Within these walls: tackling insider crime
February 2023 | FEATURE | FRAUD & CORRUPTION
Financier Worldwide Magazine
February 2023 Issue
Insider crime is by no means a new problem, but financial institutions (FIs) worldwide still struggle to manage and control it. According to a report by the Ponemon Institute, between 2020 and 2022, incidents of insider crime increased 44 percent, with cost per incident up more than a third to $15.38m. IBM reports that companies in North America experienced the highest average annual cost of insider threats. Though it can be difficult to quantify, companies that fall victim to insider attacks can suffer direct costs, indirect costs and lost opportunity costs.
All organisations are at risk of insider breaches, but research indicates that the finance, manufacturing and healthcare sectors can be particularly susceptible. That said, the technology sector was the most threatened industry, with 38 percent of all intellectual property (IP) theft incidents targeting the sector, according to DTEX Systems.
Causes of insider crime
In recent years, a number of developments have caused insider malfeasance to rise. Changes in working practices, new communication channels, heightened market volatility and financial hardship have facilitated this growth. Recent years have seen a perfect storm of circumstances for fraudulent activity to thrive. The coronavirus (COVID-19) pandemic and Russia’s war in Ukraine have had a significant impact on the cost of living globally, which, in turn, has made individuals more likely to commit fraudulent acts.
Whatever the profile or motivation of a malicious actor, insider fraud is typically enabled by either a lack or failure of appropriate controls. Worryingly, the majority of businesses feel vulnerable to insider threats. Seventy-eight percent of individuals who responded to a Cybersecurity Insiders survey said they did not believe their company had very effective processes in place to manage IT privileges. Often, companies are not equipped to know where or when these attacks might originate. Sometimes it is not obvious when a user is carrying out their day-to-day tasks or acting maliciously. Too often, insider threats do not set off alarms or raise suspicion.
Careless employees are one of the biggest threats companies face. Insider threats can take many forms, and they may not always be malicious. Often, they can result from negligence, rather than malice. Negligent insider threats often take the form of inadvertent employee errors, such as falling for phishing scams or accidentally deleting files. Due to pure negligence, employees may not even know they are exposing sensitive information. Humans are of course prone to error and can be manipulated by social engineering such as phishing. According to Verizon, around 85 percent of breaches in 2020 had a human element, with nearly 19 percent of breaches involving “miscellaneous errors” and around 35 percent featuring social engineering in some form.
The rise of remote and hybrid working patterns, as well as the use of personal devices for work purposes, means that fewer employees now operate within the same security framework compared to when they were in the office. A Gartner survey of industry leaders across representative sectors revealed that 82 percent of companies plan to provide a remote work option at least “some of the time”.
A report from DTEX Systems notes that the transition to remote working has essentially required security teams to find ways to protect thousands of remote offices at once. Since remote and hybrid working is likely to remain a permanent fixture, rather than a reactionary trend, company leaders need to assess and respond to the security concerns created by flexible arrangements.
In addition, many companies utilise the cloud, so huge volumes of data leave their ecosystem, and security parameters, to reside with third-party providers. Enhancing a company’s defensive posture could make a significant difference. According to the Centre for the Protection of National Infrastructure, insider crime can cause financial damage from the loss of assets including IP and sensitive data, operational damage through physical or cyber sabotage, and reputational damage.
Cyber crime in all its forms is increasingly lucrative. The worldwide damage it causes is expected to grow by about 15 percent every year over the first half of the 2020s, reaching around $10.5 trillion by 2025, according to Cybercrime Magazine. In its 2019/2020 Global Fraud and Risk Report, Kroll notes that incidents caused by insider threats account for 66 percent of the total reported by organisations.
Potential perpetrators
Insider threat actors come in many guises, including current or former employees, contractors or business partners. Privileged users, such as administrators and C-level executives, are often cited as being the most dangerous. According to Cybersecurity Insiders, 63 percent of organisations think that privileged IT users pose the biggest insider security risk. In a Bitglass survey, 60 percent of companies said managers with access to sensitive information were the top insider threat actors, followed by contractors and consultants at 57 percent, and regular employees at 51 percent.
Internal actors may be granted legitimate access to a network that external attackers can only dream of. Such access can be exploited if appropriate measures are not taken to protect data. Companies should restrict user access to only the data required to carry out daily duties, segregate roles and responsibilities, and monitor for suspicious or unusual behaviour.
