If you suffer a security breach, there’s a good chance it will come from within your company. It’s even more likely that the incident won’t be reported.
A recent Carnegie Mellon report found that 50% of incidents involving the exposure of private or sensitive information were the result of insiders.
Compounding the problem, according to Gartner, nearly 60% of workplace misconduct goes unreported. And because insiders tend to cover their tracks, their attacks are more difficult to uncover in the first place.
To make matters even worse, when insiders are caught, the issue is often downplayed or handled internally to avoid the publicity that might result from prosecution.
In this article, we’ll speak with an expert in the field, define the different types of insider threats, and discover practical ways to reduce internal security risks.
Q&A with Andi McNeal, director of research for the ACFE
According to the Report to the Nations from the Association of Certified Fraud Examiners (ACFE), IT departments have a median occupational fraud loss of $225,000, the highest of any department excluding executive/upper management.
The report also found that small businesses lose nearly twice as much per insider incident as larger companies. To find out more, I spoke with Andi McNeal, CFE, CPA, director of research for the Association of Certified Fraud Examiners (ACFE).
GetApp: Looking at the Report to the Nations, it seems that when occupational fraud occurs in the IT department, the loss is relatively severe. Why do you think that is?
Andi McNeal: Generally speaking, fraudsters exploit the opportunities that are presented to them as part of their ordinary duties when committing their schemes. Just as fraud perpetrators in the accounting department tend to divert outgoing company payments and those who work in the warehouse tend to steal inventory, fraudsters in the IT department often have access to both high-value technology and sensitive proprietary information as part of their jobs.
So whether they are misappropriating computer equipment, taking kickbacks for directing technology purchasing decisions to a specific vendor, or selling the company’s proprietary information, their access to higher-dollar assets tends to result in more severe losses.
ACFE’s occupational fraud risk by department (Source)
GA: In what ways are small businesses more vulnerable to insider attacks than large companies?
AM: Small businesses have several aspects that make them particularly vulnerable to insider attacks. First, these companies typically do not have the resources to invest in sophisticated prevention and detection mechanisms that larger organizations do, which leaves them more susceptible to being victimized.
The smaller staff size compounds this challenge, as many duties that can be separated at larger organizations are performed by a single person at smaller companies, which gives that individual increased opportunity to both commit and conceal a fraud scheme.
Small companies also tend to run on trust more than larger organizations—that is, many small businesses have a familial culture, where everyone knows and trusts everyone else, so formal checks and balances often go unenforced. Finally, management at small businesses is more likely to underestimate the risk, either due to lack of technical knowledge about insider threats or to the common “it can’t happen here” mindset that many small-business owners or leaders hold.
The culmination of these factors is illustrated by the fact that small organizations suffer disproportionately large losses from fraud schemes; as noted in the Report to the Nations, the median loss per case of fraud at a company with fewer than 100 employees (USD 200,000) is nearly twice the size of that at an organization with 100 or more employees (USD 104,000).
GA: What measures can small businesses take to mitigate the threat of insider attacks?
AM: The most important measure small businesses can take is to educate all employees about how these schemes affect the company, its reputation, and its staff, and how it’s everyone’s job—not just IT’s—to help guard against these schemes.
Employees should not only be taught IT security best practices and how to perform their jobs to limit risk, they should also be encouraged to watch for warning signs that the company has been or could be victimized—from observing suspicious behavior to identifying a weakness in the system that could be exploited—and provided with specific information on how to report such concerns.
Due diligence and background checks during the hiring process can also help small businesses make sure they’re not inviting a known thief in through the front door.”
GA: How can software or technology be used to detect occupational fraud?
AM: Our research shows that the use of software to proactively monitor and analyze data for anomalies is one of the most effective ways to combat fraud. In the Report to the Nations, organizations that used proactive data monitoring and analysis caught schemes more than twice as fast and experienced frauds that were 56% smaller than organizations that did not use a similar approach.
And while implementing an analytics program can involve investing in expensive software tools and needing highly-trained staff to write sophisticated queries, there are also numerous analytics techniques to help identify occupational fraud that can be run in Excel or other low-cost solutions.
Other technology controls that can be used to help prevent and detect employee fraud schemes include automating the enforcement of a strong employee password policy and restricting and/or monitoring employee access to systems and accounts.
