Five Steps for Investigating and Responding to Employee Fraud
Within hours, sometimes minutes, after an insider threat or employee fraud incident is discovered, executives are met with a flurry of emails and phone calls asking about the extent of the damage, the departments involved and the overall impact on the business.
In the midst of this whirlwind of activity, there’s a tendency for some companies to play the blame game, assigning fault to a specific department or executive for failing to prevent the attack. With blame assigned, the implicated department engages in damage control.
Depending on the extent of the attack and the missteps that allowed it to happen, one or more employees may lose their jobs. Shortly thereafter, the internal audit department, or sometimes the compliance department, issues a report that often lacks a complete understanding of the facts associated with the attack. The report identifies failure points and compels the departments involved to fix them within a certain period of time.
As companies struggle to return to normalcy, many overlook critical lessons regarding how and why the incident happened in the first place. In the rush to close the chapter on the attack, weaknesses remain undiscovered and unaddressed. So what’s the alternative? Is there a better way for companies to recover from an insider attack?
A Five-Step Approach to Investigating Employee Fraud
Whether an attack involves a current or former employee, contractor, or business partner who intentionally or unintentionally played a role in a breach, there’s a great deal of sensitivity around insider attacks. Unlike attacks perpetrated by a third party, companies know the identity of the alleged attacker. Consequently, given the risk of violating that individual’s rights, executives proceed with far more caution than they would when responding to an incident from outside the organization. Nonetheless, recovering from an insider attack requires strong leadership. Without a standard operating procedure related to these incidents, executives lack direction and the company’s response flounders.
Before an insider attack happens, it’s important to develop comprehensive incident procedures that detail your company’s response strategy. The policy can borrow concepts from your organization’s data breach procedures, but since these incidents involve employees, the strategy must include representatives from legal and human resources. Circulate a copy of the policy to key stakeholders and solicit their feedback. Update the policy to reflect their feedback, then secure their approval to adopt it.
Security teams can develop strong incident response procedures by taking the following steps in the wake of an insider attack.
1. Convene a Meeting of Your Quick Reaction Team
Mitigating the effects of an insider attack requires quick, decisive action. A quick reaction team is made up of representatives from departments with the means to implement measures to limit exposure to an attack. Typically, the team includes IT, information security, legal, compliance, corporate security, human resources, corporate communications and representatives from the business units impacted. Make sure to address pressing problems, such as deleting the perpetrator’s system access credentials and stopping transactions they initiated.
2. Create a Cross-Divisional Team to Establish One Version of the Truth
Invite representatives of the departments that possess information regarding how the attack transpired to share their knowledge as well as any relevant documents associated with the incident. The team may need to meet on multiple occasions. Identify someone on your team to take notes and develop a timeline of the events. For particularly complex incidents, develop a flowchart that encapsulates how the attack took place. It’s also important to revisit the steps taken to mitigate the effects of the attack to ensure there are no loose ends.
3. Investigate What Drove the Insider to Attack
While many companies spend most of their efforts mitigating the effects of an incident, they often don’t dedicate time to understanding the attacker’s motivations. Use the collective knowledge of the cross-divisional team to ascertain what drove the insider to attack. By understanding his or her motives, you may uncover ways to improve your organization’s defenses. For example, if an employee knew that his or her compensation was far less than that of his or her peers and felt justified in stealing to make up the shortfall, it may be worth reviewing your payroll system for additional employees who may be underpaid.
4. Conduct a Root Cause Analysis to Identify Failure Points
With a detailed understanding of how the attack evolved, classify each factor that contributed to the incident as a failure of technology, a process or a person, bearing in mind that some observations may fall under more than one classification. For example, if an employee opened a phishing email and clicked on an attachment, the company’s ability to detect such emails may need improvement, and employees may also need more education on the dangers of opening unsolicited messages.
5. Develop a Remediation Plan and Assign Ownership
It’s one thing to identify a failure point, but fixing it is what really matters. Yet developing a remediation plan is where many organizations fall short because it requires someone to assume responsibility for bridging the gaps that facilitated the attack. That’s why it’s important to establish a concise means of documenting the status of the remediation efforts.
To ensure accountability, some organizations opt to continuously share the status of remediation with key stakeholders until completion. Remember, by fixing a control deficiency, you’ll raise the perception of detection — the belief among employees that if they commit fraud, someone within the business will uncover their criminal activity quickly.
Detecting Future Insider Attacks
What constitutes a significant insider incident varies by organization. Some focus on the potential dollar losses, while others concentrate on the impact to customers or the alleged insider’s role within the organization. In reality, the thresholds detailed in the above incident procedures serve as a guide. If an incident fails to breach these thresholds but still feels significant, it’s OK to apply the procedure.
In addition to creating a comprehensive incident response procedure, some organizations go a step further by creating an internal threat mitigation working group to gather and analyze insider attacks reported in the news. Building such a library enables these organizations to learn from the trials and tribulations of others.
Start by gathering examples of insider attacks within your business sector, then broaden your efforts to include companies outside your industry. Use the cases to identify gaps in your business that require remediation. If an incident involved an employee who stole intellectual property before he or she left to join a competitor, use this case to revisit the protections you have in place to prevent similar cases of fraud.
Unlike attacks from outsiders, many organizations don’t have a process to deal with incidents that involve insiders. An incident response procedure tailored to insider attacks eliminates much of the hesitancy and doubt that often paralyzes the executive team.