. Some companies might see this as going above and beyond; we see it as a necessity for prevention.
We want all of our employees to be fully prepared and know what is expected of them. They need tools to do their job respectfully and in a way that aligns with our mission, values, and culture. After we give this training, then we go back to the understanding that every employee is an adult. We help them make their bed, but then they have to sleep in it. You have to figure out what this balance looks like for your company. What do you need to provide to employees, and where should you communicate their own level of ownership?
Despite all of our efforts to train and set the right culture from day one, we have had two employees make fraudulent claims against us in the past two years. One claimed a human rights violation against us and tried to keep taking us to court, but we have fought it every time because the claim is egregious. He claims he is mentally disabled and that we discriminated against him. Another was fired for cause. We caught her red handed, trying to steal customer files and case details. We literally took her computer mid Dropbox transfer. Even though we let her go politely, her mom is a lawyer and we got a complaint filed against us that says we fired her for protected union activity. Her mom claimed she was trying to organize the workforce, and that’s why we fired her. Thankfully, the National Labor Board took our side and thought the claim was ridiculous.
The point is that people, no matter what, will be angry. No matter how much you do upfront, some people are still going to be vindictive. And everyone’s got an uncle or a mother who’s a lawyer. These days, it’s too easy to file frivolous suits or complaints. You have to be ready to protect yourself.
One simple way to do that is to back up all of your emails, IMs, and other documents to maintain the record. These days, this is easier and cheaper to do than ever before. You could use something like Google apps, which is completely cloud based. You don’t have to actually go install your own servers anywhere or hire people to manage them. Pay ten bucks a month per employee, and get each of your employees set up with Google apps for business. If you want to be old school for some reason and run your own physical servers, you’ll need to create a robust backup plan. You’ll need to have backups off-site, and everything will need to be syndicated. You’d need to be a really big company and have a really compelling reason to go that far.
PI vs. HR
One thing you will want to consider is what an outside investigator can bring to the table that an HR person does not in the case of a harassment claim. For one, a PI is not going to have a bias. If you’re an HR person at a company, you’re inherently going to be at least a little biased. There will be at least a little persuasion present, even if everyone is trying to refrain from it. On the other hand, PIs have often been police detectives or had experience investigating fresh cases. They have to get ramped up quickly while remaining independent and objective.
A PI’s focus is on where he or she will look. They’ll have a sense for it because they are able to be objective and because they’ve done the work before. Perhaps they were a gumshoe detective on a police force, or perhaps they were a cyber contractor for the FBI busting child porn rings online. These are the best of the best—people who have been doing the work for a very long time. You just can’t beat that experience.
When you’re dealing with a sexual harassment case, it’s critical to have someone who can come in, look someone in the eye, and know if they’re lying. It’s critical to have someone who knows what rocks to flip over and knows the process to find the truth by getting answers out of people and following the trail. Unlike the HR person, the PI doesn’t have to work at your company after they’re done their work. They have no ulterior motives; they just want the truth. If you want to go about finding that truth in a way that’s believable, trustworthy, and admissible in court, there’s no better option than a PI.
HR people are not only going to be biased but are likely out of their depth in these cases. It’s highly unlikely an HR person has been a police detective before. Perhaps they got a degree in Communications, Organization Management, or Organizational Psychology. Their talents are going to have a very important place in the company, but not when it comes to investigative work. An HR person is focused on making employees happy, structuring the organization, benefits, and compliance. But their role should have some limitations. They should play to their strengths.
Take Quick Action
Keep in mind that when it comes to harassment claims, you need to get to the truth of the matter as soon as possible. Don’t let things drag on. From our own experiences and experiences with our clients, we know that when you go through a legal process it usually starts off with lawyers talking. Of course, lawyers are people, and they don’t want to take on losers. They only get paid if they win.
If you get your documentation together and are buttoned up early in the process with evidence, you won’t need to go to a full trial. The lawyer will take a look and realize things are pretty cut and dry. Lawyers have a lot of power in how they manage their clients, and most people don’t think about that. Most people just think of the movies like A Few Good Men with a big crescendo at the end. But if you’re getting to that moment of the lawsuit, it’s probably too late; you’ve already lost even if you won because you had to go through the whole process.
