In Mission Impossible: Ghost Protocol, Ethan Hunt, disguised as a Russian general, crouches behind an ingenious screen that projects an image of a quiet Kremlin hallway. The screen creates the illusion that he is invisible to the unsuspecting guard on duty. He slides the screen down the hall, remaining unseen, and eventually reaches the door of a highly secured vault without leaving a trace. Once inside the vault he seizes the files and can continue his mission to stop a nuclear-war zealot.
While Ethan Hunt poses as an insider only in a fictional scenario, the scene raises real questions about how much planning, technology and intelligence is actually required to carry out the insider criminal activity we see in financial services today.
Malicious Insiders: Important Questions to Ask
In the financial sector, where malicious insiders are among the most significant threats, what is the profile of the criminal fraudster, what is the motivation, and what tactics are used to complete the mission? More importantly, what should firms be doing to prevent it? These are serious questions facing our security leaders.
DHS sponsored and directed a study that was published by members of the CERT® Insider Threat Center at Carnegie Mellon. Its conclusions indicate that it does not take an Ethan Hunt, nor his planning and intelligence. In fact, the most damaging acts of insider fraud are committed by people executing a "low and slow" plan: performing ordinary business transactions that fall within their assigned responsibilities. These are stealthy criminal acts masquerading as business as usual. As it turns out, the perpetrators are trusted insiders who are most often not in a technical role but in a business role with elevated privileges and an understanding of business operations. They have knowledge and authority that can be turned to their own personal gain.
Managers versus Non-Managers
The study also found that substantially more damage was done, and lasted longer, when the fraud was carried out by managers rather than by non-managers. Additionally, most criminal acts did not require an Ethan Hunt power team and were most often performed without assistance from outside or inside the organization. Moreover, most acts were discovered by audits, alert co-workers or irritated customers. And finally, the target was not always money; personally identifiable information (PII) was also a target.
The Fraud Triangle
To make sense of these findings, it also helps to understand the system dynamics that underpin such events. The principles were developed by the criminologist Donald Cressey in the mid-1950s and are known as the Fraud Triangle.
The Fraud Triangle points to three elements: (1) Pressure felt by the person committing the act, often a financial stressor or problem. (2) Opportunity, that is, open avenues to execute the fraud; authority, access and business knowledge give rise to this capability, and it is the element organizations have the most ability to contain. (3) Rationalization that enables the person to reconcile the act with their own value system, for example the belief that they will return the money and are really just borrowing it for a short time.
Actions to Take
So what can financial institutions do, in the mission they have chosen to accept, to prevent fraud? The recommendations of the study point to best practices that many firms already have in place today. These practices should be revisited in light of the new understanding and evidence. Policies and standards should be revised with guidance from legal counsel on compliance with applicable regulations.
Practical recommendations for review:
- Audits should consider fraud and include risk baselines; consider adjusting the frequency for faster resolution
- Consider employee assistance when facing personal challenges
- Review the approach of least privilege and Separation of Duties
- Consider all employees with focus on their business role when implementing security practices
- Review the manager role and consider its access privileges
- Educate employees to be alert for suspicious activity and to know how to report it
- Consider opening new communications channels with anonymity for employees
- Focus on protecting PII at a similar value point as money
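The study's "low and slow" finding and the recommendation to build risk baselines into audits can be turned into a concrete audit check. The following is an added example, not code from the original post or from the CERT study: it computes each employee's own monthly transaction baseline from constructed sample records and flags a month whose total deviates sharply from that history, even though every single transaction stays under the assumed per-transaction review limit. The thresholds, window and employee identifiers are all assumptions chosen for illustration.

```python
"""Toy audit check for 'low and slow' insider fraud (added example, constructed data)."""
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

SINGLE_TXN_LIMIT = 5_000.00   # assumed per-transaction review threshold
SIGMA_THRESHOLD = 3.0         # assumed: flag a month more than 3 sigma above baseline

# Constructed sample records: (employee_id, transaction_date, amount).
# 'emp_a' behaves consistently all year.  'emp_b' starts a run of small daily
# adjustments in June; each one is far below SINGLE_TXN_LIMIT on its own.
TRANSACTIONS = (
    [("emp_a", date(2023, 1, 1) + timedelta(days=7 * i), 1_200.00) for i in range(26)]
    + [("emp_b", date(2023, 1, 1) + timedelta(days=7 * i), 900.00) for i in range(20)]
    + [("emp_b", date(2023, 6, 1) + timedelta(days=i), 450.00) for i in range(30)]
)


def monthly_totals(records):
    """Sum each employee's transaction amounts per (year, month)."""
    totals = defaultdict(lambda: defaultdict(float))
    for emp, day, amount in records:
        totals[emp][(day.year, day.month)] += amount
    return totals


def flag_low_and_slow(records, sigma=SIGMA_THRESHOLD):
    """Return {employee: (latest_month_total, baseline_mean)} for employees whose
    most recent month exceeds their own historical mean by more than `sigma`
    population standard deviations.  A floor of 1.0 on the deviation avoids
    flagging trivial changes when the history is perfectly regular."""
    flagged = {}
    for emp, months in monthly_totals(records).items():
        ordered = [months[key] for key in sorted(months)]
        if len(ordered) < 3:
            continue                       # not enough history for a baseline
        history, latest = ordered[:-1], ordered[-1]
        mu, sd = mean(history), pstdev(history)
        if latest > mu + sigma * max(sd, 1.0):
            flagged[emp] = (round(latest, 2), round(mu, 2))
    return flagged


def over_single_limit(records, limit=SINGLE_TXN_LIMIT):
    """Transactions a per-transaction review would catch; empty for this sample."""
    return [r for r in records if r[2] >= limit]


if __name__ == "__main__":
    print("per-transaction review hits:", over_single_limit(TRANSACTIONS))
    print("baseline deviations:", flag_low_and_slow(TRANSACTIONS))
```

The point of the check is the contrast between the two functions: the per-transaction limit catches nothing, while the baseline comparison surfaces the employee whose many small transactions add up.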
In summary, with thoughtful knowledge and insight, solid and directed policy, and sound and tested practices, the mission of preventing fraud is not so impossible.
For more information, see the Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector.
Security Strategist and Financial Sector Lead at IBM