Rogue Employees Are Good At Covering Their Tracks


Incidents of insider activity tied to data breaches often go unreported by companies, leaving many data breach studies focused on security incidents involving credit card theft or the exposure of personally identifiable information. That is because the vast majority of documented breaches are tied to the reporting requirements of compliance standards. A financial loss at a bank or trading firm caused by a rogue employee often can be written off or recovered through legal measures, according to one security expert who conducts computer forensics investigations for the insurance industry.

CRN pulled together five key findings from the second annual "Risk of Insider Fraud" study conducted by the Ponemon Institute.

Insider Fraud Happens More Frequently Than You Think: On average, organizations have had approximately 55 employee-related incidents of fraud in the past 12 months, according to the study. This translates to slightly more than one fraud event perpetrated by a malicious insider per week. Ponemon found that privileged users sometimes alter application controls to access or change sensitive information and then reset the controls, something that can be detected by proactively monitoring system logs or using behavioral analysis software.
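The "alter a control, act, reset the control" pattern described above is one that log monitoring can catch if events are correlated per user rather than reviewed one at a time. The following is an added example, not code from the article or the Ponemon study: a minimal correlation rule over a constructed audit log, in which the log format, event names (`CONTROL_CHANGE`, `RECORD_ACCESS`, `RECORD_UPDATE`) and sample lines are all assumptions.

```python
"""Detect the 'alter a control, act, reset the control' pattern in audit logs.

Added example, not code from the CRN article or the Ponemon study. The log
format, event names and sample lines below are constructed assumptions.
"""
from datetime import datetime, timedelta

# Constructed sample audit log: "<ISO timestamp> <user> <event> <detail>".
SAMPLE_LOG = """\
2013-12-20T09:00:01 alice CONTROL_CHANGE approval_threshold=500000
2013-12-20T09:01:10 alice RECORD_ACCESS customer=4471 table=accounts
2013-12-20T09:02:45 alice RECORD_UPDATE customer=4471 field=balance
2013-12-20T09:04:30 alice CONTROL_CHANGE approval_threshold=10000
2013-12-20T10:15:00 bob CONTROL_CHANGE approval_threshold=20000
2013-12-20T10:40:00 bob CONTROL_CHANGE approval_threshold=10000
2013-12-20T11:00:00 carol RECORD_ACCESS customer=9001 table=accounts
"""

SENSITIVE_EVENTS = {"RECORD_ACCESS", "RECORD_UPDATE"}  # assumed event names

def parse(line):
    """Split one log line into (timestamp, user, event, detail)."""
    ts, user, event, detail = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, event, detail

def find_alter_act_reset(log_text, window_minutes=30):
    """Return one finding per user who changed a control, touched sensitive
    records, and changed the control again within window_minutes. A bare
    change-and-revert (bob) or a bare access (carol) is not flagged."""
    window = timedelta(minutes=window_minutes)
    events = sorted((parse(ln) for ln in log_text.splitlines() if ln.strip()),
                    key=lambda e: e[0])
    pending = {}   # user -> [time of opening control change, actions since]
    findings = []
    for ts, user, event, detail in events:
        if event == "CONTROL_CHANGE":
            if user in pending:
                start, touched = pending.pop(user)
                if touched and ts - start <= window:
                    findings.append({"user": user, "start": start,
                                     "end": ts, "actions": touched})
                    continue  # sequence closed; do not re-arm on this event
            pending[user] = [ts, []]  # this change may open a new sequence
        elif event in SENSITIVE_EVENTS and user in pending:
            pending[user][1].append(f"{event} {detail}")
    return findings

if __name__ == "__main__":
    for f in find_alter_act_reset(SAMPLE_LOG):
        print(f["user"], f["start"], f["end"], f["actions"])
```

On the sample log only alice is reported, with both record events captured as the actions taken while the control was altered; shrinking the window to one minute yields no finding.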

Malicious Insiders Take Financial Toll: Rogue insiders who steal data or conduct fraudulent transactions caused brand damage or financial loss in 74 percent of the organizations that experienced an incident. Fraudulent activity can be as simple as accessing private customer data without authorization, or accessing data unusually often, which signals a breach, the Ponemon study found. Sharing employee credentials, or stealing an executive's credentials to gain elevated rights that bypass separation-of-duty controls, was documented by 79 percent of respondents.

Security experts told CRN that senior executives are partially responsible for the activity. Sharing account credentials is common among executive-level staff, often to enable lower-level personnel to perform tasks that require access to restricted systems.

Available Technologies Are Lacking: Data loss prevention, database activity monitoring and log management are effective ways to detect suspicious activity and can immediately help reduce the inadvertent employee errors that lead to a data breach, but they often fail to catch a malicious insider who is good at covering their tracks, according to the study.

Jason Clark, chief strategy and security officer at Accuvant, said some enterprises are considering behavioral analytics and other measures to attempt to detect suspicious activity and stop insiders before data is leaked. Clark told CRN that the growing interest is being fueled by the National Security Agency leaks and other high-profile incidents connected to malicious insiders. An emerging set of analytics technologies that track and maintain a snapshot of employee behavior can detect anomalous activity over time that may signal a future problem with an employee, he said.

Poorly Communicated Policies Fuel Insider Activity: Poorly written and poorly communicated policies often fan the flames of activity that can lead to a security incident, the Ponemon study found. Sixty-six percent of respondents to the survey strongly agree that policies are inadequate or sometimes too restrictive, forcing employees to find ways around the restrictions. Even when policies are communicated effectively, businesses often lack an enforcement mechanism to detect and inform an employee when their behavior constitutes a data handling violation, the Ponemon report found.

Temporary and part-time employees are seen as posing the most risk to organizations, according to the study. Yet only 44 percent of those surveyed said governance control procedures are in place to prevent or curtail insider fraud, including unauthorized access to or misuse of IT resources.

Need For Forensic Specialists On The Rise: The time it takes to resolve insider fraud is increasing, according to the Ponemon study. The study found that on average it takes nearly 90 days to recognize insider fraud activity and then most investigations last three months before the root cause of the incident is determined. Businesses are frequently contracting with antifraud or forensic specialist teams to conduct independent investigations followed by an investigation by internal auditors.

Investigators often find mobility and the increased use of smartphones, tablets and other devices by employees a burden when tracing an incident to its root cause. Of those surveyed by Ponemon, 78 percent said employee access to such devices hampers visibility for the security and compliance teams.

PUBLISHED DEC. 23, 2013