Within hours, sometimes minutes, after an insider threat or employee fraud incident is discovered, executives are met with a flurry of emails and phone calls asking about the extent of the damage, the departments involved and the overall impact on the business.

In the midst of this whirlwind of activity, there’s a tendency for some companies to play the blame game, assigning fault to a specific department or executive for failing to prevent the attack. With blame assigned, the implicated department engages in damage control.

Depending on the extent of the attack and the missteps that allowed it to happen, one or more employees may lose their jobs. Shortly thereafter, the internal audit department, or sometimes the compliance department, issues a report that often lacks a complete understanding of the facts associated with the attack. The report identifies failure points and compels the departments involved to fix them within a certain period of time.

As companies struggle to return to normalcy, many overlook critical lessons regarding how and why the incident happened in the first place. In the rush to close the chapter on the attack, weaknesses remain undiscovered and unaddressed. So what’s the alternative? Is there a better way for companies to recover from an insider attack?


A Five-Step Approach to Investigating Employee Fraud

Whether an attack involves a current or former employee, contractor, or business partner who intentionally or unintentionally played a role in a breach, there’s a great deal of sensitivity around insider attacks. Unlike attacks perpetrated by a third party, companies know the identity of the alleged attacker. Consequently, mindful of the risk of violating that individual’s rights, executives proceed with far more caution than when responding to an incident that originated outside the organization. Nonetheless, recovering from an insider attack requires strong leadership. Without a standard operating procedure for these incidents, executives lack direction and the company’s response flounders.

Before an insider attack happens, it’s important to develop comprehensive incident procedures that detail your company’s response strategy. The policy can borrow concepts from your organization’s data breach procedures, but since these incidents involve employees, the strategy must include representatives from legal and human resources. Circulate a copy of the policy with key stakeholders and solicit their feedback. Update the policy to reflect their feedback, then secure their approval to adopt it.

Security teams can develop strong incident response procedures by taking the following steps in the wake of an insider attack.

1. Convene a Meeting of Your Quick Reaction Team

Mitigating the effects of an insider attack requires quick, decisive action. A quick reaction team is made up of representatives from departments with the means to implement measures that limit exposure to an attack. Typically, the team includes IT, information security, legal, compliance, corporate security, human resources, corporate communications and representatives from the business units impacted. Make sure to address pressing problems first, such as disabling the suspected insider’s accounts and revoking active sessions, tokens and credentials (disable rather than delete, so that audit records and attribution are preserved for the investigation), and stopping transactions they initiated.

2. Create a Cross-Divisional Team to Establish One Version of the Truth

Invite representatives of the departments that possess information regarding how the attack transpired to share their knowledge as well as any relevant documents associated with the incident. The team may need to meet on multiple occasions. Identify someone on your team to take notes and develop a timeline of the events; because each department’s systems log in their own formats and time zones, normalize every entry to a single reference time before ordering them. For particularly complex incidents, develop a flowchart that encapsulates how the attack took place. It’s also important to revisit the steps taken to mitigate the effects of the attack to ensure there are no loose ends, for instance activity by the subject after the time access was supposedly revoked.
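The timeline-building step above, as an added example that is not part of the original article: it merges constructed VPN, file-server and HR records (each in its own timestamp format and zone) into one UTC-ordered timeline and then flags "loose ends", meaning events attributed to the subject at or after the time IT reported access as revoked. The user name `jdoe`, host `fs01`, the log lines, the UTC-5 zone for the file server and HR records, and the revocation time are all assumptions made for the illustration.

```python
"""Cross-source investigation timeline (added example, not from the article).

All log lines and names below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: the file server and HR system record corporate local time (UTC-5)
# and the syslog-style file-server lines carry no year, so the investigator
# supplies it. The VPN concentrator logs ISO-8601 stamps with an explicit offset.
LOCAL_TZ = timezone(timedelta(hours=-5))
FS_YEAR = 2023

# Constructed sample records from three departments.
VPN_LOG = """\
2023-03-01T17:42:10-05:00 user=jdoe event=vpn_connect src=203.0.113.7
2023-03-01T23:58:03-05:00 user=jdoe event=vpn_connect src=203.0.113.7
"""
FILESERVER_LOG = r"""
Mar  1 22:50:11 fs01 smbd: jdoe read \\fs01\finance\vendor_master.xlsx (4.2 MB)
Mar  2 05:02:44 fs01 smbd: jdoe read \\fs01\finance\payments_q1.csv (18 MB)
"""
HR_EVENTS = [("2023-03-01 16:30", "jdoe", "termination notice delivered")]

# What IT reported to the quick reaction team: accounts disabled at 23:00 local.
ACCESS_REVOKED_AT = datetime(2023, 3, 2, 4, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Event:
    ts: datetime      # always timezone-aware, normalized to UTC
    source: str
    actor: str
    detail: str


def parse_vpn(text: str) -> list:
    """key=value lines with an ISO-8601 stamp carrying its own UTC offset."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, rest = line.split(" ", 1)
        kv = dict(part.split("=", 1) for part in rest.split())
        ts = datetime.fromisoformat(stamp).astimezone(timezone.utc)
        events.append(Event(ts, "VPN", kv["user"], f"{kv['event']} from {kv['src']}"))
    return events


SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (\S+): (\S+) (.*)$")


def parse_fileserver(text: str, year: int = FS_YEAR, tz: timezone = LOCAL_TZ) -> list:
    """Syslog-style lines: no year, no zone, so both are supplied explicitly."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        stamp, host, _proc, user, action = m.groups()
        local = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
        events.append(Event(local.astimezone(timezone.utc), "fileserver", user, f"{host}: {action}"))
    return events


def parse_hr(records, tz: timezone = LOCAL_TZ) -> list:
    """HR exports naive local timestamps; attach the zone before converting."""
    return [
        Event(datetime.strptime(stamp, "%Y-%m-%d %H:%M").replace(tzinfo=tz).astimezone(timezone.utc),
              "HR", actor, detail)
        for stamp, actor, detail in records
    ]


def build_timeline(*event_lists) -> list:
    """Merge every source and order strictly by UTC time."""
    return sorted((e for lst in event_lists for e in lst), key=lambda e: e.ts)


def find_loose_ends(timeline, actor: str, revoked_at: datetime) -> list:
    """Subject activity at or after the reported revocation time means either
    containment was incomplete or the reported time is wrong; either way it
    needs to be run down before the incident is closed."""
    return [e for e in timeline if e.actor == actor and e.ts >= revoked_at]


def format_timeline(timeline) -> str:
    return "\n".join(f"{e.ts.isoformat()}  {e.source:<10} {e.actor:<6} {e.detail}" for e in timeline)


TIMELINE = build_timeline(parse_vpn(VPN_LOG), parse_fileserver(FILESERVER_LOG), parse_hr(HR_EVENTS))
LOOSE_ENDS = find_loose_ends(TIMELINE, "jdoe", ACCESS_REVOKED_AT)

if __name__ == "__main__":
    print(format_timeline(TIMELINE))
    print(f"\nLoose ends after reported revocation at {ACCESS_REVOKED_AT.isoformat()}:")
    print(format_timeline(LOOSE_ENDS) or "none")
```

Run stand-alone, the script lists five events in UTC order and reports two loose ends: a VPN connection and a file read that both occurred after the time IT said the account was disabled, which is exactly the kind of discrepancy the cross-divisional team should reconcile before declaring containment complete.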

3. Investigate What Drove the Insider to Attack

While many companies spend most of their effort mitigating the effects of an incident, they often don’t dedicate time to understanding the attacker’s motivations. Use the collective knowledge of the cross-divisional team to ascertain what drove the insider to attack. By understanding the insider’s motives, you may uncover ways to improve your organization’s defenses. For example, if an employee knew that their compensation was far below that of their peers and felt justified in stealing to make up the shortfall, it may be worth reviewing your payroll data for other employees who are underpaid.

4. Conduct a Root Cause Analysis to Identify Failure Points

With a detailed understanding of how the attack evolved, classify each factor that contributed to the incident as a failure of technology, a process or a person, bearing in mind that some observations may qualify as more than one classification. For example, if an employee opened a phishing email and clicked on an attachment, the company’s ability to detect such emails may need improvement, and employees may also need more education on the dangers of opening unsolicited messages.

5. Develop a Remediation Plan and Assign Ownership

It’s one thing to identify a failure point, but fixing it is what really matters. Yet developing a remediation plan is where many organizations fall short because it requires someone to assume responsibility for bridging the gaps that facilitated the attack. That’s why it’s important to establish a concise means of documenting the status of the remediation efforts.

To ensure accountability, some organizations opt to continuously share the status of remediation with key stakeholders until completion. Remember, by fixing a control deficiency, you’ll raise the perception of detection — the belief among employees that if they commit fraud, someone within the business will uncover their criminal activity quickly.

Detecting Future Insider Attacks

What constitutes a significant insider incident varies by organization. Some focus on the potential dollar losses, while others concentrate on the impact to customers or the alleged insider’s role within the organization. In practice, the thresholds your incident procedures define serve as a guide. If an incident fails to breach these thresholds but still feels significant, it’s OK to apply the procedure.

In addition to creating a comprehensive incident response procedure, some organizations go a step further by creating an insider threat mitigation working group to gather and analyze insider attacks reported in the news. Building such a library enables these organizations to learn from the trials and tribulations of others.

Start by gathering examples of insider attacks within your business sector, then broaden your efforts to include companies outside your industry. Use the cases to identify gaps in your business that require remediation. If an incident involved an employee who stole intellectual property before leaving to join a competitor, use this case to revisit the protections you have in place to prevent similar incidents.

Many organizations have a process for attacks from outsiders but none for incidents that involve insiders. An incident response procedure tailored to insider attacks eliminates much of the hesitancy and doubt that often paralyzes the executive team.

