From startups to big banks, the technology and financial services sectors have already seen tens of thousands of layoffs in 2023. Not only do these cuts disrupt core business functions, but they could also lead to serious trouble down the road in the form of insider fraud. Bottomline Technologies’ Chris Gerda talks about new approaches banks and financial institutions should take to protect their commercial clients.
In these times of big tech layoffs and general economic malaise, here’s a statistic that should send a shiver down the spine of every compliance and security professional. Almost two-thirds (63%) of all employees admitted to taking data from their previous job to their current job. Here’s an even scarier one: 71% of companies surveyed don’t know how much data departing employees take to their next job or while searching for a new one.
And these behaviors take place in an environment where the workforce has become decentralized, scattering key employees and their devices to home offices, shared workspaces and coffee shops. The statistics illustrate a lack of awareness around a dangerous current threat — insider fraud.
Our experience over the past six months shows that a perfect storm of economic pressure, hybrid work arrangements, migrations from old to newer technologies and new fraud vectors have created opportunities for employees and outside forces to capitalize on their access to data, intellectual property and capital.
What’s more, the ability to mitigate insider fraud has now become a competitive issue, especially for banks. Recent client interactions prove to us that banks stand a chance of losing their commercial customers if they can’t extend solutions to mitigate this threat effectively. And in turn, those commercial entities can lose customers due to financial and reputational damage if insider fraud continues its destructive path. And perhaps the most significant risk, illustrated by the real-world data, is that insider fraud often goes undetected. We see it as the reputation killer that could lurk behind the scenes within companies of every size and business vertical.
New approaches needed
While it may occasionally involve more recognizable payments fraud, which banks especially have made progress on detecting, insider fraud is a different kind of offense and will require different actions. For example, it’s easy enough to flag a payment from Company A to Company B if it looks to be inconsistent with standard business patterns.
But valuable data is another matter. If a company sees that a competitor suddenly gains valuable information about key accounts, it can be challenging to identify that as fraud rather than as a result of hard work or luck. The reality may be that a current or former employee has accessed and shared sensitive account information. Other indicators of possible insider fraud include account or customer inquiries that far exceed an employee’s usual volume, activity inconsistent with the employee’s responsibilities (e.g., off-hours inquiries, or examining accounts that belong to other departments) and unusual actions such as attempting to send large files to personal email addresses.
However, compliance officers and security professionals have sophisticated technology and new operational strategies available to identify, detect, prevent and, if necessary, prosecute insider fraud. These translate into the following actions:
Work across the financial and operational functions to identify internal behavior patterns that could indicate fraud
The use cases above are just the tip of the iceberg for insider fraud. It’s critical to work across financial and operational functions to identify internal behavior patterns that could indicate fraud or ongoing anomalous behavior.
A common scheme is the “ghost employee” or “ghost company” vendor. In this case, an employee creates a new record and supporting documentation so that the “ghost” can be paid. The employee then sends funds to an account they control, concealing the transaction by moving internal funds to offset anything suspicious, altering inventory numbers or generating fake invoices for vague, non-tangible services. Here, security professionals need to invoke the principle of least privilege: each employee gets only the system access their role requires and nothing more.
Least privilege should never depend on a single manager or a single detection technology. Dual controls mean that more than one senior employee must approve access to sensitive data or funds. It’s a common-sense safeguard that too many companies fail to implement.
Work with IT and compliance management to identify threats that are not technically insider fraud but will be enabled by it
Social engineering frauds, such as identity theft, account takeovers or a rash of fraudulent checks written against a specific account, can all be entangled with some form of insider fraud. Businesses need data loss prevention (DLP) controls on email, web uploads, USB ports and the other channels through which people might exfiltrate data. Flagging and proactively blocking these channels is critical to stopping data loss and to detecting suspicious activity from employees who, for example, may never need to email anyone outside the company or to access 150 customer accounts in a normal day.
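The indicators listed above (inquiry volume far above an employee’s own norm, off-hours activity, access to another department’s accounts, large attachments to personal email addresses) can be turned into straightforward detection logic. The following is an added example written for this page; it is not Bottomline’s product code or anything from the article. The log records, employee names, business-hours window, attachment threshold and personal-domain list are all constructed assumptions; a real deployment would take them from the institution’s access logs and DLP policy.

```python
"""Insider-fraud indicator checks over constructed sample logs.

Added example, not code from the article or from Bottomline. Names,
thresholds and the personal-domain list are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed account-inquiry log: (employee, home department,
# owning department of the account queried, ISO timestamp).
INQUIRIES = (
    # alice: five retail inquiries a day on three weekdays ...
    [("alice", "retail", "retail", f"2023-03-0{d}T1{h}:00:00")
     for d in (1, 2, 3) for h in range(5)]
    # ... and one on Saturday 2023-03-04
    + [("alice", "retail", "retail", "2023-03-04T11:00:00")]
    # bob: four retail inquiries a day on two weekdays ...
    + [("bob", "retail", "retail", f"2023-03-0{d}T1{h}:30:00")
       for d in (1, 2) for h in range(4)]
    # ... then 13 wealth-management accounts on 2023-03-03, 09:05 to 21:05
    + [("bob", "retail", "wealth", f"2023-03-03T{h:02d}:05:00")
       for h in range(9, 22)]
)

# Constructed outbound-email log: (employee, recipient, attachment bytes).
EMAILS = [
    ("alice", "counsel@corp-example.com", 1_200_000),
    ("bob", "bob.home@gmail.com", 48_000_000),
]

PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}
BUSINESS_HOURS = range(8, 19)    # 08:00-18:59 local; assumed policy
LARGE_ATTACHMENT = 25_000_000    # bytes; assumed DLP threshold
VOLUME_MULTIPLIER = 3            # flag a day > 3x the employee's usual


def daily_counts(inquiries):
    """employee -> Counter of inquiries per calendar day."""
    per_day = defaultdict(Counter)
    for emp, _home, _owner, ts in inquiries:
        per_day[emp][datetime.fromisoformat(ts).date()] += 1
    return per_day


def volume_anomalies(inquiries, multiplier=VOLUME_MULTIPLIER):
    """Days on which an employee's count exceeds multiplier x the median
    of their OTHER days, so one spike cannot inflate its own baseline."""
    findings = []
    for emp, days in daily_counts(inquiries).items():
        if len(days) < 3:          # too little history to judge
            continue
        for day, n in sorted(days.items()):
            baseline = median(v for d, v in days.items() if d != day)
            if n > multiplier * baseline:
                findings.append((emp, str(day), n, baseline))
    return findings


def off_hours_inquiries(inquiries, hours=BUSINESS_HOURS):
    """Inquiries outside business hours or on a weekend."""
    out = []
    for emp, _home, _owner, ts in inquiries:
        t = datetime.fromisoformat(ts)
        if t.hour not in hours or t.weekday() >= 5:
            out.append((emp, ts))
    return out


def cross_department_inquiries(inquiries):
    """Inquiries into accounts owned by a department other than the
    employee's own."""
    return [(emp, owner, ts) for emp, home, owner, ts in inquiries
            if owner != home]


def risky_emails(emails, domains=PERSONAL_DOMAINS, limit=LARGE_ATTACHMENT):
    """Large attachments addressed to a personal email domain."""
    return [(emp, rcpt, size) for emp, rcpt, size in emails
            if rcpt.rsplit("@", 1)[-1].lower() in domains and size >= limit]


def review_queue(inquiries=INQUIRIES, emails=EMAILS):
    """employee -> sorted list of indicator names that fired."""
    hits = defaultdict(set)
    for emp, *_ in volume_anomalies(inquiries):
        hits[emp].add("volume")
    for emp, _ in off_hours_inquiries(inquiries):
        hits[emp].add("off_hours")
    for emp, *_ in cross_department_inquiries(inquiries):
        hits[emp].add("cross_department")
    for emp, *_ in risky_emails(emails):
        hits[emp].add("personal_email_exfil")
    return {emp: sorted(v) for emp, v in hits.items()}


if __name__ == "__main__":
    for emp, indicators in sorted(review_queue().items()):
        print(emp, ", ".join(indicators))
```

Each check is deliberately compared against the employee’s own history rather than a company-wide average, because a relationship manager and a back-office clerk have very different normal volumes; the point of the review queue is that one indicator on its own is rarely conclusive, while several on the same person in the same week (as with “bob” above) is exactly what an investigator wants surfaced.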
Create data and best practice alliances
The best threat mitigation technology providers, whether they’re in payments, cybersecurity or employee monitoring, all aggregate the interactions across their networks and can see aberrations within it. Example: Healthcare Company A receives malicious emails that several employees tag as suspicious. Those emails are confirmed as malicious by the cybersecurity provider. Then Healthcare Company B receives the same emails but doesn’t yet know they are threats. The intelligence from Company A gives them evidence to block the senders.
Another best practice concerns payroll theft. Employee payroll account numbers should never be entered into the company ERP as vendor payment details, nor duplicated on other employee account records, without a dual-approval process.
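The ghost-vendor scheme, the dual-control rule and the payroll-account rule above all reduce to reconciliations that can be run against the vendor master and the payroll file. The following is an added example written for this page, not code from the article or from Bottomline. The vendor rows, payroll rows, user names and account format are constructed; normalize() assumes two account numbers are the same account once spacing and punctuation are stripped, which is how a clerk would disguise a re-used number.

```python
"""Ghost-vendor and payroll-theft checks over a constructed vendor
master and payroll file.

Added example, not code from the article or from Bottomline. Records,
names and the account format are constructed assumptions.
"""
from collections import defaultdict

# Constructed vendor master rows: who entered the vendor and who approved it.
VENDORS = [
    {"id": "V100", "name": "Acme Office Supply", "account": "12-34-56 11223344",
     "entered_by": "carol", "approved_by": "dave"},
    {"id": "V101", "name": "Northline Consulting Ltd", "account": "65 43 21 98765432",
     "entered_by": "erin", "approved_by": "erin"},    # self-approved
    {"id": "V102", "name": "Brightpath Services", "account": "11-11-11 55667788",
     "entered_by": "carol", "approved_by": "frank"},
]

# Constructed payroll rows: last change to the bank account and its approver.
EMPLOYEES = [
    {"id": "E1", "name": "alice", "account": "12-34-56 99887766",
     "entered_by": "hank", "approved_by": "dave"},
    {"id": "E2", "name": "erin", "account": "654321 98765432",
     "entered_by": "hank", "approved_by": "dave"},
    {"id": "E3", "name": "frank", "account": "22-22-22 33445566",
     "entered_by": "hank", "approved_by": "dave"},
    {"id": "E4", "name": "gina", "account": "222222 33445566",
     "entered_by": "hank", "approved_by": None},      # never counter-approved
]


def normalize(account):
    """Canonical form for comparison: alphanumerics only, upper case."""
    return "".join(ch for ch in account if ch.isalnum()).upper()


def vendors_paid_to_payroll_accounts(vendors=VENDORS, employees=EMPLOYEES):
    """Vendor rows whose bank account equals an employee's payroll
    account: the ghost-vendor signature."""
    payroll = defaultdict(list)
    for e in employees:
        payroll[normalize(e["account"])].append(e["id"])
    return [(v["id"], emp) for v in vendors
            for emp in payroll.get(normalize(v["account"]), [])]


def duplicate_payroll_accounts(employees=EMPLOYEES):
    """Payroll accounts shared by more than one employee record."""
    by_account = defaultdict(list)
    for e in employees:
        by_account[normalize(e["account"])].append(e["id"])
    return {acct: ids for acct, ids in by_account.items() if len(ids) > 1}


def dual_control_violations(records):
    """Rows entered and approved by the same person, or never approved."""
    return [r["id"] for r in records
            if not r["approved_by"] or r["approved_by"] == r["entered_by"]]


def run_checks(vendors=VENDORS, employees=EMPLOYEES):
    """All three reconciliations, keyed by check name."""
    return {
        "ghost_vendor": vendors_paid_to_payroll_accounts(vendors, employees),
        "duplicate_payroll": duplicate_payroll_accounts(employees),
        "dual_control": (dual_control_violations(vendors)
                         + dual_control_violations(employees)),
    }


if __name__ == "__main__":
    for check, hits in run_checks().items():
        print(f"{check}: {hits}")
```

In the constructed data, V101 fires twice: it was entered and approved by the same user, and its bank account is that user’s own payroll account, which is exactly the pattern the ghost-vendor paragraph describes. Running these checks on every vendor or payroll change, rather than only at audit time, is what turns the dual-control policy into something that actually blocks the payment.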
Security professionals are undoubtedly aware of Cressey’s fraud triangle, which identifies the conditions to commit fraud as pressure, rationalization and opportunity. In the context of fighting insider fraud, those three conditions are magnified. It’s better to accept that they present a legitimate threat that companies must prevent before an incident occurs, whether they use human-driven practices, technological solutions or a combination of both.