Insider Threat Guide

The riskiest guessing game: a guide to insider threats

It’s an uncomfortable reality, but leaders can’t ignore it

A growing number of fraud incidents stem from malicious insiders. Rather than micromanaging or distrusting their own people, finance leaders should look to mitigate the risks of insider fraud and error through zero-trust procedures and technology solutions.

Foreword

A note from Mark Chazan, Chief Executive Officer, Eftsure

High-profile data breaches and cyber-attacks have rattled business communities worldwide, with headlines dominated by shadowy cybercriminals who target an organisation from the outside.

But there’s an under-discussed yet critical risk: the dangers inside an organisation.

Insider threats are just as risky as external ones, with the potential to cause major financial losses, compromise data, erode customer trust and damage company reputation. Not only are trusted insiders closer to critical processes and sensitive data, but they also have more ways to cover their tracks and can operate with a sophistication that rivals external actors.

It can be hard to imagine an employee acting maliciously or negligently, and it’s true that most of your people are almost certainly acting in good faith. But leaders can’t just rely on “hiring good people” because the risks are too big.

Fortunately, the right processes and technology create a zero-trust environment in which all employees and contractors are held to the same standards, reducing your fraud risks and offloading the need to second-guess your people. This guide will dissect insider threats and arm you with the knowledge to protect yourself – without compromising your team culture.

Defining and classifying insider threats

One bad apple can seriously jeopardise the integrity and security of the bunch

Breaking the term insider threat down

Insider: The US Cybersecurity and Infrastructure Security Agency (CISA) explains an insider as anyone who has (or used to have) “authorised access to or knowledge of an organisation’s resources, including personnel, facilities, information, equipment, networks and systems.”

Threat: CISA defines an insider threat as “the potential” for an insider to use that authorised access or understanding of an organisation to harm that organisation or its personnel.

This definition encompasses any type of threat to the organisation’s security or its employees’ security, including physical threats or violence. However, this guide will focus on the threats that fit more squarely within a finance leader’s purview – that is, potential insider fraud or theft.

Even when it comes to financial misconduct or fraud, many organisations rely on traditional security controls aimed at external threats, and those controls are not always capable of identifying internal ones. By nature, insider threats are difficult to detect: it is the intimate knowledge these employees possess that enables them to carry out fraudulent activity discreetly and effectively.

Types of insider threats

Malicious insiders

These insiders intentionally engage in activities that harm their organisation. They may be driven by financial gain, revenge, ideology or personal reasons. Malicious insiders usually steal intellectual property, sabotage systems, leak confidential data, misuse funds or engage in fraudulent activities. Their actions can be extremely damaging and difficult to detect.

Negligent insiders

These individuals pose a threat due to gross carelessness or a lack of understanding of security controls. This type of insider threat goes beyond good-faith mistakes or one-off misunderstandings. Instead, these insiders ignore finance, IT or security processes despite being familiar with them. They lack malicious intent but still pose a persistent threat.

Compromised insiders

Another type of unintentional threat, compromised insiders unwittingly act as conduits for malicious actors. Cybercriminals may compromise an individual’s email account or device, gaining unauthorised access to sensitive information or systems. Credential theft is on the rise: Proofpoint estimates that the cost of this kind of incident increased 65%, from $2.79 million in 2020 to $4.6 million in 2022.

Understanding the different types of insider threats helps organisations prioritise risk mitigation strategies appropriately. Negligent insiders are the root cause of most incidents: Proofpoint claims that 56% of incidents were due to negligence, averaging $484,931 per incident. Malicious insiders, while less common, cause even higher losses, averaging $648,062 per incident.

Insider Threat Guide Stats

Insider threats are rising in both frequency and cost

Frequency

According to a 2023 Trellix analysis, insider threats have increased by 47% over the last two years. Research from the Ponemon Institute and DTEX indicates that the number of incidents has been rising steadily since 2018.

The DTEX 2022 Insider Risk Report estimates that 57% of fraud incidents involve insiders. In 2023, 71% of companies experienced between 21 and 40 insider incidents per year, up from 67% the previous year.

Organisations in North America are reportedly spending the most to address insider risks.

Cost

Across all types of insider threats, annual costs per incident are rising. Malicious insider incidents are particularly expensive, consuming significant resources, damaging relationships and causing lost revenue.

[Chart: Insider threat incidents (USD)]

What are red flags for insider threats?

Internal fraud can be notoriously difficult to identify. Insiders often have more avenues to obscure their actions than external actors. It’s essential to know the warning signs—and to build a culture where staff can recognise and report red flags.

1. Requesting unnecessary access to systems and networks

Access to systems and sensitive data should always be on a need-to-know basis (the principle of least privilege). Be alert when an employee:

  • Makes unusual requests to access a system or file
  • Requests greater privileges than already granted
  • Seeks access to sensitive information not needed for their role
  • Goes around managers to obtain access

Always assess whether granting additional access might undermine your segregation of duties policies. For example, editing vendor banking details when only read-only access was originally granted should be scrutinised carefully.
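The two checks described above, as an added example that is not part of the guide: an audit-log scan that flags actions going beyond a user’s recorded grant (such as a vendor bank-detail edit by a read-only user) and a review of combined grants against an assumed segregation-of-duties rule. The grants, audit entries, action levels and the rule itself are constructed for illustration.

```python
# Constructed sample data (not from the guide): per-user access grants and an
# audit trail of actions taken in a finance system.
GRANTS = {
    "alice": {"vendor_master": "read"},
    "bob": {"vendor_master": "write", "payments": "approve"},
    "carol": {"vendor_master": "write"},
}

AUDIT_LOG = [
    {"user": "alice", "resource": "vendor_master", "action": "update_bank_account", "vendor": "V100"},
    {"user": "carol", "resource": "vendor_master", "action": "read", "vendor": "V200"},
    {"user": "bob", "resource": "payments", "action": "approve", "vendor": "V300"},
    {"user": "dave", "resource": "vendor_master", "action": "read", "vendor": "V100"},
]

# Privilege level each action requires; a "write" grant implies "read" on the same resource.
ACTION_LEVEL = {"read": "read", "update_bank_account": "write", "approve": "approve"}
IMPLIES = {"read": {"read"}, "write": {"read", "write"}, "approve": {"approve"}}

# Assumed segregation-of-duties rule (hypothetical, not from the guide): one person
# must not both edit vendor banking details and approve payments.
SOD_RULES = [(("vendor_master", "write"), ("payments", "approve"))]


def exceeds_grant(user, resource, action):
    """True when the action needs more than the user was granted on the resource."""
    granted = GRANTS.get(user, {}).get(resource)
    if granted is None:
        return True  # no grant on record, e.g. an unknown or departed account
    return ACTION_LEVEL[action] not in IMPLIES[granted]


def flag_privilege_misuse(log):
    """Audit events where the action performed went beyond the recorded grant."""
    return [e for e in log if exceeds_grant(e["user"], e["resource"], e["action"])]


def flag_sod_conflicts(grants):
    """Users whose combined grants violate a segregation-of-duties rule."""
    conflicts = []
    for user, perms in grants.items():
        for (res_a, lvl_a), (res_b, lvl_b) in SOD_RULES:
            if perms.get(res_a) == lvl_a and perms.get(res_b) == lvl_b:
                conflicts.append(user)
    return conflicts


if __name__ == "__main__":
    for event in flag_privilege_misuse(AUDIT_LOG):
        print("privilege exceeded:", event)
    for user in flag_sod_conflicts(GRANTS):
        print("segregation-of-duties conflict:", user)
```

On the constructed data the scan flags alice’s bank-detail edit and dave’s read with no grant, and the grant review flags bob, who holds both conflicting permissions.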

2. Disorganised or incomplete record-keeping

Employees who maintain poor records may be deliberately obscuring malicious activity.

Be cautious when an employee:

  • Fails to attach receipts or invoices consistently
  • Uses vague descriptions for expenses
  • Fails to organise or file financial documents properly
  • Ignores record-keeping protocols
  • Consistently overlooks reporting errors or discrepancies

Every organisation should invest in the right policies and oversight of records so that proper standards are maintained. Regular internal audits can identify problematic record-keeping practices at an early stage, so they can be rectified promptly. In short, you need to keep on top of employee record-keeping.

Author: anonymous

Published: 13 Jun 2025