Take a Look at Yourself: Addressing Internal Threats and Occupational Fraud
Keeping your company’s data safe from prying eyes is vital. You must have a clear understanding of where data is located, who can access the data, the regulations that apply to the data’s security, and how the data can be recovered in the event of an attack.
When discussing cybersecurity threats, however, it is important to realize that threats are not always external to the organization. They can also come from within: employees, vendors, partners, and even executive management. So, while your information security team works hard to secure the entry points to your network, it is equally responsible for protecting your network and applications from the inside.
These days, it’s not enough to know who has access to your systems. You also need to know what they are doing with that access.
Bear in mind that an internal threat does not necessarily mean a person with malicious intent to defraud the company. For example, an employee with the authority to make payments without oversight and who creates a costly error by inadvertently allocating money to the wrong account can also be considered an internal threat.
This blog outlines some of the risks and solutions employed by organizations to combat internal threats and occupational fraud.
Some fast facts on occupational fraud
The Association of Certified Fraud Examiners produces an annual report on occupational fraud. In their Occupational Fraud 2022: Report to the Nations, the ACFE researched more than 2,000 cases of fraud taken from 133 countries and 23 industries, representing a combined total loss of $3.6B.
Here are a handful of facts taken from that report:
- The fraud examiners estimate that, on average, organizations lose 5% of revenue to fraud each year. Given that the IMF estimate of gross world product for 2022 topped $100T, that percentage represents a global loss of more than $5T to fraud in 2022 alone.
- The average loss per case is more than $1.7M.
- A typical fraud case costs an organization $8,300 per month and lasts 12 months on average before the fraud is detected.
- Nearly half of the fraud cases analyzed occurred due to either a lack of internal controls or an override of existing controls.
- The presence of anti-fraud controls resulted in lower fraud losses and quicker fraud detection.
Establishing access controls with user roles
A major component of managing risk inside an organization starts with properly establishing the roles assigned to each user in your business software applications.
- Define user roles – Modern business applications allow administrators to define user roles. These roles assign privileges that identify the software applications within the organization that a user can access and the actions a user with that role can perform. Giving users too much access to sensitive company information can lead to errors, fraud, and intellectual property theft.
- APIs (application programming interfaces) can have privileges assigned to them, too – Integrations between business applications are essential. For instance, an API between your financial and CRM applications allows your sales team to see a customer’s sales and payment history from the CRM side. The downside is that giving the programming interface from one business application the ability to make modifications on another application can lead to misuse, fraud, and malicious attacks if not properly managed. It is essential to impose restrictions on these interfaces to limit their actions on the target application.
- User roles must be defined and properly assigned for each application – Administrators should be aware of the risk to the organization posed by the same user having access to multiple applications. For example, a user who can modify the vendors in your CRM application and make payments to those vendors in your financial application poses a tremendous fraud risk to the organization.
Maintaining security with Least Privilege Access, Zero Trust, and more
Below are several recommended practices that companies use to help them minimize the risk posed by internal threats.
- Least Privilege Access – To limit the damage any one account can do, Least Privilege Access (LPA) assigns each user role only the minimum privileges required to perform its job functions and no more. LPA applies to everyone and everything granted access to a system: employees, suppliers, vendors, customers, partners, and even APIs and cloud services.
- Zero Trust model – Zero Trust is a network security model built on the assumption that every attempt to access a network or application represents a potential threat. Therefore, all access requests are authenticated and continuously validated, whether they originate from inside or outside the organization.
- Segregation (or Separation) of Duties (SoD) – Any time a single person can complete both sides of a transaction (for example, the ability to create a vendor and then authorize payments to that vendor), there is a potential for fraud. Segregation of Duties requires that these types of processes are divided between two people or more. While SoD does not eliminate the possibility of two people working in collusion, it reduces the possibility that one person can commit unchecked fraud in isolation. Companies can impose additional controls to counter fraud, such as managerial approval for all transactions over a specified amount.
- Temporary Elevated (or Emergency) Access Provisioning – There are times when a person needs to temporarily upgrade their roles or privileges to a higher level of access than their job would typically need. For example, if the person normally handling a responsibility is sick or on vacation, a junior person might assume that role in their absence. The easy fix is to make the junior person a super user on the system until the senior person returns. The problem is that unless you remember to revoke those privileges when the senior person returns, the junior person now has the “keys to the kingdom” forever. Every temporary grant of elevated privileges should carry an expiration date so that the privileges are automatically removed, or at least re-evaluated, after a specified period.
- Periodic Access Reviews – The management team should periodically review the access privileges of users on all the company’s networks and business applications to ensure Least Privilege Access is maintained. For example, it is perfectly justified for an employee in the Finance department to be able to create payments. However, if that person later moves into sales or operations, they will still be able to make payments in the system unless that privilege is revoked.
- Single Sign-On (SSO) – SSO allows users to log into the system once and access multiple sites and applications without having to re-authenticate every time. With SSO, users only have to remember one set of credentials, and administrators have greater control over user access to company applications. The downside is that setting up SSO can be complex, and because one compromised SSO credential opens every connected application, it poses a security risk if not properly monitored.
- Monitor for unusual activity – Administrators should monitor for questionable or unusual activity. For example, it might look suspicious if someone from accounting logs in on a Saturday night and starts authorizing payments to a single vendor or if an employee logs in from a different state than where they live and deletes files. While these may be legitimate actions, they can also be cause for concern. Conditional access policies can help prevent suspicious or fraudulent activity by imposing restrictions on how users can access the system based on time of day, geographic location, IP address, and more.
- Continuous training on fraud and cybersecurity threats – Security threats are everywhere, and they are real. The best way to keep your company safe is to train your users, including employees, contractors, and vendors, on how to secure company networks, applications, and data. At the end of the day, investing in user education provides the best ROI when it comes to avoiding unnecessary risk.
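As an added example (not ArcherPoint’s code or part of the original post), the following Python checks two of the controls above against a constructed entitlement export and a constructed list of elevated-access grants: it flags Segregation of Duties conflicts such as a single user who can modify vendors in the CRM and create payments in the finance application, and it supports a periodic access review by flagging temporary grants that have no expiry, have expired but remain active, or exceed a policy limit. All user names, application names, permission strings and the 14-day limit are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
# Constructed sample entitlement export: user -> application -> permissions held.
ENTITLEMENTS = {
    "alice": {"crm": {"vendor.modify"}, "finance": {"payment.create"}},
    "bob": {"crm": {"vendor.modify"}},
    "carol": {"finance": {"payment.create", "payment.approve"}},
}
# SoD rules: (application, permission) pairs no single person may hold together.
SOD_RULES = [
    ({("crm", "vendor.modify"), ("finance", "payment.create")}, "modify vendor and pay vendor"),
    ({("finance", "payment.create"), ("finance", "payment.approve")}, "create and approve payment"),
]

# Return (user, rule label) for each toxic combination one user holds across applications.
def sod_violations(entitlements, rules):
    findings = []
    for user, apps in entitlements.items():
        held = {(app, perm) for app, perms in apps.items() for perm in perms}
        for combo, label in rules:
            if combo <= held:  # the user holds every permission in the toxic set
                findings.append((user, label))
    return findings

@dataclass
class ElevatedGrant:
    user: str
    role: str
    granted: datetime
    expires: Optional[datetime]  # None = no expiry set, the "keys to the kingdom" case

# Flag grants that are open-ended, past expiry but still active, or longer than policy allows.
def review_elevated_grants(grants, now, max_days=14):
    flagged = []
    for g in grants:
        if g.expires is None:
            flagged.append((g.user, g.role, "no expiry set"))
        elif g.expires <= now:
            flagged.append((g.user, g.role, "expired but still active"))
        elif g.expires - g.granted > timedelta(days=max_days):
            flagged.append((g.user, g.role, f"exceeds {max_days}-day policy"))
    return flagged
# Constructed sample grants for the junior-covers-for-senior scenario in the text.
NOW = datetime(2023, 10, 16, 9, 0, tzinfo=timezone.utc)
GRANTS = [
    ElevatedGrant("bob", "finance.superuser", NOW - timedelta(days=20), None),
    ElevatedGrant("dave", "finance.approver", NOW - timedelta(days=10), NOW - timedelta(days=3)),
    ElevatedGrant("erin", "finance.approver", NOW - timedelta(days=1), NOW + timedelta(days=6)),
]
```

Running `sod_violations(ENTITLEMENTS, SOD_RULES)` and `review_elevated_grants(GRANTS, NOW)` over the sample data reports alice and carol as SoD conflicts and bob and dave as grants needing revocation, while erin’s time-boxed grant passes.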
Security is an ongoing process
Securing your company from external and internal threats can seem overwhelming. But you don’t have to go it alone.
ArcherPoint’s IT Managed Services helps companies take advantage of Azure’s secure cloud environment for application and data security, risk mitigation, disaster recovery services, and more. Our network security specialists provide custom assessments, awareness training, and Azure setup and management.
October is Cybersecurity Awareness Month. Check out more security blogs from ArcherPoint:
- Password Security and Protection Has Never Been More Important
- Remaining Vigilant: External threat detection with OSINT
- Understanding the Potential Risks of Google’s New Domains
- Phishing, Quishing, Vishing, and Smishing
- How to Respond to a Ransomware Attack – A Framework for Companies
- How to Address Common Security Vulnerabilities with a Zero Trust Model
- Considering Cyber Insurance? You Need a Solid Security Strategy
- Endpoint Security Management: How It Benefits Microsoft Dynamics 365 Business Central Users