Experienced, mid-level employees may be the ones to watch when it comes to insider fraud in financial organizations, according to a recent report from Carnegie Mellon University.
On average, insiders are on the job for more than five years before they start committing fraud, the authors wrote in the “Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector” study, released July 30. The study, funded by the U.S. Department of Homeland Security in conjunction with the CERT Insider Threat Center at CMU’s Software Engineering Institute and the United States Secret Service, found that it takes employers nearly three years to detect illegal activities by employees.
The authors examined technical and behavioral patterns from 80 fraud cases that occurred between 2005 and 2012. Of the analyzed cases, 67 were caused by insiders and 13 fell under external fraud. While the sample size was very small, the study highlighted some interesting patterns across the fraud cases.
The researchers compared the technical security controls commonly used to prevent internal and external attacks, Douglas Maughan, director of the cyber security division at the Homeland Security Advanced Research Projects Agency at the Department of Homeland Security, wrote in the report. The researchers developed “insights and risk indicators of malicious insider activity” within the banking and finance sector. “Their findings can be used to inform risk management decisions being made by government and industry and to support law enforcement in cybercrime investigation,” Maughan said.
Most insiders committing fraud generally took a “low and slow” approach in order to avoid being detected, the report found. Taking more time also helped these fraudsters generate more damage, as they were able to operate for a longer period of time. About half the cases analyzed lasted for 32 months or less and had an average monetary impact of $382,750, researchers found. In contrast, the other half, which lasted longer than 32 months, had an average actual monetary impact of $479,000.
Insiders did not employ very technically sophisticated methods for fraud. Nearly 93 percent of the fraud incidents were executed by employees who did not have privileged access to organizational systems or hold a technical role within the organization, Randy Trzeciak, technical lead of the Insider Threat Research team at SEI and one of the authors of the paper, said in a statement.
In more than half of the cases, the insider was authorized to access the systems, or had access previously. In a few cases, insiders used a non-technical method to bypass authorized processes, the report found.
Managers caused the most damage in these insider fraud cases, with an average of $200,105 in actual damages, the report found. In contrast, non-managers caused $112,188 in damages on average. Manager-initiated fraud also lasted longer, about 33 months, compared to the 18-month average by non-managers.
However, accountants also bear some watching. Accountants caused an average of $472,096 in damage and managed to avoid being detected for as long as 41 months, the report found.
Most incidents were detected through an audit, because a customer complained, or because a colleague became suspicious. Nearly 41 percent of incidents were detected through routine or impromptu auditing, and only six percent of the cases were detected by software or other types of fraud-detection systems.
“Many people think that insider crimes can be addressed solely by technical controls, but the most effective way to prevent and detect insider crimes is to make it an enterprise-wide effort to master both the technical and behavioral aspects of the problem,” Trzeciak said.
Employers should log, monitor, and audit employees’ online activity, as well as restrict access to PII, the authors recommended. Employers should also “pay special attention to those in special positions of trust authority,” such as managers and accountants, they wrote.
The full report is available here.