1440 Insider Threat Cases Reported as Fraud Figures Rocket

Over £1 billion was lost by businesses to online crime in the last year.

According to new figures released by Get Safe Online and Action Fraud, there was a 22% increase in reports to Action Fraud from March 2015 – March 2016, and on average each police force in the UK recorded £19,623,323 in losses.

The City of London Police’s Commander Chris Greany, the Police National Coordinator for Economic Crime, said: “Businesses are a major target for fraudsters and these figures illustrate the significant rise in Action Fraud reports. The true figure will be much higher and businesses need to take steps as many of these crimes could be prevented.”

Also on the rise was corporate employee fraud, or insider threat cases, with 1440 cases recorded between 2015 and 2016.

Justine Cross, regional director at Watchful Software, told Infosecurity that the insider threat cases were almost certainly the tip of the iceberg, as many insider crimes go completely undetected.

“A worrying number of organizations have very little visibility of where vital data is kept on their systems, or who is able to access it,” she said. “Any data which is susceptible to being exploited by insiders, such as financial information or intellectual property, must be accessible only to a few essential personnel. The more staff that are able to access information, the greater the risk of fraud being committed – and the harder it is to track down the perpetrator.”

Matthew Ravden, CMO at Balabit, said: “The insider threat is one of the greatest fears for most businesses, especially those with large numbers of system administrators who can gain legitimate access to corporate systems. UK businesses have already spent billions on firewalls and other perimeter technologies to try and keep hackers at bay, but none of these systems can do anything about an employee who goes rogue or has their credentials stolen. 

“To be able to prevent an insider attack, we have to change the way we think about authentication. Most of the systems that are currently used to manage 'privileged users' involve one-off authentication methods and once the user is through, he or she can do anything. Instead, we need to build profiles of users and monitor their behavior in real time. This is the only way we can spot something unusual and act fast enough to stop a breach.”

Tony Neate, CEO of Get Safe Online, said that the figures show the enormous, and quite frankly daunting, impact online crime can have on a business, its reputation, its employees and even its continued operation. He called for businesses to review their own skills and knowledge, determine if they need outside help, and then create measures to prevent, detect and respond to potential security threats. “It’s all about education, and staff must be aware of this plan and trained where necessary,” he said.

Sean Arrowsmith, sales director at IRM, said: “Until there is a legislative shift that mandates breach notification or disclosure, we will never see the reality as firms currently won’t admit to breaches occurring. In the US the figure went up dramatically due to breach notification requirements, after the original change to state law in California around mandatory breach notification and the steady uptake of that by the rest of the US states. This demonstrates that firms were clearly sweeping things under the carpet.”

Nick Pollard, UK general manager at Guidance Software, suspected that the real amount of losses may be higher, and that this number is likely to go up in future given that, with the impending GDPR, we’ll have a more stringent regulatory framework in place for breach reporting.

He told Infosecurity: “Businesses can do more to tackle threats – including those from within the organization: firstly, they need to create a culture where employees feel they can report suspicious cyber activity without fear. They should also have the tools in place to provide the evidential basis for any such reports. This means identifying the signs of fraudulent activity through tools which can spot anomalies in typical behavior, such as malicious processes running or compromised accounts.

“Education and training are critical; however, a ‘one-size-fits-all’ approach won’t work. Organizations should tailor training so that it’s relevant to their business and so that they get buy-in from employees. Finally, organizations need to ‘walk the walk’ when it comes to enforcing policy. It’s no good setting security policies to protect data if these aren’t upheld, if necessary, by penalizing behavior that flouts the rules.”
