It is widely known that internal staff can be one of the biggest threats to a company’s information and security. Here’s how Bank of the West developed new prevention measures that may also be incorporated into your company.
A few years ago, the Bank embarked on a process to re-evaluate its internal threat program and ensure it was up-to-date with the latest technologies and research.
To kick off the evaluation process interviews were conducted with dozens of financial institutions and government agencies large and small. The advice was from external organizations was consistent “Do not do it the way we are doing it.” The traditional approach of purchasing technology to find insider activity through surveillance and convert investigations was very costly and not producing the desired outcomes. According to the Association of Certified Fraud Examiners (ACFE)’s 2016 Report to the Nations, a surprising new finding it that—“Surveillance/ Monitoring” (the most traditional approach) is less than half as effective as by discovering an information breach by accident. It was clear to us that this area of fraud prevention and security was ripe for innovation.
Based on these insights, the Bank of the West team took a step back and re-evaluated what causes an insider threat. Academia has a lot of research on this subject that seems to be generally ignored by the financial services industry. The two main categories academia has identified are: 1) the Accidental Fraudster (good employee, breaking bad) and 2) the Career Criminal. These two problems need to be addressed differently. One way to separate the career criminal from the accidental fraudster—when doing historical case reviews—is coming to understand that career criminals go bad quickly (18 months or less) and accidental fraudsters typically take many years sometimes decades to commit the first offense.
"The traditional approach of purchasing technology to find insider activity through surveillance and convert investigations was very costly and not producing the desired outcomes"
Accidental Fraudster: Breaking Bad
The leading theory of occupational fraud asserts that three factors must be present for fraud to occur. Pressure, rationalization and opportunity. This is commonly referred to as the Fraud Triangle, originally proposed by Cressey / Sutherland (authors of Principles of Criminology). If you can remove one of the factors, fraud will not occur. You have essentially kept the honest employee from crossing the line to the dark side. We decided to leverage our existing controls in a noisy way to remove the perceived opportunity. Much like if you had a supply room with a shrinkage problem, putting a video camera up may stop the shrinkage. You may not even have to turn the camera on or monitor it. Existence of the camera reduces the perceived opportunity and may help keep the good employees from becoming the accidental fraudster.
Figure 1: Source ACFE 2016 Report to the Nations
Banks have controls. Financial controls, physical security controls, information security controls, the list could go on and on. The existence of these controls is not always evident to insiders, therefore they may perceive an opportunity to get away with fraud. Be noisy with your controls by sending email alerts to employees and managers. Here is an example of using existing controls in a noisy way:
■ Odd Hours Access: Many documented cases show that nefarious activity commonly takes place after business hours. Create an odd hours access alert for physical or logical access. Send an email to the team member copying the appropriate level of management to ask for an explanation for the odd hour’s access.
■ Excessive Fee Reversals: Research into the accident fraudster behavior indicates that negative activity tends to start small and escalate over time. Finding potential policy violations like excessive fee reversal scan catch and stop negative behavior before it escalates.
■ Exfiltration of Data: Data can be stolen in many ways. The most common are email, web (upload to a cloud provider) and through removable storage. When you see attempts to send large amount of data in these channels, send an alert to the team member that the activity is logged and will be reviewed and record the business justification for the activity.
■ Accounts Payable: Analysis of accounts payable date cross referencing employee information may turn up potential conflicts of interests or misappropriation of funds. Investigating phone, address and other personal information may turn up interesting connections.
The noisy controls reduce the perceived opportunity and add management review (third best control in the 2016 ACFE Report to the Nations). The entire process only takes a few minutes for all parties involved, but promotes the best outcome: Keep the honest employee honest. This approach helps impact culture. Team members will discuss the controls, so the impact is not limited to the employees that receive notifications. We call this,“stopping fraud with false positives.”
Career criminals will steal from you quickly. Try not to hire them. This is best addressed through good interview methods and back ground screening. Noisy monitoring can help catch negative behavior early and thus mitigate the damage of a career criminal. These will normally be the true positives in your noisy monitoring system.
Be innovative. The technology investment for this approach is minimal, instead you will be leveraging existing controls and data. This is an opportunity to get more value of existing technology spend with systems like data loss prevention (DLP), badge readers, security information and event management (SIEMs), web proxies, fraud detections, account payable, procurement and data warehouses. Before embarking on any insider threats program, be sure you are authorized to perform the activity. Having executive support and representation from legal, HR, security, compliance, communications and business units is critical. The Be Noisy approach is most effective when coupled with good corporate culture, effective training and awareness and whistle blower procedures.