The best way to prevent needing to go through the long process is to be able to slap down a bunch of PI generated evidence or protected documentation you’ve done along the way to show the opposing counsel that they’ve taken on a loser. Make it very clear. You’ll end up saving yourself by doing this.
Know Your People First
Uber is notorious for relying on very cheap, traditional background checks. They do these $5 checks that don’t really work, just to cover their ass. They don’t ever expect to actually find anything. It appears they do the same thing with their employees. It turns out that their VP of engineering had been previously fired from Google for sexual harassment. They never knew anything about it. The problem was that he was the head of an entire department. Naturally, he would set a certain kind of culture within the company if that was his modus operandi.
Of course, Uber would have done a background check on this guy before hiring him, but that information wouldn’t have been in the check. He wasn’t charged with a crime, much less convicted. However, if you had had a PI check him out, that information would have surfaced very quickly.
The point is that even a company like Uber, worth $100 billion now, doesn’t properly vet and onboard their employees. This goes back to the truth, trust, and safety lifecycle for a business. The best way to avoid harassment is to bring on the right people, but you have to actually know who the people are.
Of course, most HR departments aren’t educated in these areas. The root problem is that HR departments think the initial background check is doing a lot more than it actually is. They think that checking criminal records is an effective way of vetting someone, and we don’t agree with that. We think there's a much better way to test someone to understand who they really are.
Build the Culture You Want
A lot of business owners have fuzzy answers around how to build culture, but this is so critical in order to prevent against harassment claims or anything negative at this point in the lifecycle. So how do you build it correctly from the start? Let me tell you how it worked for us.
We started with a company that had zero employees two years ago, and now we have fifty and are still hiring. I’m proud to say we have built a great culture, and it’s ten times more diverse than any other company in the investigative space and more diverse than companies in other fields too. When I reflect on how we built the culture, two things come to mind.
The first is that we accepted the reality that details matter. That’s why we just did a million dollar office build out for our new office space here in DC We had a lot of decisions to make. We could have done some really cool things, but instead of adding a game room with Foosball tables and beer pong, we made two nursing mothers' rooms because we have a bunch of women of childbearing age. That seemed like a very practical consideration for our employees. We also added a library for two reasons. One is that we like to read, and we encourage our employees to read. We also think it attracts the right kind of people. If you think that a library is cool when you walk in to tour the office for your interview, you might be a good fit for us. So that was very deliberate. When you walk in, our office looks more like a house than an office. We had it deliberately decorated with soft furniture and fuzzy carpet. We failed our first inspection for move in before our furniture was added because they thought it looked too much like a residence. Of course, that was very deliberate. Details matter.
The second thing I noticed about building culture is that like attracts like. If you’re a white male, you may not empathize as much with this concept because you don’t think about your gender or the color of your skin very often. When you walk into the interview room, you’ll likely feel comfortable and not even think about it. If you’re a woman or a minority and walk into an interview, you’ll notice right away if it's only a bunch of white males interviewing you.
From day one, as we started putting our team together, diversity was a really big focus. We wanted to make sure we were not only choosing white male candidates for jobs. It would have been really easy to get caught up in that because I’m a white male and know a bunch of people who look like me. To some extent, my network looks like me. I happen to have some diversity in my network, but not enough for the kind of diversity I want in the company. Especially in the early days, it’s easy to hire from your network.
Thankfully, we both founded the company, so we were 50/50 in terms of male/female. Then we made it a point to not only hire from our network. We tried to include others that were diverse even if they didn't work for us. We pulled in advisors to be involved in the interviews. We were super aware if we had only considered five white guys for an engineering job. We kept talking to people, at least to make sure we weren’t missing an opportunity.
We get the most press about the fact that we’re co-founded by a woman and are 70 percent female and 40 percent minority. As a big tech startup in the private investigator space, this is unheard of. It has made people take notice.
