Common questions on insider threats help define detection and prevention

Fraud and Financial Crime


Nick Griffin

Nov 15, 2023

Unhappy employees, financially strapped executives, wayward new hires, even organised crime. Insider threats keep finding new ways to present themselves as 2023 draws to a close, and you can bet it will be at the top of the fraud and financial crime agenda in 2024. Insider threats have been rampant since the pandemic and have taken on a life of their own even as remote work evolves into a hybrid work model. Before you find out about this latest fraud attack vector the hard way, we’ve assembled this “common questions” feature that shows the causes of this type of fraud, the people most likely to commit it and ways to mitigate it.  

How do you define insider fraud? 

First things first. It’s important to understand what insider fraud is and what it isn’t. As early as the 1980s, insider fraud was associated with privileged insider stock trading and stock price manipulation. Insider trading still occurs, but less often now that SEC regulations have tightened the rules around stock trading for employees who own stock in their company. Insider fraud – also known as occupational fraud – is largely associated with financial institutions but is certainly not limited to them. We like the definition from Law Insider because it gives the appropriate level of detail and delineation of insider fraud at banks: “Insider Fraud means, as applicable, any fraudulent activity of any employee or agent of Company or Bank, or any Affiliate, or Subcontractor of Company or Bank that is (i) identified and traceable back to such employee having access to any Cardholder Data or Customer Data (including a Party’s systems that have Cardholder Data or Customer Data) or any Transaction involving a Credit Card, (ii) fraud that is enabled through the provision of servicing activities by such employee by or on behalf of Bank or Company (such as processing Credit Card Applications or Transaction) on any Account and (iii) fraudulent activity involving Cardholder Data or Customer Data or any other data that was undertaken in the course of performing servicing by or on behalf of Bank or Company, in each case that originated within Company or Bank or any Affiliate or Subcontractor of Company or Bank, even if a specific employee cannot be identified.”

In short, insider fraud is any activity in which an internal account is used to manipulate or take advantage of sensitive cardholder or customer data, resulting directly in a loss of funds.

How do you define insider threat management?

Insider threat management is the detection of and defense against insider fraud. It uses technology and data analytics to help banks and businesses monitor potential bad actors by detecting and preventing potential criminal activity. Best-in-class solutions use cross-platform monitoring to prevent insider fraud and identify it as it happens, while refining itself with machine learning, rich analytics and years of experience. It also uses enterprise case management solutions to investigate and resolve incidents of insider fraud. 

How big is the insider threat problem? 

Understand first that not all insider threats get reported. However, we know that insider threat incidents have spiked since the pandemic made hybrid work environments widespread. Because of reporting inconsistencies, it’s best to cite several sources to gauge the size of the insider threat issue. According to Bottomline’s 2023 Business Payments Barometer, which surveyed 1,600 corporate finance leaders split between the US and Great Britain, 72% of US respondents and 59% of GB respondents reported concerns over insider threats. According to a 2023 Cybersecurity Insider Report, 74% of all companies say insider attacks have become more frequent. More than half of them have actually experienced an insider fraud incident over the past year, and 8% have experienced more than 20.

How much does an average insider fraud incident cost? 

Once again, because reporting is inconsistent, the cost estimates vary. The accepted primary source on insider fraud cost comes from IBM and the Ponemon Institute. It estimates that the average cost of a data breach (not limited to insider fraud) reached an all-time high in 2023 of $4.45 million. This figure represents a 2.3% increase from the 2022 cost of $4.35 million. The IBM report attributes 6% of all fraud occurrences to insider fraud incidents, but they were the costliest, at an average of $4.90 million, which is 9.6% higher than the global average cost of $4.45 million per data breach. Phishing was the most prevalent attack vector for insider incidents.

Who does it? Is there a typical insider threat profile? 

Many sources describe the typical internal threat as taking a “low and slow” approach: a trusted employee steals small amounts over a long period. By keeping each theft small, this type of fraudster reduces the chance of detection and, as a result, tends to inflict more damage overall. According to a recent report from Deloitte, “Many fraudsters would have been working with an organisation for a substantial period of time before starting to undertake fraudulent activity. This provides time for the fraudster to understand how the business operates and exploit any vulnerabilities. They can also gain the trust of their superiors and increase their authority within the organisation. Additionally, the perpetrator’s seniority within an organisation is highly correlated with the size of the fraud.”

What are inside fraudsters after? Is it just about the money?

According to CIFAS, a not-for-profit fraud prevention service in the UK, some 270 staff in the financial sector were reported to the Enhanced Internal Fraud Database in 2021, with 41 percent of those cases involving the theft of cash. According to the Association of Certified Fraud Examiners, there are three primary categories of occupational fraud. Asset misappropriation, which involves an employee stealing or misusing the employer’s resources, is the most common, with 86% of cases falling under this category. These schemes cause the lowest median loss at $100,000 per case. The second type – financial statement fraud schemes – involves an employee who commits a material misstatement or omission in the organisation’s financial statements. They are the least common (9% of schemes) but costliest ($593,000) category. The third category, corruption – which includes offences such as bribery, conflicts of interest, and extortion – falls in the middle in terms of both frequency and losses. These schemes occur in 50% of cases and cause a median loss of $150,000. 

Is ransomware an insider threat?

It can be. Data shows that a ransomware attack occurs every two seconds, racking up $20 billion in damages last year, a figure that’s expected to rise to $265 billion by 2031, according to Cybersecurity Ventures. The consequences of a ransomware attack can be financially catastrophic and reputationally devastating. Until now, defences against it have been limited to general fraud prevention tactics, but that is changing. Newer technology from Bottomline designed to uncover insider threats has been shown to be effective in detecting ransomware attacks by identifying the patterns bad actors create as they try to identify and then compromise the “privileged users” who hold the access credentials to internal data, operations and finances. The insider threat angle recognises these bad actors when they make themselves appear as “insiders” rather than external hackers. By integrating application-level technology, companies can see these patterns emerge, create alerts as they’re detected and then investigate the threats before they become actual ransom demands.

Are some verticals more vulnerable than others? 

You don’t need to look much further than recent headlines to see that banks are the most vulnerable vertical. On November 6, three members of an organised crime gang were convicted of recruiting banking insiders to steal £1 million from a bank in the UK. The very next day, a former contractor working for a UK bank as a senior market data administrator and financial analyst pleaded guilty to redirecting more than £2.2 million in refunds for the bank into his own external business account. The bank became suspicious of the employee after a document was found on a printer in his office. It had been altered to falsely indicate that the employee’s business account was part of the bank he worked for. Other vulnerable verticals include insurance, telecommunications and government.

How does AI play in the insider threat management space? 

AI systems can learn and establish a baseline of normal activities specific to the organisation and its users. By continuously monitoring and analysing user behaviour, AI can detect anomalies that may indicate insider threats. For instance, if an employee accesses sensitive data at an unusual time or downloads an unusually large amount of data, the AI system can flag this activity for further investigation.
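The two signals named above (access at an unusual hour and an unusually large download) can be turned into a concrete baseline-and-anomaly check. The following is an added illustration, not Bottomline’s code; the user names, timestamps and byte counts are constructed sample data, and the hour window and three-standard-deviation volume threshold are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample logs: (user, ISO timestamp, bytes pulled from a sensitive application).
BASELINE_LOG = [  # a known-clean period used to learn each user's normal pattern
    ("alice", "2023-10-02T09:15:00", 2_000_000), ("alice", "2023-10-03T10:40:00", 2_500_000),
    ("alice", "2023-10-04T13:05:00", 1_800_000), ("alice", "2023-10-05T16:30:00", 2_200_000),
    ("alice", "2023-10-06T17:10:00", 2_100_000), ("bob", "2023-10-02T08:05:00", 500_000),
    ("bob", "2023-10-03T12:20:00", 600_000), ("bob", "2023-10-04T15:45:00", 550_000),
]
NEW_EVENTS = [  # the period being monitored
    ("alice", "2023-11-07T02:30:00", 2_000_000),    # normal size, unusual hour
    ("bob", "2023-11-07T10:00:00", 580_000),        # within baseline on both axes
    ("alice", "2023-11-07T11:00:00", 500_000_000),  # usual hour, bulk download
    ("carol", "2023-11-07T11:30:00", 10_000),       # account with no history at all
]

def build_baselines(events):
    """Per user: observed working-hour window plus mean and spread of download size."""
    per_user = defaultdict(list)
    for user, ts, nbytes in events:
        per_user[user].append((datetime.fromisoformat(ts).hour, nbytes))
    baselines = {}
    for user, rows in per_user.items():
        hours = [h for h, _ in rows]
        sizes = [b for _, b in rows]
        baselines[user] = {"hours": (min(hours), max(hours)),
                           "mean": mean(sizes), "stdev": pstdev(sizes)}
    return baselines

def score_event(base, ts, nbytes, z_threshold=3.0):
    """Return the anomaly reasons for one event measured against a user's baseline."""
    reasons = []
    lo, hi = base["hours"]
    if not lo <= datetime.fromisoformat(ts).hour <= hi:
        reasons.append("unusual_hour")
    spread = base["stdev"] or 1.0  # a never-varying baseline would otherwise divide by zero
    if (nbytes - base["mean"]) / spread > z_threshold:
        reasons.append("unusual_volume")
    return reasons

def flag_anomalies(baselines, events):
    """Events worth an investigator's attention, each with the reason it was raised."""
    flagged = []
    for user, ts, nbytes in events:
        base = baselines.get(user)
        reasons = ["no_baseline"] if base is None else score_event(base, ts, nbytes)
        if reasons:
            flagged.append((user, ts, reasons))
    return flagged
```

Accounts with no learned baseline (new hires, dormant or shared accounts) are surfaced rather than silently passed, since the article notes that wayward new hires are among the sources of insider risk.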

How can you measure the ROI of insider threat management?

ROI is an art as well as a science. As one executive told us recently, “If you can figure this one out, call me.” More seriously, it’s hard to measure the ROI of any fraud initiative because if it works well, there’s no fraud to benchmark it against. Measuring the ROI for fraud prevention and defence can be complex because the benefits often come in the form of avoided losses rather than direct revenue. Still, many banks and financial institutions have developed frameworks to quantify the value of their fraud defence efforts such as tracking the average cost of investigation, containment, and remediation for incidents over time. 

What are my detection and prevention options?

The best advice here is to embrace a complete insider threat management (ITM) solution such as the one described in question two. Technology can serve as a marked point of differentiation among ITM vendors. One example is application-level monitoring technology that detects suspicious activity in designated sensitive applications. Some examples of application-level monitoring touchpoints include the core banking system, a payment system through which an insider can make unauthorised transactions, a customer data warehouse or even a compliance platform where fraudulent activity can potentially be disguised. On an application level, Bottomline’s ITM solution includes “record and replay” functionality. If suspicious user activity is detected, record and replay can repeat the suspicious behaviour on a screen-by-screen basis, allowing security professionals to have a visual record of suspected or actual insider fraud and, in the process, compile proactive forensic evidence. Further, that same record and replay technology can extract field-level data which can be used to enhance analytics and improve investigation efficiency.

Posted by

Nick Griffin

Nick Griffin, global go to market manager for CFRM, has worked in the FinTech space for over a decade with experience in B2B payments and fraud and financial crime prevention. In his current role, he drives the global go-to-market strategy for Bottomline’s Fraud and Financial Crime business.
