Insider Threats cannot be prevented with technology alone

Some of my favorite stories about insider threats come from a book written by Vasili Mitrokhin. For those of you unfamiliar with the name, Mitrokhin was formerly a senior Soviet intelligence officer who defected to the UK in 1992. In the book “The Mitrokhin Archive” he describes in detail how some of the most trusted individuals within the British Intelligence services during the Cold War were passing secrets back to the Russians. Some of the names involved (Burgess, Philby and Maclean, amongst others) go down in history as infamous traitors to their country.

Dealing with insider threats is certainly nothing new. Espionage and spying are amongst the oldest political and military trades. For instance, there are references to spies in accounts of ancient Greek history, and ancient Egyptian spies were among the first to develop methods of carrying out acts of internal sabotage.

Corporate espionage also has a long history. Back in 1943, for example, Procter & Gamble were prosecuted after being caught stealing trade secrets from their main competitor, Lever Brothers.

As I’ve said a number of times in the past on this blog, insider-related threats are a major concern, but there doesn’t seem to be much good guidance available on how to deal with them. For instance, today I came across an article entitled “The Threat from Inside” online in the CPA Technology Advisor. This article suggests that the way to handle insider threats is to use passwords, document management controls and rotation of duties, and to limit access to resources.

The problem with approaching the issue in this way, as many other guides on the subject do by focusing on technology-based controls, is that it fails to account for the fact that the people we are most at risk from are those likely to have the most access to systems, the most authority to manage financial transactions, or access to the most sensitive data: in short, those we trust the most. Take, for example, the Finance Director who swindled £2 million from her company. And just ask the City of San Francisco or Société Générale about how effective their technical controls were in preventing insider mischief.

What the article in CPA fails to mention is supervision and management. It also doesn’t talk about background checks on staff, or the importance of promoting decent corporate ethics, treating staff fairly, and security awareness. Do you know how you would recognise a fraud, or even where to go to look to find out?

People can be very cunning and very clever about how they cover up their activities. A great example is the case of a school secretary who embezzled over £200k (see http://archive.worcesternews.co.uk/2001/2/24/336660.html) over a 4-year period. No-one suspected a thing until the auditors discovered some errors in the paperwork.

I don’t like quoting statistics for which I can’t find a supporting reference, but I’ll make an exception here. An expert on the subject of insider threats once told me to expect that in an average organisation, 15% of employees will be willing to commit some form of fraud or theft given the opportunity and, more to the point, if they believe they will get away with it. And opportunities for maliciously minded insiders are only bounded by their imaginations, as described in this excellent article on the subject at http://cooperator.com/articles/697/1/Fraud-Detection-and-Prevention/Page1.html

There’s the vengeful employee who believes he’s been wrongly terminated and decides to “punish” his employer by misappropriating resources; the purchasing manager who receives kickbacks from vendors or suppliers; or the experienced manager who realizes she has no further room for career advancement and decides to divert funds to “supplement” his or her retirement savings

So, I hope I’ve made the point that technical controls, as described in the CPA article, are not the solution. They can play a part, but there are many other factors we need to be thinking about.

4 comments

Fraud crimes will continue to grow until the government and banks exploit the KEY and PIN system described on the website www.xwave.co.uk, which will make signature and PIN systems reliable and foolproof to deter fraudsters from getting tempted to misuse our stolen personal and card details. The Key and PIN system will deter virtually all types of fraud crimes, including those Chip and PIN, data protection and biometric ID card systems will fail to deter. This system will also eliminate the need for us to protect our personal and card details since fraudsters will not be tempted to misuse these stolen details. Organisations would make their customers personalise signatures by letting them use a mobile-phone-size device which will capture an image and activate a printer to print their ID sticker virtually instantly. The KEY and PIN system could be treated like an international ID card since it will personalise signature and PIN to the right individual in any country in the world. We hope that the banks and government will support and exploit the proposed system before it is too late to stop a fraud boom.
Thanks for the comment Roger, but I think you've missed the point. The cases I mentioned (the school secretary, the rogue trader and the finance director) did not involve individuals accessing resources they weren't supposed to be getting to: they already had all the access they needed and knew how to manipulate the systems to their advantage.
All the items mentioned in your blog, both technical and non-technical, are required elements to address the threats from insiders across all industries. However, the CPA column highlighted in the blog is specifically focused to the needs of the public accounting industry and even more specifically to the technology which helps that industry. This column was not written to address or be linked to the general needs of all industries; their supervision or management practices; and the various non-technical solutions to insider threats.
Thanks for the feedback John.