Full visibility: The most effective way to tackle internal fraud
Author: Simon Darr, ObserveIT
Posted: 12 June 2017
As experience has taught chief information security officers (CISOs) and boards in every industry, employee fraud can, and does, occur on every level within an organisation. Whatever the motives, fraud can be perpetrated by anyone who has access to sensitive IT systems or data, from entry-level workers to senior managers, and everyone in between.
Of course, as an individual’s access level increases, so does the level of risk that the individual potentially poses to the organisation. While it might sound trivial, this truth should inform the prioritisation of security budgets around those employees who pose the most danger. Unfortunately, in many organisations, security measures tend instead to be deployed along the path of least resistance: where it is cheapest and easiest, and where there is the least internal resistance. For example, third-party vendors are almost always the first to be monitored, even though there may be many more internal privileged users, business users and managers with extensive access rights.
Fraudsters are always thinking one step ahead of our best efforts – we put up a wall, they look for a window. We board up the windows, they find a basement entrance. As perimeter IT security has improved, the most common avenue of fraud into an organisation has become the targeting of innocent (and often naive) employees, duping them into clicking a link, opening an attachment or submitting a form that grants the fraudster the ability to steal or deface systems and data. No one knows what will be next; this is a never-ending battle. Only full and continuous visibility into everything that users are doing with their privileged access will allow organisations to withstand the never-ending evolution of fraud.
Employee fraud is often difficult to detect and can take a long time to catch. In fact, many fraudulent activities go on for months, or even years, before they are first noticed. By focusing on obtaining comprehensive visibility into employee activity, an organisation can dramatically reduce time-to-detection. This reduces risk, as well as the damage caused by long-continuing fraud. Additionally, when employees are aware that their activities are being monitored, it is proven that they are far less likely to engage in fraud.
The point I’m making here is clear: the most effective way to reduce fraud is to focus on achieving full and continuous visibility into the computer-based activities of employees. This involves three pillars:
- Prevention: There are three facets to proactively preventing insider fraud: education (employees must be regularly trained in acceptable and unacceptable/risky computer behaviours and general online security awareness), deterrence (achieved when employees know that their computer activities are monitored) and real-time blocking (using technology that can detect and halt dangerous, illegal or out-of-policy actions on the spot).
- Detection: The deployment of technological measures allows the organisation to effectively monitor and understand employee activities so that fraudulent actions can be detected quickly and effectively, without generating too many false alarms.
- Investigation: Once a suspicious activity has been detected, it is critical that the organisation has the ability to rapidly determine exactly what happened. In addition to system-level logs and the like, this level of investigative capability requires detailed, human-readable user-activity logs, historical user behaviour analysis and screen recordings.
More and more organisations, across every industry, are realising that most insider fraud is preventable, by focusing on achieving full and continuous visibility into the computer activity of employees. This employee-centric fraud-prevention paradigm relies on both policies and technologies, including employee education, deterrence, activity monitoring, proactive activity blocking, analytics-based fraud detection and user-activity-focused investigative capabilities.
To discover how 500 banks and financial services organisations are detecting and preventing internal fraud and Insider Threats daily, visit ObserveIT.
ObserveIT is the leading Insider Threat Monitoring and Analytics Solution with more than 1,500 customers across 87 countries. ObserveIT identifies and eliminates insider threats by having "eyes on the endpoint" and continuously monitoring user behavior and alerting Security and IT teams about activities that put organisations at risk. With full video capture, 200 out-of-the-box insider threat alerts, outstanding search capability and playback of any policy violation, ObserveIT provides comprehensive visibility into what people – contractors, privileged users and high risk users – are doing, and reduces investigation time from days to minutes.
For more information or to request a personal demo, visit ObserveIT.
Simon Darr is VP International Sales and Marketing at ObserveIT.
Simon will be speaking at our Annual Conference 2017.