The threat from within

Today, the threat from within a company is far more complex and difficult to deal with. When it comes to addressing traditional fraud, such as investigating the misuse of corporate funds, companies are often well-prepared and alert to various scenarios. However, these processes are being challenged by cyber-attacks that are increasingly problematic to detect, expensive to investigate and challenging to prosecute.

Article by Preben Danielsen

Employees today work very differently to those just 15 years ago. At the core of this, lies data and information which is increasingly valuable to criminals. As cyber-attacks are increasingly commonplace, companies must have reliable and trustworthy employees, who are both diligent in their work and savvy to potential cyber threats, such as email phishing. Employers also need to be constantly developing the skills of their employees in order to keep up with the latest threats.

Insiders enable attacks

Insiders are defined as current and former employees, contractors, business partners or others who have access to confidential information regarding an organisation’s IT systems or security practices. However, not all insiders are malevolent. In fact, according to some statistics mistakes and misuse cause more harm than a disgruntled employee. Negligent or ignorant behaviour can lead to errors and misuse. This can include incompetence, such as misconfiguring servers to allow for unwanted access or publishing data to the wrong server or online.

According to an Observe IT(* study , “organisations are spending 60% more on dealing with all types of insider threats than just 3 years ago and 25% more since 2018.” These investments are made into detecting and investigating insider threats, with costs in these areas “increasing by 86% in only 3 years.”

Not just an IT issue

This is not just an IT issue, every area in the organisation is at risk. Insiders can be in almost any department, from sales teams for example, offering to sell confidential information about new products to competitors.

The employee´s ethical compass should be based upon the values of the organisation. This is about trust, and perhaps more importantly companies need to be attentive - there may be plenty of policies, guidelines and rules in place, but if an employee’s ethical compass is not intact, these will be of little value.

Importantly, society and commercial organisations absolutely cannot afford to be naïve. We must main­tain a high level of trust, but at the same time secure and implement good and well-functioning control measures.

From the factory floor or the mail room to the executive offices, all employees pose a potential risk for fraud. Consider which employees have access to critical IT infrastructure or are aware of details relating to the company IT security systems and practices. It is common for employees working in certain roles and with specific responsibilities to have access to such information on a daily basis.

The age of digital espionage

Corporate espionage not only still exists, it is becoming increasingly sophisticated, with some attacks being state-sponsored. Over the years, there have been cases involving third parties that facilitate and fund individuals to apply to work in a targeted company with the sole purpose to work as an insider.

Expert criminals posing as interns or contractors can quickly learn for example what IT systems are in place, how these are protected, and locate possible vulnerabilities in the IT infrastructure. This form of espionage requires exceptional alertness from the targeted company’s employees to ensure that such persons are not recruited into the organisation or selected as service providers or partners of the targeted company.

On the darker corners of the internet, current and former employees can also be found selling information or offering to provide access to their employer’s IT network. This criminal activity makes hacking into a company extremely easy for organised criminal groups.

As technology continues to move the boundaries of what is possible, it can be difficult for companies to keep up. Artificial intelligence and machine learning are just a few examples of emerging technologies that can also become valuable tools for cybercriminals.

Why trust matters

By default, employees are expected to behave in a way that protects the company and secures its operations. Partners and stakeholders are likewise entrusted to be working with good intentions, in support of the targets and purpose set by the organisations they serve. However, organisations must have processes and practices in place to secure their operations thoroughly.

One such practice is the principle of segregation of duties, which is based on shared responsibilities of a key process that disperses the critical functions of that process to more than one person or department. Without this separation in key processes, fraud and error risks are far less manageable.

Alongside regular audits which help to safeguard their operations, products and services, as well as their business, companies need to implement and use fraud detection tools effectively to protect themselves.

Organisations can reduce their exposure to risks by being vigilant about the people they hire and the company’s they engage with– even when these risks are becoming more difficult to recognise and mitigate.

A certain degree of awareness combined with due diligence and implementation of well-functioning control and security routines should help to reduce the risk of insiders harming organisations. This includes limiting the level of access and permissions for employees. It is also important to train your staff on a practical level, e.g. to spot phishing attempts in their Inbox. Perhaps most importantly, organisations must clearly communicate their set of values and highlight the importance of everyone taking responsibility for protecting the company’s assets, even if the threat comes from a colleague.

*)Source: Observe IT

  • Risk Consulting 3/2020

    There are several articles that might interest you in the Risk Consulting 3/2020, Cyber issue . Did you already read them all?

    All articles in Risk Consulting 3/2020
  • cover page of risk consulting magazine

    Not yet a subscriber?

    Risk Consulting is If’s professional magazine on risk management and loss prevention, and is one of the oldest client magazines in the Nordic countries.

    Risk Consulting is also available in print.

    Subscribe to Risk Consulting