In December 2023, a lady who runs a makeup business in Nairobi posted online about how her now-former employees had been stealing from her company. She said it was well-planned theft and the group had stolen millions of shillings in one year alone.
The employees would tell clients that the official mobile money number was not working, so they would direct the clients to pay by other means. This money, of course, did not reach the company but went to these employees.
She also said that one employee asked a prospective student to pay KShs. 62,000 for upcoming training and to prepare a further KShs. 15,000 for ‘graduation and gown.’ Official fees are KShs. 48,000 per student, not 62,000, and the business does not charge for graduation.
New employees were either intimidated into silence or joined in on the theft.
Some clients asked to see the business owner and were told that she does not see clients. Others were told she is booked until the following year.
At least one client asked for services at her home and the employee she spoke to took up the job and did it in her private capacity, with the payment going to the employee, not the business.
The business lady said she was posting so no employer would ever experience the same pain and loss she was undergoing. In the same spirit, let us consider some measures that could have been taken to reduce the risk of these incidents.
Information security is about taking measures and using systems to protect the assets of the company, including the reputation of the company and, of course, money. The measures below would have reduced the likelihood of this theft, or at least made it visible sooner.
Separation of Duties
One principle in information security is Separation of Duties. This is the practice of ensuring that a critical organisational process cannot be undertaken from start to finish by one person alone. This practice can be seen in some hospitals, for example. When paying cash, before consultation, payment must be made at the cashier. The doctor does not receive the money, but checks that payment has been made. Before any lab tests, payment must be made at the cashier. The lab staff do not receive cash, but check that payment has been made before performing the tests. Similarly, the pharmacist checks the prescription, checks the prices and directs the patient to pay at the cashier. Services and medicine are given only after payment has been made at a separate place.
It seems that the business in question did not have a dedicated cashier, and payment was made either using mobile money or, presumably, to the employee who was serving the client. It would be better to have a receptionist to receive clients (and also track how many clients come in), other employees to offer the actual service, and a cashier to receive payment. Having a cashier would also mean that a specific person – the cashier – would be held accountable for any missing payments, which would deter the cashier from blatantly stealing company money.
Digital Payment
The business rightly had a digital payment system, but the employees told clients that it was not working. Had there been a dedicated cashier, that cashier would have been held to account for payments made outside official channels. In other words, only the cashier would have had the opportunity to tell clients to pay outside the system.
Loyalty Points
Implementing a loyalty point system would encourage clients to pay through official channels so as to receive loyalty points, even for off-site services.
Website and Email
An employee quoted inflated fees to a prospective student, presumably intending to pocket the difference. Having a website would enable the business owner to publish official training fees for any prospective students to see for themselves.
As for the clients who were told that the business owner was unavailable, an official email address on the website (and elsewhere) and a contact form would allow clients to communicate directly with her to make appointments or provide feedback. If she wished to delegate the responsibility of handling these communications, she could still have incoming email automatically copied to her, just to be aware of what is being communicated.
Hotline
The business could prominently publish a telephone number through which customers could give compliments or make complaints, such as if they were told that the loyalty point system was not working.
Security Cameras
Good, old closed-circuit television (CCTV) would not only help deter employees from going against company procedures, but also provide evidence in case of disputes. In addition, footage could help in audit, for example, if the number of clients seen on the footage on a given day does not match the number of payments made at the cashier's.
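The audit described above, and the accountability that Separation of Duties gives the cashier, both come down to the same check: records kept by independent people (receptionist, service staff, cashier) should agree with each other and with the official price list. The following is an added example, not code from the original post or from the business in question. It assumes three constructed daily records and a constructed price list, and flags each discrepancy together with the employee involved so that a pattern of "payment problems" around one person stands out.

```python
"""Daily three-way reconciliation (added example, not from the original post).

Assumes three independently kept records for one day: the receptionist's
check-in list, the service staff's job log, and the cashier's payment ledger,
plus an official price list. Every record below is constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed official fees in KShs and the channels the business recognises.
OFFICIAL_PRICES = {"makeup": 3500, "training": 48000}
OFFICIAL_CHANNELS = {"mobile_money", "cashier"}


@dataclass(frozen=True)
class Service:
    client: str
    service: str
    employee: str


@dataclass(frozen=True)
class Payment:
    client: str
    amount: int
    channel: str  # e.g. "mobile_money", "cashier", "staff_personal"


# Constructed records for one day.
CHECKINS = ["c1", "c2", "c3", "c4"]
SERVICES = [
    Service("c1", "makeup", "ann"),
    Service("c2", "makeup", "ann"),
    Service("c3", "training", "ben"),
    Service("c4", "makeup", "ben"),
    Service("c5", "makeup", "ben"),  # served but never checked in at reception
]
PAYMENTS = [
    Payment("c1", 3500, "mobile_money"),
    Payment("c2", 3500, "staff_personal"),  # paid outside official channels
    Payment("c3", 62000, "cashier"),        # more than the official training fee
    # c4: no payment recorded at all
]


def reconcile(checkins, services, payments,
              prices=OFFICIAL_PRICES, channels=OFFICIAL_CHANNELS):
    """Return a list of (employee, message) findings for the day.

    The employee is None for findings that cannot be tied to one person,
    such as the overall headcount mismatch.
    """
    findings = []
    checked_in = set(checkins)
    paid = {p.client: p for p in payments}

    for s in services:
        # A service with no reception record means the receptionist's count
        # cannot be trusted as the independent headcount for that client.
        if s.client not in checked_in:
            findings.append((s.employee, f"{s.client}: served without reception check-in"))
        p = paid.get(s.client)
        if p is None:
            findings.append((s.employee, f"{s.client}: {s.service} has no payment recorded"))
            continue
        if p.channel not in channels:
            findings.append((s.employee, f"{s.client}: paid via unofficial channel '{p.channel}'"))
        expected = prices.get(s.service)
        if expected is None:
            findings.append((s.employee, f"{s.client}: no official price for '{s.service}'"))
        elif p.amount != expected:
            findings.append((s.employee,
                             f"{s.client}: charged {p.amount} for {s.service}, official fee is {expected}"))

    # The CCTV-style audit: the number of clients who came in should match
    # the number of payments the cashier recorded.
    if len(checkins) != len(payments):
        findings.append((None, f"headcount mismatch: {len(checkins)} check-ins vs {len(payments)} payments"))
    return findings


def findings_per_employee(findings):
    """Count discrepancies by employee so repeated problems around one person are visible."""
    return Counter(employee for employee, _ in findings)


if __name__ == "__main__":
    day = reconcile(CHECKINS, SERVICES, PAYMENTS)
    for employee, message in day:
        print(f"[{employee or 'unattributed'}] {message}")
    print(findings_per_employee(day))
```

Run daily, such a check does not stop a determined employee, but it turns "the mobile money number is not working" into a discrepancy that appears in the owner's report the same day rather than a year later.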
Training and Awareness
Regular training and awareness sessions or other interactive meetings would help remind employees, especially the new ones, of the official procedures. This could embolden some to resist the temptation to join in the theft and possibly even to report the events to the business owner, even if anonymously.
These and other measures, taken together, would significantly reduce the chances of such theft as was taking place at the business. It would perhaps still be possible to steal, but that would require a bit more effort on the part of the thieving employees and chances are the theft would be known sooner.