The threat from within: dealing with insider fraud and theft

Companies are increasingly alert to the risk of data breaches, but too often assume that the threat comes from outside rather than closer to home.

“Cybercrime” has become an all-encompassing term that covers everything from young hoodie-clad bedroom-based hackers to international gangs of high-tech criminals. What many businesses tend to forget, however, is that one of the biggest threats facing their data is from within the organisation itself.

The 2015 Information Security Breaches Survey commissioned by the UK government and conducted by PwC found that 81% of companies reporting incidents said that there was an element of staff involvement in some breaches. While these incidents are often the result of accidents – such as emailing to the wrong participant – many breaches come from a concerted effort to steal data and make a profit or harm the company.

Worse yet, PwC’s more recent Global Economic Crime Survey 2016, issued last month, revealed a trend for more “silver fraudsters”: older, senior staff members in trusted positions. The research found half of the instances of company fraud were committed by staff aged over 40, with the number carried out by staff aged 50-plus shooting up from 6% to 18% in just two years.

While items ranging from customer records to intellectual property can make for tempting targets for unscrupulous employees looking for an extra payday, anything relating to finance is particularly vulnerable.

A strong example was provided in the US last year when an advisor at Morgan Stanley stole the data of more than 730,000 customers, including 350,000 wealth managers. The insider, who was later fired and then arrested for the breach, copied addresses, account numbers, investment information and other data to his home computer while apparently in talks with competitors for a job. Details from 900 customers ended up posted online, although Morgan Stanley asserts that none of them lost money.

Not all breaches are motivated by financial gains, however. This was demonstrated by the case of Andrew Skelton, an internal auditor for the UK-based supermarket chain Morrisons. Skelton received an eight-year prison sentence last July for deliberately leaking the bank, salary and National Insurance data of 100,000 staff online. His abuse of his position cost the company more than £2m to rectify and led to a class action lawsuit from those affected. While this was an act of revenge calculated to draw attention to and embarrass the firm, much more damaging are financially-motivated thefts that can often go completely unnoticed.

Reducing the risk

One of the most effective ways to combat the threat of insider theft and fraud is to ensure that all users have only as much access as they require for their job roles. The fewer people that can access the data, the smaller the chance of it being used inappropriately or accidentally leaked. The threat of external hackers can also be reduced in this way, as attacks that manage to take control of an employee machine will have a much tougher time accessing the restricted data.

However, many companies still do not follow best practice on user access and this includes many larger corporations. Windows Active Directory, the native tool which governs how access is assigned to users, can be a cumbersome system to employ, especially when large numbers of staff are joining or moving at once such as during projects or due to merger and acquisition (M&A) activity.

As a result, many system administrators find proper due diligence in managing access for every new starter to be too time-consuming, and there is a dangerous trend to simply give all users admin access by default. This also means that many organisations are left with little idea about what information their staff can access, and rarely rescind access once granted – even when someone has left the business.
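The access review described above can be run as a simple reconciliation. The following is an added example, not part of the original article: the directory export, the column names, the group names and the role-to-entitlement map are all constructed assumptions.

```python
import csv
import io

# Constructed sample data: a directory export and an HR leavers list.
# Column names, group names and roles are assumptions for this example.
DIRECTORY_EXPORT = """user,enabled,groups,job_role
asmith,true,Domain Admins;Finance-Ledger,Treasury Analyst
bjones,true,Finance-Ledger,Treasury Analyst
cpatel,true,Domain Admins,Systems Administrator
dlee,true,Finance-Ledger;HR-Payroll,Internal Auditor
evans,false,Finance-Ledger,Accounts Clerk
"""
LEAVERS = {"dlee", "evans"}
ADMIN_GROUPS = {"Domain Admins"}
# Groups each job role actually requires (least privilege baseline).
ROLE_ENTITLEMENTS = {
    "Treasury Analyst": {"Finance-Ledger"},
    "Systems Administrator": {"Domain Admins"},
    "Internal Auditor": {"Finance-Ledger"},
    "Accounts Clerk": {"Finance-Ledger"},
}


def review_access(export_text, leavers, entitlements, admin_groups):
    """Return (user, finding, groups) tuples for access that should be rescinded."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["user"]
        enabled = row["enabled"].strip().lower() == "true"
        groups = {g for g in row["groups"].split(";") if g}
        if user in leavers:
            # Access was never rescinded after the person left the business.
            if enabled:
                findings.append((user, "leaver-still-enabled", sorted(groups)))
            elif groups:
                findings.append((user, "leaver-retains-groups", sorted(groups)))
            continue
        # Anything beyond the role baseline is excess; unknown roles get no baseline.
        excess = groups - entitlements.get(row["job_role"], set())
        if excess & admin_groups:
            findings.append((user, "admin-not-required", sorted(excess & admin_groups)))
        if excess - admin_groups:
            findings.append((user, "excess-access", sorted(excess - admin_groups)))
    return findings


if __name__ == "__main__":
    for finding in review_access(DIRECTORY_EXPORT, LEAVERS, ROLE_ENTITLEMENTS, ADMIN_GROUPS):
        print(finding)
```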

Watching the watcher

Among the most difficult challenges posed by insider threats is that the perpetrator may well be misusing files that they are cleared to access as part of their job role, making it much harder to identify any wrongdoing. Senior employees are especially difficult to catch, as they may well be the ones trusted with oversight in the first place.

To address this challenge, firms should ensure they have systems in place that will alert them whenever certain key files or folders are accessed. In addition, more advanced access rights management systems can send real-time alerts specifically for when information is accessed outside of usual parameters, preventing the copying of data unobserved from remote locations or out of office hours.
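The alerting logic described above, sketched as an added example that is not part of the original article: every access to a watched folder is recorded, and it is raised to an alert when it happens out of office hours or from an unusual location. The event format, folder paths, office hours and location labels are constructed assumptions.

```python
from datetime import datetime, time
from pathlib import PureWindowsPath

# Constructed sample events: timestamp|user|location|action|path (assumed layout).
EVENTS = [
    "2016-03-14T10:12:00|asmith|office-lan|read|D:\\Finance\\Payroll\\march.xlsx",
    "2016-03-14T23:47:00|asmith|office-lan|copy|D:\\Finance\\Payroll\\march.xlsx",
    "2016-03-15T11:05:00|bjones|vpn|read|D:\\Finance\\Treasury\\cash-positions.xlsx",
    "2016-03-15T11:30:00|bjones|office-lan|read|D:\\Shared\\canteen-menu.docx",
    "2016-03-19T14:00:00|cpatel|office-lan|read|D:\\Finance\\Treasury\\cash-positions.xlsx",
]
WATCHED = [PureWindowsPath("D:\\Finance\\Payroll"), PureWindowsPath("D:\\Finance\\Treasury")]
OFFICE_START, OFFICE_END = time(8, 0), time(18, 0)  # assumed office hours, Mon-Fri
USUAL_LOCATIONS = {"office-lan"}                    # assumed "usual" access origin


def is_watched(path):
    """True if path is a watched folder or sits below one (component-wise, not by prefix)."""
    p = PureWindowsPath(path)
    return any(w == p or w in p.parents for w in WATCHED)


def classify(line):
    """Return a record for watched-folder access, or None for everything else."""
    ts, user, location, action, path = line.split("|", 4)
    if not is_watched(path):
        return None
    when = datetime.fromisoformat(ts)
    reasons = []
    if when.weekday() >= 5 or not (OFFICE_START <= when.time() < OFFICE_END):
        reasons.append("out-of-hours")
    if location not in USUAL_LOCATIONS:
        reasons.append("remote-location")
    # Access inside usual parameters is still recorded, at lower severity.
    severity = "alert" if reasons else "notice"
    return {"user": user, "action": action, "path": path,
            "severity": severity, "reasons": reasons}


def scan(lines):
    return [record for record in map(classify, lines) if record is not None]


if __name__ == "__main__":
    for record in scan(EVENTS):
        print(record)
```

Because authorised users trigger these records too, the "notice" entries matter as much as the alerts: they are the trail a reviewer needs when the person under scrutiny already has legitimate access.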

With so much at stake, finance and treasury heads cannot afford to take any chances in protecting the vital financial information under their care. It is down to them to ensure they have the technology and processes in place to tightly control how data is accessed to make accidental and intentional data leaks as difficult as possible.

While the threat from hackers may be severe, overlooking insider threats would be like buying a premium safe door for the premises but leaving its windows open. Only with both internal and external security can organisations rest assured that they have done everything in their power.