Of course, building a great culture means extra work for you. But remember that culture multiplies exponentially. If your first two employees are white males, then I bet your third and fourth employee are going to be white males. And it grows from there, very quickly. It’s the same with A players versus B players. Don’t hire B players, who will multiply in a negative way.
Most detective agency owners are white males because the industry has historically been very white male dominated. Clients too—law firm partners or insurance executives—tend to be white males. But we have found that the PIs actually doing the work are quite diverse. In Arlington, the police force is 30 to 50 percent women now. It’s also very ethnically diverse. Since we’re in DC, a lot of our PIs come from federal three letter agencies. Thankfully, our government employees are very diverse.
So for us, our staff and PIs are diverse. Some our best cyber investigators are women, and our best surveillance, feet on the street detectives tend to be male. Even in an industry like ours, it's not impossible to have diversity, and it's of great benefit to seek it.
Age discrimination is also something that can come up. Recently, we made a couple hires. One was in his late 50s. I didn’t think about it because he was by far the best candidate. But when we were sitting in meetings and I looked around, I wondered how he felt. I had been the oldest kid around for a while, and I'm thirty-seven. A lot of our customer support and sales people tend to be younger because of the nature of the pay and the job, but our last two or three executive hires were probably around the age of 50, and they're some of the best hires we've made. I was attracted to them because they walked into their first interview and said, "Oh, this looks different." I'm sure in their minds, they were probably thinking about being discriminated against when they found out how old I was. But when they saw us, they understood that we clearly don't discriminate against anyone.
I lived and breathed the reality of age discrimination in my work through the White House. I was working with Health and Human Services on fraud among elderly Americans. A lot of people view this group as easy targets, and they are getting defrauded in record numbers. Age discrimination and related claims can be major problems you avoid by building the right culture.
Trust to Verify
Trust to verify is a theme that runs throughout the book for a reason. If you trust your workforce, you start from a much better place. Then you can of course verify as needed, but the possibility of something like a harassment claim will be much lower.
If you hear a rumor or get a report, assume the best, but don't ignore it. Don't put your head in the sand. Document and be diligent. If you even sense there might be a problem, you’ll be prepared to verify. The worst-case scenario is that you document and investigate and come out the other side being proven wrong.
The problem is not to do too much but too little, to be haphazard about it. You need to take things seriously before things blow up. You don’t want to be playing catch up at the point that it's too late. That said, there are risks to consider even after an employee has left a company. We’ll consider these in the next two chapters.
Data breaches happen to everyone, and they happen to companies too. The type of data that is stolen all depends on the motive. If the motivation is to make money, then identifying information about lots of people is worth a lot of money on the black market or the dark web market.
Here’s how the dark web market works. A simple credit card transaction online, with information stored in an insecure way, can lead to a breach of your personal information. The website that stored the information may not even know anything happened, but the hacker has downloaded all of their customers’ credit card numbers. Now, somewhere on the dark web, they've posted all this information for sale. A lot of people all over the world buy the information and use the credit card until they can’t use it anymore. Once they can’t use one, they’ll go buy a new one. It’s all about quantity over quality. Some people will buy a list of them and churn through them all.
Knowing You’ve Been Breached
Some small businesses have a hard time knowing when they’ve been breached. That said, even a sophisticated enterprise like Target.com can fall prey to data breaches. They, too, have been hacked. The only difference is that in their case, they knew about the issue quickly because it is the job of hundreds of people to monitor their website for issues.
If you are a smaller e-commerce website, still hosting everything yourself, you have to be aware of these issues since you probably don’t have a team of people dedicated to data breaches. First of all, hosting should become a primary concern. It is not a good idea to use a $10 per month hosting account. You also need to understand how to safely secure information and monitor for abnormal activity.
There are a few x-factors when it comes to personally identifying information (PII). This refers to anything that could be useful in identity theft, like credit card information. PII is a treasure chest for hackers who are doing what they do for profit.
