The threat from within: dealing with insider fraud and theft

“Cybercrime” has become an all-encompassing term that covers everything from young hoodie-clad bedroom-based hackers to international gangs of high-tech criminals. What many businesses tend to forget however is that one of the biggest threats facing their data is from within the organisation itself.

The 2015 Information Security Breaches Survey commissioned by the UK government and conducted by PwC found that 81% of companies reporting incidents said that there was an element of staff involvement in some breaches. While these incidents are often the result of accidents – such as emailing to the wrong participant = many breaches come from a concerted effort to steal data and make a profit or harm the company.

Worse yet, PwC’s more recent Global Economic Crime Survey 2016, issued last month revealed a trend for more “silver fraudsters”; these being older, senior staff members in trusted positions. The research found half of the instances of company fraud were committed by staff aged over 40, with the number carried out by staff aged 50-plus shooting up from 6% to 18% in just two years.

While items ranging from customer records to intellectual property can make for tempting targets for unscrupulous employees looking for an extra payday, anything relating to finance is particularly vulnerable.

A strong example was provided in the US last year when an advisor at Morgan Stanley stole the data of more than 730,000 customers, including 350,000 wealth managers. The insider, who was later fired and then arrested for the breach, copied addresses, account numbers, investment information and other data to his home computer while apparently in talks with competitors for a job. Details from 900 customers ended up posted online, although Morgan Stanley asserts that none of them lost money.

Not all breaches are motivated by financial gains however. This was demonstrated by the case of Andrew Skelton, an internal auditor for the UK-based supermarket chain Morrisons. Skelton received an eight-year prison sentence last July for deliberately leaking the bank, salary and National Insurance data of 100,000 staff online. His abuse of his position cost the company more than £2m to rectify and led to a class action lawsuit from those affected. While this was an act of revenge calculated to draw attention to and embarrass the firm, much more damaging are financially-motivated thefts that can often go completely unnoticed.

Reducing the risk

One of the most effective ways to combat the threat of insider theft and fraud is to ensure that all users have only as much access as they require for their job roles. The less people that can access the data, the smaller the chance of it being used inappropriately, as well as making it less likely to be accidentally leaked. The threat of external hackers can also be reduced in this way, as attacks that manage to take control of an employee machine will have a much tougher time accessing the restricted data.

However, many companies still do not follow best practice on user access and this includes many larger corporations. Windows Active Directory, the native tool which governs how access is assigned to users, can be a cumbersome system to employ, especially when large numbers of staff are joining or moving at once such as during projects or due to merger and acquisition (M&A) activity.

As a result, many system administrators find proper due diligence in managing access management for every new starter to be too time-consuming and there is a dangerous trend to simply give all users admin access by default. This also means that many organisations are left with little idea about what information their staff can access, and rarely rescind access once granted – even when someone has left the business.

Watching the watcher

Among the most difficult challenges posed by insider threats is that the perpetrator may well be misusing files that they are cleared to access as part of their job role, making it much harder to identify any wrongdoing. Senior employees are especially difficult to catch, as they may well be the ones trusted with oversight in the first place.

To address this challenge, firms should ensure they have systems in place that will alert them whenever certain key files or folders are accessed. In addition, more advanced access rights management systems can send real time alerts specifically for when information is accessed outside of usual parameters, preventing the copying of data unobserved from remote locations or out of office hours.

With so much at stake, finance and treasury head cannot afford to take any chances in protecting the vital financial information under their care. It is down to them to ensure they have the technology and processes in place to tightly control how data is accessed to make accidental and intentional data leaks as difficult as possible.

While the threat from hackers may be severe, overlooking insider threats would be like buying a premium safe door for the premises but leaving its windows open. Only with both internal and external security can organisations rest assured that they have done everything in their power.


Related reading