Crimes divide into two groups: those committed by people with an individual relationships with an organization, and those with an organizational relationship. Those insiders from organizational relationships committed more insider fraud and were after financial gain. Sabotage was most often perpetrated by insiders who had individual relationships with an organization.
Insiders with organizational relationships are typically in non-technical positions and have authorized access to those databases that they use to do their work. For these perpetrators, the crime is usually done at the business location -- most commonly fraud. Typically, there is more money associated with these relationships and so there is a greater motivation for fraud.
Insiders with individual relationships generally hold positions that are technical in nature, system administrators and the like. Their insider crimes utilize unauthorized access to the organization's systems.
The typical consultant or contractor individual insider gets mad, they were released from their relationship with the institution, they were fired, or maybe their contract expired, and this upsets them. The individual insider uses their technical knowledge to cause damage to the systems, either by planting a logic bomb or installing back doors before they were forced to leave, so they can come back afterward to perpetrate damage.
The individual insider typically attacks from a remote location, using the back doors they installed before leaving. There are many different ways they can damage an organization, destroying data on databases -- they can do real harm to the organization.
Another area of growing concern is the theft of intellectual property (IP). Where IP is concerned, client lists and databases are taken shortly before the insider leaves. IP data is usually taken within a month of the employee leaving. So monitoring what they downloaded, emailed or printed out during their final days may uncover what they have taken with them.
Other types of valuable IP for financial services firms could be proprietary software code used to run a trading platform, as well as trading algorithms.
Cracking Down on Crime
How to prevent insider crimes by trusted business partners? Having clear contractual measures drawn up can help set new standards of doing business with the institution, including some of the security requirements. This is especially key when dealing with global partners.
In many instances the overseas contractor and consultants aren't as security-conscious as an institution would like them to be. The stronger one can make the contractual agreement that holds the trusted business partner to strict security controls, the better the opportunity to keep possible insiders from doing harm.
Screen Employees -- It doesn't have to be DOD level clearance, but a screening of personnel should be required. In one case, CMU's research found where a person who had a criminal record was handling data as a trusted business partner's employee.
Reinforce Policies -- Security procedures and policies should be at least at the same level of the institution, and all employees should be aware and comfortable using them.
Monitor Exits -- Termination policies of the trusted business partners should be scrutinized and strengthened, if need. Moore says in many cases of sabotage, the insider was getting back into the organization's networks via backdoors installed on servers, causing damage, often without the business contractor knowing they had access. If the trusted business partner isn't tracking access of its employees, it won't be able to disable it when the employee leaves the company. Reviewing logs upon an employee's departure may help spot where a back door was installed on a system, most of the sabotage events are done within a month of an employee's termination or resignation.
Enforce Separation - insiders can't do fraud if someone else is doing part of the work. For critical transactions, a system of checks and balances should be a familiar process for institutions. People who are entering transactions shouldn't be able to approve them, too.
Measure Access -- Be able to monitor the intellectual property to which employees and business partners have access. Go with the least privilege access level, give only what they need in order to do their job.