Resource guide: Data and investigations make the case for insider threat management

Fraud and Financial Crime

Nov 14, 2023

As International Fraud Awareness Week unfolds, it’s clear that insider threats have been one of the most important fraud and financial crime stories of 2023 and will top the agenda next year as well. While hybrid work arrangements have been one of the drivers of this threat, it’s also becoming evident that this issue has gone beyond simple explanations. This resource guide lists ten must-read research reports, articles and primers that will make the case that insider threats have spread beyond banks and beyond work-from-home vulnerabilities. 

Cost of a Data Breach 2023

If the insider threat has foundational research resources, this report from IBM and the Association of Certified Fraud Examiners’ Report to the Nations would be the top choices. The Ponemon Institute executed IBM’s Cost of a Data Breach research, and while it’s not limited to insider threats, it does a great job of showing the damage insider threats have done and the damage they could do if unchecked. The key quote comes from the section covering “malicious” insiders. “Although relatively rare at 6% of occurrences, attacks initiated by malicious insiders were the costliest, at an average of USD 4.90 million, 9.6% higher than the global average cost of USD 4.45 million per data breach. Phishing was the most prevalent attack vector and the second most expensive at USD 4.76 million. Breaches attributed to system errors were the least costly, at an average of USD 3.96 million, and the least common, at 5% of occurrences.”

Association of Certified Fraud Examiners Report to the Nations 2022

The ACFE calls insider fraud “occupational fraud.” It is the standard for benchmarking the likely candidates for malicious internal bad actors, the frequency of their actions and the consequences of their actions. It is a potent mix of data and analysis. Quote: “There are two key reasons why this type of crime (insider or occupational fraud) is so prevalent. The first is that any organization with employees must, to some extent, entrust those employees with access to or control of its assets, whether that’s managing its bank accounts and books, safeguarding its inventory, overseeing payroll or supplier payments, etc. It is this very trust that can make organizations vulnerable to occupational fraud. Because all frauds, at their heart, are based upon breaches of trust. The second reason occupational fraud is so costly and common is simply that so many people are in a position to commit these crimes. The global labor force consists of more than 3.3 billion people, a large majority of whom will never steal or abuse the trust of their employers. But if even a tiny percentage of these individuals cross the line, the result is millions of occupational fraud schemes being committed annually.”

Bottomline’s Insider and employee fraud solution overview

This primer from Bottomline covers all the bases for insider fraud and insider threat management. It is a complex issue that includes many different strategies and tactics, from enterprise case management to application-level monitoring technology to investigation workflows. Key quote: “Insider and Employee Fraud solutions are specifically designed to identify and track suspicious employee activity by monitoring each user’s action and analyzing those actions for unusual behavior and key risk indicators. When an employee’s actions or pattern of actions are deemed by the analytics as potentially fraudulent, an alert gets triggered for compliance officers to review and investigate. These analytics take several factors and data points into account.” For more insight on this topic, visit Bottomline’s landing page, which includes exclusive research from FStech. 

Adversaries use valid credentials to compromise cloud environments

This report by Security Boulevard draws the line from insider threats to ransomware. IBM’s X-Force research shows that over 35% of cloud security incidents stemmed from attackers’ use of valid, compromised credentials. In other words, outsiders act like insiders and get away with it. Those compromised credentials make up nearly 90% of assets for sale on dark web marketplaces. Key quote: “As access to more data across more environments becomes a recurring need, human error continues to present a security challenge. The growing need for more dynamic and adaptive identity and access management can be met with advanced AI capabilities in the market today.”

Bank Fraud and Insider Abuse

Insider threats are not limited to banks. In fact, the next three resources make that case convincingly. But they are a grave danger to financial institutions of all sizes, as this FDIC report shows. Organized by separate subject areas, it summarizes potential problems, lists warning signs of possible fraud and insider abuse, and suggests action for investigation. Quote: “Insider fraud has accounted for over one-half of all bank fraud and embezzlement cases closed by the FBI during the past several years. Insiders are in a position of trust and can abuse that trust for their own personal benefit. Insider abuses include failure to disclose their interests that borrow from the institution or otherwise have business dealings with the institution; diverting assets and income for their own use; misuse of position by approving questionable transactions for relatives, friends and/or business associates; abuse of expense accounts; acceptance of bribes and gratuities; and other questionable dealings related to their positions at the institution. Insider abuse undermines confidence in institutions and often leads to failure.”

