The Threat of the Malicious Insider: What Is the CFO's Responsibility?
Created by Bob Hayes, Managing Editor; Kathleen Kotwica, Ph.D., EVP and Chief Knowledge Strategist; and Richard Lefler, Emeritus Faculty, Security Executive Council
As these examples indicate, malicious insiders may use a variety of methods to cause damage - network or manual sabotage, espionage, fraud, embezzlement, misuse of information or theft of intellectual property carried out by electronic means or on paper. (And with the passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act, we can't neglect the potential for employees to seek or plant evidence of wrongdoing in order to profit from the 10 to 30 percent of monetary sanctions granted to whistleblowers under the law.)
They may act alone or with the support of an outside party such as an organized cyber crime group or a state-sponsored entity. The malicious insider can come from any function in the organization, and from any level, from third-party contractor to staff to executive. They may want to hurt the company for revenge, or as a strategy for advancement, or they may simply be looking for a way to skim off some cash.
Are these concerns unfounded or blown out of proportion? Many senior executives believe insider threat is a low-frequency event; however, malicious insider data leaks were up by over 50% in the first six months of 2009, according to KPMG's 2009 Data Loss Barometer research. And the cost of significant insider events is undeniably high. The 2010 Cybersecurity (e-crime) Watch Survey (conducted by CSO, the U.S. Secret Service, CERT and Deloitte's Center for Security & Privacy Solutions) and Ponemon Institute's Cost of Cyber Crime Study 2010 find that insider incidents are often more costly than external breaches. The Association of Certified Fraud Examiners' 2010 Report to the Nations estimates that the typical organization loses 5% of its annual revenue to fraud. When applied to the estimated 2009 Gross World Product, that figure translates to a total of more than $2.9 trillion. And those statistics only account for two types of malicious insider activity.
Recent research by the Security Executive Council shows that while security leadership ranks insider threat as a high-level concern, they don't feel senior management always agrees. Clearly organizational risk is a C-level issue (Warren Buffett was even quoted in Fortune in 2008 as saying "The CEO has to be the chief risk officer"), but the insider as a perpetrator may not specifically show up on the radar. We argue that all senior management should be aware of and watching for this issue, and that the financial executive should be particularly on guard.
First, the CFO is in a good position to clearly define the organization's valuable assets, which is the first step to adequate protection against any threat. Second, functions that are critical in early detection and prevention of insider attacks, including accounts payable, information, the comptroller, accounts receivable and purchasing and supply chain, often report to the CFO. This gives the financial executive a unique perch to oversee these functions with an eye for the insider threat. If the CFO is attuned to this issue and watching those areas, he or she will greatly increase the odds that the company will discover malicious insider activity before it's too late.
The organization that employs enterprise risk management will enjoy a higher level of protection, particularly if the financial executive is a major team player in consideration of the insider threat. In a truly unified organization there should be many groups involved in risk oversight, including Business Conduct & Ethics, Compliance, Legal, Privacy, Audit, and Corporate Security. Each of them likely owns or monitors some function that can provide detection or prevention of malicious insider activity.
One might wonder whether insider risk truly needs to be managed separately from overall organizational risk. It needn't be managed separately, but it must be recognized as a unique risk category. Many financial executives have been involved in the ERM process and are very active in identifying risk to the organization, but little time is spent thinking about who the perpetrator is. Mitigating the insider risk involves a specific set of strategies because of the nature of the perpetrator.
There are four types of mitigation strategies that may be employed to minimize insider risk:
Through unified oversight of risk and an internal focus on detecting insider threats, the financial executive can help the organization avoid significant brand and bottom-line damage.
For more information on this topic see Program Best Practices: Insider Threat.
Copyright Security Executive Council. Last Updated: January 23, 2019