Individuals are often motivated by financial gain. Fraud (55 percent), monetary gain (49 percent) and IP theft (44 percent) are, according to Fortinet, the leading reasons behind insider attacks. According to DTEX Systems, theft of either data or IP was the most common motivation for committing insider crime, with data loss around twice as common as accidental or unauthorised disclosure. Sabotage was some way behind in third place.
Though financial gain is a key motivator, insider crime can also be driven by other factors, including perceived slights or ongoing workplace grievances related to inadequate pay, social justice activism, an organisation’s high growth and high margins, or an existing culture of fraud within the organisation.
Malicious insider threats include rogue and disgruntled employees or contractors who purposely leak an organisation’s confidential data for financial gain or misuse access to systems to inflict damage or disruption. Criminal insiders may work alone, collude with competitors or affiliate themselves with organised hacking groups.
One of the most notable insider threats in recent years involved an incident at Canadian e-commerce platform Shopify. In September 2020, two members of support staff abused their access rights to steal customer data, including names, addresses and order details, from almost 200 merchants that used the platform. The incident was followed by a 1.3 percent drop in Shopify’s stock price. Such instances lay bare the threat posed by malicious insiders.
Prevention
There is increasing pressure on FIs to make long-term adjustments to counteract insider crime threats and develop new ways of preventing them in the first place. But doing so is often harder than for external attacks. Nevertheless, prevention is always better than cure, though it comes with drawbacks – defensive measures can cost millions, require long hours of user training and need a significant amount of manpower. Even with appropriate resources in place, it is unlikely that companies will be able to avert every cyber attack or instance of insider crime.
There is no ‘silver bullet’ when it comes to insider crime prevention. But, by implementing technical controls to prevent, monitor and audit employee activity, companies can gain a better understanding of what is occurring within their networks. Since the COVID-19 pandemic, these controls should include employees operating under bring your own device (BYOD) policies or working remotely. The rise in flexible working offers benefits but has also introduced challenges to security, including risks of data exfiltration. This also extends to external contractors and business partners.
Companies rely on a number of different tools and strategies, such as behaviour analytics, in-app audit systems, user training and education programmes, and information security governance. Focus is often on detecting internal threats and forensically analysing them post-breach. According to IBM, behaviour analytics, privileged access management, and user training and awareness tend to result in the highest cost savings.
It is important for companies to take various steps to prevent insider crime. Particularly with respect to remote and hybrid work, companies should consider mandating strong passwords and multi-factor authentication (MFA) for all accounts and devices, including home routers, and ensure they have automatic updates active. Other measures include data loss prevention tools and network segmentation, as well as restricting access rights based on the least privilege principle and zero trust approach, to limit potential damage arising from an incident.
Virtual private networks (VPNs) are commonly deployed to offer secure remote access connections between employees and their private corporate network. However, if not configured properly, VPNs can also present a risk.
On the people side, companies may use psychometric testing to help identify where human weaknesses exist, so they can develop better security protocols and more personalised training. Also beneficial is modifying working culture so those at home do not burn out – a condition which makes individuals more susceptible to social engineering scams.
Beyond the company perimeter, organisations should also conduct thorough due diligence to vet their business partners and suppliers, and assess their capacity to mitigate insider threats.
Building a dedicated insider threat team to monitor and investigate suspicious activity is another prudent step. This team should have responsibility for drafting and deploying best practice policies for hybrid working, network access, user privileges, password hygiene, unauthorised applications, BYOD policies and data protection, among others.
New technology is increasingly at the forefront of early and effective insider crime detection. Artificial intelligence (AI) and machine learning (ML) are becoming more widely adopted. Automated workflows, fraud identification, behavioural analytics and regulatory compliance solutions can help spot malicious actors.
Alongside practical measures, companies should also implement organisation-wide cultural improvements to help break possible patterns of fraudulent activity. This requires company leaders to send the right message to their employees and set the right tone from the top. Leaders must ensure that employees know that criminal activities will not be tolerated. Furthermore, they should establish and communicate best practices in resource management, as well as cross-business working groups which focus on employee conduct.
Ultimately, people and process are key to detecting insider threats before data is removed and likely becomes impossible to retrieve. Security awareness programmes that embrace technological innovation should be deployed and updated as needed.
Going forward, as companies seek to prevent insider crime and build resilience against malicious actors, detection and deterrence need to go hand-in-hand. Companies must be prepared to receive reports of potential threats and anomalous behaviour, have the systems in place to properly assess those threats, and implement management solutions to reduce future instances.
© Financier Worldwide
By Richard Summerfield