When a disgruntled employee steals data, it can be difficult to recover. They may have taken customer data, financial data, or other important data you didn’t want getting out. Rarely are data breaches at the hands of some ominous Russian or Chinese hacker. More often, employees steal the information in a very low-tech sort of way, saving it to their Dropbox or thumb drive. They may then dump it somewhere on the web, and all the sudden it starts showing up in Google searches. If your company is visible enough, the leaked information may get to the news, as was the case with Ashley Madison. If you’re a celebrity or someone who is well known in any way, it’s a guarantee that the information will be shared.
The reason you will have difficulty recovering is because a data breach goes beyond your customer information being stolen; it hurts your brand. There’s no insurance for that. There’s nothing you can do to simply bounce back. It’s not as if your customers can just go get new credit cards and all is forgiven—no harm, no foul. If you break your customers’ trust, especially if the information getting out there is very personal, you might go out of business. In the best-case scenario, you can slowly build back trust, but it will take a lot of time.
In some cases, employees do not simply want to take revenge; they actually know the information is valuable and want to sell it. Either way, it’s the same result for the company and the customers. It’s widely believed that the information dumped on the web from Ashley Madison was due to a disgruntled employee. We had thousand of cases come out of that single event. People’s messages were hacked. Their credit card information was hacked. Their transaction information was hacked. Their IP addresses were hacked. Every detail you can imagine was dumped on the web.
In that case, the information was mostly of married people having an affair. However, this data breach was also damaging to people who never even used the website. Because Ashley Madison never validated email addresses for accounts, people would sign up with other people’s email addresses. We saw emails for President Obama over a dozen times. We saw emails for Tony Blair. In some cases, the person using the site was pranking people they knew.
It’s easy to see how data breaches quickly become very messy business. It becomes hard to determine whose information is whose. You can usually go through all the transactions and IP addresses and messages and piece things together for a case, but sometimes this is difficult to do. In the case of Ashley Madison, this had major ramifications for people. Yes, it revealed plenty of people who were actually cheating and claiming they weren’t. Celebrities or quasi-celebrities were found out. The most notable example was Josh Duggar, an ultra- conservative Christian. He was married and super old school in his ideas of roles in the home. Meanwhile, he was having an affair on Ashley Madison. But some marriages almost fell apart when a spouse wasn’t actually using the site.
We were able to come in and help verify this in several cases. In one case, a man’s email address was used. When his wife checked to see if there was a match on him, there was. She didn’t know that it was very easy to get a false positive, so she kicked him out of the house and told him he couldn’t see their kids. He came to us when he was literally homeless, living out of his car in a bad part of town. We did a bunch of work pro bono for him because it was a really sad story. We could tell there was something going on. Sure enough, we found out he hadn’t used the site. The IP addresses that used his information were in Ukraine. His identity had clearly been stolen. We were able to go one step further for him and find other places on the dark web where his information had been posted for sale. We were able to create a whole case for him that saved his marriage. The last we heard, he was back in the house reconciling with his wife.
Protecting Your Data
You might be feeling that no matter what you do or how much money you spend on protecting your network, a ticked off employee could simply circumvent the system by being on the inside. However, you actually have more power than you might realize in protecting your data.
Most people have a false sense of security when they’re using the internet. Personally, I actually assume that anything I write—whether by text message, email, chat, or otherwise—is being backup up and replicated in multiple places throughout the internet. Of course, it’s great to know your information is being backed up if you’re fearful of losing it, but it’s not great if that means a hacker can access it. I just assume the worst, that everything could potentially be seen, and I act accordingly.
As an employer, you can use this false sense of security if you need to check on an employee. It’s funny how employees don’t really consider the information that can be shared online. I remember when one employee was saying too much on Slack. She was messaging coworkers about how she was abusing Ritalin or Adderall at work. She was writing, “I’m not doing any work today. I hope Danny and Jen don’t notice.” She didn’t ever stop to think that we might be backing that stuff up. Once we saw there were issues, we looked into it.
