Insider Fraud confronts its evolutionary problems

International Fraud Awareness Week is gone but hardly forgotten, nor should it be. Fraudsters aren’t sleeping on the advances made to fight their efforts, and here at Bottomline, we’re not sleeping on fraud of any kind. But, as we’ve noted several times across this blog, insider fraud is one of the most dangerous and insidious types of financial crimes. As the week closed, I participated in two webinars (one on EMEA-based issues, one on North America) on Insider Fraud: The Evolving Threat. And it struck me that the title for the webinar is very telling. What makes insider fraud so tough to fight aggressively is its evolution.

An informal LinkedIn poll we conducted during the end of fraud week shows that insider and employee fraud is a long-term problem. When asked how long it takes before employee fraud is detected 38% of respondents said more than a year and 28% said longer than six months. And as I said in the webinar, the best way to look at it is as a triangle. At one point is technology, at the next point is the talent that drives your company and at the third point is the internal stakeholder that is keen to limit this problem and eventually eradicate it. Each point of the triangle is constantly evolving, adding up to the need for a system that keeps us alert so we can react in relatively real-time and stop the problem much before it becomes a catastrophe.

I feel strongly that the data leakage challenge that makes up part of the insider fraud problem can be stopped with the right technology – especially a system that sits between the company’s application layer (where users can do damage) and the outside world. The other two points of the triangle are just as important. They were amplified by the two executives that joined me on the North America webinar, Philip Munguia, Leader of Fraud Monitoring at Equifax, and Divya Baranawal, Research Director, Quadrant Knowledge Solutions.

There were many excellent points made on the webinar. If I had to boil it down to its essentials, I would pick these four key takeaways:

1. Communication: Here’s the internal stakeholder point. It would be logical that employees, whether they’re just being onboarded or have been with you for years, would understand that not sharing sensitive information outside the company is a given, and that any effort to track that by your company is a violation. Not the case. As Philip Munguia said, companies should communicate to employees that when you work here, there's going to be some degree of lack of privacy. Making that clear at the outset, he said, ensures that you’re doing your job in securing sensitive information, and it makes it crystal clear to employees that there should be no expectation of complete privacy while using a company asset.
    
2. Sophistication: Here’s the technology point of the triangle. The evolution of fraud means that the solution you used prior to the pandemic and its subsequent work-from-home arrangements probably won’t work anymore. As Divya Baranawal told the audience, point solutions like data loss prevention tools and privileged access management platforms aren’t enough in stopping insider threats. Organizations are demanding purpose-built solutions aligned with their risk priorities. So, they're looking for sophisticated solutions that will cover beyond corporate networks, securing external infrastructure, employee-owned devices and the public cloud.
    
3. Critical Data: Baranawal alluded to a point that’s probably somewhere between technology and talent: Data. Banks and corporates need to engage a partner that can detect and respond to insider threats across the increasing volume of users and devices with data collected across various channels. AI and ML advancements can predict, detect and prevent insider threats in real time based on that data. And by leveraging data, organizations are better able to mitigate insider threats.
    
4. Accentuate the positive. This was one of my points, and it relates to talent. Insider fraud defense solutions are not 100% centered on punitive or criminal activity. As Munguia said about communication, it’s important to make it clear to employees that with great power comes great responsibility. And that’s why a monitoring system is in place. Right now, the aftermath of COVID and its hybrid work environments are the perfect storm for fraud. But, proper internal monitoring is unlocking the ability for organizations to be more visual and launch more services without fear of abuse. With the right tools you can hire much faster, give more people access to data and add speed and reliability to your business.  

The Bottomline: I heard an interesting analogy recently. Are you familiar with the cameras on dangerous roads that check the speed of drivers? Although it may be annoying, the purpose of it is not to issue more traffic tickets. Its purpose is actually to keep the road safe by acting as a deterrent because drivers know they are being monitored. Look at insider fraud defenses that same way.

Subscribe

For further insight into the payments and banking industries, subscribe now and stay up-to-date on the latest tips, trends, and topics. You can also check out The Payments Podcast, where experts engage each other on the real-world factors impacting your industry.