Saturday, November 16, 2013

Insider Threat: Corporate Integrity Culture...

In August 2011, this Operational Risk Management (ORM) blog posted the following. In light of the increasing impact of "Insider Incidents" in 2013, this is worth revisiting:

Does your organization have a culture of "Corporate Integrity?" The depth and breadth of Operational Risks are apparent in the 2011 CyberSecurity Watch Survey by CSO Magazine, USSS, CERT and Deloitte.

46% of the respondents said damage caused by "Insider Attacks" is more damaging than "Outsider Attacks". The most common insider e-crime at 63% is unauthorized access to / use of corporate information. Here are the others:
  • 57% - Unintentional exposure of private or sensitive data
  • 37% - Virus, worms or other malicious code
  • 32% - Theft of intellectual property
When asked which electronic crimes were most costly or damaging, the results were:
  • 38% - Outsiders
  • 33% - Insiders
  • 29% - Unknown
Regarding the "Insiders," among the reasons given for not referring cases for legal action, the one that stands out in our mind is this one:
40% could not identify the individual(s) responsible for committing the eCrime. And maybe even more astonishing is that 39% did not have enough information, or lacked the evidence, to proceed with either civil or criminal litigation.
So what is really going on with the facts presented so far? Even though the respondents say that "Insiders" are the most damaging, they have done little to collect enough evidence to identify the parties responsible for the incident. This may be for several reasons, including the lack of internal expertise to preserve evidence and conduct timely investigations.

We have addressed the "Insiders" that make up one third of the digital incidents, but what about the "Unknowns," who add an additional 29%? The combination of the two makes up 62% of all the incidents in the study. This is where Operational Risk professionals can have a significant impact within the enterprise.
The unauthorized access to information, and the use of that information, is at the center of this issue. By the time an organization realizes that this "information" has impacted it, the funds have already been stolen, the trades have been placed, or the press has published a trade or national security secret. To narrow this down further, you might say the Fraudsters and the WikiLeakers are bringing the institution into a torrential storm of criminal activities.
Regardless of the high tech tools utilized or the systems and controls within the organization, there are always methods and processes that, if properly implemented, will reduce the number of "Unknowns" and "Insiders." In your particular case, it just may come down to developing more effective situational awareness with your employees. This particular educational and awareness building process may indeed also uncover the individuals within your company who may already be down a path of fraud, embezzlement, insider trading or corporate espionage.

Suppose you create a mandatory program for all employees that is focused on corporate integrity, and each year the CEO kicks off the first session with their own attendance and that of their direct reports, including the Board of Directors. Next, all senior staff attend the program, and webcasts with several 5-minute clips from parts of the one-day session are posted on the corporate Intranet. Finally, the roll-out to the remainder of the employees is tied to the annual 360-degree review that each manager does with their subordinates in the company. This top-down process for injecting situational awareness of Operational Risks, Insider e-crimes and Corporate Integrity is sure to flush out those who are the current suspects and others who will flee the company.

No one that we know of can explain the basis for this process better than Martin T. Biegelman:
"Obviously, a poor working environment provides a motive and rationalization to commit fraud. Here's a quick health check: does management appear not to care about their employees? Does it have unreasonable expectations or financial targets? Is the organization autocratic or participative? Is there a lack of training or promotion opportunities? Does management say one thing but do another? Are senior executives treated differently than rank and file employees when it comes to discipline?"
Employees must understand the ethical behavior expected of them. New employee orientation should detail the organization's mission, values and code of conduct, types of fraud, compliance, their responsibility to report violations of ethical behavior and impropriety, and details of the hotline or other ways to report fraud and other integrity concerns. Periodic training throughout an employee's career reinforces fraud awareness and the cost of fraud to an entity.
So what? What does this have to do with Operational Risk and those who are experts at deception? Believe us when we say, they may be standing right in front of you. Anton R. Valukas has also provided more context on the mindset of insiders, and what may be the most relevant lesson for early detection of "Insider Threat": "Information in plain sight. Information in plain sight for what reason?" What is missing? Anton Valukas and his team uncovered the context of why and how Lehman brought the United States to its breaking point:

On January 29, 2008, Lehman Brothers Holdings Inc. ("LBHI") reported record revenues of nearly $60 billion and record earnings in excess of $4 billion for its fiscal year ending November 30, 2007. During January 2008, Lehman's stock traded as high as $65.73 per share and averaged in the high to mid-fifties, implying a market capitalization of over $30 billion. Less than eight months later, on September 12, 2008, Lehman's stock closed under $4, a decline of nearly 95% from its January 2008 value. On September 15, 2008, LBHI sought Chapter 11 protection, in the largest bankruptcy proceeding ever filed.
There are many reasons Lehman failed, and the responsibility is shared. Lehman was more the consequence than the cause of a deteriorating economic climate. Lehman's financial plight, and the consequences to Lehman's creditors and shareholders, was exacerbated by Lehman executives, whose conduct ranged from serious but non-culpable errors of business judgment to actionable balance sheet manipulation; by the investment bank business model, which rewarded excessive risk taking and leverage; and by Government agencies, who by their own admission might better have anticipated or mitigated the outcome.
If your organization does not currently have a program such as the one we have described above, then maybe it's time to start one. If you already have one in place, how effective is it in detecting the "Insider Threat" and the spectrum of Operational Risks within your organization?