The threat is coming from inside the business
Recognizing that trusted employees might pose a threat is not something that most business leaders want to confront. That’s why most companies focus primarily on external security threats while preferring to ignore internal issues. After all, if you don’t look for internal problems, you won’t find any. Unfortunately, various types of insider threats exist in all business and ignoring them doesn’t make them go away.
Malicious insiders are those who take advantage of their inside position to achieve personal gain through illicit means. These employees often lack proper oversight or are in a position to both commit and conceal a misdeed. Malicious insiders are often able to rationalize their actions; they didn’t get that promotion or maybe feel their contributions go unnoticed. Other malicious employees might be facing pressures in their personal lives (e.g., debt, addiction).
Then there is the malicious insider who either obtained the job for malicious purposes or has been incentivized in some way to commit insider attacks on behalf of outsiders. This might include involvement in an organized crime ring or the sale of trade secrets in a corporate espionage scheme.
Finally, employees who plan on leaving the company might decide to take proprietary data with them to get ahead in their next role, or to start their own competing business.
A subset of malicious insiders, the motivations of disgruntled insiders stem from a need for retribution rather than personal gain. Employees who feel jilted in some way by the company, a superior, or co-worker might act with the intention of harming the company.
This might include sabotaging systems, exposing proprietary data, or attempting to harm the company’s reputation. A well-known example of this occurred at Gillette when a disgruntled product engineer shared highly confidential designs for the company’s then proprietary three-blade razor with Schick (who immediately notified Gillette).
Negligent insiders include employees who unintentionally cause security breaches due to accidental leaks, misuse of systems, or downloading malware. And while the cause is sometimes laziness or lack of diligence, it’s often the case that well-meaning employees are simply unaware of the risks posed by improper use of company applications or insecure devices.
However, employers often bear as much blame as employees.
A recent GetApp survey found that only 29% of respondents reported having an acceptable use policy (AUP) defining the ways in which employees may use company data and systems. Moreover, only 17% reported having a bring your own device (BYOD) policy governing the use of business data on employee owned devices.
Only 16% reported having a data classification policy that labels different types of data according to sensitivity. Data classification allows businesses to restrict access to the crown jewels and helps employees to know what information can be made public and what must be kept internal. The adoption of any or all of these policies will markedly improve any company’s internal security.
Phishing continues to reel in victims
Phishing attacks might originate from the outside, but their success depends on negligent insiders. Gone are the days of easy-to-spot phishing emails with obvious grammatical errors, misspellings, and clunky attempts at social engineering. Modern phishing emails are sophisticated and targeted at specific people and organizations. In fact, Symantec recently reported that 71% of all targeted attacks come in the form of “spear” phishing.
Spear phishing emails appear to come from a familiar person or organization, such as a bogus request from IT requesting that you click a link to reset your password. Spear phishers often learn about a company, its employees, and departmental structure prior to launching attacks. These schemes are commonly aimed at employees with access to sensitive data or financial information.
Employees should be encouraged to contact email senders via secondary means (e.g., direct message, walking over to their desk) to confirm unusual requests (e.g., “did you just send an email asking me to send over everyone’s tax documents?”). Businesses can also use phishing tests to determine how vulnerable employees are to these attacks and provide training on how to spot them, substantially reducing the negligent insider threat.
Vendors and contractors
Occupying a grey area in which outsiders become insiders, vendors, and contractors are often the source of insider threats. These insiders often have access to sensitive systems and regulated data that can be sold or compromised. And because these workers are not formally employed by the company, they do not always have the same allegiance to your company and might therefore be less vigilant about data security practices.
For example, the infamous Target data breach was the result of an HVAC contractor’s stolen credentials. In another instance, AT&T paid more than $25 million in fines for breaches that occurred at vendor call centers. Before handing system access over to a vendor or contractor, inquire about the controls they have in place to protect your data.
Ultimately, there is no simple solution to insider threats. Notice the title of the article mentions mitigating insider threats not preventing them. That’s because locks keep out only honest people. Dishonest people just kick your door in, take your stuff, and sell it.
We need to trust our employees and allow them the freedom to access a variety of data to do their jobs without feeling oppressed or micromanaged. Improving internal controls, fostering an ethical company culture, and educating employees about how their actions might inadvertently harm the company can reduce all types of insider threats.
This article is part of an ongoing series about the business value of IT
GetApp’s data privacy survey in November 2018 involved 190 businesses with 200 or fewer employees. The qualified respondents indicated involvement in the decision-making process for software and technology in their organizations.