Northstar IT

(360) 715-3330
Bellingham / Whatcom County

Insider Threats — Part 1: Understanding the Risk

Can you really trust your employees?

As an IT professional who works with businesses and organizations, I have personally witnessed numerous cases of employee fraud over the years. Frequently these crimes are perpetrated by the most trusted employee: the one who has been there the longest, the one who has been given the greatest access to the company's data and finances, the one who is counted as a company insider. Often these acts are committed over long periods of time without detection, resulting in the embezzlement of impressively large sums of money. In each case the business owners were blindsided when it was discovered: "We would never have thought so-and-so could do this." A good rule of thumb: the more trust an employee is extended, the more oversight should be exercised over what that trust allows.

There are ways to manage insider threats, but we first need to look at the types of threat that exist, the business roles of the people involved, and the warning signs that typically accompany an employee who is not complying with policy, law, or ethics. Armed with this information, organizations can implement administrative, technical, and physical controls to reduce insider risk.

Three Primary Types of Insider Threats

Intellectual Property Theft

Intellectual property (IP) is any "creation of the mind" created or owned by an organization. For our purposes, examples include:

  • Engineering designs/drawings
  • Software created in-house
  • Trade secrets

In many cases the creators of IP (engineers, software developers, and so on) believe they hold ownership rights to it. In others, financial gain or professional advancement motivates the theft. The tipping point from good to rogue employee usually comes when creators do not receive recognition for their work, or do not feel adequately compensated and appreciated. CERT (the CERT Division at Carnegie Mellon University's Software Engineering Institute, whose insider threat research this article draws on) lists several objectives for IP theft, including:

  • Starting a new business
  • Providing a competitive advantage to a new employer
  • Providing it to a foreign country (especially a country with which an employee has cultural, political, or ethnic ties)

Because the people most likely to steal IP are the ones legitimately granted access to it, detection is difficult: the access itself looks normal, so what stands out is where the data goes next. Close attention to the common IP removal paths is therefore the first step in reducing the risk of IP loss. These include:

  • Company email
  • Remote network access
  • Storage on laptops and other mobile storage devices
  • File transfer services (FTP or SFTP)
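The removal paths above are exactly where monitoring pays off. Below is an added example (not code from Northstar IT or from the sources cited) of the kind of check a practitioner would run over transfer logs from those channels: it sums bytes per user, per channel, per day, and flags personal-webmail destinations, single bulk transfers outside business hours, and daily volumes above a threshold. The event records, the field layout, the domain list and every threshold are constructed assumptions for this example; a real deployment would feed it from mail-gateway, VPN, SFTP and endpoint USB logs and tune the thresholds to its own baseline.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample transfer events for this example (not real logs).
# Fields: timestamp, user, channel, bytes moved, destination.
EVENTS = [
    ("2024-03-04T09:12:00", "alice", "email", 120_000, "vendor.example.com"),
    ("2024-03-04T09:40:00", "alice", "email", 95_000, "vendor.example.com"),
    ("2024-03-04T14:00:00", "carol", "vpn", 40_000_000, "198.51.100.20"),
    ("2024-03-04T22:05:00", "bob", "usb", 2_400_000_000, "removable:SanDisk"),
    ("2024-03-04T22:30:00", "bob", "sftp", 900_000_000, "203.0.113.7"),
    ("2024-03-04T23:10:00", "bob", "email", 25_000_000, "gmail.com"),
]

# Policy values are assumptions for the example; tune them to your own baseline.
PERSONAL_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
DAILY_BYTES_PER_CHANNEL = 500_000_000   # 500 MB per user, per channel, per day
BULK_TRANSFER_BYTES = 100_000_000       # a single transfer of 100 MB or more is "bulk"
BUSINESS_HOURS = (7, 19)                # 07:00 to 18:59 local time


def is_after_hours(ts: str) -> bool:
    """True when the ISO-8601 timestamp falls outside BUSINESS_HOURS."""
    hour = datetime.fromisoformat(ts).hour
    return not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1])


def analyze(events):
    """Return a list of (user, reason, when, detail) findings."""
    totals = defaultdict(int)
    findings = []
    for ts, user, channel, nbytes, dest in events:
        totals[(ts[:10], user, channel)] += nbytes
        # Company mail sent to a personal webmail domain is a classic removal path.
        if channel == "email" and dest.lower() in PERSONAL_MAIL_DOMAINS:
            findings.append((user, "personal-email", ts, dest))
        # One large transfer at night on any channel deserves a look.
        if nbytes >= BULK_TRANSFER_BYTES and is_after_hours(ts):
            findings.append((user, "after-hours-bulk", ts, channel))
    # Many small transfers add up; check the daily total per channel.
    for (day, user, channel), total in sorted(totals.items()):
        if total >= DAILY_BYTES_PER_CHANNEL:
            findings.append((user, "daily-volume", day, f"{channel}:{total}"))
    return findings


def flagged_users(events):
    """Distinct users with at least one finding, sorted."""
    return sorted({f[0] for f in analyze(events)})


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(*finding)
```

In the sample data only bob is flagged, and he is flagged five ways (a personal-webmail send, two after-hours bulk transfers, and daily volume on both USB and SFTP); alice's ordinary vendor email and carol's daytime VPN session pass. The point of checking volume as well as single events is that an insider who knows a per-file limit exists will simply split the copy.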

Fraud

Fraud is theft of financial assets. Employee fraud is far more common than most organizations believe. In an article at CFOOnline.com, Tracy L. Coenen writes, "Experts estimate that on average it costs companies 3% to 5% of revenue each year." For example, a payroll clerk who creates a fictitious employee, runs payroll for that employee, and then collects and cashes the check commits fraud. Other types include misuse of expense accounts and payments to vendors who provide no services or products. People deep in debt with no hope of digging themselves out tend to top the list of insider threats in this category.

Fraud occurs across many channels, and involvement may extend beyond employees to outside criminals or criminal organizations. Again, employees who resort to fraud usually seek financial gain. Methods include:

  • Selling stolen information
  • Modifying information to realize financial gains for self or others
  • Receiving payment for adding, modifying, or deleting information

Most employees committing fraud avoid complex technological pathways. The last two methods above, for instance, require only altering records in a database; no data leaves the network, so controls that watch for exfiltration never fire. When data is removed, it is usually downloaded to a home computer, copied to mobile storage, faxed, or emailed.
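Because this kind of fraud changes records rather than moving them, the control is a reconciliation, not a network monitor. The following is an added example (not code from Northstar IT or from the sources cited) of the ghost-employee check described above: it cross-checks a payroll table against the HR master roster and flags payroll rows with no HR record, terminated employees still being paid, rows inserted by a human login rather than the HR feed, and one bank account shared by several employee IDs. The roster, the payroll rows, the `created_by` field and the name of the automated feed are all constructed assumptions for the example; the clerk "mruiz" and the ghost "E999" are made up.

```python
from collections import defaultdict

# Constructed data for this example (not a real payroll system).
# HR master roster: employee_id -> (name, status). Only HR can add rows here.
HR_ROSTER = {
    "E100": ("Ann Ortiz", "active"),
    "E101": ("Dev Patel", "active"),
    "E102": ("Lee Chan", "terminated"),
    "E103": ("Mia Ruiz", "active"),
}

# Payroll table the clerk can edit. "created_by" is the login that inserted the
# row; legitimate rows arrive through the HR feed, so created_by is "hr_feed".
PAYROLL = [
    {"employee_id": "E100", "name": "Ann Ortiz", "bank_account": "111-22-3333", "created_by": "hr_feed"},
    {"employee_id": "E101", "name": "Dev Patel", "bank_account": "444-55-6666", "created_by": "hr_feed"},
    {"employee_id": "E102", "name": "Lee Chan", "bank_account": "777-88-9999", "created_by": "hr_feed"},
    {"employee_id": "E103", "name": "Mia Ruiz", "bank_account": "222-33-4444", "created_by": "hr_feed"},
    # The ghost: no HR record, inserted by hand, paid into an existing employee's account.
    {"employee_id": "E999", "name": "John Smith", "bank_account": "222-33-4444", "created_by": "mruiz"},
]

AUTOMATED_SOURCES = {"hr_feed"}   # assumption: the only legitimate inserter of payroll rows


def ghost_employee_checks(hr_roster, payroll):
    """Cross-check payroll against the HR master and return a dict of findings."""
    findings = {
        "not_in_hr": [],               # paid, but HR has never heard of them
        "terminated_still_paid": [],   # HR says gone, payroll still pays
        "manual_insert": [],           # (employee_id, login) rows not from the feed
        "shared_bank_account": {},     # account -> employee IDs paid into it
    }
    by_account = defaultdict(set)
    for row in payroll:
        eid = row["employee_id"]
        by_account[row["bank_account"]].add(eid)
        if eid not in hr_roster:
            findings["not_in_hr"].append(eid)
        elif hr_roster[eid][1] != "active":
            findings["terminated_still_paid"].append(eid)
        if row["created_by"] not in AUTOMATED_SOURCES:
            findings["manual_insert"].append((eid, row["created_by"]))
    for account, ids in by_account.items():
        if len(ids) > 1:
            findings["shared_bank_account"][account] = sorted(ids)
    return findings


if __name__ == "__main__":
    for check, hits in ghost_employee_checks(HR_ROSTER, PAYROLL).items():
        print(f"{check}: {hits}")
```

The reconciliation must be run by someone other than the payroll clerk, against a roster the clerk cannot edit; otherwise the check sits inside the same sphere of trust it is meant to verify. The shared-account test is the one that points at a person: the ghost is paid into the account of the employee who created the row.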

Damage to Information Resources

Damage to information resources is usually an attempt to break one or more business processes and thereby cause significant harm to the business. In most cases this requires privileged access: administrative rights on the affected systems, or a developer's ability to change the code they run. For example, a programmer might plant a logic bomb that destroys a database, irreparably damages server software, or causes an application to behave in unexpected ways. Beyond logic bombs, reconfiguring network devices in ways that cause significant loss of productivity is a surreptitious malicious act that is often difficult to remediate.

A malicious administrator does not always announce himself with one large, visible event. More often, creating extra administrator accounts gives the attacker long-term access for a series of small but costly hits against a current or former employer. An organization without proper log management will have a very difficult time assigning responsibility when the rogue account is eventually found: the account exists, but nothing records who created it or when.
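What "proper log management" buys you here is attribution. The following is an added example (not code from Northstar IT or from the sources cited) that parses account-creation and group-membership events, correlates a new account with its later addition to a privileged group, and names the actor behind each change. The log lines, the key=value format, the privileged-group names and the approved provisioning account are constructed assumptions for the example; real sources (a Windows Security log, auditd, a domain controller) carry the same information under their own field names and would need to be mapped into this shape first.

```python
import shlex
from datetime import datetime, timedelta

# Constructed audit-log lines in a key=value format invented for this example.
LOG = """\
2024-03-04T10:15:00 event=account_created actor=hr_provisioning target=ann.ortiz
2024-03-04T10:16:00 event=group_member_added actor=hr_provisioning group=Staff member=ann.ortiz
2024-03-04T18:02:11 event=account_created actor=jdoe target=svc_backup2
2024-03-04T18:03:40 event=group_member_added actor=jdoe group=Administrators member=svc_backup2
2024-03-05T02:45:09 event=group_member_added actor=jdoe group="Domain Admins" member=jdoe2
"""

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}   # assumption: this site's admin groups
APPROVED_PROVISIONERS = {"hr_provisioning"}               # assumption: only account allowed to create users
CREATE_TO_ELEVATE_WINDOW = timedelta(hours=24)            # create-then-elevate inside this window is suspicious


def parse(log_text):
    """Turn each line into a dict; shlex handles quoted values such as "Domain Admins"."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, *fields = shlex.split(line)
        rec = {"ts": datetime.fromisoformat(ts)}
        rec.update(f.split("=", 1) for f in fields)
        events.append(rec)
    return events


def audit_privileged_accounts(log_text):
    """Return (reason, actor, account, when) findings for suspicious privileged changes."""
    events = parse(log_text)
    created = {e["target"]: e for e in events if e["event"] == "account_created"}
    findings = []
    for e in events:
        when = e["ts"].isoformat()
        # Any account created by something other than the provisioning pipeline.
        if e["event"] == "account_created" and e["actor"] not in APPROVED_PROVISIONERS:
            findings.append(("unapproved-account-creation", e["actor"], e["target"], when))
        # Any addition to an admin group, split by whether the member is brand new.
        if e["event"] == "group_member_added" and e["group"] in PRIVILEGED_GROUPS:
            origin = created.get(e["member"])
            if origin and e["ts"] - origin["ts"] <= CREATE_TO_ELEVATE_WINDOW:
                findings.append(("new-account-elevated", e["actor"], e["member"], when))
            else:
                findings.append(("privileged-group-add", e["actor"], e["member"], when))
    return findings


def actors_to_question(log_text):
    """The people responsible for the flagged changes, which is what the investigation needs."""
    return sorted({f[1] for f in audit_privileged_accounts(log_text)})


if __name__ == "__main__":
    for finding in audit_privileged_accounts(LOG):
        print(*finding)
    print("actors:", actors_to_question(LOG))
```

Three of the five lines produce findings, and every one of them traces back to the same login. Two things make that possible: the log records the actor on each event, and it is shipped somewhere the administrator cannot edit it. Without the first there is nothing to attribute; without the second the attribution is only as trustworthy as the person under suspicion.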

Collusion

Individual employees do not always have access to everything needed for theft or system damage. Many organizations raise barriers with separation of duties, enforced through role-based access control. Enterprising insiders circumvent these controls through collusion. What is collusion? Peter Vajda writes, "Collusion takes hold when two or more individuals co-opt their values and ethics to support their own – and others' – misdeeds." The key word is support. An engineer, for example, might have full access to every component of the IP he or she intends to steal, while a payroll or accounts payable clerk might not have access to every step of a payment. Consequently, the person planning the theft may recruit key employees who hold the access to information or processes the planner lacks.

Collusion increases the risk for the perpetrators, but it also decreases the opportunities to detect theft, because bypassing separation of duties via collusion defeats a key control while leaving each individual's actions within his or her authorized role. According to CERT research, it is not uncommon for multiple individuals, including outsiders, to participate in long-term fraud.
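Separation of duties can be checked in two places: statically, against the role model (does anyone hold both halves of a conflicting pair?), and dynamically, against what actually happened (did one person create and approve the same payment, or does one approver rubber-stamp nearly everything a particular creator submits?). The static check catches the lone insider; the second dynamic check is the only one of the three that says anything about collusion, since a colluding pair never violates the role model. The following is an added example (not code from Northstar IT or from the sources cited) of all three checks. The role model, the conflicting-permission pairs, the transactions, and the "five or more approvals, 80% or more of the creator's work" threshold are constructed assumptions for the example, and that threshold in particular has to be calibrated against a real team's normal approval patterns before it means anything.

```python
from collections import Counter

# Constructed role model for this example. Roles map to permissions; CONFLICTS
# lists permission pairs that separation of duties says no one person may hold.
ROLE_PERMS = {
    "ap_clerk":   {"vendor.create", "payment.create"},
    "ap_manager": {"payment.approve"},
    "engineer":   {"design.read"},
}
CONFLICTS = {
    frozenset({"vendor.create", "payment.approve"}),
    frozenset({"payment.create", "payment.approve"}),
}
USER_ROLES = {
    "dana": {"ap_clerk"},
    "hal":  {"ap_clerk"},
    "eli":  {"ap_manager"},
    "gus":  {"ap_manager"},
    "fay":  {"ap_clerk", "ap_manager"},   # toxic combination: can create and approve
    "ivy":  {"engineer"},
}

# Constructed payment transactions: (txn_id, created_by, approved_by).
# dana's payments are almost always approved by eli; hal's are spread across approvers;
# fay approves her own.
TRANSACTIONS = (
    [(f"T{i}", "dana", "eli") for i in range(1, 10)]
    + [("T10", "dana", "gus")]
    + [("T11", "hal", "eli"), ("T12", "hal", "gus"), ("T13", "hal", "eli"), ("T14", "hal", "gus")]
    + [("T15", "fay", "fay")]
)


def static_sod_violations(user_roles=USER_ROLES, role_perms=ROLE_PERMS, conflicts=CONFLICTS):
    """Users whose combined roles grant both halves of a conflicting pair."""
    out = []
    for user, roles in user_roles.items():
        perms = set().union(*(role_perms[r] for r in roles))
        for pair in conflicts:
            if pair <= perms:
                out.append((user, tuple(sorted(pair))))
    return sorted(out)


def self_approvals(transactions=TRANSACTIONS):
    """Transactions where the creator approved their own work (dynamic SoD failure)."""
    return sorted(txn for txn, creator, approver in transactions if creator == approver)


def concentrated_approvers(transactions=TRANSACTIONS, min_count=5, min_share=0.8):
    """Creator/approver pairs where one approver signs off most of a creator's work.

    Returns (creator, approver, pair_count, creator_total). A pair that dominates
    is not proof of collusion, only the place to start looking; the threshold is
    an assumption and must be tuned to the team's normal workflow.
    """
    pair_counts = Counter((c, a) for _, c, a in transactions)
    creator_totals = Counter(c for _, c, _ in transactions)
    flagged = []
    for (creator, approver), n in pair_counts.items():
        if n >= min_count and n / creator_totals[creator] >= min_share:
            flagged.append((creator, approver, n, creator_totals[creator]))
    return sorted(flagged)


if __name__ == "__main__":
    print("static SoD violations:", static_sod_violations())
    print("self-approvals:", self_approvals())
    print("concentrated approver pairs:", concentrated_approvers())
```

In the sample data the static check finds fay, the self-approval check shows she used the toxic combination on T15, and the concentration check flags dana and eli (9 of dana's 10 payments) while hal, whose work is split evenly, is not flagged. Rotating approvers, or routing a random sample of each creator's transactions to a second approver, is the control that turns a pattern like dana and eli's into something a colluding pair cannot count on.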

Managers like to believe their employees will behave with integrity, but collusion is a common source of insider risk. According to a Fraud Matters Newsletter article posted on the EFP Rotenberg website, "Collusion accounts for as much as 40 percent of fraud, with median loss of approximately $485,000 – nearly five times that of crimes perpetrated by an individual alone." The size of losses from collusive fraud raises the associated risk to a level that needs close attention from security teams and management.

Up Next: Mitigating Attacks

In Part 2 we will explore how to recognize problem employees and implement controls to reduce insider opportunities.

Additional Sources: Tom Olzak/TechRepublic