What is insider threat?
The majority of people are honest, hard working and have no intention to cause damage to their organisation.
Often when we think of what constitutes a threat to our organisation we think of external threats, of hackers and other security risks.
Insider threat can be defined as the threat from someone with authorised access to systems, buildings or assets who, knowingly or not, uses that access to cause harm to the organisation.
An ‘insider’ could be anyone working for your organisation, an employee, a contractor, a consultant or a business partner.
The threat often comes from people who joined the organisation with no malicious intent but who, because of a change in their circumstances, greed or other pressures, see that their role provides the opportunity and the access required to defraud the organisation for their own gain.
The damage caused by this type of activity is not only the financial loss faced by the organisation but also the reputational damage, the loss of morale and trust within departments, and the additional pressure placed on staff who may have to achieve the same outcomes with fewer resources.
What makes insider threat possible?
The Credit Industry Fraud Avoidance System (CIFAS) cites five corporate vulnerabilities that open organisations up to becoming victims of fraud:
- Reducing overheads
- More complex and complicated supply networks
- Ignorance of cyber security principles
- Churn of staff
It is likely that most people reading this document will have experience in some form or another of all five of those vulnerabilities and the impact they have on service provision and staff morale; it is easy to see how a combination of these factors could lead to issues.
The fraud triangle, proposed by American criminologist Donald Cressey, suggests that every fraud involves three variables and that where all three are present, conditions are ripe for fraud:
- Motivation/Pressure: the need for financial gain, collusion with organised criminals, debts, domestic issues etc.
- Rationalisation: fraud is victimless, I won't get caught, they owe me...
- Opportunity: access levels to systems, poor controls, criminal infiltration etc.
The organisational risk from insiders comes in many guises; the following areas are particularly at risk and they impact on almost every area of business:
- Data, and
Consider that NHSScotland has an annual budget of approximately £13 billion; it holds data on everyone registered to live in Scotland; it has a huge number of properties which are essential to the infrastructure of the country, and each of these properties holds portable stock and equipment which is at risk of theft. This makes our organisation very valuable, and it makes it an attractive target for anyone intent on abusing it.
What types of threat do organisations experience?
Unintentional threats come from people who, without intending to cause harm, carry out some action which damages the organisation. This could be as simple as someone clicking on a link in a phishing email or inserting an infected device, such as a USB stick, into their networked computer.
Disgruntled employees or former employees can pose a threat to their organisation if their access is not properly managed. Access includes physical access to buildings and other physical assets as well as access to IT systems, applications and other web-based accounts.
Abuse of administrative access rights is particularly dangerous for an organisation; this happens when someone who has legitimate access to systems, often as an administrator, abuses those rights to compromise data or exploit weaknesses in a system.
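The two paragraphs above describe control failures rather than a technique, but both can be checked mechanically against an access audit log: accounts belonging to people who have left should show no activity after their leaving date, accounts with no owner on record should not exist, and an account should not reach systems outside its role, with administrative actions on such systems treated as the most serious. The following is an added example (not code from the original page or from NHSScotland CFS); the HR records, the role-to-system entitlement model and the audit-log lines are all constructed for illustration.

```python
"""Leaver/mover access review over constructed audit-log lines (added example)."""
from collections import defaultdict
from datetime import date

# Constructed HR record: account -> (role, leaving date or None). All names are made up.
HR = {
    "amcleod": ("finance_clerk", None),
    "bsingh": ("ward_nurse", None),
    "cdavies": ("it_admin", None),
    "dross": ("contractor", date(2023, 3, 31)),  # contract ended 31 March 2023
}

# Assumed entitlement model: the systems each role is permitted to use.
ROLE_SYSTEMS = {
    "finance_clerk": {"payroll", "supplier_payments"},
    "ward_nurse": {"patient_records"},
    "it_admin": {"active_directory", "mail_server"},
    "contractor": {"ticketing"},
}

# Constructed audit log: date,account,system,action ("admin:" marks a privileged action).
LOG = """\
2023-04-02,amcleod,payroll,read
2023-04-02,amcleod,patient_records,read
2023-04-03,bsingh,patient_records,read
2023-04-03,bsingh,payroll,read
2023-04-03,cdavies,active_directory,admin:reset_password
2023-04-04,dross,ticketing,read
2023-04-04,dross,supplier_payments,admin:change_bank_details
2023-04-05,cdavies,payroll,admin:edit_supplier_bank
2023-04-05,svc_backup,payroll,read
"""


def parse_log(text):
    """Parse 'date,account,system,action' lines into tuples, skipping blanks and comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        when, account, system, action = line.split(",", 3)
        events.append((date.fromisoformat(when), account, system, action))
    return events


def review_access(log_text, hr=HR, role_systems=ROLE_SYSTEMS):
    """Return findings as (severity, account, date, system, action, reason) tuples.

    Checks, in order: account unknown to HR; activity after the leaving date;
    access to a system outside the role (high if the action is administrative).
    """
    findings = []
    for when, account, system, action in parse_log(log_text):
        record = hr.get(account)
        if record is None:
            findings.append(("high", account, when, system, action, "no HR record for account"))
            continue
        role, left_on = record
        if left_on is not None and when > left_on:
            findings.append(("high", account, when, system, action,
                             f"activity after leaving date {left_on.isoformat()}"))
            continue
        if system not in role_systems.get(role, set()):
            severity = "high" if action.startswith("admin:") else "medium"
            findings.append((severity, account, when, system, action,
                             f"system outside role '{role}'"))
    return findings


def out_of_role_systems_by_account(findings):
    """Distinct out-of-role systems per account: who is touching systems unrelated to their role."""
    seen = defaultdict(set)
    for severity, account, when, system, action, reason in findings:
        if reason.startswith("system outside role"):
            seen[account].add(system)
    return {account: sorted(systems) for account, systems in seen.items()}


if __name__ == "__main__":
    for finding in review_access(LOG):
        print(*finding)
    print(out_of_role_systems_by_account(review_access(LOG)))
```

Run as a script it prints six findings: two medium (clerical staff reading a system outside their role), and four high (the former contractor still active after their leaving date, an administrator editing supplier bank details in a finance system outside their role, and an account with no HR owner). In practice the HR data and entitlement model would come from the joiner/mover/leaver process rather than a dictionary, but the checks are the same.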
Types of fraud
- Account Fraud – changing bank account details or diverting funds for personal gain.
- Bribery – offering or accepting a bribe to carry out a relevant function improperly.
- Theft/deception – includes theft of stock; sickness absence fraud; time sheet fraud etc.
- Employment application fraud – using false ID; providing false qualifications or experience in order to gain employment.
- Data-theft – extracting data for unlawful means.
What are the ‘red flags’?
The following are indicators that someone may become a threat to the organisation. The list is not definitive; the more factors present, the greater the risk.
- Regularly works longer hours for no apparent reason
- Reluctant to take leave / days off
- Appears stressed for no apparent reason
- Secretive about work
- Submits inconsistent expense claims
- Regularly breaks rules
- Interrogates systems unrelated to role
- Retains hands on control of projects or work that junior staff should handle
- Unexplained wealth / change in circumstances
- Under pressure outside work
- Resigns shortly after joining organisation
While the majority of people are honest, hardworking and have no intention to cause harm to their organisation or themselves, circumstances can cause people to act in unexpected ways. Employers have a duty of care to their employees, and if it appears that someone is struggling to cope, either inside or outside work, we should take steps to address the issue and offer support. That support might be what stands between someone making a good decision and a damaging one.
If you would like more information about Insider Threat, contact CFS to request a FREE presentation at firstname.lastname@example.org.