Insider Threats Confound Enterprise Security Efforts

Wednesday, June 20, 2012



CIFAS, a UK-based nonprofit association with members in both the private and public sectors, reports that it measured a 14.5% increase in the number of reported cases of staff-initiated fraud in 2011 over those reported in 2010.

The organization established the Staff Fraud Database in 2006, which collects data from more than 220 member organizations across multiple sectors.

"This type of fraud can damage businesses' reputation, brand and staff morale - as well as losing thousands of pounds. Employers must be on their guard when vetting prospective employees and ensuring that appropriate controls and a zero tolerance culture exists within their organisations to ensure that staff fraud cannot prosper," CIFAS states.

The group also reports the following trends:

  • CIFAS Members' data sharing efforts have revealed that the most common way for staff frauds to be identified is through an organisation's own monitoring and controls - demonstrating the important role that effective management plays.
  • The value of reported fraud, as revealed in BDO Stoy Hayward's Fraudtrack report rocketed to more than £2bn in the UK in 2011, representing a 50% increase on 2010's figure of £1.4bn. This means that since its launch in 2003, when fraud totalled £331m, there has been a seven-fold increase in the cost of reported fraud.
  • There has been a massive rise in identity theft in recent years: from 77,500 cases in 2007 to over 113,000 cases in 2011, with organised criminals frequently targeting insiders within an organisation in order to obtain the personal data needed to commit this crime.

The insider threat is particularly troublesome for organizations, as the perpetrators have access to the most confidential information, and breach detection usually only occurs after the damage is done.

"The majority of staff within any organisation are trustworthy and honest. But businesses must understand the scale of the threat posed by the small proportion of staff who act dishonestly and defraud their employer and the numerous ways in which an organisation can be targeted," said Arjun Medhi, CIFAS Staff Fraud Adviser.

"The way in which organisations approach the issue of staff fraud is changing to respond to the increased risk. Many organisations have historically been anxious to play down the threat from within and focus, instead, on the fraud risks presented by customers. The days when the majority of cases would be handled quietly with no publicity are long gone however, with customers and shareholders wanting to know that organisations are doing all that they can to safeguard against the threat," Medhi continued.

A survey of 1000 white collar employees conducted by Imperva in 2010 revealed that more than two-thirds of employees admitted they are willing to take everything from client and customer records to the intellectual property of their employer.

The study reported that 85% have confidential company information on their home computers or personal mobile devices, 75% admit to having client records, and 27% admit to having sensitive intellectual data.

At least half of the employees surveyed reported having accessed data they were not cleared to peruse, and three-quarters stated that the data access control mechanisms in place were easy to bypass.

"Employers should adopt a risk-based approach to managing employee fraud and dishonesty which is appropriate to the organisation, the industry sector and different job roles. It is also vital that [counter] fraud teams engage with HR departments as a balanced approach is required to manage the risks while maintaining the trust of the vast majority of honest employees," said Mike Emmott, CIPD Employee Relations Adviser.

The trick is to implement controls in such a way as to avoid developing an atmosphere of mistrust. Emmott recommends that, along with controls, clear and concise policies be developed and the intentions of those policies be clearly communicated to employees.

"CIPD research shows that organisations that seek to monitor their employees excessively are unlikely to create a work environment that encourages trust, loyalty and commitment. So, it is important for employers to communicate clearly why policies are in place, so that employees know that there is a good reason behind the approach being taken and that it is not simply a 'Big Brother' encroachment on their privacy," Emmott cautioned.


Jayson Wylie: It is important to constrain and monitor access as well as having behavior monitoring from either trained professionals or management.

DLP is not there yet and most employees are able to USB to their companies' data stores for non-constrained extraction. Most companies have horrible ACEs and Everyone Full access might be present on the sensitive or out-of-job-focus data.

There can't be a major element of distrust to the employees and this especially includes the Infosec professionals. I was once accused of production hacking and my machine was taken for forensics.

The talented staff who know they can find better will just resign to find better. Lackluster talent may take it but it will still affect their disposition and perception of placement or value in the organization.

Before the insider threat becomes the focus on witch hunting management, they need to consider what the accusations really mean.

Taking my PC for forensics is a first step in a criminal investigation, which could also be seen as character defamation or slander when it's not true.

My intent glows pure white but not everyone can see that aura through the dark haze of fear based and ill informed management incident decisions to press down hard on those who might be trying to affect things in a positive light.

Fraud can also be seen by cooking books and self dictation of pay or bonus scale. Everyone might have opportunity but a crime is a crime at the top to the very bottom. Zero-trust is probably where it's at but do not create a culture around the concept.

Call it as you see it but insider threat can be misplaced onto others when the accuser(s) are of poor character or knowledge and there may be another hidden agenda. A distraction.
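The comment above points at over-broad ACEs ("Everyone Full access") on sensitive data as a common gap; the article likewise notes that access controls were reported to be easy to bypass. The following PowerShell audit is an added example, not code from the article, CIFAS or the commenter: it walks a directory tree and reports Allow ACEs that grant broad principals Modify, FullControl or the equivalent generic rights. The `$Root` path is a hypothetical placeholder.

```powershell
# Added example (not from the article or the comment): report ACEs on a directory
# tree that give broad principals write-level or full access.
# $Root is a hypothetical placeholder; point it at the share under review.
param([string]$Root = 'C:\SensitiveData')

$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
$Modify       = [int][System.Security.AccessControl.FileSystemRights]::Modify
$GenericAll   = 0x10000000   # GENERIC_ALL, seen on some inherited/generic ACEs
$GenericWrite = 0x40000000   # GENERIC_WRITE

function Test-RiskyRights {
    param([int]$Rights)
    # Modify is a set of bits and FullControl is a superset of it, so an ACE
    # carrying every Modify bit grants at least Modify.
    if (($Rights -band $Modify) -eq $Modify) { return $true }
    if (($Rights -band $GenericAll) -ne 0 -or ($Rights -band $GenericWrite) -ne 0) { return $true }
    return $false
}

# Root directory plus every subdirectory; files inherit from these in most setups.
$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Directory -ErrorAction SilentlyContinue)

foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }   # no rights to read the DACL; skip rather than abort
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (Test-RiskyRights -Rights ([int]$ace.FileSystemRights)) {
            # Emit one finding per risky ACE; pipe to Export-Csv or Format-Table as needed.
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}
```

Findings where `Inherited` is true usually trace back to a single parent folder, so fixing the parent's DACL clears the whole subtree; explicit (non-inherited) entries have to be corrected individually.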
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
