A growing number of the IT security risks companies face come as a result of employee fraud. Here are some key points IT should keep in mind to help prevent insider threats.
In the past year, 60% of all fraud in which the perpetrator was known was carried out by an organization’s own employees or third-party agents, according to a recent report by security firm Kroll.
That was up from 55% in the previous year’s survey. According to Kroll, part of the reason for the rise in employee fraud is the increase in the amount of data companies hold — more and more of companies’ assets are intellectual property, which resides in the form of digital information. And as employees have more access to that information, it makes sense that companies see more instances where that access is abused.
To prevent employee fraud, IT must work closely with company management to develop policies and training, as well as technical controls and monitoring techniques to make sure employees aren’t using access privileges to steal data.
For IT’s part, here are some common mistakes that can make it easier for employees to commit fraud:
1. Letting users keep passwords and other sensitive info out in the open – Even if IT understands the threat of insider fraud, that doesn’t mean all users know they can’t blindly trust their co-workers. IT must create policies and train users about why they shouldn’t leave passwords written down by their PCs, keep sensitive files open when they leave their desks, or keep hard copies of confidential information lying around in full view. People need to know there’s a risk of those items being seen by not just malicious co-workers, but also cleaning staff and other third-party visitors.
2. Failing to lock down evidence during investigations – If malicious insiders had access to sensitive information, it’s also possible that they have the access they need to cover their tracks — for example, by deleting or changing log files. Therefore, the first step of any investigation into suspicious insider activity should be to make copies of all relevant evidence.
3. Missing the warning signs in malicious IT staffers – Employee fraud can occur in any department — and that includes IT, where employees have a particularly high level of access to the company’s systems. Therefore, IT managers should be on the lookout for the warning signs typical of employees who commit fraud, such as frequent absences, suddenly working late at night without a change in workload, and changes in temperament or unusual behavior.
4. Leaving access open after an employee is terminated – One common insider fraud scenario involves a disgruntled former (or soon-to-be former) employee using access privileges to steal data or sabotage the company’s operations. For example, in one recent case, a former IT employee of a pharmaceutical company used access privileges (which were still open after he resigned) to log onto the company’s network and delete the contents of several servers. That’s why IT must be in close communication with HR to make sure those privileges are revoked as soon as someone no longer needs them.
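The kind of HR-to-directory reconciliation this item calls for, written as an added example rather than anything from the article: it compares an HR termination feed against a directory export (both constructed here) and flags accounts that were left enabled, or were used, after the termination date, the scenario the pharmaceutical case describes.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

@dataclass
class Account:
    username: str
    enabled: bool
    last_login: Optional[date]  # None: the account was never used

def find_lingering_access(hr_terminations: Dict[str, date], accounts: List[Account],
                          as_of: date) -> List[Tuple[str, str, str]]:
    """Return (username, severity, reason) for departed people whose access lingers:
    critical = enabled and used after leaving; high = enabled but unused, or used then disabled late."""
    by_user = {a.username: a for a in accounts}
    findings = []
    for user, term_date in sorted(hr_terminations.items()):
        if term_date > as_of:
            continue  # notice given but not yet departed: nothing to revoke yet
        acct = by_user.get(user)
        if acct is None:
            continue  # already removed from the directory
        used_after = acct.last_login is not None and acct.last_login > term_date
        if acct.enabled and used_after:
            findings.append((user, "critical", f"enabled and used {acct.last_login}, after leaving {term_date}"))
        elif acct.enabled:
            findings.append((user, "high", f"still enabled {(as_of - term_date).days} days after leaving"))
        elif used_after:
            findings.append((user, "high", f"disabled late: used {acct.last_login}, after leaving {term_date}"))
    return findings

# Constructed sample data: an HR termination feed and a directory export taken on REPORT_DATE.
REPORT_DATE = date(2024, 3, 15)
HR_TERMINATIONS = {
    "jdoe": date(2024, 3, 1),    # resigned; account left enabled and used afterwards
    "asmith": date(2024, 3, 10), # left; account forgotten but not used since
    "bwong": date(2024, 2, 20),  # disabled only after a post-departure login
    "clee": date(2024, 4, 30),   # notice given, still employed on the report date
}
ACCOUNTS = [
    Account("jdoe", True, date(2024, 3, 12)),
    Account("asmith", True, date(2024, 3, 8)),
    Account("bwong", False, date(2024, 2, 25)),
    Account("clee", True, date(2024, 3, 14)),
    Account("ebrown", True, date(2024, 3, 14)),  # current employee, not in the HR feed
]

if __name__ == "__main__":
    for user, severity, reason in find_lingering_access(HR_TERMINATIONS, ACCOUNTS, REPORT_DATE):
        print(f"{severity:8} {user:8} {reason}")
```

Run daily against the real HR feed and directory, the "critical" line is the one that warrants an immediate investigation, and "high" lines are the deprovisioning gaps between HR and IT that the item above describes.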
5. Not getting employees’ help – Other employees throughout the organization can be a big help in stopping insider fraud. Employees should be trained on what behavior is considered suspicious and how to report any potential fraud they witness.
6. Neglecting to verify vendors – Before contracting with any third party that will have access to information, IT should check the vendor’s references to see whether those customers have ever had security issues involving the third party. Also, part of evaluating a vendor or provider should be asking a representative how the third-party company conducts background checks on employees who deal with customer data.
7. Not paying attention to everyone in the company – Though it may be less common than with staff-level employees, it’s important for IT to realize that executives and top-level managers are capable of insider fraud. For example, in 2010, four top-level executives at different companies were charged with stealing and selling insider information. The same policies, training and monitoring that apply to other users must apply to executives as well.