Recent cyber attacks on organisations as diverse as the NHS and EasyJet have shown just how vulnerable businesses are to attacks from organised hackers. It is therefore perhaps unsurprising that companies across the world have been ploughing money into addressing the external threat. However, new research suggests that this investment may be misguided, and that a greater threat is posed by a company’s own workers and management.
What is the Insider Threat?
Most people working in an organisation are honest and trustworthy. They are all working towards the same goals and want the company to succeed and to be profitable. It takes just one rogue employee to take advantage of that collective trust and exploit their knowledge of the company’s systems for their own ends. The internal threat is far more difficult to pick up on, as we all like to think of our colleagues as friends and as trustworthy. Companies work hard to build a team atmosphere and get everyone working together, and sending out a message that insider fraud is a problem can undermine that effort. This is especially true when more people are working from home or remotely, with companies directing lots of effort into building team spirit and developing shared goals.
Risk Factors
Not every employee is going to “turn rogue” and be tempted to siphon money from the company bank account into their own. But a small percentage may, given the right circumstances and opportunity. A range of motivating factors might tempt someone to commit fraud against their employer, such as coercion, a radical ideology, serious debt problems, revenge or simply the thrill of it.
Dealing with Insider Fraud – Pre-Employment Checking
One way in which companies have traditionally dealt with the risk of insider fraud is to run background checks on all of their applicants before making job offers. This might be effective in weeding out people with past convictions for fraud or theft. However, not all jobs qualify for a DBS check, and employers are restricted by law as to what level of information they can get on employees. Credit checks are also commonly used in the financial services industry to try to detect employees with serious debt problems.
Whistleblowing and Prevention
Obtaining DBS certificates won’t help identify the insider who has never committed a crime or been arrested for an offence. Their record will be clean, as will the certificate. Most companies tackle the issues around insider fraud in other ways too. Most consider the potential for fraud when setting up new computer systems and processes, by building in password checks or timestamped records of which users are accessing which accounts. Should a fraud be identified, it should then be easy to trace who may be responsible. Most large organisations also have a whistle-blowing policy, which allows employees to raise concerns anonymously about people at any level of the organisation they suspect of acting inappropriately.