Light Dark
April 2, 2018 By Paul McCormack 4 min read
Fraud Protection
Incident Response

Within hours, sometimes minutes, after an insider threat or employee fraud incident is discovered, executives are met with a flurry of emails and phone calls asking about the extent of the damage, the departments involved and the overall impact on the business.

In the midst of this whirlwind of activity, there’s a tendency for some companies to play the blame game, assigning fault to a specific department or executive for failing to prevent the attack. With blame assigned, the implicated department engages in damage control.

Depending on the extent of the attack and the missteps that allowed it to happen, one or more employees may lose their jobs. Shortly thereafter, the internal audit department, or sometimes the compliance department, issues a report that often lacks a complete understanding of the facts associated with the attack. The report identifies failure points and compels the departments involved to fix them within a certain period of time.

As companies struggle to return to normalcy, many overlook critical lessons regarding how and why the incident happened in the first place. In the rush to close the chapter on the attack, weaknesses remain undiscovered and unaddressed. So what’s the alternative? Is there a better way for companies to recover from an insider attack?

Download the IBM research report: Battling security threats from within your organization

A Five-Step Approach to Investigating Employee Fraud

Whether an attack involves a current or former employee, contractor, or business partner who intentionally or unintentionally played a role in a breach, there’s a great deal of sensitivity around insider attacks. Unlike attacks perpetrated by a third party, companies know the identity of the alleged attacker. Consequently, at the risk of violating that individual’s rights, executives proceed with far more caution than is the case when responding to an incident from outside the organization. Nonetheless, recovering from an insider attack requires strong leadership. Without a standard operating procedure related to these incidents, executives lack direction and the company’s response flounders.

Before an insider attack happens, it’s important to develop comprehensive incident procedures that detail your company’s response strategy. The policy can borrow concepts from your organization’s data breach procedures, but since these incidents involve employees, the strategy must include representatives from legal and human resources. Circulate a copy of the policy with key stakeholders and solicit their feedback. Update the policy to reflect their feedback, then secure their approval to adopt it.

Security teams can develop strong incident response procedures by taking the following steps in the wake of an insider attack.

1. Convene a Meeting of Your Quick Reaction Team

Mitigating the effects of an insider attack requires quick, decisive action. A quick reaction team is made up of representatives from departments with the means to implement measures to limit exposure to an attack. Typically, the team includes IT, information security, legal, compliance, corporate security, human resources, corporate communications and representatives from the business units impacted. Make sure to address pressing problems, such as deleting the perpetrator’s system access credentials and stopping transactions they initiated.

2. Create a Cross-Divisional Team to Establish One Version of the Truth

Invite representatives of the departments that possess information regarding how the attack transpired to share their knowledge as well as any relevant documents associated with the incident. The team may need to meet on multiple occasions. Identify someone on your team to take notes and develop a timeline of the events. For particularly complex incidents, develop a flowchart that encapsulates how the attack took place. It’s also important to revisit the steps taken to mitigate the effects of the attack to ensure there are no loose ends.

3. Investigate What Drove the Insider to Attack

While many companies spend most of their efforts mitigating the effects of an incident, they often don’t dedicate time to understanding the attacker’s motivations. Use the collective knowledge of the cross-divisional team to ascertain what drove the insider to attack. By understanding his or her motives, you may uncover ways to improve your organization’s defenses. For example, if an employee knew that his or her compensation was far less than his or her peers and felt justified in stealing to make up the shortfall, it may be worth reviewing your payroll system for additional employees who may be underpaid.

4. Conduct a Root Cause Analysis to Identify Failure Points

With a detailed understanding of how the attack evolved, classify each factor that contributed to the incident as a failure of technology, a process or a person, bearing in mind that some observations may qualify as more than one classification. For example, if an employee opened a phishing email and clicked on an attachment, the company’s ability to detect such emails may need improvement, and employees may also need more education on the dangers of opening unsolicited messages.

5. Develop a Remediation Plan and Assign Ownership

It’s one thing to identify a failure point, but fixing it is what really matters. Yet developing a remediation plan is where many organizations fall short because it requires someone to assume responsibility for bridging the gaps that facilitated the attack. That’s why it’s important to establish a concise means of documenting the status of the remediation efforts.

To ensure accountability, some organizations opt to continuously share the status of remediation with key stakeholders until completion. Remember, by fixing a control deficiency, you’ll raise the perception of detection — the belief among employees that if they commit fraud, someone within the business will uncover their criminal activity quickly.

Detecting Future Insider Attacks

What constitutes a significant insider incident varies by organization. Some focus on the potential dollar losses, while others concentrate on the impact to customers or the alleged insider’s role within the organization. In reality, the thresholds detailed in the above incident procedures serve as a guide. If an incident fails to breach these thresholds but still feels significant, it’s OK to apply the procedure.

In addition to creating a comprehensive incident response procedure, some organizations go a step further by creating an internal threat mitigation working group to gather and analyze insider attacks reported in the news. Building such a library enables these organizations to learn from the trials and tribulations of others.

Start by gathering examples of insider attacks within your business sector, then broaden your efforts to include companies outside your industry. Use the cases to identify gaps in your business that require remediation. If an incident involved an employee who stole intellectual property before he or she left to join a competitor, use this case to revisit the protections you have in place to prevent similar cases of fraud.

Unlike attacks from outsiders, many organizations don’t have a process to deal with incidents that involve insiders. An incident response procedure tailored to insider attacks eliminates much of the hesitancy and doubt that often paralyzes the executive team.

Read the solution brief: Orchestrated Response — A Game-Changing Strategy

 |  |  |  |  | 
Paul McCormack

More from Fraud Protection
October 30, 2023

Virtual credit card fraud: An old scam reinvented

3 min read - In today's rapidly evolving financial landscape, as banks continue to broaden their range of services and embrace innovative technologies, they find themselves at the forefront of a dual-edged sword. While these advancements promise greater convenience and accessibility for customers, they also inadvertently expose the financial industry to an ever-shifting spectrum of emerging fraud trends. This delicate balance between new offerings and security controls is a key part of the modern banking challenges. In this blog, we explore such an example.…

August 23, 2023

Remote access detection in 2023: Unmasking invisible fraud

3 min read - In the ever-evolving fraud landscape, fraudsters have shifted their tactics from using third-party devices to on-device fraud. Now, users face the rising threat of fraud involving remote access tools (RATs), while banks and fraud detection vendors struggle with new challenges in detecting this invisible threat. Let’s examine the modus operandi of fraudsters, prevalence rates across different regions, classic detection methods and Trusteer’s innovative approach to RAT detection through behavioral analysis. A rising threat As Fraud detection methods become more and…

August 17, 2023

Gozi strikes again, targeting banks, cryptocurrency and more

3 min read - In the world of cybercrime, malware plays a prominent role. One such malware, Gozi, emerged in 2006 as Gozi CRM, also known as CRM or Papras. Initially offered as a crime-as-a-service (CaaS) platform called 76Service, Gozi quickly gained notoriety for its advanced capabilities. Over time, Gozi underwent a significant transformation and became associated with other malware strains, such as Ursnif (Snifula) and Vawtrak/Neverquest. Now, in a recent campaign, Gozi has set its sights on banks, financial services and cryptocurrency platforms,…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature