Insider threats, the risks and dangers caused by malicious or careless acts performed by your own employees, contractors, and trusted vendors, are perhaps the most difficult cyber attacks to detect and defend against. What happens when a member of your own IT department turns to the dark side?
Between 2015 and 2019, IT executive Hicham Kabbaj scammed his employer out of $6 million for servers, other products, and installation services supposedly supplied by a fictitious technology services company, “Interactive Systems”. In reality, Interactive Systems was set up by Kabbaj himself. He placed orders, verified delivery, and approved invoices for payment to Interactive Systems, and once the invoices were paid, moved the money to his own account.
An investigation revealed that several of these invoices, which were Word documents, contained metadata proving that they were created on a computer belonging to Kabbaj. He had managed to circumvent the internal company process that required approval before a new vendor could be set up.
Kabbaj pled guilty to felony theft and is awaiting sentencing.
Defending against this type of insider threat, which in this case is a form of embezzlement, requires security controls such as:
- Separation of Duties – This practice separates the different roles in the purchasing process, and should have meant that Kabbaj could not approve payment of invoices for equipment he had ordered himself.
- Mandatory Vacation – Requiring everyone to take earned vacation of at least a week allows time for fraudulent practices to be uncovered when duties are handed over to a replacement.
- Job Rotation – This is another means of preventing a single individual from setting up a fraudulent scheme. Job responsibilities are rotated between employees, which should uncover a scam like this one.
- Dual Control – This practice requires at least two people to approve an invoice or confirm a delivery. Dual control is especially important in the accounts payable process, and prevents any single individual from processing a payment.
- Financial Audit – A regular financial audit by an outside auditor is another way to detect fraudulent activity by an employee.
This type of exploit is more difficult to uncover because most employers tend to trust the people working for them, and smaller organizations often lack the number of employees required to adopt the security controls listed above. This makes smaller companies more at risk for these sorts of exploits. In this situation, a regular outside audit by an accounting firm may be the only way these types of crimes are eventually detected.
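The two threads of this case, invoice metadata pointing back at the approver's machine and a purchasing workflow with no separation of duties, can be combined into a simple audit check. The Python below is an added example, not code from the original post or the investigation: it reads the author fields from a .docx package's docProps/core.xml and flags any invoice whose metadata names the same account that ordered or approved it. The usernames, invoice ids and the minimal .docx packages are constructed for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used in docProps/core.xml inside an OOXML (.docx) package
NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/"}

def docx_authorship(docx_bytes):
    """Return (creator, lastModifiedBy) from the package's core properties."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        if "docProps/core.xml" not in pkg.namelist():
            return ("", "")
        root = ET.fromstring(pkg.read("docProps/core.xml"))
    return (root.findtext("dc:creator", default="", namespaces=NS),
            root.findtext("cp:lastModifiedBy", default="", namespaces=NS))

def flag_sod_violations(invoices, workflow):
    """Flag invoices whose metadata names the account that ordered or approved them.
    invoices: {invoice_id: .docx bytes}; workflow: {invoice_id: {role: username}}."""
    findings = []
    for inv_id, blob in invoices.items():
        insiders = {user.lower() for user in workflow.get(inv_id, {}).values()}
        for field, name in zip(("creator", "lastModifiedBy"), docx_authorship(blob)):
            if name and name.lower() in insiders:
                findings.append((inv_id, field, name))
    return findings

def make_invoice_docx(creator, modified_by):
    """Build a minimal .docx-style zip holding only core.xml (constructed test input)."""
    core = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
            f'<dc:creator>{creator}</dc:creator>'
            f'<cp:lastModifiedBy>{modified_by}</cp:lastModifiedBy></cp:coreProperties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("docProps/core.xml", core)
    return buf.getvalue()

# Constructed sample (hypothetical usernames): INV-1001 was authored on the account
# that both ordered and approved it; INV-1002 came from an unrelated account.
SAMPLE_INVOICES = {"INV-1001": make_invoice_docx("it.exec", "it.exec"),
                   "INV-1002": make_invoice_docx("vendor.clerk", "vendor.clerk")}
SAMPLE_WORKFLOW = {"INV-1001": {"ordered_by": "it.exec", "approved_by": "it.exec"},
                   "INV-1002": {"ordered_by": "it.exec", "approved_by": "ap.manager"}}
```

Run `flag_sod_violations(SAMPLE_INVOICES, SAMPLE_WORKFLOW)` against invoices pulled from the accounts payable system; an empty author field is not a finding, since many vendors strip metadata, but a match between author and approver is exactly the signal the investigation relied on.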
- Sophos Naked Security – IT Exec Scams Employer
- New Twists on the Insider Threat
- Dealing With The Insider Threat
- The Insider Threat – Part 2
- The Insider Threat – Part 1
- Employees A Cyber-Threat? FBI Says Yes