Defending against insider fraud
May 2016 | COVER STORY | FRAUD & CORRUPTION
Financier Worldwide Magazine
Companies are coming to terms with the threat of attack from malicious parties. In recent years, cyber crime and cyber terrorism have become facts of life for businesses of all sizes. As the battle with external forces has intensified, companies have spent trillions of dollars beefing up their security provisions.
In the modern business climate, companies face a cavalcade of malevolent forces that are willing and able to test every facet of an organisation’s defences. But one of the biggest threats organisations face is not external – it’s the threat from within. Technological proliferation has gathered pace over the course of the last decade, and as companies have become ever more diverse and complex, insiders have begun to seize upon myriad opportunities. In all likelihood there has been no real growth in the numbers of exploitative insiders in companies as the years have gone by; the only real difference between 2016 and any other point in history is that malicious actors now have more opportunities and better tools with which to perpetrate fraud.
According to Imperva’s recent ‘Hacker Intelligence Initiative Report’, 100 percent of the customer environments tested by the company experienced insider threat events. The company found that in the majority of cases the insiders involved abused the access to data they had legitimately been granted, rather than trying to hack databases and file shares directly.
Clearly, insider fraud is a real and substantial danger companies must overcome, a process which requires investing considerable financial and time resources. It costs companies, and the wider economy, trillions of dollars every year as employees commit theft and fraud against their employers, often without detection. For some analysts, insider fraud poses an even greater risk to companies than external attackers or some cyber crime incidents. “While the media and many organisations tend to focus on external threats, insider fraud is more insidious, difficult to prevent and often more damaging,” says James Ratley, president of the Association of Certified Fraud Examiners. “Insiders have an inherent advantage due to their direct access to systems and the ability to take advantage of trusting relationships. Employers are often reticent to acknowledge the possibility that a trusted employee has committed fraud. As for the most common types of insider fraud, our 2016 Report to the Nations on Occupational Fraud and Abuse shows that the most pervasive are asset misappropriation schemes related to the billing and accounts payable functions.”
A crucial issue in the fight against insider fraud is determining who exactly a company may be fighting as they attempt to mitigate the threat. Risks are posed to a company by a number of different actors. Malicious insiders, exploited insiders and careless insiders all pose challenges.
Primarily, insider threats are posed by current or former employees, and third parties such as contractors or business partners, who have authorised access to an organisation’s network, systems or data. It is important to note that the individuals posing the threat come from a diverse cross-section; they are not always disgruntled employees at the bottom of the food chain. Malicious activity can come from the front line, or it can come from an executive’s office. Furthermore, these individuals engage in a range of illegal activity. “Employees, officers and directors are accused of diverse illegality, ranging from petty theft, to intricate fraud, cyber crime and insider trading, for example,” says Andrew Matheson, a partner at McCarthy Tetrault. “The rise of technology and the increased complexity of companies have contributed to the key variable in fraud risk: opportunity.”
Accidents are another common threat. Insiders may be tricked or manipulated into causing harm to a company, or into allowing a third party to do so. Often the accidental insider believes they are operating in the best interests of their employer, but that is not always the case. Regardless of the intention, insider threats, be they malicious or otherwise, can be hugely damaging.
According to David Debenham, co-chair of the Fraud Law Group at McMillan, many insiders operating today are acting out disenchantment with their social or economic standing. “The typical insider is approaching middle age, has been with the same employer for over a decade, has frustrated career aspirations, believes they earn less than they deserve, and feels under-appreciated by the employer. These fraudsters begin to embezzle to maintain a lifestyle they believe they are entitled to in the face of peer pressure of an over-achieving social group, the additional costs of an affair or divorce, or some form of addictive behaviour,” he says.
Typically, malicious insiders use the access they are afforded by their employers to intentionally compromise the confidentiality, integrity or availability of an organisation’s data or systems. These malicious parties may steal intellectual property or commit fraud; they might conduct unauthorised trading or destroy valuable data. In reality, given the scope of access for individuals in the ‘right’ areas of a business, an insider may be able to commit untold damage to an organisation, often without detection.
Insiders also have a substantial advantage over external agents as they can more easily outwit internal security measures – both electronic and physical. Bearing in mind the threat level posed by insider fraud, how can companies prepare to defend themselves? Can insiders be stopped?
Fighting the good fight
Given how deeply entrenched insiders can be, fighting back can be a difficult and costly process, although by no means fruitless. The first step companies should take is to identify their most important and sensitive assets and determine who has access. This, in the first instance, should enable companies to develop a solid foundation for their insider threat programme.
Organisations must also ensure that education and training sessions are held for all employees, which helps them to understand their role in any potential breach. “All employees, from the mailroom to the boardroom, should receive fraud awareness training that provides a tangible connection to the repercussions of insider fraud,” says Mr Ratley. “Without effective training, employees are often simply unaware of potential threats, how they are carried out and how they can be mitigated. Training can also have a deterrent effect by letting employees know that the company is serious about stopping internal fraud. Companies should also ensure they have an effective reporting programme in place that includes a fraud hotline. According to our 2016 Report to the Nations, organisations with reporting hotlines are almost 20 percent more likely to detect fraud through tips than organisations without a hotline.”
Whistleblower programmes are increasingly popular with many organisations; however, they must go hand in hand with education schemes. If employees are expected to report incidents of malfeasance or suspicious activity, it is imperative that they are first given help to understand the types of behaviour they should be guarding against. “Whistleblower programmes have gained momentum in Canada, as a result of wider availability, greater profile and more legal protection,” says Mr Matheson. “Aside from formal whistleblower programmes, fostering an open work environment, in which employees are comfortable asking questions and raising concerns, can mitigate fraud risk, as well as have other salutary effects. A pattern of undue deference to a senior employee who wields excessive control over an aspect of the business, particularly in finance or bookkeeping, may be a red flag. A proactive measure that companies should consider is defining and confining their employees’ zone of privacy in the workplace, especially in respect of company issued technology. Reasonable surveillance is an essential part of a fraud defence strategy.” Whistleblowers should form just one part of a wider corporate culture which promotes accountability and curiosity among employees. Staff members should be comfortable enough to engage in a dialogue with higher management.
Some argue that employers have been directing their energies to the wrong areas, both in how they monitor employees and in their approach to technology. Rather than looking at technological development as a new way for employees to while away the hours they should be working, companies should embrace technology as a means to fight the corrosive effects of insider threats. But that only works when combined with other strategies for monitoring and managing employees. “Technology can be used to address pilfering and asset misappropriation involving GPS tracking of corporate assets, while internal controls, segregation of duties, job rotation, and random audits prevent embezzlement. At the end of the day, employees who perceive they are treated fairly through transparent and 360 degree performance evaluations don’t steal from their employer,” says Mr Debenham.
Legislative and regulatory responses to insider threats have been sporadic. In November 2015, the House of Representatives passed a bill aimed at establishing a programme to identify and mitigate insider threats from rogue employees. However, that bill appears to do little to protect whistleblowers. The lack of regulatory support for companies in the tussle against insider threats is, in many respects, a response to companies’ own insufficient mitigation techniques. “As one can imagine, the legislature is not that interested in protecting those who won’t protect themselves,” explains Mr Debenham. “In Canada, the main development of note is an amendment to the Criminal Code to provide, as of November 2011, that anyone convicted of a fraud over C$1m faces a mandatory minimum sentence of two years in prison. What this means is that there is no eligibility for a community-based sentence such as a conditional sentence of house arrest. Many insider frauds take place over many years and exceed this threshold.”
Law enforcement agencies are coming under increasing pressure to step up the speed and effectiveness of their response to all sorts of commercial crimes, including insider fraud. Accordingly, cross-border investigations into insider fraud have become more common. But the real fight should start at home. Companies need to do more and direct their efforts to the right areas.
Companies have been called upon to ‘support the honest majority’, and one of the most powerful and cost-effective means of doing this is by sharing fraud data between organisations. Organisations should also look to invest heavily in strong internal controls as well as thorough vetting checks. Companies are becoming accustomed to completing ‘know your client’ checks; they should also be prepared to carry out ‘know your employee’ checks.
The tech revolution of the last few decades should help organisations to identify and mitigate internal threats. But technology is not a panacea; it must be embraced and implemented as part of a wider culture of security. Via the creation of an overarching security culture, companies can begin to mitigate internal threats. Sustained security awareness programmes that embrace technological innovation are a must. Applications and processes such as database activity monitoring, whitelisting, network flow analysis, security information management and data loss prevention can all be valuable tools, though they are by no means the only weapons available.
As the march of technological progress continues, it is the responsibility of companies to roll with the punches and embrace new developments with vigour. “Technology will have a powerful impact on the identification of insider threats in the future,” says Mr Ratley. “While changes in personality, lifestyle and other factors might alert an organisation to a rogue employee, technology such as behavioural analytics software can identify far less noticeable behavioural changes that might indicate fraudulent activity. As an enhancement to existing data analytics programmes, behavioural analytics can be used to detect anomalous activity by comparing an employee’s baseline profile to his network activity. This type of technology can be difficult to implement and result in significant false positives, but it will become increasingly effective as it is refined over time.”
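As an added illustration of the baseline-comparison approach Mr Ratley describes (example code written for this page, not software from the ACFE or any vendor), the following Python builds each employee’s weekly activity profile from constructed sample events, scores the week under review against it, and, to keep the false-positive rate down, raises an alert only when at least two independent signals corroborate each other. All employee names, resources and thresholds are hypothetical.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

BASELINE_WEEKS = (1, 2, 3, 4)   # weeks used to build each employee's profile
CHECK_WEEK = 5                  # week being compared against the baseline
Z_THRESHOLD = 3.0               # how far above normal volume counts as a signal
MIN_SIGNALS = 2                 # corroboration required before an alert is raised
STD_FLOOR = 1.0                 # stops a near-constant baseline from flagging +1 event

def _series(user, action, resource, per_week):
    """Expand {week: count} into one (week, user, action, resource) tuple per event."""
    return [(w, user, action, resource) for w, n in per_week.items() for _ in range(n)]

# Constructed sample events (hypothetical, not real data).
EVENTS = (
    _series("alice", "read", "payables", {1: 18, 2: 22, 3: 20, 4: 20, 5: 24})  # a bit busy: benign
    + _series("bob", "read", "payables", {1: 10, 2: 9, 3: 11, 4: 10, 5: 60})   # six times his norm
    + _series("bob", "export", "vendor_master", {5: 3})                         # never done before
    + _series("carol", "read", "payables", {1: 10, 2: 9, 3: 11, 4: 10, 5: 30})  # one spike only
)

def weekly_counts(events):
    """counts[user][(action, resource)][week] -> number of events that week."""
    counts = defaultdict(lambda: defaultdict(Counter))
    for week, user, action, resource in events:
        counts[user][(action, resource)][week] += 1
    return counts

def signals(events):
    """Per user: (action, resource) keys whose check-week volume deviates from the
    baseline, paired with a z-score, or None when the activity is new for that user."""
    out = defaultdict(list)
    for user, keys in weekly_counts(events).items():
        for key, per_week in keys.items():
            history = [per_week.get(w, 0) for w in BASELINE_WEEKS]
            current = per_week.get(CHECK_WEEK, 0)
            if not any(history):
                out[user].append((key, None))      # activity never seen in the baseline
                continue
            z = (current - mean(history)) / max(pstdev(history), STD_FLOOR)
            if z > Z_THRESHOLD:
                out[user].append((key, round(z, 1)))
    return dict(out)

def alerts(events, min_signals=MIN_SIGNALS):
    """Users with enough corroborating signals to be worth an analyst's time."""
    return sorted(u for u, s in signals(events).items() if len(s) >= min_signals)
```

With these thresholds, only bob is alerted: his read volume is far above baseline and he performed an export never seen before, while carol’s single spike is recorded as a signal but not escalated, and alice’s slightly busy week produces nothing.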
It is worth noting, however, that technology itself can be risky. Accordingly, some companies may be hesitant about pressing it into service in the fight against insider threats. For Mr Matheson, however, the positives outweigh the negatives. “While technology brings risks, it also brings solutions,” he says. “Improved sophistication around technology and further dialogue around appropriate boundaries of privacy in the workplace will bring about greater fraud protection over time. Older techniques remain important too: employees should not be siloed and left with excessive control over vulnerable aspects of a business. It is better for fraud protection, as well as employee morale and productivity, for employees to work on teams and to change responsibilities as much as reasonably possible.”
To tackle insider threats, companies must be sure that they understand their first responsibilities are to protect the privacy of their employees and the integrity and confidentiality of their corporate data. The global economy is becoming increasingly predicated on the storage and leverage of intangible assets, so organisations must go to great lengths to protect their data and IP. The first step companies should take is identifying the ‘crown jewels’ that must be protected at all costs.
Furthermore, by creating an inclusive culture of security and compliance that takes into account all aspects of the firm’s leadership, companies will set themselves on the right path. But they must do more. Technology solutions that complement internal risk mitigation can be invaluable; biometrics such as fingerprint scanning should be explored and implemented if feasible. Companies should also ensure that concepts such as the ‘principle of least privilege’ are enforced across their entire workforce, so that employees and other users are given only the minimum data access they need to be effective in their roles. Multi-factor authentication processes should also be enabled. As the insider threat level rises, companies need to be more proactive.
© Financier Worldwide