In Mission Impossible: Ghost Protocol, Ethan Hunt garbed as a Russian General insider, crouches behind an ingenious and magic screen which projects an image of a quiet Kremlin hallway. The screen creates an illusion that he is invisible to the unsuspecting guard on duty.  He slides the screen down the hall remaining invisible.  He eventually reaches the door to a highly secured vault without a trace.  Going into the vault and seizing the files, he can now continue his mission to stop a nuclear war zealot.

While Ethan Hunt is posing as an insider in a fictional scenario, it serves to raise many questions about what level of planning, technology and intelligence is really required to pull off insider criminal activity such as we see in financial services today.

Malicious Insiders: Important Questions to Ask

In the financial sector where malicious insiders are among the most significant threats, what is the profile of the criminal fraudster, what is the motivation, and what are the tactics used to complete the mission?  And more importantly, what should firms be doing to prevent it? These are serious and significant questions challenging our security leaders.

DHS sponsored and directed a study which was published by members of the CERT ® Insider Threat Center at Carnegie Mellon.  The conclusions of this study indicate, it does not take an Ethan Hunt or his planning and intelligence.  In fact the most damaging acts of insider fraud are committed by those executing a “low and slow” plan performing common business transactions indicative of their assigned responsibilities.  These are stealth criminal acts masquerading as business as usual.  As it turns out, these are trusted insiders who are most often not in a technical role but in a business role with elevated privileges, and have an understanding of business operations.  They have the knowledge and authority which can be used for their own personal gain.

Managers versus Non-Managers

It was also found that substantially more damage was done and lasted longer when carried out by managers rather than by non managers.  Additionally, most criminal acts do not require the Ethan Hunt power team and are most often performed without assistance from the outside or inside. Moreover, most acts were discovered by audit, aware co-workers or irritated customers. And finally, the target was not always financial but PII.

The Fraud Triangle

To assist in the recognition of these findings and attributes of the study, it is additionally important to understand the principles of the system dynamics that underpin these events.  The principles were developed by the criminologist Donald Cressey in the mid 1950s. They follow the tenets of Fraud’s Triangle of system dynamics.

The Fraud Triangle points to (1) Pressure being felt by the person committing the act, often a financial stressor or problem.  (2) Opportunities or avenues are open to execute the fraud.  Authority, access and business knowledge give rise to this capability.  Organizations have more ability to contain this tenet than the others.  (3). Rationalization that enables the person to reconcile the situation within their own value systems.  This could include the thinking that the person will return the money and is really just borrowing it for a short time.

Actions to Take

So what can financial institutions do in the mission that they have chosen to accept to prevent fraud?  The recommendations of the study point to some of the best practices that many have in place today.  These practices should be re-visited with new understanding and evidence considerations.  Policies and standards should be revised with guidance from legal counsel on compliance with applicable regulations.

Practical recommendations for review:

  1. Audits should consider fraud and include risk baselines; consider adjusting the frequency for faster resolution
  2. Consider employee assistance when facing personal challenges
  3. Review the approach of least privilege and Separation of Duties
  4. Consider all employees with focus on their business role when implementing security practices
  5. Review the manager role and consider the accesses privileges
  6. Educate employees to be on the alert for suspicious activity and how to reporting the activity
  7. Consider opening new communications channels with anonymity for employees
  8. Focus on protecting PII at a similar value point as money

In summary, with thoughtful knowledge and insight, solid and directed policy, and sound and tested practices, the mission of preventing fraud is not so impossible.

Access here for more information on the Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector.

 

More from Banking & Finance

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

What’s up India? PixPirate is back and spreading via WhatsApp

8 min read - This blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this content. PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device, with PixPirate, the downloader also…

Exploring DORA: How to manage ICT incidents and minimize cyber threat risks

3 min read - As cybersecurity breaches continue to rise globally, institutions handling sensitive information are particularly vulnerable. In 2024, the average cost of a data breach in the financial sector reached $6.08 million, making it the second hardest hit after healthcare, according to IBM's 2024 Cost of a Data Breach report. This underscores the need for robust IT security regulations in critical sectors.More than just a defensive measure, compliance with security regulations helps organizations reduce risk, strengthen operational resilience and enhance customer trust.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today