The report was sponsored by (we're not making this up) the Department of Homeland Security Science and Technology Directorate's Homeland Security Advanced Research Projects Agency Cyber Security Division. Wow. Also contributing was the US Secret Service and the CERT Insider Threat Center of Carnegie Mellon University. Of the 80 cases, 67 were insider fraud cases, and the remaining 13 were external to the organizations harmed.
- Criminals who took a "low and slow" approach did more damage and escaped detection for longer
- On average, 5 years went by between a subject's hiring and the start of their fraud, and the fraud then continued for almost 32 months on average before it was detected.
- This is real money too -- cases that ran less than 32 months averaged over $380,000 in losses, and longer cases averaged about $479,000.
- Few of the subjects were in technical roles like a database administrator
- In more than half the cases, the insider used some form of authorized, but often expired access
- Manager fraud caused nearly twice the economic damage and took twice as long to detect
- Only 16% of fraud involved some type of collusion, and these subjects were mostly working with outsiders
- Routine auditing caught 41%, with only 6% of cases involving detection by software and systems designed to detect fraudulent activity
- Roughly 1/3 of cases targeted PII, with younger non-managers generally being the ones committing this type of fraud
So, given this analysis of the types of fraud going on, what does the report suggest to avoid it? The recommendations are pretty basic, but the key is an effective implementation.
Behavioral and/or Business Process
- Clearly document and consistently enforce policies and controls.
- Institute periodic security awareness training for all employees.
- Include unexplained financial gain in any periodic reinvestigations of employees.
- Log, monitor, and audit employee online actions.
- Pay special attention to those in special positions of trust and authority with relatively easy ability to perpetrate high value crimes (e.g., accountants and managers).
- Restrict access to PII.
- Develop an insider incident response plan to control the damage from malicious insider activity, assist in the investigative process, and incorporate lessons learned to continually improve the plan.
Uplogix local management enhances enterprise security by extending role-based administrative access policies to network devices and by providing detailed auditing and reporting in support of attaining and demonstrating regulatory compliance. All of these capabilities are maintained even in the event of a network outage.
By automating many routine network management actions, we ensure that your policies are followed to the letter, each and every time. No shortcuts because an admin is in a hurry to get to lunch, no sessions left open on a device.
See how this is working today in the financial industry in the Uplogix Global Financial Institution case study.