Don’t Be A Passive Bystander — Take An Active Approach To Insider Risk

As with most analyst firms, most of Forrester’s content is either gated, expensive or both. This blog post from analyst Joseph Blankenship is free to access and worth a look. Blankenship focuses on training and internal culture as the most important defenses against insider fraud. Quote: “Bystanders can be passive or active. Passive bystanders may witness an incident but not get actively involved. Active bystanders get involved. They help out. Addressing insider risk requires an active approach to prevent, detect, and respond to insider incidents. One of Forrester’s best practices for managing insider risk is to turn your employees into advocates for the program. This goes beyond traditional security awareness training. It involves changing your security culture so that users are good data stewards.”

Insider fraud investigations require ‘very different’ approach, warns lawyer

It’s always a good idea to check with the lawyers. This piece from the UK’s Pinsent Masons firm gets into the details of the investigations necessary to bring fraudsters to justice and hopefully recover stolen funds and/or data. Quote: “Quite often the initial discovery of wrongdoing may just be the tip of the iceberg and so, for example, if you take new fairly standard action, in accordance with policies and procedures in response to that, you may not have the full picture and that can have some quite serious consequences. So if the employee has been stealing from the company, there may actually be a web of other third parties involved in it, they may be giving money to third parties outside the business, there may be other employees who are acting in conspiracy with the particular individual, and so it’s very important not to ‘tip off’ other people who are involved so approaching an investigation in a very cautious manner is the right thing to do in these situations.” 

The Hidden Risk of Insider Threat in Healthcare

Healthcare has its own unique issues with insider threats, as this article from Health Tech Zone shows. Insiders can manipulate patient records, which could result in inaccurate diagnoses, delayed interventions, or inappropriate therapies. Insider threats can also take their toll on patient confidence in the healthcare system and prejudice final medical results. Quote: “Insider threats seriously threaten patient safety, data privacy, and the reputation of healthcare organizations. In order to adopt preventative measures and create a robust security framework, it is essential to understand the causes and types of insider events. Organizations may safeguard patient data, uphold trust, and remain committed to delivering high-quality healthcare services while reducing the covert risk of insider threats in the healthcare sector by taking a proactive approach.”

Data Loss Prevention in Insurance Institutions

Insurance companies rely heavily on data and privacy. And with that orientation comes vulnerability, as personal data plays an important role in understanding customers' needs and behaviors so that insurance companies can offer the right products and stay competitive. This piece shows that the industry is on top of the issue and that the threat might be as serious as it is for banks. Quote: “In a nutshell, insider threats are very prevalent in insurance companies. A whopping 34% of breaches or incidents in the finance and insurance industries come from inside the institution. These can be malicious or – usually – accidental. Weak passwords, sending data to the wrong email address by mistake, a departing employee that retains access to company records, losing or getting a device stolen that has sensitive information on it – these are all very common causes for data loss in insurance companies.” 

Defining insider threats in government

Even the government needs insider threat management. This resource from the Cybersecurity and Infrastructure Security Agency (CISA) treats insider threat more seriously than other verticals do, as it covers the military as well as various agencies. According to this report, insider threats manifest in multiple ways: violence, espionage, sabotage, theft, and cyber acts. Quote: “The intentional insider is often synonymously referenced as a “malicious insider.” Intentional threats are actions taken to harm an organization for personal benefit or to act on a personal grievance. For example, many insiders are motivated to “get even” due to a perceived lack of recognition (e.g., promotion, bonuses, desirable travel) or termination. Their actions can include leaking sensitive information, harassing associates, sabotaging equipment, perpetrating violence, or stealing proprietary data or intellectual property in the false hope of advancing their careers.”