Another disgruntled employee had been taking screenshots of our internal messaging platforms. This employee was about to get her review, and we suspect she thought she might get fired. We caught her red-handed, downloading screenshots of customer information and investigatory cases to her personal Dropbox account. She was doing this on our work computer, and we seized it when her download was literally mid-transfer. It doesn't get more red-handed than that.
Valuing face-to-face communication can also help protect your data. We’re relying too much on chat and email for every single thing. Of course, there are many reasons to interact in person from a psychological and relational perspective, but it’s also important for security. Face-to-face communication is likely the safest way to communicate. Yes, you’ll need to do a little extra work of taking notes or bringing someone along to have a third party present if you’re worried about needing documentation, but the extra work is worth it.
Whenever new technology emerges, everybody wants to use it for everything. It becomes a tool that is used even when it’s the wrong tool. So today, everybody is using long form emails or text to communicate something that would be much better communicated over the phone or face-to-face. As we reflect on what we’re doing and the pendulum starts to swing back, we’ll admit that some things should not be done purely electronically. Sensitive communications, for example, should always be handled in person. In the worst-case scenario, they should be done over the phone.
Face-to-face conversation also allows you to spot particular identifiers that might reveal an employee is disgruntled. You can learn to be more aware or teach supervisors to be more aware of what employees are talking about. You can have “ears on the ground,” so to speak, so that you can quickly know when someone is unhappy. A good supervisor should be able to recognize when an employee is not performing as well as they have in the past or when the employee is having unnatural swings. Of course, you don’t want your supervisors to be paranoid, but it never hurts to be more aware of the status of each employee.
Some changes in employees are less obvious. Sometimes, you have to be more observant to be able to see when an employee is becoming unhappy about something outside of work or disgruntled about something inside of work. Interestingly, one of the most telling qualifiers for people who may be prone to dishonest activity is when their blind carbon copy (BCC) usage goes up in their emails. When somebody starts BCCing themselves or others, that’s an indicator that they are becoming unhappy and are going to leave or do something against the business.
If someone’s use of paid time off and vacation suddenly changes, that can also be a huge red flag. Oftentimes, that means they may be pursuing another job. Employee engagement studies have shown that when employees don’t feel they are getting what they deserve, they are less likely to do good work.
You might be surprised to know how few companies take time to monitor conversations and statuses of employees. For example, many companies today use Slack for internal messages, but they don’t know they need to turn on compliance reports to be able to have a record of what everybody has said. Things get more complicated with Google apps. You have to really know what you’re doing to be able to go in and pull people’s emails. It’s not as straightforward as you might think. In theory, you are legally allowed to do this, at least in most states. However, most companies aren’t pulling information in a way that is actually relevant. For example, if you don’t know that BCCing is an indicator, you would never know to pull that information.
It’s impossible to keep all of your employees happy all the time, but you can at least be prepared to protect yourself from losing data if one does become upset. A final simple way to do this is to put in place best practices for IT security. Understanding who has what access and to what level is a good starting point. Who has admin rights on what account? It's too easy for small companies, who outsource a lot of this stuff to the Cloud, to never check this. Every company, no matter the size, needs to go back through and audit who has admin rights and access to internal information of any kind. By doing this, you might suddenly realize that there are thirty admins for every account. They all have access to everything.
Changes Over Time
At some point, you end up just hearing rumors. Especially in a small company, people hear things. The business is like an echo chamber. In a larger company, the HR team and supervisors will need to be a bit more proactive in being aware of what is said and how employees are feeling. In either case, you have to sometimes simply trust your gut. If someone is taking really long lunches, why not ask what is going on? We have a joke that if someone shows up in a suit, something is off. Even though it is a joke, this simple change can be an indicator that something is going on. Sure, the employee may just happen to want to dress up or have come from their daughter’s dress rehearsal, but more likely they just had an interview somewhere else.
