Ah, complacency. That quiet sense of security or satisfaction with the status quo that prevents a person from acknowledging the potential dangers or risks around them.
We become complacent about internal controls, believing our employees have always been trustworthy and therefore we can eliminate extra steps in the process. We slack off in our security training, thinking “surely our team knows not to click on an unfamiliar link.” Or, we fail to conduct a background check because the applicant is the nephew of one of our fellow executives.
In our recent blog, 4 Culprits of Complacency, we highlighted some of the underlying factors that lead to complacency. In this blog, we bring forth five stories that expose the negative fallout and damage that can occur when organizational complacency takes root.
1. The Law Firm with Weak Accounting Controls
A law firm specializing in intellectual property let complacency derail its internal controls. The firm has five offices throughout the United States, and the satellite offices normally forward their customer payments to the corporate office for processing. Recently, however, customers from at least one of the five locations notified the firm that their previously cashed payments were being duplicated, forged, and re-cashed, resulting in fraudulent withdrawals from the customers’ bank accounts. Fraudsters left some of the personalized information on each check, such as handwritten notes in the memo line, but replaced the recipient name, date, and check number with false information and deposited the check remotely through an ATM. Rather than keeping customer payments in a secure, locked location, the firm failed to follow its own internal controls, and that complacency led to this embarrassing and costly mistake.
2. The National Political Committee Duped by Social Engineering
It was the hack heard round the world, all perpetrated by a simple case of spear phishing made possible by complacency. Hackers sent an email to members of the committee that looked like it had been sent by Google and asked them to click a link to reset their passwords due to malicious activity on their accounts. Several members took the bait, and with the new credentials in hand, hackers stole (and later published) more than 150,000 emails from the Gmail accounts of committee members.
3. The Nursing Home That Failed to Check Employee Backgrounds
A Texas nursing home employee was caught on video physically assaulting an 83-year-old resident, who had advanced Alzheimer’s disease and could barely move, talk, or understand what was going on around her. The family sued the nursing home for $1 million for its negligent hiring of a 23-year-old employee who had previous arrests for fraud, marijuana possession, and criminal mischief on his record. Had the facility not succumbed to complacency, it would have required all workers to undergo a background check before being hired.
4. The Business Merger That Skipped Due Diligence
Two regional telco companies that had been in competition with one another decided to take the plunge and merge, with Company A doing the actual acquiring and Company B being the one acquired. The executives of both teams had been collegial over the years and knew each other’s respective businesses fairly well, so Company A opted to forgo a formal due diligence process. It was only four months into the new merger that Company A realized Company B had inflated the size of its client base and the average revenue per subscriber (ARPS) for each of those clients. Yes, Company B had 800 clients in its account records, but a full 200 of those clients had discontinued service at some point in the preceding timeframe, leaving only 600 active clients. The true value of revenue, then, wasn’t ARPS x 800 clients; it was ARPS x 600 clients, about $600,000 a year less in revenue than had been presented in the pre-merger discovery process. Once again, complacency reared its ugly head.
5. The Medical Diagnostic Company Lacking Sound Loss Prevention Strategies
We like to think that all of our employees are honest, but even with good internal controls in place, people find ways to cheat their employers. In this case, a manager set up a series of fake companies, invoices and expense reports to reimburse himself for more than $1.2 million in false expenses. His deception was ultimately uncovered through mismatched addresses used on his falsified documents. While loss prevention tactics can’t necessarily filter out every deceitful action, it’s far better to be proactive than remain complacent, as this company did.
Is complacency a risk factor in your organization?
Lowers and Associates works with a wide range of industries, including financial institutions, healthcare providers, casinos, couriers, and insurance companies, to protect their people, brands, and profits. We offer a full range of services, from cash-in-transit evaluations to venue security to IT risk assessments.
If you’re concerned your business is at risk of being complacent, let’s talk. We’d love to help.