32 months: according to the CERT Insider Threat Center, that’s the average span of time between the beginnings of insider fraud activity to the time of detection by the company being defrauded.
Recent studies performed by The CERT Insider Threat Center have determined that, on average, there is a five-year span from an employee’s hiring to the beginning of their insider fraud activity—that’s enough time for an employee to gain the trust of his or her employer and learn the processes necessary to develop a successful scam.
The costs of insider threats can be significant, and not just in dollars but also in loss of trust from customers and the communities in which the organizations operate. On average, losses from insider fraud perpetrated by managers within an organization can be as much as $1.5 million, and losses from non-managers can reach $287,000. This difference in dollar amounts makes sense, as managers have greater access to sensitive systems and data than do non-managers.
Insider fraud is defined by CERT as “an insider’s use of information technology for the unauthorized modification, addition or deletion of an organization’s data for personal gain or the theft of information which leads to fraud, identification theft, credit card theft, etc.” These incidents of fraud are most common in the following industries (ranked most common to least common):
1) Banking and Financial Industries
2) Local, state and federal governments
There are three general categories of insider threat risks, including information technology sabotage, theft of intellectual property and/or insider fraud. Generally speaking, most organizations struggle to mitigate these risks. The main reason is because would-be fraudsters have been granted access to authorized systems and many times know how to bypass existing controls. What’s worse, potential fraudulent activity looks normal, even when a fraudster has the intent to complete a malicious attack.
Although addressing these risks can be daunting for most organizations, putting forth some controls can offer greater protection from insider threats. One common misconception is that insider threats can be solved with technology. While technology can certainly prove useful in tracking down an attack, a simple review and analysis of activity logs won’t tell the reviewer which activity is normal insider behavior and which is insider threat behavior.
The Warning Signs
According to the U.S. Small Business Administration, studies have shown that perpetrators of fraud often feel under-appreciated, perceive that management is being unethical or unfair, or rationalize their behavior based on feeling the company “owes” them something. Look for these warning signs:
- Changes in employee behavior (good or bad)
- Changes in the number of vacation days the employee is taking (typically fewer)
- Optioning to work after hours or taking work home rather than working under supervision
- Disappearance of financial records
- Sudden, unexplainable debt
Mitigating the Risk of Insider Fraud
Take the following steps to minimize your risk of insider fraud:
- To prevent information technology sabotage, CERT recommends resilient control systems, backups, access controls, code reviews and log analyses.
- To prevent theft of intellectual property, data loss prevention solutions, encryption and intrusion detection systems should be implemented.
- To prevent other kinds of insider fraud, business practices, such as two-factor authorization, forced vacation, auditing technologies and technology for detecting unauthorized additions or modifications of data in a database, should be adopted.
- Implement pre-employment background checks and check references before hiring. This is your best line of defense against repeat offenders.
- Don’t be afraid to audit. Conducting audits is often the best way to detect insider fraud. If you’re in a high-risk industry (like banking or healthcare), conduct audits every six months for best results. Be sure to cover areas like business expense reports, cash and sales reconciliations, violations of social media and/or website policies and vacation/sick day reports.
Even though technology controls cannot eliminate insider threats, there are technologies that can help mitigate some of the risks associated with insider threats. There is no silver bullet for mitigating risks associated with insider threats and fraud. A combination of the right technologies and the right processes is the key to improving detection.