Sometimes, indicators are much more hidden. Has there been a divorce? Has the employee been struggling with alcohol? Do they suddenly have a large amount of debt? As mentioned before, when the government hires for jobs, these are the kinds of questions they ask. They might even look for things you are hiding about your sexuality—not because of your sexuality itself but because the hiding is an indicator of someone who is able to lie. They’re also looking at this information because they’re thinking about anything a foreign government could use against you as blackmail. It’s not about a moral opinion; it’s very pragmatic. If there’s something you’re hiding, even if it’s your love of green jellybeans, they’ll take notice.
In that stream of thought, you have to consider as a business how your employees are changing over time, after hire and into their time with you. Employees don’t just become disgruntled for no reason. Sometimes, it stems from a life change, like picking up a gambling habit. Sometimes, it stems from their feeling that they are being treated unfairly or not being paid enough. In either case, this employee is much more likely to steal data.
When a current employee does something dishonest, almost always something has changed in his or her life. In a lot of cases, you can work with employees. You can talk through what is bothering them. The key is to be in ongoing conversation with employees so you’re not caught off guard when they just lose it. In many cases we have, the issue started long before the employee actually stole information. The problem is systematic and related to a lack of communication within the culture that has been set.
Large Scale Investigations
We sometimes investigate on behalf of companies to help them know where data leaks came from or why. Our work is obviously different than that of a cyber firm. Cyber firms will go in as engineers. They’ll go through all the server logs and do a lot of work that is highly technical on your network. In terms of technical work, we go a couple levels deep, but we are not hardcore hackers. In some cases, you will need the cyber firm to come in and assist. However, in most cases, we can get to the root of the problem and identify specific issues with employees without that deep dive.
We have effectively helped many large companies when they have spotted stolen data showing up on the web. We have former police detectives who are great at conducting interviews, following the trail, and putting a case together. That's what they've done for their whole careers. Our work gives companies peace of mind to know the investigation is being performed fairly. This accomplishes many things, including reducing their liability.
In some cases, former employees are not just out to enact revenge. Instead, they want to use what they have gained at a company for their own benefit. We’ll consider that situation in the next chapter.
Recently, we’ve seen an uptick in employees using former employer's information and resources to compete with them or launch their own ventures. When I first got into the business world, lawyers repeatedly told me that there is no way to enforce non-solicit or non-compete agreements. To some degree, they were right, but now we are seeing more employers using RPIs to get evidence against former employees.
Recently, we worked with a large client that was dealing with an employee who had encouraged other employees to join him in order to compete with our client. We ended up doing surveillance on the employees when they showed up and all went into the same office together. We had PIs there taking pictures, which is pretty damning evidence. No longer does a company just have to throw their hands up and say there is nothing that can be done.
Because of how people now think of work, non-compete and non-solicit violations have increased. Most employees no longer think they will be with one company for a lifetime. Employees are almost always wondering what’s next, even if the thought is in the back of their minds.
So while it’s great to hire go-getters because they will naturally have a lot of great ideas and build great connections within the company, the downside is that they will also be the most likely to later compete with you or solicit other employees for their own ventures.
It’s also true that the world has flattened in terms of information. Even within the same company, information is being dispersed to possibly multiple offices in multiple countries. This opens up a wider possibility for abuse of information. It also creates a greater possibility that some employees will be snatched up by other competing ventures.
Think You’re Protected?
We work with many companies that thought they were protected because their employees signed the normal paperwork. That's kind of every story. The company feels they have covered all their bases. They have the forms. They have the handbook.
The problem is that this is faulty logic, and you will know that once you have been through a lawsuit situation. You might not think you are liable and that you would win in a lawsuit, but it’s not as easy as having an employee sign a piece of paper. Once an employee breaks a non-compete or non-solicit agreement, you have to pay for the whole legal process. We watch TV and hear about the person who got burnt by the McDonald's coffee and won a million dollars. We think if we have a simple case to make, we can win in court. But for the most part there’s very little upside to any lawsuit.
Once you get to the legal process, the damage is done, and your odds of remediation are very low. The trick is to go into offensive mode to begin with. The sooner you catch an employee, the better off you will be long-term. If you catch an employee a year in, after they have stolen all the info and taken several other employees with them, good luck. Even if you win the lawsuit, you still have to actually collect.
