Red Kite Housing has been the victim of a fraud that has cost the organisation almost £1m. Despite having invested in IT and developed policies and practices to reduce the risk, human factors intervened and led to a significant loss, as well as a downgrade in the Regulator's assessment of its governance.
Red Kite has been admirably open about what happened, and its Chair, Mike Gahagan, explained:
"[By mimicking the domain and email details of suppliers]... they managed to recreate an email thread that misled those who were copied into the email that it was a genuine follow-up to an existing conversation... Despite this, we still had an additional safety net in place, a two-stage process to verify changes to payments and accounts that ordinarily would have caught this attempt."
But human error led to a missed opportunity to stop the fraud.
This is a key lesson for all organisations: you cannot rest on your laurels, on your penetration testing or on having up-to-date policies. Staff training and eternal vigilance are needed to reduce the risk as far as possible. Equally important is not allowing a culture to develop in which good practice is seen as onerous and is circumvented whenever that seems convenient.
For charities with volunteers in positions of authority, this lesson is even more vital.
Even if you're an organisation that doesn't have an internal audit function, you should still seriously consider commissioning ad hoc reviews of your anti-fraud policies, your training and your practice.
“One key lesson is that no matter how good you believe your systems to be, the human dimension will always be a potential weakness.”