Posted: 24th November 2017
First published by Thomson Reuters during November 2017
Insider fraud is considered a significant element of the fraud threat, and one which continues to develop.
The Kroll Annual Global Fraud Risk Report 2016/17, compiled from interviews with 545 senior executives worldwide, revealed that the most common perpetrators of fraud, cyber attacks and security incidents in the past 12 months had been current and former employees.
In fact, 60 percent of respondents confirmed the involvement of one or more of the following groups in instances of fraud:
- Senior or middle management employees of our own company.
- Junior employees of our own company.
- Freelance/temporary employees.
In addition, the recent release by HM Treasury of the National Risk Assessment of Money Laundering and Terrorist Financing 2017 highlighted that almost half of insider fraud cases also potentially involve money laundering. Given the findings, it is clear that some of the long-held assumptions about fraud, cyber and data loss (and the primarily external nature of the threat) are misguided.
Employees in a position of trust with the access and ability to move significant data and funds can be detrimental to a firm if early prevention controls are absent or insufficient.
Breaking down the insider threat
The Fraudscape Report 2017, produced by Cifas, asserted that the most common type of insider fraud took place via theft and deception. Employees who hold a position of trust and act dishonestly can commit thefts of data that severely disrupt the organisation and lead to financial and reputational loss. Often, insiders are equipped with the requisite knowledge of the company and its processes to cover their tracks.
The "insider threat" goes beyond fraudulent monetary transactions. Earlier this year, The Economist headlined an article "The world's most valuable resource is no longer oil, but data"; a firm's data is a valuable commodity and can be used to commit fraud, manipulate markets or destroy a business.
Data needs to be treated with the highest security controls, and in the same manner that the firm handles and secures company and customer funds. Many firms are constantly upskilling and adapting, with costly technology programmes to address the cyber and fraud threat. In 2013, however, the National Security Agency (NSA) in the United States was probably considered one of the most secure centres in the world, and it took the actions of one contractor, Edward Snowden, to copy and leak classified information on a phenomenal scale.
It seems clear that the issues of fraud and data breaches are not just about technology-based defences, if those defences can be negated by the actions of a single employee. A holistic approach in which the firm's financial crime, compliance, fraud and information technology teams collaborate can close down vulnerabilities and bolster its defences.
There have been a few theories regarding the motivations for fraud, but one of the most prevalent is Donald Cressey's fraud triangle, which breaks down the three elements needed for a fraud to occur: pressure, rationalisation and opportunity. The fraud triangle can be used to assess the risk of internal fraud and cyber data breaches perpetrated by those inside the business:
- Pressure — focuses on what motivates the crime. This would involve an individual who resorts to a criminal act to resolve their problem (e.g., stealing cash to fund a gambling habit or stealing business secrets for a market advantage).
- Rationalisation — is the process by which the individual justifies the criminal act to themselves (e.g., a disgruntled employee who has not received a company bonus, or cyber espionage for ideological reasons).
- Opportunity — the individual will be attracted to vulnerabilities where there is a good chance of not being caught (e.g., falsification of paper-based processes or copying company secrets to a third-party cloud).
The entanglement of insider threats and compliance
Section 21 of the Money Laundering Regulations 2017 now places a compliance duty on firms to carry out screening on their employees and agents, which includes an assessment of their skills, knowledge, expertise, conduct and integrity. A continuous employee screening programme is a useful tool in mitigating the risk.
Fraud and bribery have a close link in terms of methodology and motivation. Firms that fail to prevent bribery, and have not given the risk adequate consideration, are open to criminal liability. The UK Bribery Act 2010 encourages firms to identify the risks inherent among their employees, agents and other service providers in order to have a defence against the facilitation of bribery.
Similarly, firms that focus on their people, processes and technology using a holistic approach to fraud and cyber crime will mitigate risks more successfully. Firms that create a security culture that targets deliberate insiders, prevents negligent practice with effective employee due diligence and monitoring, and mitigates unintentional errors through training awareness will have a comprehensive fraud and security programme that is set up to tackle internal and external threats.
Looking to the future
In 2018, the focus on data breaches will be much more acute with new regulation.
On May 25, 2018, the General Data Protection Regulation (GDPR) will come into force in the UK, and this will strengthen and unify data protection laws within the European Union. The GDPR will require firms to have procedures in place to detect, report and investigate personal data breaches.
To this end, does the firm know where its data is stored, and what details are kept on customers? If there were a breach, would the firm be aware of the data loss? Do people at the appropriate level in the firm, given their risk exposure, have access to the appropriate levels of data? The GDPR requires firms to be able to map and control their data.
Personal data breaches will have a 72-hour notification period to the supervisory authority, and in serious cases will also require a notification to the public. Failure to notify a breach can result in significant fines of 10 million euros, or 2 percent of the firm's global turnover, as well as associated reputational damage.
The strict timescales for reporting a breach highlight a need to have appropriate systems and controls to investigate data breaches diligently and expeditiously to comply with the GDPR.
Preparation is vital to tackling the issue
The Fraudscape Report showed that the most common means of discovering internal fraud were internal controls and audit. Staff reporting and whistle-blowing were also among the common means of apprehending internal fraudsters.
There are many drivers for those committing financial and cyber crime to attack a business. Understanding the threat posed to the firm, identifying its vulnerabilities effectively and taking proportionate, proactive action are paramount. Some practical considerations to help firms address the threat of insider fraud include:
- Top-level commitment — promoting both a culture of ethical behaviour and a security-conscious environment is vital.
- Internal controls/audit — cross-referencing of financial irregularities will discourage insiders with the threat of being caught.
- Data loss prevention tools — to alert a firm to, or prevent, data leakage.
- Education and awareness — cyber/fraud prevention, security awareness and fostering a code of conduct.
- Single customer view — map and control customer data throughout the organisation.
- Effective vetting and recruitment processes using a risk-based approach — i.e., high-risk roles involving a position of trust should attract more stringent due diligence procedures prior to appointment.
- Monitoring and supporting staff — personal circumstances can present risks that motivate fraud and cyber crime. Prevention can be achieved through staff welfare and support.
- Developing (or reviewing, if already in existence) the firm's whistle-blowing/ethics line — anonymous reporting lines for employees to highlight suspicious activity within the firm.
A long-term approach
It is a perennial challenge to detect all instances of insider fraud. Given the column inches devoted to technology as the overarching solution, however, it is likely that a firm's staff are an underused resource when it comes to protecting it against malicious insiders.
Ensuring the firm's control environment blends the necessary investment in technology with the correct management of people (whether in positions of trust or not) will go a long way to mitigating the threat of insider fraud. Firms that identify, investigate and instil a compliance culture will stay ahead of regulatory fines, fraudulent losses and data breaches, and, most importantly, will protect both the firm and its customers.