The bigger issue here is that many small businesses, who are basically existing paycheck to paycheck, can’t afford a case like this. They have to catch the problem early so they can use a cease and desist or simply send a letter to the person—enough to keep the issue from getting any worse.
Here is the key to remember: having an agreement in place is not enough; you have to actually enforce it. Even if you are right in a legal situation, it doesn’t mean you have a strong case; you have to have proof. Yes, have employees sign the non-compete and non-solicit agreements, as a scare tactic if nothing else, but don’t assume that’s enough.
The best place to engage a company like ours is early. If you even suspect an employee is thinking of competing or soliciting employees, you can benefit from keeping an eye on them. We can identify the truth and really nip the problem in the bud right away, before it festers into something more significant.
Competitor vs. New Company
In many cases, an employee is not necessarily going to a competitor but is starting something new. If you are an innovator in your field, you have to be especially aware of employees who would want to take company knowledge because they feel they can do the same thing in a better way as a competitor.
The effect of a new competing company depends partly on the level of the employee who decides to leave. If we hire a great VP of Sales or VP of Business Development, each of them will have intimate knowledge of the inner workings of our business. If they go start another Trustify or work for a competitor, the damage would be great. On the other hand, if a lower level employee wants to go do the same thing, it may not matter as much. That said, almost any employee is going to have a certain level of access to information that you don’t want them taking anywhere else.
Sometimes, employees who are still working for the company are funneling information to somebody who isn't. One good example has been all over the news: the mole in the White House that our president keeps talking about. We do get involved in different political matters, whether it's at a local, state, or federal level, and we have gained some insight into these situations. It's interesting to notice how much opposition research is happening and to observe the level of concern over information sharing.
In these cases, we look for relationships and who's connected. Who was together? When and where were they together? By focusing on relationships, you can get to the truth. You have to understand how to find multiple degrees of separation. Sometimes, we even find a smoking gun.
When we found out the connection in the medical marijuana case, we discovered a treasure trove of information that linked people together. And that was almost entirely through cyber investigation. In that case, the government official giving the license to their buddy probably had some skin in the game. In that sense, it was similar to how non-compete cases work. Someone was using and giving away information for their own benefit. They were sharing information with a friend for their own gain, and the action was corrupt.
As with every different way your business might be at risk, you have to understand how to protect yourself. The initial way to protect yourself is to have your upfront hiring process structured and streamlined. It doesn’t have to be sexy. It will probably be boring. But you have to have something in place that makes extremely clear what you expect from employees if they do choose to leave. It’s very easy and affordable to shape or outsource this upfront information for employees. This initial step will keep most employees from ever even considering competing or soliciting employees.
The second thing to do is to learn to be more aware. If you suspect an employee might be thinking of competing or soliciting, it’s time to have a conversation or send a letter. This doesn’t have to be done in a heavy-handed way, but you do need to be clear. If you believe the employee has already started something else, you don’t have to create a cease and desist. Just send a letter so that it is documented. The more quickly you do this, the less likely it is that the employee will go through with anything because he or she will know that you have positioned yourself well and have a better case to make in the case that you do have to go to court. Nine times out of ten, this simple letter will scare the employees who considered starting down this road.
Sometimes, you won’t know if a former employee is breaking one of these agreements. If you have a suspicion, physical surveillance can go a long way. The person is going somewhere to work, so where are they going? Where’s the office? This is pretty easy to check. A clear identifier that something is happening is when you notice other employees leaving to go with them. In this case, you just have to catch one of the employees to know what is happening. Protection becomes a bit more complicated with a virtual staff. How can you really know who did what? In these cases, we have to take the cyber sleuth route to connect the dots. We have done this with success in several cases. Again, you might be surprised about how much you can connect to individuals by tracking the trail online. You can get a pretty clear picture together pretty quickly.
Sometimes in an investigation, we find that the employer has been paranoid, and the former worker isn't doing anything wrong. Of course, that’s the best possible outcome for everyone involved. However, when there is smoke, there is often fire. People's gut instincts tend to be correct more often than not. When clients come to us, it’s because they have already been observing and sensing something is not right. Unfortunately, they are often correct.
