Not all insider threat activity occurs at the senior management or executive levels of an organization. In fact, risk from trusted employees exists at every level.

Take insider fraud as an example. In the vast majority of cases such fraud is committed by lower-level operational and administrative staff, such as those in customer service and data entry or on IT help desks, and also by low- and mid-level managers. In each case the employee or manager has relatively unconstrained access to the company’s customer, billing and other sensitive data, and uses that legitimate access to commit the fraud.

The CERT Guide to Insider Threats defines fraud as: “An insider’s use of IT for the unauthorized modification, addition, or deletion of an organization’s data (not programs or systems) for personal gain, or theft of information that leads to an identity crime (e.g., identity theft, credit card fraud).” Not included in CERT’s definition – or this profile – is the type of enterprise-scale accounting fraud perpetrated by Enron, WorldCom, Tyco and others over the past two decades.

According to the TechTarget blog, information targeted for employee-generated fraud covers a wide range of information about an individual, including:

  • Personal identification data, such as driver’s licenses, medical identities, criminal histories and immigration applications;
  • Personal financial data, such as credit cards, credit histories, utility bills and food stamp applications; and
  • Personal medical data, such as medical records and disability claims.

For example, Anthem BlueCross and BlueShield in 2017 had to notify 18,000 of its customers who were Medicare members after an employee with one of its vendors sent their data to a personal email address and then allegedly misused the data.

Financial reasons drive most fraudsters. In some instances they are motivated by simple greed, while in others they’re facing financial stressors like mounting personal debt, medical bills or gambling losses. Another powerful predictor of workplace fraud is an employee’s dissatisfaction with his or her job, or with the work organization.

Besides the lower organizational level of the typical perpetrator, a number of other factors make fraud distinct, according to the authors of the CERT guide and other insider threat experts. For one thing, it typically unfolds over a much longer period of time than sudden ‘big bang’ insider events like sabotage or intellectual property theft.

In the latter two cases the employee is usually headed for the exits or has already left when the attack occurs. The fraudster, by contrast, tends to stay on the job for months or years, so the losses accumulate and this type of insider can have a significant adverse financial impact on the organization.

A 2019 Cybersecurity Insiders report found that 55 percent of all malicious insider threat cases are fraud-related, a larger percentage than IP theft, sabotage or espionage. While other insider threat cases may grab more headlines, the frequency, scope and monetary impact of fraud make it a major risk factor – one requiring sustained C-suite attention and company-wide mitigation programs.

Some of the best remedies are procedural in nature. These can include regular and well-publicized audits of critical or irregular processes, stringent background checks for new staff, routine reviews of privileged access lists, training programs that educate staff on how to spot signs of fraud and employee assistance programs that try to support those exhibiting signs of financial stress.

But processes, procedures and controls alone are not enough – which is where fraud detection tools come in.

Popular technologies include SIEM and UEBA platforms that analyze network and device activity for signs of any kind of insider threat. However, the effectiveness of such tools against fraud is hampered by the fact that fraudsters use the same systems and the same access they rely on in their assigned roles, and they carry out their fraud on-site and during normal working hours. In other words, they behave like they’re just doing their jobs, so their activity produces few of the anomalies these tools are built to flag.

Given that fraud is a malicious act – as opposed to one caused by unwitting or negligent behavior – an effective technology solution should include data sources with information that relates to financial stressors, employee dissatisfaction and other behavioral indicators of risk that can’t be detected on networks.

The CYDERES Insider Threat Detection & Response (ITDR) managed service is a case in point. It combines analysis of network security data through the CYDERES Cloud Native Analytics Platform (CNAP) with a patented model-based approach that supplements the network signals with diverse non-network data from HR and other internal sources. The result is a more contextualized view of individual fraud risk.

Once data is applied as evidence the probabilistic model produces a list of potential fraud actors, prioritized by risk score. CYDERES then ingests, validates and triages the results and delivers detailed incident alerts to its customers along with the related evidence needed to launch an investigation.
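To make the "whole-person" idea from the preceding paragraphs concrete, here is an added example (not CYDERES code, and not a reproduction of the patented model described above) of how a risk score can combine a weak network signal with non-network evidence. It compares each employee's daily customer-record lookups with same-role peers using a robust (median/MAD) baseline, then treats that comparison and a set of HR indicators as independent likelihood ratios applied to a prior. The indicator names, the likelihood-ratio values, the 2 percent base rate and the four sample employees are all constructed for illustration:

```python
"""Context-driven insider-fraud risk scoring: an added, illustrative example.
Not CYDERES code; indicators, likelihood ratios and sample staff are assumed."""
from dataclasses import dataclass, field
from statistics import median
from typing import Dict, List, Tuple

# Assumed likelihood ratios: how much more often each non-network indicator
# appears among fraud cases than among honest staff (illustrative, not measured).
NON_NETWORK_LR: Dict[str, float] = {
    "financial_stress": 4.0,        # e.g. wage garnishment, hardship-loan request
    "job_dissatisfaction": 2.5,     # e.g. contested review, grievance filed
    "unresolved_audit_finding": 3.0,
}
PRIOR_ODDS = 0.02 / 0.98  # assumed base rate: 2% of staff per year


@dataclass
class Employee:
    name: str
    role: str
    daily_lookups: List[int]                              # customer records opened per day
    indicators: List[str] = field(default_factory=list)   # from HR, not from the network


def robust_z(value: float, peers: List[int]) -> float:
    """Deviation of value from the peer group using median/MAD, so a single
    high-volume peer does not inflate the baseline the way mean/stdev would."""
    med = median(peers)
    mad = median(abs(x - med) for x in peers) or 1.0
    return (value - med) / (1.4826 * mad)


def network_lr(emp: Employee, staff: List[Employee]) -> float:
    """Leave-one-out comparison with same-role peers. In-role volume is weak
    evidence on its own: fraudsters look like they are doing their jobs, so
    only a sustained, large excess moves the odds much."""
    peers = [x for e in staff if e.role == emp.role and e is not emp
             for x in e.daily_lookups]
    if not peers:
        return 1.0
    z = robust_z(median(emp.daily_lookups), peers)
    if z < 1.0:
        return 1.0
    if z < 3.0:
        return 1.5
    return 4.0


def risk_scores(staff: List[Employee]) -> List[Tuple[str, float, List[str]]]:
    """Apply the network and non-network likelihood ratios to the prior odds
    (naive independence assumption) and return (name, probability, evidence)
    sorted from highest to lowest risk."""
    ranked = []
    for emp in staff:
        nlr = network_lr(emp, staff)
        odds = PRIOR_ODDS * nlr
        evidence = ["lookups_above_peers"] if nlr > 1.0 else []
        for ind in emp.indicators:
            odds *= NON_NETWORK_LR[ind]
            evidence.append(ind)
        ranked.append((emp.name, round(odds / (1 + odds), 3), evidence))
    return sorted(ranked, key=lambda r: r[1], reverse=True)


# Constructed sample: four customer-service agents over one working week.
SAMPLE_STAFF = [
    Employee("bob",   "customer_service", [60, 62, 58, 65, 61]),
    Employee("alice", "customer_service", [62, 64, 60, 66, 63],
             ["financial_stress", "job_dissatisfaction"]),
    Employee("carol", "customer_service", [110, 120, 115, 118, 112]),
    Employee("dave",  "customer_service", [58, 59, 61, 60, 62]),
]

if __name__ == "__main__":
    for name, p, evidence in risk_scores(SAMPLE_STAFF):
        print(f"{name:6} {p:.3f} {evidence}")
```

On the sample data alice, whose lookup volume is indistinguishable from her peers, ranks first (about 0.17) because of the two HR indicators, while carol's roughly doubled lookup volume alone lands her second (about 0.075); a network-only detector would have ordered them the other way. The independence assumption behind multiplying likelihood ratios is a simplification, and the evidence list attached to each score is what an analyst would validate before an alert goes out.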

It is this context-driven ‘whole-person’ approach that sets ITDR apart from other detection solutions. Because it’s a managed service, there’s no software to buy and no need to hire more SOC analysts to find the riskiest insiders among a mountain of noisy alerts.

And because ITDR takes a more proactive approach to fraud detection, organizations have the opportunity to intervene in time to prevent the fraud from escalating – and perhaps help an employee in financial distress.

#    #    #

Note: CYDERES’s Insider Threat Detection & Response managed service was launched in July 2021. An introductory webinar detailing the features and capabilities of the service, including an in-depth demo of the operational system, is available from CYDERES.