Linda Punch
When data breaches happen, fingers often point instinctively to shadowy hackers in distant lands. But the real culprits often are inside the office. Security experts say preventative measures must include better screening and monitoring of employees.
When data breaches hit the headlines, the instigators typically are portrayed as shadowy criminals huddled in a back room in some Eastern European country devising sophisticated schemes to bust through a company’s computer security. But the people behind the breaches might just as likely be sitting at desks in the company’s main office or data-processing center.
By some estimates, so-called inside agents are involved in up to 50% of all data breaches. That number includes breaches due to negligence and malicious activities.
Most companies aren’t eager to publicize insider involvement in breaches. “It’s always what people don’t talk about,” says Avivah Litan, technology and security analyst at Gartner Inc., Stamford, Conn.
Indeed, for many years, all but the most security-conscious companies didn’t have the tools to ferret out and measure malicious inside fraud, says Larry Ponemon, chairman and founder of the Ponemon Institute, a Traverse City, Mich.-based firm that researches security and technology issues. In many cases, inside fraud was mistakenly categorized as negligent fraud caused by an employee’s careless security practices. But more sophisticated technology and greater awareness are revealing the true breadth of insider involvement in data breaches.
Although the total number of insider-related data breaches has remained fairly constant, “what has changed is more companies that would previously label an insider as negligent are actually labeling the incident as malicious insider,” Ponemon says. “That is actually a pretty significant change over the last eight years.”
Where the Data Are
Further, insider-related breaches tend to be more costly, many experts say. In a recent study, the Ponemon Institute found that malicious insiders caused 31% of all data breaches, with an average cost of $318 per lost record, above the mean loss of $222 found for malicious or criminal attacks from outsiders in another Ponemon study. Ponemon defines insider fraud as malicious or criminal attacks on an organization by employees, temporary employees, and contractors.
With insider-related breaches, the employee typically knows where the most sensitive—and therefore most valuable—data are located, Litan says. “It’s very difficult for the external fraudsters to know where the sensitive information is,” she says.
Adds Ponemon: “Typical hacking activity is like a fishing expedition. They really are hunting for weakness in the system. Even with malware, it’s usually less expensive for a company to detect or even prevent with better firewalls and perimeter controls.”
Other experts, however, downplay the extent of the threat posed by insider fraud.
“Through our investigations, insider issues are actually very small, we’re talking 1% or less of our investigations involve any type of insider,” says Nicholas Percoco, senior vice president of Trustwave Holdings Inc., a Chicago-based firm that investigates data breaches. “The threat from the outside is much, much larger.” Trustwave doesn’t investigate petty data thefts, like skimming, that are more likely to be committed by insiders, he adds.
In addition, some studies are based on the results of investigations of data breaches, while others are based on surveys of company security officials, which can lead to different assessments of the scale of insider fraud.
Some observers also say, in contrast to Ponemon’s findings, that financially motivated insider fraud results in lower losses than outside attacks.
“When they’re an insider, typically they’re just going after something because they’re looking for some money for themselves,” says Marc Spitler, senior risk analyst, Verizon Business Services, a unit of New York City-based Verizon Communications Inc. “They’re not trying to capture thousands [of accounts] to ultimately do a more sophisticated fraud—like creation of fake debit cards.”
‘Marketable’ Data
Nevertheless, there is evidence that insider-related breaches, particularly malevolent ones, are common occurrences and could become more prevalent. A recent Ponemon survey of 707 individuals at the manager level or above in organizations found:
– Employee-related incidents of fraud, on average, occurred weekly in organizations in the survey;
– 64% of those responding say the risk of insider fraud is very high or high within their organizations;
– The majority of insider-fraud incidents go unpunished, leaving organizations vulnerable to future incidents;
– The majority of managers don’t believe their organization has the appropriate technologies to prevent or quickly detect insider fraud.
In many organizations, preventing insider fraud is not given a high priority because upper management doesn’t view it as a high risk, Ponemon found. Only 16% of those surveyed said chief executives and other senior executives in their organizations view insider risk as very significant, and 19% say it is significant. Less than half (47%) strongly agreed or agreed that their organization considers the prevention of insider fraud as a top security priority.
What is most troubling is that insider-related breaches don’t typically trigger alerts on technology designed to detect external attempts to break into systems using malware, viruses, or similar methods. Typically, the insider has privileges to access data and doesn’t set off any alarms.
The Ponemon study found that, on average, it takes 89 days to first recognize that insider fraud has occurred and another 96 days or more to determine the root cause of the insider-fraud incident and its consequences. That fact hasn’t escaped the notice of criminals outside of an organization, Ponemon says.
“It does seem as if criminals have learned they can commit some very significant crimes for real profit by focusing their efforts not on account takeovers, but basically getting a position in a company and having access to that information,” he says. “It’s like a treasure trove.”
Over the last ten years, criminals have developed more sophisticated markets and online exchanges for selling sensitive, stolen corporate information, Ponemon says. “It could be card-company data, it could be data about people or passwords,” he says. “That information is actually very marketable. The bad guys have recognized the value of stealing data.”
In some cases, the criminals not only recruit employees already working at a company, but also will plant one of their own within the firm. If the company doesn’t have stringent access authorization policies in place, a criminal can easily tap into sensitive data, Ponemon says, adding, “A lot of companies just don’t manage access very well.”
He cites a case in which a contractor was given data-access privileges beyond her role in the company. “She was working with someone on the outside from a certain country in Central Europe,” Ponemon says. “They collaborated and were able to gain access to very, very sensitive records.”
Too Much Trust
The lack of control over employee access to information is one of the reasons why insider-related data breaches are so difficult to stop, he adds. “The company either trusts too much or they don’t feel like they have the tools, the ability to control access. People tend to get more access rights than they really need.”
Poor access-management policies also can lead to data breaches instigated by former employees, Verizon’s Spitler says. “We do see instances where former employees are going back in and using privileges that haven’t been revoked, accounts that haven’t been disabled,” he says.
Companies also should address what Spitler calls “authorization creep.”
“Make sure employees only have access to what they need to have access to in order to do their business function,” he says. “And certainly, when they leave the company for whatever reason, have proper termination policy and procedure in place that you acquire all your corporate assets,” including shutting down physical access to buildings, taking away key cards, and disabling accounts so they don’t have access to any of the computing assets.
To prevent insider fraud, companies have to be as diligent at setting up internal fraud monitoring as they are at setting up external fraud detection and prevention. The first step is careful screening of employees, Ponemon says.
“People who have criminal records, who basically have a checkered past, you definitely don’t want those people to have access to your company’s confidential or sensitive information,” he says.
And background checks are important not only for full-time employees but temporary or part-time employees as well, he says.
“A lot of companies, even when they just hire a contractor, think ‘why do I have to screen? This person is part time, and they’re only a contractor. They’re not a privileged user,’” Ponemon says. “But it seems like that’s one of the great mistakes. Background checks and getting to know who is in your organization is very important—not just for the senior level people but even for the people who are cleaning your office who have access to paper files that could actually result in crime.”
Smarter Bad Guys
But screening employees is only the first step. Companies also need to take advantage of the technologies available to monitor employees’ activities for signs of potential fraud.
“Companies with more than 15 employees, especially large organizations, have a difficult time understanding what people are doing and who has access to what,” Ponemon says. “That’s why you need to have technologies to help you to do that with some degree of precision.”
One such set of tools addresses data-loss prevention. “These are tools that companies deploy to help identify what we refer to as a wrongful outflow of information, meaning that the information shouldn’t be leaving the organization,” Ponemon says. “It shouldn’t be an attachment to an e-mail, it shouldn’t be in a system that’s going outside, it shouldn’t be transferred to your mobile device, and it certainly shouldn’t be copied to a USB drive or memory stick.”
Another set of tools known as security intelligence helps companies identify whether an employee’s actions fit his role within the company. “For example, I have the right to see the payroll file when I’m in my office between 9 a.m. and 5 p.m. but I don’t have the right to see the payroll file from my home office ever or beyond a certain time of the day because it wouldn’t make sense,” Ponemon says.
Such monitoring tools can help detect problem employees. “Most internal fraud is conducted by regular employees executing regular commands that they’re entitled to execute,” Litan says. “They’ll just go into an application where they’re allowed access and take information.”
Internal fraud-monitoring systems allow companies to monitor “everything an employee is doing and record every keystroke” and apply those actions against rules in the system designed to look for aberrant activities and anomalies, she says.
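The role, time-of-day and location rules Ponemon describes, plus the revoked-account check Spitler calls for, as a small added example (not code from the article or from any vendor product): it scans constructed audit-log lines and reports which rule each one breaks. The log format, role table, resource policy, office network prefix and hours are all assumptions.

```python
from datetime import datetime

# Assumed entitlement table (role -> resources it may read) and per-resource
# policy (office-hours / on-site only), modelled on the payroll-file example.
# All values are constructed for illustration.
ROLE_ACCESS = {
    "payroll_clerk": {"payroll_file"},
    "sales_rep": {"crm_export"},
}
RESOURCE_POLICY = {
    "payroll_file": {"hours": range(9, 17), "onsite_only": True},
}
TERMINATED = {"jdoe"}  # accounts HR reports as left; any use = revocation gap
OFFICE_NET = "10.0."   # assumed on-site address prefix


def check_event(line):
    """Return the rule violations for one audit-log line (empty list if clean)."""
    ts, user, role, src_ip, resource = line.split()
    hour = datetime.fromisoformat(ts).hour
    findings = []
    if user in TERMINATED:
        findings.append("terminated-account")
    if resource not in ROLE_ACCESS.get(role, set()):
        findings.append("outside-role")
    policy = RESOURCE_POLICY.get(resource, {})
    if "hours" in policy and hour not in policy["hours"]:
        findings.append("outside-hours")
    if policy.get("onsite_only") and not src_ip.startswith(OFFICE_NET):
        findings.append("off-site")
    return findings


def scan(lines):
    """Return [(user, resource, findings)] for every line that breaks a rule."""
    flagged = []
    for line in lines:
        findings = check_event(line)
        if findings:
            _, user, _, _, resource = line.split()
            flagged.append((user, resource, findings))
    return flagged


# Constructed sample log: timestamp user role source_ip resource
SAMPLE_LOG = """\
2024-03-04T10:15:00 asmith payroll_clerk 10.0.1.22 payroll_file
2024-03-04T22:40:00 asmith payroll_clerk 10.0.1.22 payroll_file
2024-03-04T11:05:00 bwong sales_rep 10.0.2.7 payroll_file
2024-03-05T09:30:00 jdoe sales_rep 203.0.113.9 crm_export
""".splitlines()
```

Only the second, third and fourth lines are flagged: the clerk's daytime on-site read of the payroll file is the "regular command" Litan describes and passes every rule.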
Companies can further protect data by encrypting sensitive information, whether it is in storage or being transmitted from one point to another, by using data masking, tokenization, or other methods.
“Most bad guys, unless they’re former KGB-level experts in cybersecurity, wouldn’t spend the time trying to de-encrypt an encrypted file,” Ponemon says. “If they get an encrypted file, they basically realize, ‘Forget about it.’ It’s worthless to them.”
More companies are starting to deploy security tools internally, in part because the technology is becoming relatively inexpensive, Ponemon says.
“Even moving your data to the cloud, which seems like a risky proposition, has the potential to reduce the insider problems because the cloud could spread evenly the cost of security,” he says. “So if you’re a small company and you can’t afford to buy the best latest and greatest tool, you can still have access to it in a cloud environment.”
But Ponemon doesn’t discount the ingenuity of the criminals.
“Bad guys are actually getting a lot smarter and stealthier,” he says. “In that category of insider crime, I don’t expect that it’s going to change all that significantly. It’s going to be like a game of chess—as the good guys do something, the bad guys will usually follow suit pretty quickly. And sometimes the bad guys take two steps.”