The inside job
Sergey Ozhegov of SearchInform discusses how employees of any size business may cause more damage than hackers.
For some workers, an employer's business can become a goldmine; there are plenty of ways to get more than just a salary from a company.
As the saying goes, forewarned is forearmed. The topic is best explored through the lens of typical insider behaviour patterns, illustrated with some real-life examples from our clients.
For example, the engineering department of a manufacturing company worked overtime over several weekends because of a high-priority project with a strict deadline. The information security department discovered that activities other than the project were taking place: in fact, the engineers spent most of their weekend time on a project for a direct competitor. Taking into account the confidential commercial information used, the cost of that project was estimated at $443,000.
Working for a competitor is not all that uncommon. If employees start to do a lot of overtime, work on weekends or take work home, it is advisable to monitor these off-hour activities. Pay special attention to the protection of commercially valuable data, confidential information, and research and scientific materials. Incidents here can be prevented by proper distribution of access rights and by restricting and controlling access to important folders. Some data loss prevention (DLP) systems have a function to restrict access to the folders of top management, which means nobody, including system administrators, should be able to access top managers' folders, whether on their PCs or on network storage servers. Track attempts by unauthorised people to obtain confidential documents. Such thorough control is possible with modern technology based on DLP and security information and event management (SIEM) systems.
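As an added illustration of the folder-access rule above (not part of the original article or of any SearchInform product): a small Python check over constructed file-server audit lines that flags access to top-management folders by anyone outside the allow-list, system administrators included, and weekend or out-of-hours access to commercially valuable project folders. The share paths, account names, log format and working hours are assumptions.

```python
import re
from datetime import datetime

# Constructed file-server audit records (not from a real DLP or SIEM); one
# line per access: "<iso time> user=<account> action=<read|write> path=<share path>".
AUDIT_LOG = r"""
2023-03-04T10:12:03 user=ivanov action=read path=\\fs01\engineering\project-x\spec.docx
2023-03-04T11:40:19 user=sysadmin action=read path=\\fs01\management\board\budget-2023.xlsx
2023-03-06T09:05:44 user=ceo action=write path=\\fs01\management\board\budget-2023.xlsx
2023-03-05T23:58:02 user=petrov action=read path=\\fs01\engineering\project-x\drawings.dwg
2023-03-07T14:20:31 user=cfo action=read path=\\fs01\management\board\budget-2023.xlsx
"""
# Allow-list for protected shares: only the named owners, with no
# administrator exception, which is the rule the article describes.
PROTECTED = {r"\\fs01\management\board": {"ceo", "cfo"}}
# Folders whose off-hours use deserves a second look (the weekend-overtime case).
COMMERCIAL = [r"\\fs01\engineering\project-x"]
LINE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) path=(?P<path>.+)")


def _under(path, folder):
    """Case-insensitive check that `path` lies inside `folder` (Windows share paths)."""
    p, f = path.lower(), folder.lower().rstrip("\\")
    return p == f or p.startswith(f + "\\")


def review_access(log, protected=PROTECTED, commercial=COMMERCIAL, workday=(8, 19)):
    """Return (kind, user, path) findings: 'unauthorised' for access to a protected
    share by a user outside its allow-list, 'off-hours' for weekend or
    out-of-hours access to a commercially valuable folder."""
    findings = []
    for line in log.strip().splitlines():
        m = LINE.fullmatch(line)
        if not m:
            continue  # malformed line: skip rather than guess
        ts = datetime.fromisoformat(m["ts"])
        user, path = m["user"], m["path"]
        for folder, allowed in protected.items():
            if _under(path, folder) and user not in allowed:
                findings.append(("unauthorised", user, path))
        off_hours = ts.weekday() >= 5 or not workday[0] <= ts.hour < workday[1]
        if off_hours and any(_under(path, f) for f in commercial):
            findings.append(("off-hours", user, path))
    return findings


if __name__ == "__main__":
    for finding in review_access(AUDIT_LOG):
        print(*finding)
```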
One of our client companies discovered a suspicious relationship between three employees who were not connected in any way: they worked in different departments and had no joint projects. Interestingly, all of them used the same webmail account. With the help of the DLP system, the info-security team established that the employees used that webmail account to coordinate shadow sales of equipment produced by the company. The monthly damage to the company was between $40,000 and $50,000. It is a classic example of a shell company set up by insiders.
Insiders can be, and often are, very cautious. In the event of a sharp increase in the number of messages between unrelated workers, info-security specialists should check the contents of such communications, especially when they go through non-work channels such as personal webmail or social media accounts.
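An added example, not from the original article or any SearchInform product, of the heuristic described in the two paragraphs above: it counts messages between employees of different departments per week over constructed DLP-style message metadata, flags pairs whose latest-week volume jumps well above their earlier average, and notes how much of that burst went through a non-work channel. The names, departments, dates and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed message metadata in the shape a DLP system records (not real
# client data): (day, sender, recipient, channel). The employee -> department
# map stands in for the HR directory the DLP data would be joined with.
DEPT = {"ivanov": "sales", "orlova": "sales", "belov": "sales",
        "petrov": "logistics", "sidorov": "production"}
WINDOW_END = date(2023, 3, 28)
MESSAGES = (
    # routine traffic inside the sales team, every other day for four weeks
    [(date(2023, 3, 1) + timedelta(days=d), "orlova", "belov", "corporate-mail")
     for d in range(0, 28, 2)]
    # ivanov (sales) and petrov (logistics): one work e-mail a week...
    + [(date(2023, 3, 1) + timedelta(days=d), "ivanov", "petrov", "corporate-mail")
       for d in (3, 10, 17)]
    # ...then a daily burst through personal webmail in the last week
    + [(date(2023, 3, 22) + timedelta(days=d), "ivanov", "petrov", "webmail")
       for d in range(7)]
    # a single cross-department message: too little volume to be an alert
    + [(date(2023, 3, 23), "sidorov", "petrov", "webmail")]
)


def cross_department_spikes(messages, dept, window_end, weeks=4,
                            factor=3.0, min_messages=3):
    """Count messages per pair of employees from different departments in each
    of the last `weeks` seven-day windows ending on `window_end`, and flag pairs
    whose latest-week volume is at least `factor` times their average over the
    earlier weeks and at least `min_messages`."""
    start = window_end - timedelta(days=7 * weeks - 1)
    weekly = defaultdict(lambda: [0] * weeks)   # pair -> per-week message counts
    personal = defaultdict(int)                 # pair -> last-week non-work-channel msgs
    for day, sender, recipient, channel in messages:
        if not start <= day <= window_end or dept[sender] == dept[recipient]:
            continue
        pair = tuple(sorted((sender, recipient)))
        week = (day - start).days // 7
        weekly[pair][week] += 1
        if week == weeks - 1 and channel != "corporate-mail":
            personal[pair] += 1
    alerts = []
    for pair, counts in weekly.items():
        baseline = sum(counts[:-1]) / (weeks - 1)
        if counts[-1] >= min_messages and counts[-1] >= factor * baseline:
            alerts.append({"pair": pair, "weekly": counts, "baseline": baseline,
                           "personal_channel_msgs": personal[pair]})
    return sorted(alerts, key=lambda a: -a["weekly"][-1])


if __name__ == "__main__":
    for alert in cross_department_spikes(MESSAGES, DEPT, WINDOW_END):
        print(alert)
```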
The managing director of one of the offices of a large oil company actively lobbied for one particular supplier in tenders for mining equipment and parts. Naturally, the info-security department found this suspicious. Retrospective analysis of captured communications showed that the director had received around $200,000 in kick-backs from the supplier. As a result of these deals, the company lost over $1.5 million.
Kick-backs and bribes are perennial companions of business, which is why info-security specialists must understand who the employees really are and which of them fall into risk groups: groups that might have an intention to undermine the company's earnings. When sales and procurement staff fall into a risk group, information security specialists must take preventive measures and use professional software to monitor these employees' activities. Some DLP systems include technology that automatically identifies various types of fraud, including kick-backs. Such systems alert security whenever there is an instance of suspicious correspondence or behaviour.
Corporate fraud is another serious problem. An insurance company office had 11 insurance agents working without an on-site supervisor. The office was responsible for far too many high-cost claims and had therefore been unprofitable for a while. It turned out that some agents sold backdated plans: their friends and family, who needed expensive medical treatment or surgery, would pay for a suitably backdated policy. As a result, the office was losing about $150,000 a year.
As obvious as it sounds, remote offices require just as much attention, if not more, with respect to information security: all communications and activities are subject to corporate info-security compliance. To investigate cases like the one above, info-security officers need to conduct a thorough analysis of employees' actions and communications, as well as of non-work ties between workers and clients. A good DLP captures and stores all related data (activities, communications, connections) and makes it available for transparent retrospective analysis.
After implementing a worktime monitoring solution, a telecom company discovered that a handful of people were working on non-work projects: SEO optimisation, web design, copywriting and other activities that people typically do to make money on the side. These activities took two to three hours per day, during working hours. Obviously, the company lost money paying for the idle hours and suffered a shortfall in profits for the same reason.
Control not only the result but also the work process. This can be done with automated monitoring systems, which identify violators of work duties by tracking the activities employees engage in during the workday. The system informs a designated supervisor when an employee diverts from work; if needed, screenshots help to clarify such situations. Additionally, these systems can measure how efficient and productive a particular employee, a department or the organisation as a whole is.
It is virtually impossible to foresee every fraudulent scheme, as threats constantly evolve and the people behind them are resourceful. But using all reasonable means to ensure the security of a business lies at the core of effective risk management, and it is what makes the difference between failure and success.
Risk mitigation recommendations:
Implement rules for working with information and stick with them.
Strict adherence to the rules of storage and handling of information must apply to any employee, from a top manager to a regular employee.
Establish an info-security department to focus on.
The task of info-security officers is not only to investigate violations, but to analyse potential threats. For example, pay special attention to employees who are at risk: people prone to substance abuse, departing or dissatisfied employees, etc.
Use the means of information security.
Utilise worktime monitoring, DLP and SIEM systems. Cover as many communication channels as possible. Do not wait for insiders or intruders to appear and harm your business. For any business, trust is of paramount importance: ensure the security of information about your clients, employees and partners.
Get rid of formalism and mediocracy.
Implementing information security tools is not a guarantee of protection, especially when they are used only as circumstances arise. Often, info-security incidents happen because the tools are not used to their full potential: some channels aren't controlled, some users have access to information that should be inaccessible to them, and so on.
Use the principle of checks and balances.
Don't allow all responsibility and power to be concentrated in one person's hands. Establish an info-security department as a counterbalance to the IT department, which often has access to the most important confidential information and, technically, could use it for any purpose.