Fair Credit Reporting Act
In cases of non-compete and non-solicit, there’s a lot of room for interpretation. FCRA applies in these cases as well. There are certain things you can and cannot do when it comes to employees' personal information, and so that limits you a little bit. This is another reason why you might want to use a professional instead of your HR person, who doesn’t know the laws about violating the FCRA compliance.
What we do in our company is simply make it very clear upfront that employees must sign an FCRA waiver, which states that we can dig further if we wish. If someone won’t sign the form, they can’t work with us because of the nature of the work we do. We are mainly considering how we need to protect our customers.
In cases that someone won’t waive FCRA, you can still check some information, but the information will be extremely limited. Some might argue that getting permission isn’t meaningful, but it can certainly become important when you need to take a deeper dive.
Legal Resources to Protect Your Company
There are a few kinds of investigative routes you can take for non-compete and non-solicit situations. Whether you hire us or some other investigator or not, here are some things to keep in mind.
First, you need to check early and often. What most employers do is assume that everything is fine, that they’ll be able to win some big lawsuit if need be. As we’ve discussed, that's just not the case. So you really need to nip the problem in the bud early. It's like catching your dog peeing on your carpet. You have to spot it early, or it isn’t actually helpful.
Being proactive, and even aggressive, is key in these cases. When someone leaves and you have any concerns at all, trust but also verify. If you believe someone is competing with internal information, you can hire a PI to follow. Surveillance can tell a lot right away. If you think someone is soliciting other employees, cyber work goes a long way. Does that former employee suddenly now have 30 new LinkedIn connections that are all from your company? These are the types of things a cyber investigator will think to look for that most of us would not. Sending out a cease and desist can also be money well spent. If you have information and send it early before the issue blows up, that will be your best use of an attorney.
Trust + Verify
Let’s return to the first question of the book: are you going to lose your business? Will all these problems we have discussed catch up to you?
On one hand, my answer is yes. If the potential problems we’ve discussed go unchecked and you do nothing to change after reading this book, the escalating frequency and impact of fraud, theft, and dishonesty very well may catch up to you.
The good news is that because of technology, innovations, and lessons learned by many businesses already, you have more options. It's more affordable, more accessible, safer, easier, and faster to trust and verify, even to engage professional help to ensure none of these things happen to you.
I don’t believe any business owner should fear losing his or her business. That said, if you put your head in the sand and assume you’ll be okay, as the world continues to become less safe and less trustworthy, you will continue to lose money, if not your business.
One final note to mention is that there is a huge amount of underreporting going on. Some businesses are too embarrassed to admit something went wrong. If that’s you, you have a bigger problem on your hands that you need to deal with on a personal level. Retail companies have been dealing with these issues for a long time; there is no shame around them. However, most businesses do still have shame around these issues. The problem is that not reporting can cause major problems for you and others. Yahoo! is a good example. They had a massive data breach, one of the biggest ever, but it went unreported for years. As with any other crime, there will always be some victims who are too embarrassed, too traumatized, or too scared to report. If that’s you, we hope this book has revealed to you why transparency and addressing issues head on is so imporant. You will never solve or minimize your losses unless you take a proactive step against these issues.
When you are proactive in protecting yourself and reporting issues to law enforcement when necessary, you might be stopping the same thing from happening to somebody else. A whole ecosystem exists among businesses because businesses are made of people. What you do, or do not do, will impact other businesses. Just look at the recent real estate bust. It produced a domino effect that got out of control.
Today, many businesses feel a greater threat around loss because of everything happening in the news. Cyber warfare seems to be increasing, and more and more low-tech copycats are getting back at their employers. Sometimes, it feels like an enormous crash is on the horizon. The final message I want to leave with you is that it doesn't do you any good to be paranoid. Yes, you need to be clear-eyed and realistic. You also need to realize that you have the power to manage your risk—starting today.