For many leaders, the idea of a trusted employee defrauding their business is unthinkable. How could someone you work with every day – maybe even someone you chose to hire – end up abusing their access to organizational systems, information, or money?
Unfortunately, insider threats can and do exist. In fact, research suggests that insider incidents have been increasing each year, which you can see in our comprehensive guide to insider threats.
We’ve also previously looked at the different types of insider threats and incidence rates. But which specific actions can you take to protect your business, especially if you don’t want to micromanage or second-guess your people?
Let’s explore ways to reduce risks without sacrificing a positive and trusting culture.
1. Segregation of Duties
Regardless of whether a threat is intentional or unintentional, segregating duties remains one of the most reliable ways to reduce fraud risks and data insecurity. Unfortunately, according to Eftsure survey data, 40% of organizations do not have a segregation of duties policy, potentially heightening their chances of an insider incident.
But what is segregation of duties? Basically, it’s an approach in which accountability is diffused across multiple team members, ensuring that no single employee has central authority over sensitive processes like authorizing transactions. This might mean assigning responsibilities like approvals, invoice processing, or bank reconciliation to separate employees.
According to auditors – specifically, the Auditing and Assurance Standards Board – inadequate segregation of duties can make your business more vulnerable to misappropriation of assets.
By dividing responsibilities and tasks among multiple individuals, leaders make it a lot harder for a single person to commit (or conceal) fraudulent activities. A system of checks and balances safeguards your organization and can help flag potential issues before they result in severe damage or financial losses.
2. Monitor Activity and Create Audit Trails
Especially if you need to detect or prove a potential insider threat, it’s important to have records of employee actions and access. Look for solutions that flag suspicious behaviors and can help you retrace users’ digital actions.
Of course, you’ll want to strike a balance between critically necessary audit trails and over-surveillance. Fortunately, the right technology solution can help you neatly partition user responsibilities and record employee actions within sensitive processes – without making employees feel constantly watched.
3. Lean on Technology
Technology can play a crucial role in enforcing segregation of duties within organizations, particularly in mitigating risks associated with payment fraud and error. Leveraging technology not only automates and simplifies the enforcement of segregation of duties but adds a layer of security and auditability that manual processes typically can't achieve.
Workflow Management
Approval processes. Automated workflows ensure that different stages of a process can be approved by separate individuals. For example, one person might set up the supplier, another to review the payment, and a third to process the payment.
Automated Controls
Role-based access controls. Customizable roles and permissions that limit which actions and approvals a user role can take within the workflow process, ensuring that no single person has control over all parts of a financial payment transaction.
Access restrictions. Manage specific user access parameters and enforce restrictions where needed, preventing access to sensitive operations or data beyond a user's role requirements.
Reporting
Eftsure's solution can help with all of the above. Request a demo to see how Eftsure mitigates your insider threat risks.
4. Consider People and Culture Policies
Working with HR, or people and culture teams, can help you mitigate risks associated with disgruntled employees, negligence, or improper training. We know from research that many insider incidents stem from unhappy employees – those who feel they’ve been mistreated or passed over for promotions, for instance.
Minimizing these risks means working with people and culture specialists to refine your onboarding and offboarding policies, documentation and policies around career progression, and quantitative measurement like NPS scores or qualitative evidence like Glass Door reviews.
5. Know the Warning Signs
With the right processes, culture, and technology solutions, you can build a zero-trust environment that eliminates the need to constantly micromanage or second-guess your people. But no system is 100% infallible – it’s still important to keep an eye out for red flags.
Warning signs include:
Unusual access or activity times. Implementing a segregation of duties policy can bar employees from accessing systems or information they shouldn’t, but it’s another reason why user monitoring is important – you’ll need to keep an eye out for employees accessing (or requesting access to) systems that aren’t part of their usual responsibilities. Even if an employee has appropriate access permission, watch out for unusual hours, such as someone accessing a network remotely late at night.
Unusual levels of data transfer. Work with your IT team to understand if and when employees are transferring or downloading unusually large amounts of data. This can be an indication that a worker is sending information somewhere they shouldn't.
Stressed or upset employees. Of course, this one is critical regardless of whether you think an employee could pose an insider threat – and it’s another reason why it’s important to work closely with people and culture leaders. They can help if you notice that an employee is expressing lots of skepticism about their role, workplace, or colleague, or help you step in if someone on your team seems to be experiencing inordinate amounts of stress.
Eftsure's solution helps you protect against insider threats by segregating duties, creating audit trails, and flagging potentially fraudulent transactions.
See the rest of the warning signs and statistics, along with in-depth case studies and strategies, with our Insider Threat Guide.
