Insider threats continue to rise with layoffs and data manipulation

Ruud Grotens

Sep 5, 2023

As the US Department of Defense kicks off National Insider Threat Awareness Month, the global banking industry finds itself grappling with new complexities in detecting and defending against this dangerous variety of fraud, which affects other business verticals as well. Layoffs, data manipulation and the management of “innocent” bystanders have all shown themselves to be thorny new angles in the fight.

Among the new dynamics affecting insider threats is the employee who has left the company, either through layoffs or of their own volition. Several US banks announced layoffs during the month of August, but they pale in comparison to layoffs across the technology sector. As Security Management reported recently, “layoffs and terminations are often a trigger for negative actions—employees on the way out the door might feel entitled to keep their laptop, their work, or other materials over which they feel a sense of ownership. Even if they do not take tangible assets away from the company, they might be targeted by competitors or foreign firms to share some of their institutional knowledge about the inner workings of the company or a key product or process.”

And while outright data theft has long been reported as an outcome of insider fraud, new instances of data manipulation are also being reported more frequently. According to the US Cybersecurity and Infrastructure Security Agency (CISA), data manipulation is usually found when malicious insiders use “technical means to disrupt or halt an organization’s regular business operations, identify IT weaknesses, gain protected information, or otherwise further an attack plan via access to IT systems. This action can involve changing data or inserting malware or other pieces of offensive software to disrupt systems and networks.”

Number three on the list is managing what many security agencies call “the bystander effect.” For example, an employee might notice a colleague engaging in suspicious activity, but if no one else seems concerned, or if there is a culture of turning a blind eye to such activities, the employee might ignore it. To compound the problem, Bottomline research has found that companies are overlooking the practices and technology that can protect them against internal bad actors looking to steal or manipulate data, intellectual property and financial capital. The same technology can also alert them to more benign access patterns from the employee who makes an innocent mistake.

The most recent check on insider threats comes from the 2023 Business Payments Barometer, released in mid-June. When 800 US businesses were asked to rate their level of concern about different fraud types, 73% reported “a great deal or a fair amount of concern” about insider fraud, followed by the same sentiment about authorized push payment fraud (72%) and external cyber-attacks (also 72%). The most concerning finding is that insider fraud can be mitigated with help from banking and fintech partners, yet only 47% of respondents have deployed employee monitoring solutions to guard against it. That means 53% are missing technology that can be effective, especially when combined with background checks, employee screening, training programs and continuous awareness of insider threats among employees.

Without the right technology tools, compliance and security teams can find themselves at a crossroads on insider threat management. The findings are concerning and might just be the tip of the iceberg given the prevalence of hybrid work environments, where a company’s devices are taken to remote locations. For example, security and compliance personnel might suspect unethical or even criminal behavior, but without solid evidence many cases slip off the radar. The hybrid work environment also adds a different level of complexity because some of these actions happen unintentionally. Companies are also discovering that it is not just financial assets that are at risk: other actions, like leaking or stealing sensitive company data, are part of the threat as well. Add macroeconomic pressures to the mix and you have a perfect environment for insider threats.

The Barometer findings cut across all corporate categories and business sizes. But that “perfect environment” has been particularly problematic for banks. A joint 2022 Themis-Bottomline survey report, “Insider Fraud in Banks: The Post-COVID Threat Landscape,” found that 75 percent of banks have seen a spike in insider fraud since the start of the pandemic. Like the Barometer, the Themis report found a potential technological oversight: 50 percent of survey respondents identified insufficient technology tools as a major obstacle to detecting fraud and collusion.

And the threat has found its way into other verticals as well. The insurance and manufacturing industries, for example, have also been hard hit. A report from QBE North America said insider fraud was the top-rated concern of financial risk managers, describing the following scenario: “An employee with financial stress may decide to impersonate an accounts receivables executive at the new supplier to trick the company’s accounts payable into sending a payment into a bank account held by the employee. Or the employee may instead collude with someone working at the new supplier to manipulate the invoice, overcharging the company by 30% and sharing in the illicit proceeds.”

There are many ways to counter insider threats, including the newer ones posed by layoffs and data manipulation. A few practical and technical approaches, some of which we have already mentioned in general terms, deserve more specific attention:

Tighter hiring and onboarding practices: Not only is remote work making it easier for fraudsters to access insider information and finances, but remote hiring is also an issue. Hiring someone via a Zoom call may save on travel time and expense, and in a global marketplace it is a necessary option, but it misses the body language and general sense of a potential employee’s character. Background checks will pick up a criminal, but they won’t necessarily catch an employee who may be tempted to steal under economic pressure. Remote work has also made it harder to monitor onboarding practices. Those will need to be made stricter, as new hires may be entering the workforce for the first time and in some cases may simply be acting innocently when accessing sensitive data or IP. This approach will also show a “bystander” that they need to take an active reporting role.

Log files: These are essentially chronicles of computer system activity, providing a detailed account of what users are doing within a system, ranging from routine operations to suspicious transactions. Unfortunately, the data in these files doesn’t always provide enough evidence for detecting insider fraud; its usefulness depends heavily on data availability and data quality. Another issue with log files is that they must be parsed manually, and while they can show suspicious interactions, they only show them after the fact, possibly after the damage is already done.
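As an added illustration of the manual log review described above (example code written for this page, not Bottomline’s product), the script below correlates a constructed application audit log with a constructed HR offboarding list and flags two of the patterns the article discusses: any access by an account after its recorded last working day, and bulk record exports above an assumed daily threshold. The log format, account names and threshold are all assumptions.

```python
# Added example (not Bottomline's code): automates the manual log review the
# article describes. Sample audit log and HR offboarding list are constructed.
from collections import Counter
from datetime import datetime, date

# Constructed application audit log: timestamp|user|action|record_count
SAMPLE_LOG = """\
2023-08-28T09:12:04|alice|VIEW_CUSTOMER|1
2023-08-28T09:40:11|bob|EXPORT_CUSTOMERS|250
2023-08-28T10:05:30|bob|EXPORT_CUSTOMERS|400
2023-08-29T18:22:45|carol|EXPORT_CUSTOMERS|20
this line is malformed and must be skipped
2023-08-30T07:01:10|carol|VIEW_CUSTOMER|1
"""

# Constructed HR feed: last working day of each departing account
TERMINATIONS = {"carol": date(2023, 8, 29)}
EXPORT_THRESHOLD = 500  # assumed per-user daily export ceiling

def parse_log(text):
    """Return (timestamp, user, action, count) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue
        ts, user, action, count = parts
        try:
            events.append((datetime.fromisoformat(ts), user, action, int(count)))
        except ValueError:
            continue
    return events

def find_alerts(events, terminations=TERMINATIONS, threshold=EXPORT_THRESHOLD):
    """Flag access after an account's last working day and bulk exports above threshold."""
    alerts = set()
    exports = Counter()  # (user, day) -> records exported that day
    for ts, user, action, count in events:
        last_day = terminations.get(user)
        if last_day is not None and ts.date() > last_day:
            alerts.add(f"post-termination access: {user} {action} at {ts.isoformat()}")
        if action.startswith("EXPORT_"):
            exports[(user, ts.date())] += count
    for (user, day), total in exports.items():
        if total > threshold:
            alerts.add(f"bulk export: {user} exported {total} records on {day}")
    return sorted(alerts)
```

Running `find_alerts(parse_log(SAMPLE_LOG))` on the constructed data yields one bulk-export alert for bob and one post-termination alert for carol; the export on carol’s last working day is not flagged because it falls within her employment.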

Enterprise Case Management (ECM): ECM helps financial institutions and corporates organize, prioritize and manage cases in a single, accessible repository and allows them to collect all the evidence in one system. Let’s not forget that insider fraud is a financial crime and as such can require investigations and evidence for potential prosecution.

Insider fraud cases are typically overseen by a dedicated team, which means that the ECM system's workflow for such cases may involve HR, Legal, Security, or the CISO. Consequently, the case management system must be tailored to provide users access solely to information pertinent to their respective roles, safeguarding employee data privacy and security.

Application-level monitoring technology: The tactics above can work together to defend against insider threats, but technology is the final and most essential piece. At Bottomline we have pioneered application-level monitoring technology that detects suspicious activity in designated sensitive applications. Examples of application-level monitoring touchpoints include the core banking system, a payment system through which an insider can make unauthorized transactions, a customer data warehouse, or even a compliance platform where fraudulent activity can potentially be disguised. At the application level we have developed a solution we call “record and replay.” If suspicious activity is detected, record and replay can replay the suspicious behavior on a screen-by-screen basis, giving security professionals a visual record of suspected or actual insider fraud and, in the process, creating forensic evidence.

The Bottom Line: Insider threats are clearly occurring with increasing frequency at banks and in other verticals. Regardless of where they occur, a proactive mix of application-level monitoring technology and ECM is the best defense. Without it, bad actors can cause financial and reputational damage. Insider threats represent a carefully orchestrated and severe form of financial crime, demanding the collection of undeniable evidence and immediate engagement of law enforcement.

Posted by

Ruud Grotens

Ruud Grotens, Certified Financial Crime Specialist (ACFCS), is Head of Solution Consulting, Fraud and Financial Crime, at Bottomline Technologies. He has over 30 years of international experience advising banks (including central banks) and non-banks (including asset management firms, insurance firms, and MSBs) on financial crime risk management technology, covering anti-money laundering, counter-terrorist financing, sanctions, tax evasion, and internal and external fraud, including payment fraud and cybercrime.