Lack of technology leads five drivers behind rise of insider threats


Omri Kletter

Jan 16, 2024

As 2024 opens, perhaps the most important story in the risk solutions sector is the continued rise of insider fraud. It has certainly taken its share of late-year financial news headlines, from the November conviction of a UK-based bank teller for diverting £2 million to his personal account to the late November alert sent out by the FBI in the US.

Why is this happening? We’ve covered the usual suspects of remote work and the Cressey fraud triangle that details the personal vulnerabilities that would turn a good employee into a thief. But if remote work and economic pressure were the only keys to insider fraud, companies could and would do more to stop it. That hasn’t been the case. In fact, according to IBM’s “Cost of a Data Breach 2023” report, when malicious insiders are involved with data or financial theft, the cost is higher than any other kind of fraud. The 2023 price tag for insider fraud: $4.9 million per incident.

There are important new developments and nuances to consider when evaluating the drivers behind the rise and complexity of insider threats. By understanding these drivers, companies can become more effective at countering insider fraud with new technologies and best practices that comprise insider fraud mitigation strategies. We’ve identified five such drivers, which will set the table for part two in our insider fraud series covering the details behind insider threat management. 

One: Ransomware: The aforementioned FBI alert was issued in response to a globally organized ransomware gang called LockBit that has extorted more than $100 million over the past three years from banks, defense contractors and governments. It’s the latest in a banner year for this type of insider fraud. Cybereason recently surveyed 1,500 cybersecurity professionals and found that almost three-quarters of organizations (73%) reported at least one ransomware attack. The total number of attacks was 33% higher than the previous year's report. Ransomware can be an external job in many cases. But in most of them, the outsider (like LockBit) acts like an insider after they’ve gained access. Until now, defenses against it have been limited to general fraud prevention tactics, but that is changing. Newer technology designed to uncover insider threats from Bottomline has been shown to be effective in detecting ransomware attacks by identifying patterns bad actors create as they try to identify and then compromise the “privileged users” that keep the keys to codes and access credentials to internal data, operations and finances.

Two: Personas: Before the pandemic, insider threats were simple to detect. They were employees who usually had an opportunity to steal data or money, the economic pressure to make the leap and the ability to rationalize their behavior. That’s the essence of the Cressey fraud triangle model: opportunity, pressure, rationalization. Then came the pandemic, and the pool of malicious actors was joined by remote workers who either saw an opportunity for insider fraud or stumbled into benign incidents of accessing or requesting access to core systems. Now, the pandemic’s worst days are hopefully behind us. Businesses are trying with varying degrees of success to bring workers back to centralized locations. With this move, the persona of the malicious insider threat has evolved to include senior executives who don’t fit the Cressey triangle or the remote worker profile. According to the Association of Certified Fraud Examiners (ACFE), owners and high-ranking executives committed 23% of all insider fraud in 2022. 

Stated the report: “One of the challenges of dealing with fraud committed by high-level perpetrators is that these individuals often have the ability to evade or override controls that would otherwise detect fraud. Additionally, fraudsters in positions of authority might bully or intimidate employees below them, which can deter those employees from reporting or investigating suspected wrongdoing. Both of these factors might contribute to the longer duration of frauds committed by high-level employees.”

Three: Persistence of Remote Work: This has gone from THE reason for insider threats to one of the reasons. According to a July 2023 paper from MIT, it’s difficult to pinpoint the percentage of remote, hybrid and centralized workers. Estimates for working from home range from 27 to 50% of MIT survey respondents, although the authors admit the range could be even wider. Regardless of the actual percentage, it’s important to understand that remote work is just one of many factors that can heighten the threat of insider fraud. A recent research project from FS Tech shows that remote work is still the greatest threat (54%) but is closely followed by failure to thoroughly vet new hires (42%), oversharing of sensitive data (36%) and lack of employee monitoring (31%).

Four: Insider threats spreading to other verticals: Banks have the most to lose if a malicious insider accesses data or core financial systems. It is no surprise that banking has drawn most of the attention from fraudsters as well as from the companies trying to stop them. But other sectors have also been hit hard, from healthcare to governments to telcos and even the airline business. As an example, if a bank gets hit by an insider attack, it could lose data, money, and reputation. But look what happens in a healthcare scenario: “People with insider access to healthcare systems can change test results, treatment plans, or prescription dosages in patient records. Such behaviours may result in incorrect diagnoses, improper treatments, or postponed interventions, which can seriously affect patient safety.”

Five: Lack of mitigating technology: When the FS Tech survey asked organizations how they were addressing insider fraud, employee monitoring tools were only in place for 57% of the respondents. That was followed by division of duties (51%), policies and procedures (44%) and awareness training (32%). It’s here that technology has the biggest role to play. Network-level and application-level monitoring can be the deciding factor in whether an insider threat is detected or acted on. If it’s acted on, technology can play a limited role in investigation and recovery. It is essential, however, to prioritize detection. As the FS Tech survey states: “Internal bad actors can find ways to evade or bypass policies and procedures, making it easier for them to commit fraud. That is why relying solely on (them) is not considered to be sufficient in preventing and detecting internal fraud.”

The Bottom Line: These five drivers are not the only dynamics behind the rise of insider fraud. In fact, because this threat vector is so often not reported or underreported, there may be more threats, losses and reasons to commit it. But these five have evolved as the year has progressed and will form the foundation for our next article on insider threat management. 



Posted by

Omri Kletter

Omri Kletter is the Global VP, CFRM at Bottomline. Previously, Omri led fraud and authentication solutions in the EMEA region for NICE Actimize. He began his career in Israel’s elite technological intelligence army unit, where he served as the Head of the Global Counter-Terrorism section.
