Some of my favorite stories about insider threats come from a book written by Vasili Mitrokhin. For those of you unfamiliar with the name, Mitrokhin was formerly a senior Soviet intelligence officer who defected to the UK in 1992. In the book “The Mitrokhin Archive” he describes in detail how some of the most trusted individuals within the British Intelligence services during the Cold War were passing secrets back to Russians. Some of the names involved: Burgess, Philby, Maclean amongst others go down in history as infamous traitors to their country.
Dealing with insider threats is certainly nothing new. Espionage and spying are amongst the oldest political and military trades. For instance, there are references to spies in accounts of ancient Greek history, and ancient Egyptian spies were among the first to develop methods of carrying out acts of internal sabotage.
Corporate espionage also has a long history. Back in 1943, for example, Proctor & Gamble were prosecuted after being caught stealing trade secrets from their main competitor, Lever Brothers.
As I’ve said a number of times in the past on this blog, insider related threats are a major concern but there doesn’t seem to be much good guidance available on how to deal with them. For instance, today I came across an article entitled “The Threat from Inside” online here in the CPA Technology Advisor. This article suggests that the way to handle insider threats is to use passwords, document management controls, rotation of duties, and by limiting access to resources.
The problem with approaching the issue in this way, and as described in many other guides on the subject where the focus is on technology based controls, is that it fails to account for the fact that the people we are most at risk from are those who are likely to have the most access to systems, and those with the most authority to manage financial transactions, or access to the most sensitive data. In short, those we trust the most. For example the Finance Director who swindled £2million from her company. And just ask the City of San Francisco (see here) or Société Générale about how effective their technical controls were in preventing insider mischief.
What the article in CPA fails to mention is supervision and management. It also doesn’t talk about background checks on staff, or the importance of promoting decent corporate ethics, treating staff fairly, and security awareness. Do you know how you would recognise a fraud, or even where to go to look to find out?
People can be very cunning and very clever about how they cover up their activities. A great example is the case of a school secretary who embezzled over £200k (see http://archive.worcesternews.co.uk/2001/2/24/336660.html) over a 4 year period. No-one suspected a thing until the auditors discovered some errors in the paperwork.
I don’t like quoting statistics that I can’t find a reference in support but I’ll make an exception here. An expert on the subject of insider threats once told me to expect that in an average organisation, 15% of employees will be willing to commit some form of fraud or theft given the opportunity and more to the point, if they believe they will get away with it. And opportunities for maliciously minded insiders are only bounded by their imaginations as described in this excellent article on the subject at http://cooperator.com/articles/697/1/Fraud-Detection-and-Prevention/Page1.html
There’s the vengeful employee who believes he’s been wrongly terminated and decides to “punish” his employer by misappropriating resources; the purchasing manager who receives kickbacks from vendors or suppliers; or the experienced manager who realizes she has no further room for career advancement and decides to divert funds to “supplement” his or her retirement savings
So, I hope I’ve made the point that technical controls, as described in the CPA article are not the solution. They can play a part but there are many other factors we need to be thinking about.