The unseen threat: insider attacks and how to stop them

The opportunity for internal fraud springs from firms' lack of ability to see all and know all under their own roofs. When a star performer suddenly becomes a major foe after a secret scam is revealed, business leaders can only kick themselves. Can organisations ever be expected to plug loopholes that may only be obvious to a mercenary opportunist?

Companies have much to lose when they fail to do so. The money at stake is huge, and the shame is almost as bad. That is what family man Donald MacKenzie inflicted on the Royal Bank of Scotland when he carried out a £21m fraud based on fake loan accounts. The father of two was one of the bank's best: voted manager of the year for three years in a row, with a talent for bolstering the loan business. But a new system revealed that he had set up more than 1,000 false loan accounts with names similar to those of real customers.

Matthew Pemble was involved in the investigation of the case. "Although MacKenzie got the commission, the fraud was done to help his friends," says Pemble, who is now a security consultant at Vizuri. "A lot of insider fraud is carried out because someone is tempted by something that drops into their lap. MacKenzie was caught when a new system for dealing with loan applications was put in. He got away with it until then by using the system and being so successful at his job. The sort of people who commit internal fraud know the bank's system very well, and catching them can often be down to luck or carelessness."

MacKenzie's complex fraud went undetected for five years until March 2004, but in retrospect, Pemble says, the signs of odd behaviour were there all along. MacKenzie wrote about 200 apology letters to customers every year - another strand of his intricate web. The norm would be fewer than 10. Although a high volume of apology letters would not automatically trigger a red alert, against a baseline of what a branch manager normally sends it is a clear anomaly.

Pemble says another sure sign of a possible cheat is keenness. "Some fraudsters are always in work, as they are scared that they may be caught if their back is turned," he says.

"As every fraudulent transaction is a risk for them, they will often opt for figures below limits to avoid detection."

Both honest and deceitful staff should be told clearly what fraud is, according to Pemble. "There is always the chance that employees do not realise they are doing it," he says. "Minor expenses fraud was normal in the 1970s. The vast majority of your employees are not trying to defraud you. Also, employees do not want to report on their colleagues, and are unlikely to suspect them of any untoward behaviour, but a fraud hotline should be set up so they have the option." He also recommends that all authorisations should involve two people, and that there should be stringent vetting and personnel controls.

Pemble says internal fraud deserves such attention because it eclipses the external threat: once inside, those at the heart of a firm can hit where it hurts.

French bank Societe Generale is still reeling from the £3.9bn it lost at the hands of alleged rogue trader Jerome Kerviel. He spent time in jail for breach of trust, fabricating documents and illegally accessing computers, but is now out on bail. France's second-largest bank says Kerviel's insider knowledge of its systems allegedly allowed him to commit the fraud.

Adrian Davis, a senior security researcher at ISF, agrees that companies are more vulnerable to corrupt insiders. "When someone works for you they automatically bypass 95% of security defences deployed," he says.

Kerviel has now launched court proceedings saying that he was unlawfully sacked. It is clear that companies face a maze when proceeding through the courts, and it is no wonder that litigation is seen as a last option. "It is easier to fire someone than to go through a court room," says Davis. "But policies need to strongly state what the company will not tolerate, so that sacking is lawful."

Davis also advocates segregation of duties and management of user accounts to keep a lid on opportunities presented to would-be con artists.

"Once inside, companies rely on giving people the right access," he says. "People need access to e-mail, file servers, print servers and so on." Davis notes that another loophole that can be easily closed with a little care is permissions. Staff are often allowed to keep permissions despite switching positions, meaning that employees inherit access rights that are not needed for their jobs.
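One way to close the permissions loophole Davis describes, and at the same time to check the two-person authorisation Pemble recommends, is a scripted access review that compares what each user actually holds against what their current role needs. The following is an added example, not code from the article or from any of the firms quoted in it; the role names, permission strings, segregation-of-duties pairs, user records and approval log are all hypothetical and constructed for the illustration.

```python
"""Access review over constructed role, entitlement and approval data.

Three checks drawn from the controls discussed in the article:
  * stale entitlements       - permissions a user kept from a previous role
  * segregation of duties    - permission pairs one person must never hold together
  * two-person authorisation - approvals where requester == approver, or where the
    approver does not actually hold the approve permission
"""

# Hypothetical role baselines: the permissions each role legitimately needs.
ROLE_BASELINE = {
    "loan_officer": {"loan.create", "customer.read"},
    "branch_manager": {"loan.approve", "customer.read", "report.view"},
    "it_admin": {"ldap.write", "backup.restore"},
}

# Hypothetical permission pairs that must never sit with one person.
SOD_CONFLICTS = [
    ({"loan.create", "loan.approve"}, "can raise and approve the same loan"),
    ({"loan.approve", "ldap.write"}, "can approve loans and edit directory accounts"),
]

# Constructed user records (not real data): current role and entitlements actually held.
USERS = {
    "alice": {"role": "loan_officer", "perms": {"loan.create", "customer.read"}},
    # bob was promoted from loan officer and kept loan.create
    "bob": {"role": "branch_manager",
            "perms": {"loan.create", "loan.approve", "customer.read", "report.view"}},
    # carol moved from the branch into IT and kept loan.approve
    "carol": {"role": "it_admin",
              "perms": {"ldap.write", "backup.restore", "loan.approve"}},
}

# Constructed approval log: (loan_id, requester, approver).
APPROVALS = [
    ("L-1001", "alice", "bob"),
    ("L-1002", "bob", "bob"),
    ("L-1003", "alice", "alice"),
]


def stale_entitlements(user, users=USERS, baseline=ROLE_BASELINE):
    """Permissions held beyond what the user's current role needs."""
    rec = users[user]
    return rec["perms"] - baseline.get(rec["role"], set())


def sod_violations(user, users=USERS, conflicts=SOD_CONFLICTS):
    """Reasons for every conflicting permission pair the user holds in full."""
    perms = users[user]["perms"]
    return [why for pair, why in conflicts if pair <= perms]


def approval_findings(approvals=APPROVALS, users=USERS):
    """Two-person rule: requester and approver must differ, and the approver must hold loan.approve."""
    findings = []
    for loan_id, requester, approver in approvals:
        if requester == approver:
            findings.append((loan_id, approver, f"{approver} approved their own request"))
        if "loan.approve" not in users.get(approver, {}).get("perms", set()):
            findings.append((loan_id, approver, f"{approver} lacks loan.approve"))
    return findings


def run_review(users=USERS, approvals=APPROVALS):
    """Collect every finding per user; an empty list means the user passed the review."""
    report = {u: [] for u in users}
    for u in users:
        for p in sorted(stale_entitlements(u, users)):
            report[u].append(f"stale entitlement {p} (not in {users[u]['role']} baseline)")
        for why in sod_violations(u, users):
            report[u].append(f"segregation of duties: {why}")
    for loan_id, approver, why in approval_findings(approvals, users):
        report.setdefault(approver, []).append(f"approval {loan_id}: {why}")
    return report


if __name__ == "__main__":
    for user, findings in run_review().items():
        print(f"{user}: {'clean' if not findings else ''}")
        for line in findings:
            print(f"  - {line}")
```

Run against a real directory export the same three functions apply unchanged; the part that needs care is keeping ROLE_BASELINE honest, since a baseline that is padded to match what people already hold hides exactly the inherited rights Davis warns about.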

The Financial Services Authority (FSA) also stresses that access rights should be carefully monitored. FSA financial crime sector leader Philip Robinson says, "It is up to individual firms to decide how to manage the risk of insider fraud. However, examples of good practice found in the industry include good vetting of staff, segregation of duties and IT controls to prevent access to systems or data that could be used to commit fraud.

"Generally, the industry has improved in this area but can do more to manage the risks. There is a lot of work going on, but firms should not be complacent. In particular they should consider whether their vetting standards are adequate in higher risk areas such as call centres and IT."

Financial services firms are required to notify the FSA of significant fraud, and it has the power to issue fines. But it says further action depends on the firm and the fraud involved. Firms judged to have enabled fraud through weak controls are penalised. Last May the FSA fined BNP Paribas Private Bank £350,000 for weaknesses in systems and controls, which enabled an employee to transfer £1.4 million out of clients' accounts.

Robinson says that discovery of internal fraud is thwarted by determined insiders who know how to manipulate systems to cover their tracks, but he declines to comment on how much fraud goes undetected.

But Bart Patrick, head of risk at fraud software supplier SAS, estimates that few scams are actually unearthed. "Close one loophole and another opens," he says. "The systems currently implemented do not make best use of all the information available such as e-mails, telephone calls, entry and exit logs, system-usage logs, website tracking and usage logs. Analysis of previous fraud types and the development of big-picture fraud models seem to be absent, even though the technology to do this is available. Internal fraud still seems to be the hairy copper, which is lacking sophistication."

He recommends software that strings together disparate data. "Advanced modelling of diverse data is giving companies the edge in real-time discovery," he says.

Patrick points to forward-looking technologies such as advanced analytics and neural network analysis as good ideas. And he advocates a few basic steps to thwart internal fraud:

• Sort out what data sources the organisation has.

• Employ advanced analytics across the data to statistically understand fraud patterns.

• Create and use fraud models to interrogate the data on an ongoing basis to uncover fraud in real-time.

• Then evolve these models in suitable timescales, as fraud evolves.

An even bolder step would be datamining, but it is one taken by very few, he says. "I would go so far as to say that datamining and text mining, with the associated modelling of this information, is the most significant step a complex financial institution can take to counter internal fraud," he says.

Mark Girolami, of Glasgow University, delved into the use of datamining to counter telecoms fraud among customers. His research - Data Mining Tools for Fraud Detection - was designed to work on call data record logging systems and was conducted in alliance with software developer Memex. Even though it was geared at detecting external fraud, the methods are general and could be applied elsewhere.

"We were seeking to address the problem of characterising the 'behaviour' or 'patterns of usage' of individuals (or groups of individuals) in terms of a statistical model (for each individual) that could be used to answer questions such as 'what range of actions is this individual most likely to make next or under certain conditions'," Girolami says.

"The models can then be used to assess the likelihood of actions or characteristics that were discordant with previous persistent activities and possibly similar to activities suggestive of potential malfeasance. The use of a statistical model meant that ranked lists of red alerts could be generated which were optimal in the sense of returning, for example, fraudulent behaviours at the top of the ranked list."

The aim of the system was to detect "deviations from normal activity that potentially would suggest malfeasance (given some idea of the distinction between harmless anomalies and anomalies suggestive of fraud)."
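As an added illustration of the ranked-alert scoring Girolami describes, and of the four steps Patrick lists above (identify data sources, derive statistics, score on an ongoing basis, evolve the model), the script below builds a feature vector per employee from a constructed activity log, scores each feature against that employee's peers, and returns a ranked list with the most discordant behaviour at the top. This is example code written for this page, not code from the article, from SAS or from Girolami's research, and it simplifies his per-individual models to a peer-group baseline so that it runs on a single snapshot. The two features are taken from the warning signs Pemble names (apology letters, and amounts kept just under an authorisation limit); the employee names, the 10,000-unit single-signature limit, the "just under the limit" band and every log entry are constructed for the example.

```python
"""Ranked behavioural anomaly scoring over a constructed activity log.

Two features per employee, chosen from signs named in the article:
  * letters         - apology letters sent (the norm is a handful a year)
  * sub_limit_ratio - share of transactions that sit just under the authorisation limit
Each feature is scored against the employee's peers; excess over the peer
baseline is summed into one score and the list is sorted, fraud-like behaviour first.
"""
from collections import defaultdict
from statistics import mean, pstdev

AUTH_LIMIT = 10_000.0   # hypothetical single-signature approval limit
SUB_LIMIT_BAND = 0.90   # amounts in [90% of limit, limit) count as "just under"
ALERT_THRESHOLD = 3.0   # peer z-score above which a feature is reported as a reason

# Constructed activity log (not real data): (user, event_type, value).
# "letter" rows record one apology letter; "txn" rows record a transaction amount.
LOG = []


def _add(user, letters, amounts):
    LOG.extend((user, "letter", 1) for _ in range(letters))
    LOG.extend((user, "txn", float(a)) for a in amounts)


_add("alice", 3, [2500, 7300, 400, 12000, 860])
_add("bob", 2, [1500, 3200, 9900, 640, 14000])
_add("carol", 1, [700, 4100, 11000, 2200, 5500])
_add("dave", 4, [300, 8800, 1900, 6000, 2400])
# Constructed outlier: many letters, and amounts clustered just under the limit.
_add("erin", 40, [9900, 9950, 9800, 9990, 9700, 1200])


def is_sub_limit(amount, limit=AUTH_LIMIT, band=SUB_LIMIT_BAND):
    """True when an amount sits just under the limit (the structuring pattern)."""
    return band * limit <= amount < limit


def extract_features(log):
    """Aggregate the raw log into one feature vector per user (Patrick's steps 1 and 2)."""
    letters = defaultdict(int)
    txns = defaultdict(list)
    for user, kind, value in log:
        if kind == "letter":
            letters[user] += value
        elif kind == "txn":
            txns[user].append(value)
    features = {}
    for u in set(letters) | set(txns):
        amounts = txns.get(u, [])
        under = sum(1 for a in amounts if is_sub_limit(a))
        features[u] = {
            "letters": float(letters.get(u, 0)),
            "sub_limit_ratio": under / len(amounts) if amounts else 0.0,
        }
    return features


def peer_zscore(value, peers):
    """Standard score of `value` against its peer group; only excess over peers counts."""
    mu = mean(peers)
    sigma = pstdev(peers) or 1e-9   # floor avoids division by zero when all peers agree
    return max(0.0, (value - mu) / sigma)


def rank_alerts(features):
    """Score each user against everyone else; return (user, score, reasons), highest first."""
    results = []
    for u, vec in features.items():
        score, reasons = 0.0, []
        for name, value in vec.items():
            peers = [f[name] for other, f in features.items() if other != u]
            if not peers:
                continue
            z = peer_zscore(value, peers)
            score += z
            if z >= ALERT_THRESHOLD:
                reasons.append(f"{name}={value:.2f} is {z:.1f} sd above peers")
        results.append((u, score, reasons))
    results.sort(key=lambda r: (-r[1], r[0]))
    return results


if __name__ == "__main__":
    for user, score, reasons in rank_alerts(extract_features(LOG)):
        flag = "ALERT" if reasons else "ok   "
        print(f"{flag} {user:<6} score={score:6.2f} {'; '.join(reasons)}")
```

The peer baseline is deliberately leave-one-out: each user's own values are excluded before the mean and spread are taken, so a single heavy outlier does not raise the bar for everyone else. Patrick's fourth step, evolving the model, corresponds here to re-running extract_features on each new window of the log and adjusting ALERT_THRESHOLD as the investigators' hit rate on the top of the list is measured.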

Keeping track of deviations from normal activity is a huge job, especially across the diverse landscape of systems typical of large companies. Datamining techniques such as Girolami's expect most users to conform to certain patterns of behaviour; if a user strays from that pattern, the system raises an alert. As opportunities for colossal frauds continue to emerge in complex systems, it is clear that unexplained changes in employee behaviour should raise eyebrows. And as model bank manager MacKenzie's elaborate betrayal of RBS shows, your enemy is closer than you think.
