Insider threat: employees can be your greatest asset — or greatest risk

By Erin Ayers on October 3, 2014

It’s a common saying that any organization’s greatest assets are its employees, but recent events show that disgruntled employees, low morale and insider threats may be among the most challenging risks for employers to manage.

Inappropriate employee access to sensitive information or funds leaves businesses open to the high costs of business interruption, negative publicity, lost trade secrets or data.

Fraudsters gonna defraud

The news recounts numerous instances of employee sabotage – just this week, an air traffic control employee managed to ground over 2,000 flights out of Chicago’s two international airports, as reported by The Guardian. The incident wasn’t cyber-related; the alleged culprit started a fire in the air traffic control center.

Even the Home Depot data breach, which already made headlines for potentially being the largest loss of customer data ever, had an added element of intrigue. The retailer’s senior IT security developer had been on the job only briefly when he was indicted for sabotaging a former employer, EnerVest Operating.

In data tracked by Advisen, employee embezzlement cases and theft of trade secrets are not uncommon – and can go on for many years before they are noticed.

In one case involving the District of Columbia’s Office of Tax and Revenue, an employee managed to defraud the OTR for over 18 years, diverting more than $48 million. The embezzler, along with several of her family members and friends, was sentenced to prison for the scheme. In several other cases, employees of firms with strictly confidential products took those trade secrets with them to competitors.

The issue may garner more attention as cyber threats create concern for organizations everywhere. Last week, the FBI issued a statement warning businesses that employees pose a significant danger to company computer networks.

“Insider threat” is defined as “a current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system, or data and intentionally misused that access to negatively affect the confidentiality, integrity, or availability of the organization’s information or information systems.”

“A review of recent FBI cyber investigations revealed victim businesses incur significant costs ranging from $5,000 to $3 million due to cyber incidents involving disgruntled or former employees. Businesses reported various factors into their cost estimates, to include: calculating the value of stolen data, Information Technology (IT) services, the establishment of network countermeasures, legal fees, loss of revenue and/or customers, and the purchase of credit monitoring services for employees and customers affected by a data breach,” the FBI stated.

Employee mistakes cause more data breaches

Employee mistakes cause more data breaches, but cyber attacks involving malware or spyware carry a higher cost to corporations, according to a review of over 1,500 data breaches conducted by Beazley Group.

“With more information being stored electronically and in the cloud, the risk of data breaches is growing,” said Katherine Keefe, head of Beazley Breach Response (BBR) Services. “Consumers expect their privacy will be protected, and a data breach can have serious reputational and financial impact.”

Employees are far more likely to either send emails and faxes to the wrong party (31 percent of breaches) or to simply lose physical records (24 percent), Beazley learned from analyzing its collected data. The firm, which offers data breach incident response services, released its findings at a recent International Association of Privacy Professionals’ (IAPP) event.

Common culprits, unwittingly

In a recent worldwide survey conducted by PwC with CIO and CSO magazines, respondents reported that cyber incidents caused by employees increased 10 percent. Insiders often unwittingly compromise data by losing mobile devices or opening phishing emails. Respondents also said incidents connected to current and former service providers, consultants and contractors increased 15 percent and 17 percent, respectively.

In PwC’s 2014 US State of Cybercrime Survey, 32 percent of respondents said insider crimes are more costly than cyber incidents from the outside.

“Based on my experience with the [Chelsea] Manning and [Edward] Snowden leaks, and with managing one of the leading insider programs within the intelligence community, I have seen that organizations sometimes overlook the threat from within their own business ecosystem,” said Sean Joyce, PwC principal and former deputy director of the FBI. “The effects can be devastating.”

Seventy-five percent of respondents said they handle insider incidents without involving law enforcement or bringing charges. By doing so, they may leave other organizations vulnerable if those organizations hire the same person in the future.

Keeping tabs

Organizations have both the opportunity and the responsibility to prevent these and other employee-related incidents by treating employee risk as part of the overall risk management process. Best practices suggest that employers make every effort to keep their employees engaged, well-compensated and acknowledged. These efforts can include offering a healthy work-life balance, good benefits and open, respectful workplaces – and the ability to head off problems before they escalate.

A 2013 KPMG study revealed most businesses are more concerned with finding talented workers and training them, rather than keeping them satisfied and engaged at work. This can lead to a shortage of qualified workers, or more dissatisfaction with the company itself.

“After all, you would never hear a CEO say they were unconcerned by how consumers perceive their business’s brand,” said Laura Croucher of KPMG Canada in the study. “Yet, at the end of the day, it is your people who are delivering your brand into your market, day in and day out. They’re the ones who shape consumer perception. As the world globalizes, as virtual workforces become more common and as we move deeper into a knowledge economy, organizations will come under increasing pressure to connect their people.”

A new performance management report from Aon Hewitt acknowledges the difficulty companies face in balancing business objectives against employee engagement.

“If you want a culture that pays for performance, stronger differentiation in [employee] ratings and the consequences of those ratings are required,” noted Aon. “If downsizing is necessary this year, forced ranking and fewer ratings may be the way to go. Different business strategies and talent philosophies will lead you to different performance management designs. Either way, make the decision and stick with it. Don’t let the loudest complaints (often coming from lower- and middle-performing employees) dictate your process. In all decisions, always keep your objectives in mind.”

Since most companies have among their objectives “profit” and “trustworthy employees,” there are a few strategies available. And while much research on talent management focuses on retaining talented workers, there is unfortunately a need at all organizations to prevent or detect outright employee fraud.

In terms of avoiding employee trouble on computer networks, the FBI has suggestions, including:

- Conduct a regular review of employee access and terminate any account that individuals do not need to perform their daily job responsibilities.
- Terminate all accounts associated with an employee or contractor immediately upon dismissal.
- Change administrative passwords to servers and networks following the release of IT personnel.
- Avoid using shared usernames and passwords for remote desktop protocol.
- Do not use the same login and password for multiple platforms, servers or networks.
- Ensure third-party service companies providing e-mail or customer support know that an employee has been terminated.
- Restrict access from corporate computers to cloud storage websites.
- Do not allow employees to download unauthorized remote login applications on corporate computers.
- Maintain daily backups of all computer networks and servers.
- Require employees to change passwords regularly.
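The first, second and sixth items above are one recurring control: reconcile who the organization currently employs against every account that still works, and close the gaps. The following script is an added example written for this page, not code from Advisen or the FBI. It cross-checks a constructed HR roster against a constructed account inventory (directory, VPN, a remote-desktop gateway, a CRM and a third-party helpdesk portal; all names and dates are made up) and flags enabled accounts whose owner has been terminated, logins nobody owns, logins shared by several people, and access that has gone unused beyond a threshold.

```python
"""Access-review reconciliation: an added example, not from the article or the FBI.

Cross-checks an HR roster against an account inventory and flags the conditions
the FBI guidance tells employers to close: accounts still enabled after
termination (including at third-party services), accounts nobody owns, shared
logins, and access that has gone unused. All people, systems and dates below
are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Person:
    employee_id: str
    email: str
    status: str                      # "active" or "terminated"
    terminated_on: Optional[date] = None


@dataclass(frozen=True)
class Account:
    system: str                      # e.g. "ad", "vpn", "vendor-helpdesk"
    username: str
    owners: Tuple[str, ...]          # HR e-mails that use this login; () if nobody claims it
    enabled: bool
    last_login: Optional[date]
    admin: bool = False


@dataclass(frozen=True)
class Finding:
    system: str
    username: str
    issue: str
    action: str


# Report order: cut off leavers first, then unowned/shared logins, then idle access.
SEVERITY = {"terminated-still-enabled": 0, "orphan": 1, "shared": 1, "unused": 2}


def review_access(people: List[Person], accounts: List[Account], today: date,
                  stale_after: int = 90) -> List[Finding]:
    """Return findings sorted by severity. Already-disabled accounts are skipped."""
    roster = {p.email: p for p in people}
    findings = []
    for a in accounts:
        if not a.enabled:
            continue
        known = [roster[e] for e in a.owners if e in roster]
        if not known:                                 # nobody in HR claims this login
            findings.append(Finding(a.system, a.username, "orphan",
                                    "no HR owner on record; disable or assign one named owner"))
            continue
        if len(a.owners) > 1:                         # one login used by several people
            findings.append(Finding(a.system, a.username, "shared",
                                    f"{len(a.owners)} people share this login; issue individual accounts"))
            continue
        owner = known[0]
        if owner.status == "terminated":              # dismissal did not reach this system
            since = (f"{(today - owner.terminated_on).days} day(s) ago"
                     if owner.terminated_on else "on an unrecorded date")
            action = f"owner left {since}; disable immediately"
            if a.admin:                               # leaver held privileged access
                action += " and rotate the administrative credentials this account could reach"
            findings.append(Finding(a.system, a.username, "terminated-still-enabled", action))
            continue
        if a.last_login is None or (today - a.last_login).days > stale_after:
            findings.append(Finding(a.system, a.username, "unused",
                                    f"no login in the last {stale_after} days; confirm it is still needed or disable"))
    return sorted(findings, key=lambda f: SEVERITY[f.issue])


# Constructed sample data (hypothetical people and systems).
TODAY = date(2014, 10, 3)
PEOPLE = [
    Person("E100", "alice@example.com", "active"),
    Person("E101", "bob@example.com", "terminated", date(2014, 9, 26)),
    Person("E102", "carol@example.com", "active"),
]
ACCOUNTS = [
    Account("ad", "alice", ("alice@example.com",), True, date(2014, 10, 2)),
    Account("ad", "bob", ("bob@example.com",), True, date(2014, 9, 25), admin=True),   # leaver, still admin
    Account("vpn", "bob", ("bob@example.com",), False, date(2014, 9, 20)),              # correctly disabled
    Account("vendor-helpdesk", "bob.e", ("bob@example.com",), True, date(2014, 9, 24)),  # vendor never told
    Account("rdp-gateway", "rdpshared", ("alice@example.com", "carol@example.com"), True, date(2014, 10, 1)),
    Account("crm", "svc_export", (), True, None),                                       # unowned, never used
    Account("ad", "carol", ("carol@example.com",), True, date(2014, 5, 1)),             # idle > 90 days
]


def main() -> None:
    for f in review_access(PEOPLE, ACCOUNTS, TODAY):
        print(f"[{f.issue}] {f.system}/{f.username}: {f.action}")


if __name__ == "__main__":
    main()
```

Run as a script it prints five findings, leavers first: the directory and vendor-portal accounts of the terminated employee, the shared remote-desktop login, the unowned CRM service account, and the directory account that has not been used since May. In practice the two inputs would be exported from the HR system and from each platform’s user listing, and the review would run on a schedule rather than once.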

The stakes aren’t low for any business. Occupational fraud and abuse cost organizations an estimated 5 percent of revenue annually, according to a recently released report from the Association of Certified Fraud Examiners (ACFE). The industries most frequently affected include banking and financial services; government and public administration; and manufacturing. Losses to fraud are highest for the mining, real estate, and oil and gas industries. Efforts to quell fraud do help, the ACFE survey showed.

“The presence of anti-fraud controls is associated with reduced fraud losses and shorter fraud duration,” the organization noted. “Fraud schemes that occurred at victim organizations that had implemented any of several common anti-fraud controls were significantly less costly and were detected much more quickly than frauds at organizations lacking these controls.”

The ACFE added, “Unfortunately, however, many organizations still suffer from an ‘it can’t happen here’ mindset.”

This is the end

The time may come when an employee must be terminated. Even if there has been cause for the termination, businesses need to ensure they’ve “dotted all the Is and crossed the Ts,” according to Rick Rossignol of RTR Consulting, a human resources consultant with 20 years of experience. Documentation, professionalism and assistance are the keys.

“Any time you’re terminating an employee, you have risk, especially if the employee is disgruntled,” he told Advisen. “You can’t stop them from badmouthing you on Facebook or different social media platforms. But you can make sure they don’t do any damage internally to the business. You’re walking through a list of risks you have before you terminate them. There’s a lot of planning that goes into it.”

He added, “If you’re treating people with good faith and fair dealing, you don’t have as much of a problem. If they feel like they’re not being treated fairly and they shouldn’t have gotten fired, that could be a problem.”

“Care and compassion” can ease the transition for a fired or laid-off worker, Rossignol noted. Many of the issues that arise when an employee leaves on bad terms can be avoided, with planning.

“Tell them, ‘You’re not a bad person. The company’s going in one direction and your goals are going in a different direction,’” he suggested. “Once they find a company that works for them, they’re going to be a big success. It’s not working for them, either, and they typically know that.”


Erin is an editor at Advisen. She has 15 years of journalism experience. Prior to Advisen, Erin covered property-casualty insurance for 13 years as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at eayers@advisen.com.